The Court of Justice of the European Union (“CJEU”) struck down national legislation in EU member states that require an electronic communications services provider to carry out the general and indiscriminate transmission or retention of traffic data and location data to combat crime in general, for safeguarding national security or as a preventive measure.

The CJEU's most recent judgments provide further clarification to its past judgments on this topic. The CJEU now clarifies that the EU directive on privacy and electronic communications applies to national legislation requiring providers of electronic communications services to carry out personal data processing operations, such as its retention or disclosure to public authorities to safeguard national security and combat crime. The directive provides that EU member states must not restrict or diminish the confidentiality of communication and traffic data unless they comply with the general EU law principles of proportionality and provide the fundamental rights guaranteed by EU legislation.

However, the CJEU's recent judgment does allow EU member states to derogate from the obligation to ensure the confidentiality of data relating to electronic communications in situations where a member state is facing a serious, genuine, and present or foreseeable threat to national security. In that case, an EU member state may legislate general and indiscriminate retention of that data for a period that is limited in time to what is strictly necessary. Nonetheless, the court requires that such measures be subject to effective judicial review or review by an independent administrative body whose decision is binding. The independent review mechanism should verify that these exigent circumstances indeed exist and that the conditions and safeguards laid down are observed.

The CJEU's decision also clarifies that EU law does not preclude legislative measures that facilitate targeted and limited retention of traffic and location data based on objective and non-discriminatory factors, such as data relating to categories of persons concerned or geographically targeted data. It also permits the general and indiscriminate retention of IP addresses assigned to the source of  communication, provided that the retention period is limited to what is strictly necessary, as well as retention of data relating to the civil identity of users of electronic communication, in which case there is no requirement for a limited retention period. Member states may also require an expedited process to access data available to a communications service provider if it is necessary to shed light on serious criminal offenses or attacks on national security.

CLICK HERE to read the CJEU's decision in C‑623/17 Privacy International v. the UK.

CLICK HERE to read the CJEU's decision in the joined cases C-511/18, La Quadrature du Net v. France, C-512/18 French Data Network v. France, and C-520/18 Ordre des barreaux francophones et germanophone v. Belgium.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.