On November 18, 2021, the Advocate General of the Court of Justice of the European Union (“CJEU”) issued an opinion on several data retention cases before by the Court, following a long line of CJEU jurisprudence on this topic.

To give context to the issues considered in these cases, Europe’s experience of totalitarian regimes in the last century has shaped its approach to privacy rights.  This is evident in the GDPR and in the decisions of the CJEU to date.  But there remain tensions that are complex and difficult to deal with in this area — notably, the tension between individual rights to privacy and data protection on one hand, and the duty of the State to protect its population against security threats and crime on the other.  These tensions do not marry easily, as surveillance of personal electronic communications is increasingly demanded to detect and deal with crime and terrorism.

How to enable and control that interference in a way that minimizes the trespass to personal data has been a particularly thorny issue for EU Member States since the 2006 EU Directive regulating that interference was found to be invalid in the Digital Rights Ireland and Seitlinger cases of 2014.  EU Member States have relied largely on their own domestic legislation to regulate the specifics of that interference since then.  While much of that legislation was put in place under the invalidated 2006 Directive, case law from the CJEU has helped define the boundaries of EU law with revisions to domestic law in consequence.  However, there are differences between EU Member States laws, resulting in a steady stream of cases referred to the CJEU on the validity of aspects of data retention and access laws around Europe.  The latest cases involve Irish and German data retention legislation, as well as a French referral on insider dealing legislation containing similar requirements.

The cases

The CJEU dealt with several referrals from EU Member States that addressed challenges to their own domestic legislation in recent years.  Namely, Swedish, UK, French, Belgian, Spanish, Estonian — and more recently Irish and German — courts referred questions to the CJEU on whether their domestic legislation on data retention and access complies with EU law.  The recurring theme has been how to balance the fundamental rights of privacy and data protection with the need to investigate and prosecute serious crime and terrorism, and what limits the State could place on individual personal privacy in the interest of safeguarding their population.  In particular, under what conditions should the State be able to gain access to the metadata of personal electronic communications, and what levels of oversight are required to ensure effective surveillance while minimizing the invasion of privacy?

To illustrate the importance of this issue, in 2015, the metadata from the SIM cards of a couple of discarded mobile phones yielded up the identity of a suspected killer and ultimately played a significant role in his conviction before an Irish court, just months after the 2006 Directive was declared invalid.  The Irish legislation had, like that of most other EU Member States, followed the Directive permitting police access to retained metadata.  The key question in that case was whether the detailed domestic legislation was, like its parent Directive, also flawed.  In the Irish case, it was the convicted killer who has challenged the validity of the domestic legislation which helped convict him.

In addition to the Irish referral was a German referral involving challenges to German law from two electronic communications providers.  The Irish and German referrals were joined together for a hearing before the CJEU on September 13, 2021.  The Advocate General of the CJEU has now given his opinion on the referrals and the decision of the CJEU itself will follow later. His opinion is not binding on the CJEU.  However, while the CJEU may differ in its views, it often follows, at least in part, the reasoning of its Advocate General.

The opinion of the Advocate General of the CJEU

In essence, the Advocate reiterated what he regards as now settled law from prior CJEU decisions. He referred to the fact that both the Irish and German referring courts had declined the invitation to withdraw their referrals on the basis that the previous decisions either answered the questions now asked, or that the answers could be inferred from them without difficulty.

While the Advocate General praised the progress of the German legislation to comply with CJEU case law, it should have focused more on protecting the retained data.  He opined that the German law was wrong to oblige general and indiscriminate storage of a very wide range of traffic and location data.  The time limits (4 weeks for location data and 10 weeks for other data) did not, he stated, remedy that as the storage should have been targeted.  What may now be an insufficient retention period to produce profiles that would reveal sensitive personality and life traits “may be more than enough at some point in the future.”  It was, he opined, a serious interference with the rights to privacy and data protection irrespective of the duration of storage.

In the Irish case, the designated storage period was two years for the traffic and location data of all subscribers to the electronic communications providers.  The Advocate General similarly opined that national security requirements permit the general and indiscriminate retention of traffic and location data, but not for the prosecution of offences.  Irish legislation was, in his view, also non-compliant, as prior access to the retained data was not subject to prior independent review, but rather, was subject to review internally by the Gardaí (the Irish police).  Of particular relevance to the murder conviction was the Advocate General’s opinion that the Irish court cannot, under EU law, simply limit the period of invalidity to the future, but must also do so for the past application of the legislation.

The Advocate General added his opinion on a referral from the French Court de Cassation on two insider dealing cases.  Dealing with EU financial services law, the key issue was whether an EU Member State could impose an obligation to retain electronic communications data in a general and indiscriminate way for insider dealing investigations like the cases in hand.  The Advocate General opined that, like in the other cases, the retention of traffic data under EU Member State law for investigating insider dealing was flawed as only national security purposes justified such general and indiscriminate data retention.

It remains to be seen whether the CJEU will agree with the Advocate General, but it is clear that this is an issue of key concern to many EU Member States and their policing authorities in particular.