A general obligation to retain data may be compatible with EU law, but strict requirements must be satisfied, according to an advocate general of the European Union Court of Justice.
Advocate General Henrik Saugmandsgaard Øe's opinion, delivered today, covers two cases, one of them the action brought by MPs Tom Watson, David Davis and others against rules in the UK's Data Retention and Investigatory Powers Act 2014, with associated regulations and a code of practice, that authorise the Home Secretary to require public telecommunications operators to retain all communications data – excluding the content of the communications – for up to 12 months. The other case concerned a Swedish law requiring providers of electronic communication services to retain certain personal data of their subscribers.
The Administrative Court of Appeal in Stockholm and the Court of Appeal in London each asked the CJEU for a preliminary ruling on whether a general obligation to retain data is compatible with EU law, in particular the Directive on Privacy and Electronic Communications and certain provisions of the EU Charter of Fundamental Rights.
Mr Øe noted that the data concerned made it possible to identify and locate the source and the destination of the information, data relating to the date, time and duration of communication and data identifying the type of each communication and the type of equipment used.
His opinion, which is likely to be followed by the court, states that a general obligation to retain data may be compatible with EU law, but action by member states pursuant to such an obligation must satisfy strict requirements – it being for the national courts to decide whether those requirements are satisfied.
First, the general obligation, and accompanying guarantees, must be laid down by legislative or regulatory measures possessing the characteristics of accessibility, foreseeability and adequate protection against arbitrary interference.
Secondly, the obligation must respect the essence of the right to respect for private life and the right to the protection of personal data laid down by the Charter.
Thirdly, EU law requires that any interference with the fundamental rights should be in the pursuit of an objective in the general interest. The advocate general considers that only the fight against "serious crime" is an objective capable of justifying a general obligation to retain data – combating ordinary offences and the smooth conduct of proceedings other than criminal proceedings are not.
Fourthly, the general obligation to retain data "must be strictly necessary to the fight against serious crime", which means that no other measure or combination of measures could be as effective while at the same time interfering to a lesser extent with fundamental rights. It must also respect the conditions set out in the judgment in the 2014 Digital Rights Ireland case as regards access to the data, the period of retention and the protection and security of the data, in order to limit the interference with the fundamental rights to what is strictly necessary.
Finally, the general obligation to retain data must be proportionate, within a democratic society, to the objective of the fight against serious crime, which means that "the serious risks engendered by that obligation within a democratic society must not be disproportionate to the advantages it offers in the fight against serious crime".
