Council of the European Union: Privacy first, but security comes in a close second

In April 2014 the Court of Justice of the European Union annulled the Data Retention Directive in Digital Rights Ireland, and in December 2016, in Tele 2 Sverige, it reiterated that, as long as it is indiscriminate, all data retention is unlawful. Ever since, ‘to retain or not to retain?’ has been the question haunting telecom service providers and governments alike. Even while prioritising privacy, the Court never questioned the value of telecommunications metadata in investigating crime. However, advocates of data retention often lacked or did not present concrete statistical data to back their claims. Particularly at a pan-EU level, a general sense of confusion has reigned as to what to retain, how long to retain it and with whom and under what conditions to share it. After Tele 2, telecommunications providers are free to continue retaining data for business purposes, as long as they keep in line with the principles of necessity and proportionality. However, no service provider is obliged to retain data unless it chooses to do so. In its Conclusions on the Retention of Data for the Purpose of Fighting Crime from June 2019, the Council of the European Union reflects on the status quo and provides guidelines for the Commission and Member States on what to consider in their pursuit of a proportionate and harmonised EU data retention regime.

A fractured landscape

In its conclusions, the Council notes that it is appropriate to lay down proportional, necessary and transparent data retention obligations for telecommunications operators and service providers to meet law enforcement’s operational needs. It emphasised that such data retention regimes must provide sufficient safeguards for fundamental rights, in particular the rights to privacy, protection of personal data, non-discrimination and presumption of innocence. Concerns were raised over whether the data retained solely for business purposes is sufficient for crime investigation and national security purposes. Leaving the availability of data up to the service providers and not laying down a harmonised regime on an EU level is further scattering the already disorganised landscape of data retention practices and therefore complicating cross-border cooperation between intelligence and law enforcement agencies.

In April 2017, the Council called on the Commission to conduct a study on the current state of play regarding data retention across the EU. As a result, a comprehensive report was produced, in which each Member State (MS) reported:

  • whether there was a data retention regime in force;
  • whether there were planned or implemented amendments to data retention legislation; and
  • whether there was relevant case law.

According to the report, as of March 2019, 25 of the 28 MS have some form of data retention legislation in force. Some have revised the regime pursuant to the case law of the ECJ, and some have kept the original national implementation of the now defunct Data Retention Directive. The amendments introduced also vary in nature, ranging from a stricter review of access procedures and specified retention periods to the requirement to store data either on the territory of the MS or of the EU.

The conclusions refer to the report of the Special Committee on Terrorism of the European Parliament and note that the necessity of an appropriate data retention regime was consistently raised during the work of the Committee. The rapporteurs of the Committee deemed it necessary to provide for an EU regime on data retention in line with the requirements stemming from the case law of the CJEU, while considering the needs of the competent authorities and the specificities of the counter-terrorism field.

Pending cases

The Council notes that there are requests for preliminary rulings pending with the CJEU. The first request is by the UK Investigatory Powers Tribunal, asking whether or not Union law can prevail over domestic measures when it comes to regulating national security. Second, the Constitutional Court in Belgium has asked whether ‘fighting serious crime’ is the sole legitimate objective, or whether a broader purpose would also justify maintaining a data retention regime. On a similar line, the French Conseil d'Etat has asked about the scope of legitimate objective and the applicability of Union law. Fourth, the Estonian Constitutional Court has asked whether access to retained data is restricted to fighting serious crime, regardless of the period to which the retained data relates. The Estonian Court has also inquired whether there is a proportional relationship between the amount of accessible data and the gravity of the investigated offenses and whether the public prosecutor's office can be regarded as an independent oversight body.

Key takeaways

In sum, when compared to the applicable CJEU case law, the Council’s conclusions are bent towards giving data retention a chance. Although the Council remains unwavering in its opinion that all investigative measures must comply with fundamental rights and freedoms, it highlights the essential role of data retention in fighting serious crime such as terrorism or cyber crime. Rather than envisage a future without data retention, the Council states that legislative reforms at national or European level, including the future e-Privacy Regulation, should maintain the legal possibility for schemes for retention of data at EU and national level. The conclusions invite the Commission to analyse the actual needs of MS competent authorities for retained communications data, engage with stakeholders and subsequently prepare a comprehensive study that would, among other aspects, cover the evolving case law both from CJEU and national courts.

Author: Ann Väljataga, NATO CCDCOE Law Branch

This publication does not necessarily reflect the policy or the opinion of the NATO Cooperative Cyber Defence Centre of Excellence (the Centre) or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publication.