Sweden

Court of Justice of the European Union: Tele2 Sverige AB v Post-ochtelestyrelsen

IRIS 2017-2:1/3

Svetlana Yakovleva

Institute for Information Law (IViR), University of Amsterdam & De Brauw, Blackstone, Westbroek

On 21 December 2016, the Court of Justice of the European Union (CJEU) delivered a judgment in joined cases Tele2 Sverige AB v. Post-och telestyrelsen and Secretary of State for the Home Department v. Tom Watson and Others (Cases C-203/15 and C-698/15). This judgment concerns the interpretation of Article 15(1) of the e-Privacy Directive (2002/58/EC) (see IRIS 2002-7/10) in light of Articles 7 (respect for private life) and 8 (protection of personal data) of the Charter of Fundamental Rights of the European Union (the Charter).

The judgment addresses two requests for a preliminary ruling from the Swedish Administrative Court of Appeal (Kammarrätten i Stockholm) and the Court of Appeal of England and Wales following the invalidation of the Data Retention Directive (2006/24/EC) by CJEU in the Digital Rights Ireland case (C-293/12). In the latter judgment, the CJEU held that the general obligation to retain traffic data and location data that member States could impose on the public telecommunications and network services providers under the Data Retention Directive constituted a serious interference with the fundamental rights laid down in Articles 7 and 8 of the Charter. This interference was not limited to what was strictly necessary and, therefore, could not be justified under Article 52(1) of the Charter on the limitation of rights.

The requests for a preliminary ruling concerned national legislation of Sweden, and England and Wales that transposed the invalidated Data Retention Directive. Similar to the invalidated Directive, this legislation contained general obligations for electronic communications service providers to retain data, pertaining to those communications, and allowed access by competent authorities to the retained data. The courts essentially asked whether such legislation could be justified under Article 15 of the e-Privacy Directive that allows member States to introduce exceptions to the principles of confidentiality of personal data and corresponding obligations referred to in articles 6 (traffic data), 8 (calling identification) and 9 (location data).

Relying on its settled case law and, specifically on the judgment in Digital Rights Ireland, the CJEU held that Article 15 of the e-Privacy Directive does not justify national legislation that requires general and indiscriminate retention of all traffic and location data of all subscribers and registered users with respect to all means of electronic communications, even with the purpose of fighting crime. The CJEU also clarified that this Article, read in the light of Articles 7, 8, 11 and Article 52(1) of the Charter, could, however, justify national legislation that requires “as a preventive measure, the targeted retention of traffic and location data, for the purpose of fighting serious crime, provided that the retention of data is limited, with respect to the categories of data to be retained, the means of communication affected, the persons concerned and the retention period adopted, to what is strictly necessary.” To meet the necessity test, such legislation must first “lay down clear and precise rules governing the scope and application of such a data retention measure and impose minimum safeguards.” Secondly, such legislation must “meet objective criteria that establish a connection between the data to be retained and the objective pursued.” In addition, such a connection must be based on “objective evidence.”

The CJEU also ruled that Article 15 of the e-Privacy Directive equally precludes national legislation from granting the competent national authorities access to retained data, unless such legislation pursues the objective proportionate to the seriousness of the interference in fundamental rights entailed by such access, and that such access is “limited to what is strictly necessary.” The CJEU underscored that in the area of the prevention, investigation, detection and prosecution of criminal offences, only the objective of fighting serious crime meets the proportionality test. In order to meet the necessity requirement, the national legislation must lay down “the substantive and procedural conditions governing the access of the competent national authorities to the retained data.” In particular, “access of the competent national authorities to retained data should, as a general rule … be subject to a prior review carried out either by a court or by an independent administrative body.” Furthermore, the national legislation must require that the data is within the European Union and is subject to irreversible destruction at the end of the data retention period.

In conclusion, it should be noted that the CJEU judgment only gives an interpretation of the relevant EU law. It is for the referring courts to determine whether, and to what extent the national legislation concerned meets the requirements stemming from Article 15 of the e-Privacy Directives, as interpreted by the CJEU in the light of the Charter.