Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
Companies doing business in the European Union can't be widely compelled to retain customer data, the EU’s top court ruled Dec. 21 ( Tele2 Sverige AB v. The Swedish Post and Telecom Authority, CJEU, No. C-203/15, 12/21/2016).
EU countries that adopt legislation imposing on companies a blanket obligation to retain personal data and make it available to law enforcement agencies are in breach of EU-wide law, the Court of Justice of the EU (CJEU) ruled.
Eduardo Ustaran, a partner with Hogan Lovells LLP in London, told Bloomberg BNA Dec. 21 that the CJEU ruling was “entirely consistent with its previous decisions.” The EU’s top court “has pointed out that governments need to tread very carefully when intruding into people’s digital lives,” he said.
The Luxembourg-based court ruled that the bloc’s 28 member governments can require companies, such as telecommunication and internet providers, to retain traffic and location data for specific law enforcement-related purposes, but retention orders should be targeted, limited to the combating serious crime, and only permitted to deviate from data protection standards “insofar as is strictly necessary.”
The court’s ruling concerns data retention cases referred to it from Sweden and the U.K. The ruling will have implications for data retention laws in those countries and in other EU countries that still apply data retention provisions after the CJEU’s 2014 invalidation of the EU Data Retention Directive (2006/24/EC).
In addition to only allowing targeted data retention, any national law should include “substantive and procedural conditions governing the access of the competent national authorities to the retained data,” including a requirement for access requests to be approved by a court or independent body, the CJEU said.
Lorna Woods, a professor at the U.K.’s University of Essex School of Law, told Bloomberg BNA Dec. 21 that laws requiring airlines to retain passenger name record (PNR) data for law enforcement purposes may be affected, including PNR deals that the EU signs with non-EU countries. “I would expect to see the same rules being applied” to a broad swath of other data retention provisions, Woods said.
EU Security Union Commissioner Julian King told Bloomberg BNA Dec. 21 that the European Commission, the EU’s executive arm, would examine the CJEU ruling to see if there was any need for EU-level measures.
There “may be wider implications that we need to look at, but it’s too early to say,” King said.
The CJEU’s decision may have broad implications for various privacy and data security regimes.
For example, Ustaran said the ruling was “a reminder that the EU-U.S. Privacy Shield will be closely scrutinized for potential lack of control over indiscriminate data capture and retention by the U.S. government.” The Privacy Shield is currently subject to a legal challenge by French and Irish privacy advocacy groups.
Additionally, Electronic communications providers that retain data in line with government orders must “take appropriate technical and organizational measures to ensure the effective protection of retained data against risks of misuse and against any unlawful access to that data,” and retained data should not be transferred outside the EU, the court said.
The court ruling also said that law enforcement authorities that receive retained data from companies “must notify the persons affected” when a notification “is no longer liable to jeopardize the investigations being undertaken.”
Ustaran said the court “does not rule out all forms of data retention and surveillance; it just need to be targeted in terms of scope and purpose.”
The CJEU said in a statement Dec. 21 that EU law, and specifically the EU e-Privacy Directive (2002/58/EC), “precludes a general and indiscriminate retention of traffic data and location data,” but data retention laws may be permitted if they “provide for sufficient guarantees of the protection of data,” and are based on “objective criteria in order to define the circumstances and conditions under which the competent national authorities are to be granted access to the data.”
The CJEU ruling also has implications for EU countries that either disregarded the 2014 invalidation of the EU Data Retention Directive, or have introduced new laws to replace those that were put in place under the directive.
In the Netherlands, for example, a new data retention law has been proposed that would disproportionately infringe privacy, the Dutch Data Protection Authority (DPA) said.
Dutch DPA spokeswoman Merel Eilander told Bloomberg BNA Dec. 21 that the CJEU ruling “seems completely in line with our advice” on the proposed Dutch law, which has still not been adopted.
In the U.K. case, the U.K. High Court in July 2015 found that the U.K. Data Retention and Investigatory Powers Act 2014 (DRIPA) was out of step with privacy protections. The British government appealed the ruling and the case was referred to the CJEU.
DRIPA is subject to a sunset clause. It will be replaced after Dec. 31 by the U.K. Investigatory Powers Act.
Woods said the Investigatory Powers Act would be open to challenge because it falls short of the CJEU’s specifications for data retention laws. For example, the act does not prohibit transfer of retained data out of the EU, and doesn't have strong prior oversight requirements for data access requests, Woods said.
Ustaran said the Investigatory Powers Act “will need to be revised to comply with EU law.”
“The prospect of Brexit could make the U.K. government think that they can ignore this ruling, but that would be unwise if the U.K. wishes to position itself as an adequate jurisdiction for data flowing from the EU,” Ustaran said.
To contact the reporter on this story: Stephen Gardner in Brussels at firstname.lastname@example.org
To contact the editor responsible for this story: Donald Aplin at email@example.com
Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to firstname.lastname@example.org.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to email@example.com.
Put me on standing order
Notify me when new releases are available (no standing order will be created)