Case C‑140/20
G.D.
v
Commissioner of An Garda Síochána and Others
(Request for a preliminary ruling from the Supreme Court (Ireland))
Judgment of the Court (Grand Chamber), 5 April 2022
(Reference for a preliminary ruling – Processing of personal data in the electronic communications sector – Confidentiality of the communications – Providers of electronic communications services – General and indiscriminate retention of traffic and location data – Access to data – Subsequent court supervision – Directive 2002/58/EC – Article 15(1) – Charter of Fundamental Rights of the European Union – Articles 7, 8 and 11 and Article 52(1) – Possibility for a national court to restrict the temporal effect of a declaration of the invalidity of national legislation that is incompatible with EU law – Excluded)
1. Approximation of laws – Telecommunications sector – Processing of personal data and the protection of privacy in the electronic communications sector – Directive 2002/58 – Power of Member States to limit the scope of certain rights and obligations – National measures requiring providers of electronic communications services to retain, generally and indiscriminately, traffic and location data – Objective of combating serious crime and preventing serious threats to public security – Not permissible – National measures providing for the targeted retention of those data on the basis of objective and non-discriminatory factors, and for a period of time limited to what is strictly necessary – National measures providing for the general and indiscriminate retention of IP addresses assigned to the source of an internet connection for a period that is limited in time to what is strictly necessary – National measures providing for the general and indiscriminate retention of data relating to the civil identity of users of electronic communications systems – National measures providing for recourse to an instruction requiring providers of electronic communications services to undertake, for a specified period of time, the expedited retention of traffic and location data – Objective of combating serious crime and preventing serious threats to public security – Permissible – Conditions
(Charter of Fundamental Rights of the European Union, Arts 7, 8, 11 and 52(1); European Parliament and Council Directive 2002/58, as amended by Directive 2009/136, Art. 15(1))
(see paragraphs 51-57, 62-65, 71-74, 83-87, 91-93, 97-101, operative part 1)
2. Approximation of laws – Telecommunications sector – Processing of personal data and the protection of privacy in the electronic communications sector – Directive 2002/58 – Power of Member States to limit the scope of certain rights and obligations – National measures requiring providers of electronic communications services to retain, generally and indiscriminately, traffic and location data – Access of national authorities to retained data for the purpose of criminal investigations – Authorisation of access given by a police officer, assisted by a unit established within the police service which enjoys a degree of autonomy in the exercise of its duties – Access subject to subsequent judicial review – Not permissible
(Charter of Fundamental Rights of the European Union, Arts 7, 8, 11 and 52(1); European Parliament and Council Directive 2002/58, as amended by Directive 2009/136, Art. 15(1))
(see paragraphs 106-112, operative part 2)
3. Approximation of laws – Telecommunications sector – Processing of personal data and the protection of privacy in the electronic communications sector – Directive 2002/58 – Power of Member States to limit the scope of certain rights and obligations – National measures requiring providers of electronic communications services to retain, generally and indiscriminately, traffic and location data – Objective of combating serious crime and preventing serious threats to public security – Not permissible – Declaration of invalidity of national legislation laying down those measures owing to its incompatibility with EU law – No power for the national court to limit the temporal effects of that declaration
(Charter of Fundamental Rights of the European Union, Arts 7, 8, 11 and 52(1); European Parliament and Council Directive 2002/58, as amended by Directive 2009/136, Art. 15(1))
(see paragraphs 118, 119, 122-128, operative part 3)
Résumé
In recent years, the Court of Justice has ruled, in several judgments, on the retention of and access to personal data in the field of electronic communications. (1)
In particular, by two judgments of the Grand Chamber, of 6 October 2020, (2) the Court confirmed its case-law resulting from the judgment in Tele2 Sverige as to the disproportionate nature of the general and indiscriminate retention of traffic and location data. It also clarified inter alia the extent of the powers that the Directive on privacy and electronic communications recognises Member States have in respect of the retention of those data for the purposes of safeguarding of national security and combating crime.
In this case, the request for a preliminary ruling was submitted by the Supreme Court (Ireland) in the context of civil proceedings brought by a person sentenced to life imprisonment for a murder committed in Ireland. That person challenged the compatibility with EU law of certain provisions of national law on the retention of data generated in the context of electronic communications. (3) Pursuant to that law, (4) traffic and location data relating to the telephone calls of the person charged had been retained by providers of electronic communications services and made accessible to the police authorities. The referring court’s doubts related in particular to the compatibility with the Directive on privacy and electronic communications, (5) read in the light of the Charter, (6) of a system of the general and indiscriminate retention of those data, in connection with combating serious crime.
In its judgment, the Court, sitting as the Grand Chamber, confirms, while also providing detail as to its scope, the case-law resulting from the judgment in La Quadrature du Net and Others by recalling that the general and indiscriminate retention of traffic and location data relating to electronic communications is not permitted for the purposes of combating serious crime and preventing serious threats to public security. It also confirms the case-law resulting from the judgment in Prokuratuur (Conditions of access to data relating to electronic communications), (7) in particular as regards the obligation to make access by the competent national authorities to those retained data subject to a prior review carried out either by a court or by an administrative body that is independent in relation to a police officer.
