CURIA - Documents

Home > Search form > List of results > Documents

Start printing

Language of document : ECLI:EU:C:2016:970

Joined Cases C‑203/15 and C‑698/15

Tele2 Sverige AB
v
Post- och telestyrelsen

and

Secretary of State for the Home Department
v
Tom Watson and Others

(Requests for a preliminary ruling from the Kammarrätten i Stockholm and the Court of Appeal (England & Wales) (Civil Division))

(Reference for a preliminary ruling — Electronic communications — Processing of personal data — Confidentiality of electronic communications — Protection — Directive 2002/58/EC — Articles 5, 6 and 9 and Article 15(1) — Charter of Fundamental Rights of the European Union — Articles 7, 8 and 11 and Article 52(1) — National legislation — Providers of electronic communications services — Obligation relating to the general and indiscriminate retention of traffic and location data — National authorities — Access to data — No prior review by a court or independent administrative authority — Compatibility with EU law)

Summary — Judgment of the Court (Grand Chamber), 21 December 2016

1. Approximation of laws — Telecommunications sector — Processing of personal data and the protection of privacy in the electronic communications sector — Directive 2002/58 — Right of Member States to restrict the scope of certain rights and obligations — Scope — Legislative measure requiring providers of electronic communications services to retain traffic and location data of users — Included

(European Parliament and Council Directive 2002/58, as amended by Directive 2009/136, Arts 5(1) and 15(1))

2. Approximation of laws — Telecommunications sector — Processing of personal data and the protection of privacy in the electronic communications sector — Directive 2002/58 — Right of Member States to restrict the scope of certain rights and obligations — Restrictive interpretation — Grounds capable of justifying adoption of a restriction — Exhaustive nature

(European Parliament and Council Directive 2002/58, as amended by Directive 2009/136, Arts 5(1) and 15(1))

3. Approximation of laws — Telecommunications sector — Processing of personal data and the protection of privacy in the electronic communications sector — Directive 2002/58 — Right of Member States to restrict the scope of certain rights and obligations — National legislation providing for general and indiscriminate retention of traffic and location data of users, for the purpose of fighting crime — Not permissible — Serious interference in the rights to respect for privacy, the protection of personal data and freedom of expression

(Charter of Fundamental Rights of the European Union, Arts 7, 8, 11 and 52(1); European Parliament and Council Directive 2002/58, as amended by Directive 2009/136, Art. 15(1))

4. Approximation of laws — Telecommunications sector — Processing of personal data and the protection of privacy in the electronic communications sector — Directive 2002/58 — Right of Member States to restrict the scope of certain rights and obligations — National legislation allowing the targeted retention of traffic and location data of users, for the purpose of fighting serious crime — Lawfulness — Conditions

(Charter of Fundamental Rights of the European Union, Arts 7, 8, 11 and 52(1); European Parliament and Council Directive 2002/58, as amended by Directive 2009/136, Art. 15(1))

5. Approximation of laws — Telecommunications sector — Processing of personal data and the protection of privacy in the electronic communications sector — Directive 2002/58 — Right of Member States to restrict the scope of certain rights and obligations — National legislation governing the protection and security of traffic and location data of users –Ability of national authorities to obtain access to that data not subject to prior review by a court or administrative authority — Not permissible — No obligation, on providers of electronic communications services, to retain that data within the European Union — Not permissible

(Charter of Fundamental Rights of the European Union, Arts 7, 8, 11 and 52(1); European Parliament and Council Directive 95/46, Arts 22 and 2002/58, as amended by Directive 2009/136, Arts 15(1) and (2))

6. Fundamental rights — European Convention on Human Rights — Legal instrument not formally incorporated into EU law

(Art. 6(3) TEU; Charter of Fundamental Rights of the European Union, Art. 52(3))

7. Questions referred for a preliminary ruling — Jurisdiction of the Court — Limits — General or hypothetical questions — Abstract and purely hypothetical question with respect to the subject matter of the dispute in the main proceedings — Inadmissibility

(Art. 267 TFEU)

1. Article 15(1) of Directive 2002/58 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), as amended by Directive 2009/136, states that Member States may adopt, subject to the conditions laid down, legislative measures to restrict the scope of the rights and obligations provided for in Article 5, Article 6, Article 8(1) to (4), and Article 9 of that directive.

