The Court of Justice ruled that the imposition of a general and undifferentiated obligation to retain telecommunications data by telecommunication operators is incompatible with the EU law. Member States will have to adapt national legislation to the provisions of the Community. Retention and storage of such data should be an exception, rather than a rule, and its scope and duration of retention should not exceed an absolute necessity.
On December 21st, 2016, the European Court of Justice issued a judgement in which it stated that Member States may not impose on telecom operators a general obligation to retain data and, therefore, that the provisions of national law providing generalized and undifferentiated data retention is incompatible with EU law.
Invalidity with consequences
The judgement in combined cases C-203/15 Tele2 Sverige AB/ Post-ochtelestyrelsen and C-698/15 Secretary of State for the Home Department/Tom Watson and others is related indirectly to the earlier judgement of the Court of April 8th, 2014, in Digital Rights Ireland and others case, Ref. No. C-293/12 and C-594/12). The ECJ found in it that the Directive 2006/24/EC of the European Parliament and of the Council of March 15th, 2006, (the so-called “Retention Directive”) is incompatible with the Charter of Fundamental Rights. In relation to the recognition of the retention directive as invalid, there were doubts about national rules which implemented its provisions. In the case of Poland, it means the provisions of the act of July 16th, 2004 – the Telecommunications Law. Deeming the retention directive as invalid did not result in an automatic loss of power of the national provisions concerning the retention of data, however, it was the reason for contesting national rules related to the retention of telecommunications data. The present Judgement of the Court is the result of just such cases, initiated simultaneously in Sweden and the UK.
The essence of the processed cases was to determine whether the Member States may require telecommunications service providers to retain telecommunications data (data retention) on a large scale, or whether such an obligation is incompatible with the Charter of Fundamental Rights and to answer the question whether there are cases that justify the retention of such data, and if so, what measures should accompany it in order to avoid infringement of the rights of citizens.
Retention (only) in justified cases
The judgement settles the matter clearly – generalized and undifferentiated data retention of traffic and location is incompatible with the European Union law.
In the substantiation of the decision the Court pointed out the provisions allowing retention of telecommunications data on a large scale allows to draw very specific conclusions about the private life of individuals whose data has been retained, and the fact that users of electronic communications services do not know these data are retained may give rise to the impression their private life is subject to constant supervision. According to the Court, such interference may be justified only by combating serious crime.
The Court therefore granted the Member States the right to provide individual data retention laws by way of prevention, but only in order to combat serious crime or the prevention of serious threats to public safety. And only on condition such retention will not go beyond the absolute necessity and the provisions adopted in this regard will be clear and detailed and will provide sufficient safeguards to protect the data against the risk of their abuse.
Freedom and protection of data
As regards the access by relevant national authorities to the retained data, the Court found the rules governing these issues should be based on objective criteria which would the determination of the circumstances and the conditions for granting access to the data to the competent national authorities. The Court also concluded access to stored data, except in urgent cases, should be subject to prior scrutiny by a court or other independent body and the competent national authorities, who have been granted access to the retained data, and that they should inform the persons concerned. In addition, the national legislation should lay down an obligation to retain them within the Union, and an obligation of irreversible deletion after that period.
For observers and experts in European law and jurisprudence, the Court’s judgement is not surprising. It fits in the course chosen by the Union – a right one, in my opinion – towards the protection of personal data and liberties of EU citizens. However, in the view of a growing sense of threat of terrorist attacks, or uncertain political situations in some Member States, there may be voices that the judgement makes it difficult to take effective actions by the national authorities to combat terrorist or criminal activities.
What about Poland? Will we have to amend out legislation after the judgement? Everything seems to indicate so.
Statutory general renovation
First of all, the provisions of the Act of July 16th, 2004, the Telecommunications Law, should be changed in respect of the provisions providing for mandatory retention of telecommunication data of a general nature. In particular, article 180a paragraph 1 of the Telecommunications Law, the provisions of which must now be understood as a manifestation of a general and indiscriminate data retention – this one was recognized by the Court as incompatible with the European law. These provisions provide for an obligation of the retention and storage of traffic data and location data for 12 months.
According to the findings of the Court, the change in the telecommunications law should consist of transforming the general obligation to store telecommunications data to an individual and specific obligation, used only to combat crime.
The legislature will also have to verify a series of laws governing access to the retained data by relevant departments responsible for security. For example, the Law on the Police provides for access to the retained data in order to prevent or detect crime, but also “in order to save human life or health, or to support search or rescue operations.”
In this case, it should be emphasized that the Court provided for the possibility of access to such data, provided it will be implemented on the basis of objective criteria and will be limited by the purpose, i.e. the fight against serious crime. This access should take place within the framework of appropriate and reliable procedures, in particular the obligation to provide for prior permission of the competent court or other independent state authority. Therefore, in this case it means the need to adapt the current provisions to the above mentioned requirements.
The Ombudsman, the Police and compliance
To sum up: Member States will be obliged to adopt legislation in accordance with the above mentioned decision or to adapt its existing legislation to it. In the case of Poland it means the need to change the general requirement of data retention to an individual one, carried out only and exclusively for the purpose of combating serious crime. Retention of such data should be an exception, rather than a rule, and the scope of data or the retention period should not go beyond what is absolutely necessary to combat crime.
Soon we’ll find out about how the Court’s ruling will be applied in practice. On the 10th of February, 2016, Adam Bodnar, the Ombudsman submitted to the Constitutional Court a proposal for the amendment of the Act on Police, in which he asked to examine the compatibility of the rules governing the use of operational control and wiretaps, gathering telecommunication, postal and Internet data with the Polish Constitution, the Convention for the Protection of Human Rights and Fundamental Freedoms and the Charter of Fundamental Rights of the European Union.
The question whether the Constitutional Court, recognizing the request of the Ombudsman, will be based on the commented Court judgement remains open.