Europe’s top court sharpens guidance on data retention for combating serious crime

A ruling by the European Union’s top court has reaffirmed that national law cannot rely on a claim of combating serious crime to deviate from the prohibition in EU law on general and indiscriminate collection of electronic comms data.

Although the court has signposted some targeted exceptions it suggests may be permissible for gathering digital evidence in bulk to fight serious crime, such as by targeting places with a high instance of crime or a high volume of visitors (such as airports), or other locations which house critical infrastructure.

The referral to the CJEU, which followed an appeal in a case related to use of mobile phone data to secure a murder conviction in Ireland, saw a long list of EU Member States joining Ireland to press for the court to take a broader interpretation of how law enforcement authorities can retain and use data, as the Irish Times reported earlier. But the bloc’s top court rejected any blurring of the line between national security and serious crime — instead reiterating that EU law precludes the general and indiscriminate retention of traffic and location data relating to electronic communications for the purposes of combating serious crime.

“While the privacy and electronic communications directive allows Member States to place limitations on the exercise of those rights and obligations for the purposes inter alia of combating crime, those limitations must comply with the principle of proportionality,” runs a CJEU press release on the judgement. “That principle requires compliance not only with the requirements of aptitude and of necessity but also with that of the proportionate nature of those measures in relation to the objective pursued.

“Thus, the Court has already held that the objective of combating serious crime, as fundamental it may be, does not, in itself, justify that a measure providing for the general and indiscriminate retention of all traffic and location data, such as that established by [EU] Directive 2006/24, should be considered to be necessary.

“In the same vein, even the positive obligations of the Member States relating to the establishment of rules to facilitate effective action to combat criminal offences cannot have the effect of justifying interference that is as serious as that entailed by legislation providing for the retention of traffic and location data with the fundamental rights of practically the entire population, in circumstances where the data of the persons concerned are not liable to disclose a link, at least an indirect one, between those data and the objective pursued.”

The broad interest in the case hints at how many other national laws may be operating on similarly shaky ground vis-a-vis bulk data retention — whether in relation to serious crime, or national security.

On the latter, the CJEU has repeatedly made it clear that general and indiscriminate data retention regimes are not legal — although the court did allow, in a ruling back in October 2020, that where a Member State faces a pressing national security threat then temporary bulk data collection and retention, limited to ‘what is strictly necessary’, may be allowed.

The CJEU’s ruling on the Irish referral today emphasizes the need for public authorities to strike a balance between the general/public interest in catching a criminal and individuals’ fundamental rights under EU law, which include a right to private life and respect for personal data.

The court rejected submissions by Member States for a workaround that would have meant particularly serious crime could be treated in the same way as a threat to national security “which is genuine and current or foreseeable” — and thereby allow for time-limited general and indiscriminate retention of traffic and location data for the purpose of combating crime.

“Such a threat is distinguishable, by its nature, its seriousness, and the specific nature of the circumstances of which it is constituted, from the general and permanent risk of the occurrence of tensions or disturbances, even of a serious nature, that affect public security, or from that of serious criminal offences being committed,” the press release says on that.

So the implication is Member States which have been pressing this line of argument to try to workaround the EU law — and ‘legalize’ their illegal bulk data collection regimes — are facing a bit of a dead-end.

In the ruling, the CJEU has sought to provide tighter steerage for public authorities on alternative courses of action they may take to gather digital evidence — with the court saying it’s confirming earlier case law by holding that EU law does not preclude legislative measures for the purposes of combating serious crime and preventing serious threats to public security that provide for:

  • the targeted retention of traffic and location data which is limited, according to the categories of persons concerned or using a geographical criterion;
  • the general and indiscriminate retention of IP addresses assigned to the source of an internet connection;
  • the general and indiscriminate retention of data relating to the civil identity of users of electronic communications systems;
  • the expedited retention (quick freeze) of traffic and location data in the possession of those service providers.

Albeit, the ruling also stresses that any such measures are subject to the limits of what is strictly necessary.

