Telecom, Web Data Retention Laws OK: EU Court Adviser

By Stephen Gardner

July 19 — European Union laws on telecommunications and internet data retention for law enforcement purposes should comply with the bloc's data protection standards and privacy rights, according to a European Court of Justice advocate general's July 19 non-binding opinion (Tele2 Sverige AB v. The Swedish Post and Telecom Authority, E.C.J., No. C-203/15, recommended opinion, 7/19/16).

Even though the ECJ invalidated the EU's Data Retention Directive (2006/24/EC) in April 2014, EU countries aren't prevented from adopting national data retention laws, as long as certain criteria are met, ECJ Advocate General Henrik Saugmandsgaard Øe said in the non-binding opinion.

Opinions of the ECJ advocate general are non-binding preliminary findings ahead of a court ruling. In most cases, ECJ judgements follow the advocate general's opinion.

Philip James, a partner with Sheridans in London, told Bloomberg BNA July 19 that the advocate general's opinion set out a “logical and proportionate approach” to data retention that was “seeking to insert some checks and balances into how that data will be accessed” by authorities.

The EU Data Retention Directive required EU member states to put in place laws obliging telecommunications companies and internet service providers to retain certain unique user data for up to two years, and to provide it to law enforcement authorities if requested for the purposes of combating crime and terrorism. The ECJ invalidated the directive on the basis that it permitted indiscriminate bulk retention of data and contravened EU privacy rights (13 PVLR 660, 4/14/14).

Tove Ernst, a spokeswoman for the European Commission, the EU's executive arm, confirmed to Bloomberg BNA July 19 that the commission won't propose a new EU-level data retention law, leaving the issue for EU countries to decide on a national level.

Uncertain Status

After the invalidation, a number of EU member states annulled their national laws on data retention. Countries that rescinded their laws included Austria, Belgium, Bulgaria, Germany, the Netherlands, Poland, Romania, Slovakia and Slovenia.

Surviving data retention laws in EU member states have had an uncertain status and it has been unclear to what extent internet and telecommunication companies should retain data for possible handing over to law enforcement agencies.

To resolve the uncertainty, two cases concerning national data retention laws were referred to the ECJ. One case involved Tele2, a Swedish telecoms operator, which began to delete retained communications data after the invalidation of the Data Retention Directive. The second was a challenge brought by a group of British lawmakers against the U.K.'s Data Retention and Investigatory Powers Act 2014, under which retention of communications data is required for up to 12 months.

Privacy Safeguards

The advocate general said that provisions in the EU e-Privacy Directive (2002/58/EC), which prohibit blanket data retention except where it is “necessary, appropriate and proportionate” for national security purposes, should “be interpreted as not precluding” specific data retention laws in EU countries.

However, those laws should be transparent and be protected “against arbitrary interference,” and should be in line with rights on privacy contained in the EU Charter of Fundamental Rights, Øe said.

In addition, national data retention laws may only target “serious crime” and should only be used if “strictly necessary” and when “no other measure or combination of measures could be as effective in the fight against serious crime,” he said.

National data retention laws should also respect standard data protections on access to data, data retention periods and data security, the advocate general said.

Furthermore, national data retention laws should be “proportionate, within a democratic society, to the objective of fighting serious crime,” he said.

James said that the opinion, if confirmed by the ECJ, may have an impact on the U.K. Data Retention and Investigatory Powers Act, because the criteria set out by the advocate general are “more restrictive around what can be accessed.”

The advocate general's stipulation that data retention is only permissible if “strictly necessary” to fight serious crime was “very narrow” and was “probably the most controversial” aspect of the opinion, he said.

Data Protection Reinforcement

Carlo Piltz, a data protection attorney with JBB Lawyers in Berlin, told Bloomberg BNA July 19 that the advocate general's opinion reinforced the ECJ's 2014 ruling that invalidated the Data Retention Directive.

That ruling set out data protection safeguards that data retention requirements should take into account, but the German government and some other EU countries regarded these safeguards as “merely illustrative,” Piltz said.

“The advocate general rejects this interpretation” and provides a “detailed analysis of the requirements national laws obliging companies to store communications data would have to fulfil,” Piltz added.

The opinion attempts “to find a balance between the necessity to provide EU citizens with security while respecting the fundamental rights of private life and data protection,” Piltz said.

To contact the reporter on this story: Stephen Gardner in Brussels at correspondents@bna.com

To contact the editors responsible for this story: Donald G. Aplin at daplin@bna.com; Daniel R. Stoller at dstoller@bna.com

For More Information

The ECJ Advocate General's July 19 opinion is available at http://src.bna.com/gVi.