The scope of that provision extends, in particular, to a legislative measure that requires the providers of electronic communications services to retain traffic and location data, since to do so necessarily involves the processing, by those providers, of personal data. The scope also extends to a legislative measure relating to the access of the national authorities to the data retained by those providers. The protection of the confidentiality of electronic communications and related traffic data, guaranteed in Article 5(1) of Directive 2002/58, applies to the measures taken by all persons other than users, whether private persons or bodies or State bodies.

(see paras 71, 75-77)

2. Article 15(1) of Directive 2002/58 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), as amended by Directive 2009/136, enables the Member States to introduce exceptions to the obligation of principle, laid down in Article 5(1) of that directive, to ensure the confidentiality of personal data, and to the corresponding obligations, referred to in Articles 6 and 9 of that directive. Nonetheless, in so far as Article 15(1) of Directive 2002/58 enables Member States to restrict the scope of that obligation of principle, that provision must be interpreted strictly. That provision cannot, therefore, permit the exception to that obligation of principle and, in particular, to the prohibition on storage of data, laid down in Article 5 of Directive 2002/58, to become the rule, if the latter provision is not to be rendered largely meaningless.

In that regard, the first sentence of Article 15(1) of Directive 2002/58 provides that the objectives pursued by the legislative measures that it covers, which derogate from the principle of confidentiality of communications and related traffic data, must be to safeguard national security — that is, State security — defence, public security, the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system, or one of the other objectives specified in Article 13(1) of Directive 95/46, to which the first sentence of Article 15(1) of Directive 2002/58 refers. That list of objectives is exhaustive, as is apparent from the second sentence of Article 15(1) of Directive 2002/58, which states that the legislative measures must be justified on one of the grounds laid down in the first sentence of Article 15(1) of that directive. Accordingly, the Member States cannot adopt such measures for purposes other than those listed in that latter provision.

(see paras 88-90)

3. Article 15(1) of Directive 2002/58 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), as amended by Directive 2009/136, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter of Fundamental Rights of the European Union, must be interpreted as precluding national legislation which, for the purpose of fighting crime, provides for general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication.

That data, taken as a whole, is liable to allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as everyday habits, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them. In particular, that data provides the means of establishing a profile of the individuals concerned, information that is no less sensitive, having regard to the right to privacy, than the actual content of communications. The interference entailed by such legislation in the fundamental rights enshrined in Articles 7 and 8 of the Charter is very far-reaching and must be considered to be particularly serious. The fact that the data is retained without the users of electronic communication services being informed is likely to cause the persons concerned to feel that their private lives are the subject of constant surveillance. Even if such legislation does not permit retention of the content of a communication and is not, therefore, such as to affect adversely the essence of those rights, the retention of traffic and location data could nonetheless have an effect on the use of means of electronic communication and, consequently, on the exercise by the users thereof of their freedom of expression, guaranteed in Article 11 of the Charter.

Given the seriousness of the interference in the fundamental rights concerned represented by such national legislation, only the objective of fighting serious crime is capable of justifying such a measure. However, while the effectiveness of the fight against serious crime, in particular organised crime and terrorism, may depend to a great extent on the use of modern investigation techniques, such an objective of general interest, however fundamental it may be, cannot in itself justify that national legislation providing for the general and indiscriminate retention of all traffic and location data should be considered to be necessary for the purposes of that fight. First, the effect of such legislation is that the retention of traffic and location data is the rule, whereas the system put in place by Directive 2002/58 requires that retention of data to be the exception. Second, such national legislation, which covers, in a generalised manner, all subscribers and registered users and all means of electronic communication as well as all traffic data, provides for no differentiation, limitation or exception according to the objective pursued. It applies even to persons for whom there is no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious criminal offences. Such legislation therefore exceeds the limits of what is strictly necessary and cannot be considered to be justified, within a democratic society, as required by Article 15(1) of Directive 2002/58, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter.

(see paras 99-105, 107, 112, operative part 1)

4. Article 15(1) of Directive 2002/58 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), as amended by Directive 2009/136, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter of Fundamental Rights of the European Union, does not prevent a Member State from adopting legislation permitting, as a preventive measure, the targeted retention of traffic and location data, for the purpose of fighting serious crime, provided that the retention of data is limited, with respect to the categories of data to be retained, the means of communication affected, the persons concerned and the retention period adopted, to what is strictly necessary.