More on the cited exceptions from the ruling:

” … a targeted measure for the retention of traffic and location data may, at the choice of the national legislature and in strict compliance with the principle of proportionality, also be set using a geographical criterion where the competent national authorities consider, on the basis of objective and non-discriminatory factors, that there exists, in one or more geographical areas, a situation characterised by a high risk of preparation for or commission of serious criminal offences. Those areas may include places with a high incidence of serious crime, places that are particularly vulnerable to serious crime, such as places or infrastructure which regularly receive a very high volume of visitors, or strategic locations, such as airports, stations, maritime ports or tollbooth areas (see, to that effect, judgment of 6 October 2020, La Quadrature du Net and Others, C‑511/18, C‑512/18 and C‑520/18, EU:C:2020:791, paragraphs 150 and the case-law cited).

“It should be borne in mind that, according to that case-law, the competent national authorities may adopt, for areas referred to in the preceding paragraph, a targeted measure of retention using a geographic criterion, such as, inter alia, the average crime rate in a geographical area, without that authority necessarily having specific indications as to the preparation or commission, in the areas concerned, of acts of serious crime. Since a targeted retention using that criterion is likely to concern, depending on the serious criminal offences in question and the situation specific to the respective Member States, both the areas marked by a high incidence of serious crime and areas particularly vulnerable to the commission of those acts, it is, in principle, not likely moreover to give rise to discrimination, as the criterion drawn from the average rate of serious crime is entirely unconnected with any potentially discriminatory factors.

“In addition and above all, a targeted measure of retention covering places or infrastructures which regularly receive a very high volume of visitors, or strategic places, such as airports, stations, maritime ports or tollbooth areas, allows the competent authorities to collect traffic data and, in particular, location data of all persons using, at a specific time, a means of electronic communication in one of those places. Thus, such a targeted retention measure may allow those authorities to obtain, through access to the retained data, information as to the presence of those persons in the places or geographical areas covered by that measure as well as their movements between or within those areas and to draw, for the purposes of combating serious crime, conclusions as to their presence and activity in those places or geographical areas at a specific time during the period of retention.”

The court rejected another workaround type argument — which had posited that serious-crime-fighting authorities should be allowed to dip into mobile data which had been gathered in bulk, in a general and indiscriminate way, to address a serious threat to national security which is genuine and current or foreseeable.

“That argument makes that access depend on factors that are unrelated to the objective of combating serious crime,” notes the CJEU’s press release. “In addition, under that line of argument, access could be justified by an objective of lesser importance than that which justified its retention, namely safeguarding national security, which would be contrary to that hierarchy of public interest objectives in the context of which the proportionality of a retention measure must be assessed. Furthermore, to authorise such access would deprive of any effectiveness the prohibition on carrying out general and indiscriminate retention for the purpose of combating serious crime.”

The court further held that access to personal data such as traffic and location data by competent national authorities must be subject to a prior review — carried out either by a court or by an independent administrative body — and that a review decision must be preceded by the proper requesting procedure (aka “a reasoned request by those authorities submitted, inter alia, within the framework of procedures for the prevention, detection or prosecution of crime”).

The CJEU also makes it explicitly clear that a police officer cannot stand in for the requisite court or independent body in this scenario. So, basically, sign-off on data access by a police officer does not qualify as a valid decision review body and will not let Member States pull off another quick ‘n’ dirty bypass of EU law (not legally anyway).

A national court also cannot eschew its responsibility to strike down national legislation that’s incompatible with the EU directive on privacy and electronic communications, the CJEU further held — which looks pertinent for France where the government has been seeking to use the national courts to do just that in recent years (via Politico).

On the specific point of case referral — as to whether the retained mobile traffic and location data should be allowed to stand as evidence in the murder case — the CJEU has bounced the matter back to the Irish courts, emphasizing that a ruling needs to comply with the principles of equivalence and effectiveness. So whether that evidence gets thrown out or not remains to be seen.