Findings of the Court
The Court holds, in the first place, that the Directive on privacy and electronic communications, read in the light of the Charter, precludes legislative measures which, as a preventive measure, for the purposes of combating serious crime and preventing serious threats to public security, provide for the general and indiscriminate retention of traffic and location data. Having regard, first, to the dissuasive effect on the exercise of the fundamental rights (8) which is liable to result from the retention of those data, and, second, to the seriousness of the interference entailed by such retention, it is necessary for that retention to be the exception and not the rule in the system established by that directive, such that those data should not be retained systematically and continuously. Crime, even particularly serious crime, cannot be treated in the same way as a threat to national security, since to treat those situations in the same way would be likely to create an intermediate category between national security and public security for the purpose of applying to the latter the requirements inherent in the former.
However, the Directive on privacy and electronic communications, read in the light of the Charter, does not preclude legislative measures which provide, for the purposes of safeguarding national security, combating serious crime and preventing serious threats to public security, for the targeted retention of traffic and location data which is limited, on the basis of objective and non-discriminatory factors, according to the categories of persons concerned or using a geographical criterion, for a period that is limited in time to what is strictly necessary, but which may be extended. It adds that such a retention measure covering places or infrastructures that regularly receive a very high volume of visitors, or strategic locations, such as airports, stations, maritime ports or tollbooth areas, may allow the competent authorities to obtain information as to the presence in those places or geographical areas of persons using a means of electronic communication within those areas and to draw conclusions as to their presence and activity in those places or geographical areas for the purposes of combating serious crime. In any event, the fact that it may be difficult to provide a detailed definition of the circumstances and conditions under which targeted retention may be carried out is no reason for the Member States, by turning the exception into a rule, to provide for the general retention of traffic and location data.
That directive, read in the light of the Charter, also does not preclude legislative measures that provide, for the same purposes, for the general and indiscriminate retention of IP addresses assigned to the source of an internet connection for a period that is limited in time to what is strictly necessary, as well as data relating to the civil identity of users of electronic communications systems. As regards that latter aspect, the Court holds more specifically that neither the Directive on privacy and electronic communications nor any other act of EU law precludes national legislation, which has the purpose of combating serious crime, pursuant to which the purchase of a means of electronic communication, such as a pre-paid SIM card, is subject to a check of official documents establishing the purchaser’s identity and the registration, by the seller, of that information, with the seller being required, should the case arise, to give access to that information to the competent national authorities.
The same is the case for legislative measures which allow, also for the purposes of combating serious crime and preventing serious threats to public security, recourse to an instruction requiring providers of electronic communications services by means of a decision of the competent authority that is subject to effective judicial review, to undertake, for a specified period of time, the expedited retention (quick freeze) of traffic and location data in their possession. Only actions to combat serious crime and, a fortiori, to safeguard national security are such as to justify that retention, on the condition that the measure and access to the retained data comply with the limits of what is strictly necessary. The Court recalls that such a retention measure may be extended to traffic and location data relating to persons other than those who are suspected of having planned or committed a serious criminal offence or acts adversely affecting national security, provided that those data can, on the basis of objective and non-discriminatory factors, shed light on such an offence or acts adversely affecting national security, such as data concerning the victim thereof, and his or her social or professional circle.
However, the Court indicates next that all the abovementioned legislative measures must ensure, by means of clear and precise rules, that the retention of data at issue is subject to compliance with the applicable substantive and procedural conditions and that the persons concerned have effective safeguards against risks of abuse. The various measures for the retention of traffic and location data may, at the choice of the national legislature and subject to the limits of what is strictly necessary, be applied concurrently.
In addition, the Court states that to authorise, for the purposes of combating serious crime, access to those data retained generally and indiscriminately in order to address a serious threat to national security would be contrary to the hierarchy of objectives of public interest which may justify a measure taken pursuant to the Directive on privacy and electronic communications. (9) That would be to allow access to be justified for an objective of lesser importance than that which justified its retention, namely the safeguarding of national security, which would risk depriving of any effectiveness the prohibition on a general and indiscriminate retention for the purpose of combating serious crime.
In the second place, the Court holds that the Directive on privacy and electronic communications, read in the light of the Charter, precludes national legislation pursuant to which the centralised processing of requests for access to data retained by providers of electronic communications services, issued by the police in the context of the investigation or prosecution of serious criminal offences, is the responsibility of a police officer, who is assisted by a unit established within the police service which enjoys a degree of autonomy in the exercise of its duties, and whose decisions may subsequently be subject to judicial review. First, such a police officer does not fulfil the requirements of independence and impartiality which must be met by an administrative body carrying out the prior review of requests for access issued by the competent national authorities, as he or she does not have the status of a third party in relation to those authorities. Second, while the decision of that officer may be subject to subsequent judicial review, that review cannot be substituted for a review which is independent and, except in duly justified urgent cases, undertaken beforehand.
In the third place, lastly, the Court confirms its case-law according to which EU law precludes a national court from limiting the temporal effects of a declaration of invalidity which, pursuant to national law, it is bound to make as regards national legislation requiring providers of electronic communications services to retain, generally and indiscriminately, traffic and location data, owing to the incompatibility of that legislation with the Directive on privacy and electronic communications. However, the Court recalls that the admissibility of evidence obtained by means of such retention is, in accordance with the principle of procedural autonomy of the Member States, a matter for national law, subject to compliance, inter alia, with the principles of equivalence and effectiveness.