In order to satisfy those requirements, that national legislation must, first, lay down clear and precise rules governing the scope and application of such a data retention measure and imposing minimum safeguards, so that the persons whose data has been retained have sufficient guarantees of the effective protection of their personal data against the risk of misuse. That legislation must, in particular, indicate in what circumstances and under which conditions a data retention measure may, as a preventive measure, be adopted, thereby ensuring that such a measure is limited to what is strictly necessary.

Second, as regards the substantive conditions which must be satisfied by such national legislation, if it is to be limited to what is strictly necessary, while those conditions may vary according to the nature of the measures taken for the purposes of prevention, investigation, detection and prosecution of serious crime, the retention of data must continue nonetheless to meet objective criteria, that establish a connection between the data to be retained and the objective pursued. In particular, such conditions must be shown to be such as actually to circumscribe, in practice, the extent of that measure and, thus, the public affected. As regards the setting of limits on such a measure, the national legislation must be based on objective evidence which makes it possible to identify a public whose data is likely to reveal a link, at least an indirect one, with serious criminal offences, to contribute in one way or another to fighting serious crime or to prevent a serious risk to public security. Such limits may be set by using a geographical criterion where the competent national authorities consider, on the basis of objective evidence, that there exists, in one or more geographical areas, a high risk of preparation for or commission of such offences.

(see paras 108-111)

5. Article 15(1) of Directive 2002/58 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), as amended by Directive 2009/136, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter of Fundamental Rights of the European Union, must be interpreted as precluding national legislation governing the protection and security of traffic and location data and, in particular, access of the competent national authorities to the retained data, where the objective pursued by that access, in the context of fighting crime, is not restricted solely to fighting serious crime, where access is not subject to prior review by a court or an independent administrative authority, and where there is no requirement that the data concerned should be retained within the European Union.

In that regard, in order to ensure that access of the competent national authorities to retained data is limited to what is strictly necessary, it is, indeed, for national law to determine the conditions under which the providers of electronic communications services must grant such access. However, the national legislation concerned cannot be limited to requiring that access should be for one of the objectives referred to in Article 15(1) of Directive 2002/58, even if that objective is to fight serious crime. That national legislation must also lay down the substantive and procedural conditions governing the access of the competent national authorities to the retained data. Accordingly, and since general access to all retained data, regardless of whether there is any link, at least indirect, with the intended purpose, cannot be regarded as limited to what is strictly necessary, the national legislation concerned must be based on objective criteria in order to define the circumstances and conditions under which the competent national authorities are to be granted access to the data of subscribers or registered users. In that regard, access can, as a general rule, be granted, in relation to the objective of fighting crime, only to the data of individuals suspected of planning, committing or having committed a serious crime or of being implicated in one way or another in such a crime. However, in particular situations, where for example vital national security, defence or public security interests are threatened by terrorist activities, access to the data of other persons might also be granted where there is objective evidence from which it can be deduced that that data might, in a specific case, make an effective contribution to combating such activities.

In order to ensure, in practice, that those conditions are fully respected, it is essential that access of the competent national authorities to retained data should, as a general rule, except in cases of validly established urgency, be subject to a prior review carried out either by a court or by an independent administrative body, and that the decision of that court or body should be made following a reasoned request by those authorities submitted, inter alia, within the framework of procedures for the prevention, detection or prosecution of crime. Likewise, the competent national authorities to whom access to the retained data has been granted must notify the persons affected, under the applicable national procedures, as soon as that notification is no longer liable to jeopardise the investigations being undertaken by those authorities. That notification is, in fact, necessary to enable the persons affected to exercise, inter alia, their right to a legal remedy, expressly provided for in Article 15(2) of Directive 2002/58, read together with Article 22 of Directive 95/46 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, where their rights have been infringed.

Further, given the quantity of retained data, the sensitivity of that data and the risk of unlawful access to it, the providers of electronic communications services must, in order to ensure the full integrity and confidentiality of that data, guarantee a particularly high level of protection and security by means of appropriate technical and organisational measures. In particular, the national legislation must make provision for the data to be retained within the European Union and for the irreversible destruction of the data at the end of the data retention period.

(see paras 118-122, 125, operative part 2)

6. See the text of the judgment.

(see paras 127-129)

7. See the text of the judgment.

(see para. 130)