Joined Cases C‑793/19 and C‑794/19
Bundesrepublik Deutschland
v
SpaceNet AG
and
Telekom Deutschland GmbH
(Requests for a preliminary ruling from the Bundesverwaltungsgericht)
Judgment of the Court (Grand Chamber), 20 September 2022
(Reference for a preliminary ruling – Processing of personal data in the electronic communications sector – Confidentiality of communications – Providers of electronic communications services – General and indiscriminate retention of traffic and location data – Directive 2002/58/EC – Article 15(1) – Charter of Fundamental Rights of the European Union – Articles 6, 7, 8 and 11 and Article 52(1) – Article 4(2) TEU)
1. Approximation of laws – Telecommunications sector – Processing of personal data and the protection of privacy in the electronic communications sector – Directive 2002/58 – Scope – National legislation requiring providers of electronic communications services to retain traffic and location data – Objectives of protecting national security and combating crime – Included
(Art. 4(2) TEU; European Parliament and Council Directive 2002/58, as amended by Directive 2009/136, Arts 1(1) and (3), 3 and 15(1))
(see paragraph 48)
2. Approximation of laws – Telecommunications sector – Processing of personal data and the protection of privacy in the electronic communications sector – Directive 2002/58 – Power of Member States to limit the scope of certain rights and obligations – National measures requiring providers of electronic communication services to retain, generally and indiscriminately, traffic and location data – Objective of combating serious crime and preventing serious threats to public security – Unlawful – Duration of the period of general and indiscriminate retention of those data – Irrelevant – National measures relating to the retention of certain categories of data – Objectives of safeguarding national security, combating serious crime and preventing serious threats to public security – Whether permissible – Conditions
(Charter of Fundamental Rights of the European Union, Arts 7, 8, 11 and 52(1); European Parliament and Council Directive 2002/58, as amended by Directive 2009/136, Art. 15(1))
(see paragraphs 49-75, 77-81, 83-85, 87-94, 97-99, 110, 113, 116-121, 127-131 and operative part)
Résumé
In recent years, the Court has ruled, in several judgments, on the retention of and access to personal data in the field of electronic communications. (1)
More recently, in the judgment in La Quadrature du net and Others, (2) delivered by the Grand Chamber on 6 October 2020, the Court confirmed its case-law arising from the judgment in Tele2 Sverige and Watson and Others (3) on the disproportionate nature of a general and indiscriminate retention of traffic and location data relating to electronic communications. It also provided clarification, inter alia as regards the extent of the powers conferred on the Member States by the Directive on privacy and electronic communications with regard to the retention of such data for the purposes of safeguarding national security, combating crime and safeguarding public security.
In the present joined cases, two requests for a preliminary ruling were submitted by the Bundesverwaltungsgericht (Federal Administrative Court, Germany), before which the Federal Republic of Germany brought an appeal on a point of law against two judgments which had upheld the actions brought by two companies providing internet access services, SpaceNet AG (Case C‑793/19) and Telekom Deutschland GmbH (Case C‑794/19). By those actions, those companies challenged the obligation imposed by the German legislation (4) to retain traffic and location data relating to their customers’ electronic communications.
The doubts expressed by the referring court concern, inter alia, the compatibility with the Directive on privacy and electronic communications, (5) read in the light of the Charter of Fundamental Rights of the European Union (‘the Charter’) (6) and of Article 4(2) TEU, of national legislation which requires providers of publicly available electronic communications services – inter alia for the purposes of prosecuting serious criminal offences or preventing a specific risk to national security – to retain, in a general and indiscriminate way, most of the traffic and location data of the end users of those services, laying down a retention period of several weeks and rules intended to ensure the effective protection of the retained data against the risks of abuse and against any unlawful access to those data.
By its judgment, the Court, sitting as a Grand Chamber, confirms its case-law arising from La Quadrature du Net and Others, and, more recently, the judgment in Commissioner of An Garda Síochána and Others, (7) and clarifies the scope of that case-law. It recalls inter alia that the general and indiscriminate retention of traffic and location data relating to electronic communications is not permitted, on a preventative basis, for the purposes of combating serious crime and preventing serious threats to public security.
Findings of the Court
The Court begins by confirming the applicability of the Directive on privacy and electronic communications to the national legislation at issue, and then recalls the principles derived from its case-law, before carrying out a detailed examination of the characteristics of the national legislation at issue, highlighted by the referring court.
As regards, first of all, the extent of the data retained, the Court observes that the retention obligation laid down by the national legislation at issue covers a very broad set of traffic and location data and that it concerns practically the entire population without those persons being, even indirectly, in a situation liable to give rise to criminal prosecutions. It also notes that that legislation requires the general retention, without a reason, and without any distinction in terms of personal, temporal or geographical factors, of most traffic and location data, the scope of which corresponds, in essence, to that of the data retained in the cases which led to the judgment in La Quadrature du net and Others. Accordingly, in the light of that case-law, the Court considers that a data retention obligation such as that at issue in the main proceedings cannot be regarded as a targeted retention of data.
Next, as regards the data retention period, the Court notes that it is follows from the Directive on privacy and electronic communications (8) that the length of the retention period provided for by a national measure imposing a general and indiscriminate retention obligation is indeed a relevant factor, amongst others, in determining whether EU law precludes such a measure, since that sentence requires that that period be ‘limited’. However, the seriousness of the interference stems from the risk, particularly in view of their number and variety, that the data retained, taken as a whole, may enable very precise conclusions to be drawn concerning the private life of the person or persons whose data have been retained and, in particular, provide the means of establishing a profile of the person or persons concerned, information that is no less sensitive, having regard to the right to privacy, than the actual content of communications. Accordingly, the retention of traffic or location data is in any event serious regardless of the length of the retention period and the quantity or nature of the data retained, when that set of data is liable to allow precise conclusions to be drawn concerning the private life of the person or persons concerned. (9)
Lastly, as regards the safeguards intended to protect the retained data against the risks of abuse and against any unlawful access, the Court points out, on the basis of its previous case-law, that the retention of and access to those data each constitute separate interferences with the fundamental rights of the persons concerned, requiring a separate justification. It follows that national legislation ensuring full respect for the conditions established by the case-law as regards access to retained data cannot, by its very nature, be capable of either limiting or even remedying the serious interference with the rights of the persons concerned which results from the general retention of those data.
In addition, in order to respond to certain arguments raised before it, the Court notes, in the first place, that a threat to national security must be genuine and present, or, at the very least, foreseeable, which presupposes that sufficiently concrete circumstances have arisen to be able to justify a generalised and indiscriminate measure of retention of traffic and location data for a limited period of time. Such a threat is therefore distinguishable, by its nature, its seriousness, and the specific nature of the circumstances of which it is constituted, from the general and permanent risk of the occurrence of tensions or disturbances, even of a serious nature, that affect public security, or from that of serious criminal offences being committed. Thus, crime, even of a particularly serious nature, cannot be treated in the same way as a threat to national security.
It observes, in the second place, that authorising access, for the purpose of combating serious crime, to traffic and location data which have been retained in a general and indiscriminate way in order to confront a serious threat to national security, would be contrary to the hierarchy of public interest objectives which may justify a measure adopted under the Directive on privacy and electronic communications. (10) That would amount to allowing access to be justified for an objective of lesser importance than that which justified its retention, namely the safeguarding of national security, which would risk depriving of any effectiveness the prohibition on a general and indiscriminate retention for the purpose of combating serious crime.
The Court concludes, confirming its previous case-law, that the Directive on privacy and electronic communications, read in the light of the Charter, precludes national legislative measures which provide, on a preventative basis, for the purposes of combating serious crime and preventing serious threats to public security, for the general and indiscriminate retention of traffic and location data.
However, it does not preclude national legislative measures which allow, for the purposes of safeguarding national security, recourse to an instruction requiring providers of electronic communications services to retain, generally and indiscriminately, traffic and location data in situations where the Member State concerned is confronted with a serious threat to national security that is shown to be genuine and present or foreseeable. In that regard, the Court specifies that the decision imposing such an instruction must be subject to effective review, either by a court or by an independent administrative body whose decision is binding, the aim of that review being to verify that one of those situations exists and that the conditions and safeguards which must be laid down are observed, and that instruction may be given only for a period that is limited in time to what is strictly necessary, but which may be extended if that threat persists.
That directive, read in the light of the Charter, also does not preclude national legislative measures providing, for the purposes of safeguarding national security, combating serious crime and preventing serious threats to public security, for the targeted retention of traffic and location data which is limited, on the basis of objective and non-discriminatory factors, according to the categories of persons concerned or using a geographical criterion, for a period that is limited in time to what is strictly necessary, but which may be extended.
The same is true of national legislative measures providing, for the purposes of safeguarding national security, combating serious crime and preventing serious threats to public security, for the general and indiscriminate retention of IP addresses assigned to the source of an internet connection, for a period that is limited in time to what is strictly necessary, and data relating to the civil identity of users of electronic communications systems, the retention of which may undisputedly contribute to the fight against serious crime, to the extent that those data make it possible to identify persons who have used those means in the context of planning or committing an act constituting serious crime.
That is also the case for national legislative measures that allow, for the purposes of combating serious crime and, a fortiori, safeguarding national security, recourse to an instruction requiring providers of electronic communications services, by means of a decision of the competent authority that is subject to effective judicial review, to undertake, for a specified period of time, the expedited retention of traffic and location data in the possession of those service providers.
However, the Court states that all the abovementioned measures must ensure, by means of clear and precise rules, that the retention of data at issue is subject to compliance with the applicable substantive and procedural conditions and that the persons concerned have effective safeguards against the risks of abuse. Those various measures may, at the choice of the national legislature and subject to the limits of what is strictly necessary, be applied concurrently.