August 2, 2017
by Teresa Alegra Quintel
[Joined cases C-203/15 Tele2 Sverige AB v Post-och telestyrelsen and C-698/15 Secretary of State for the Home Department v Tom Watson & Others]
In joined cases C-203/15 and C-698/15, Tele2 Sverige AB (C-203/15) and Watson (C-698/15), the CJEU set clear limits for the derogations under Article 15(1) of Directive 2002/58 (“e-Privacy Directive”), which had, after the invalidation of Directive 2006/24/EC (“Data Retention Directive”) in Digital Rights Ireland, been used to maintain national laws governing bulk data retention. Some Member States had retained the national retention frameworks that had been implemented under the Data Retention Directive, alleging that these would concern matters of national security and therefore fall outside the scope of EU Law. On the basis of the invalidated Data Retention Directive, the Swedish telecommunications provider Tele2 Sverige declared they would no longer store the data of their customers as required by the Swedish implementing legislation; in the United Kingdom, several complaints were lodged seeking the review of the UK’s Data Retention and Investigatory Powers Act.
On 21 December 2016, the Grand Chamber handed down its eagerly anticipated Post-och Telestyrelsen and Watson judgment, following the request for a preliminary ruling from Sweden and the United Kingdom. The questions referred to the Court sought to clarify whether the derogations under Article 15(1) of Directive 2002/58, read in the light of Articles 7 and 8 of the EU Charter, would allow for the general and indiscriminate retention of metadata for the purpose of fighting crime [para. 62]. Furthermore, the UK Court of Appeal sought to ascertain whether the Digital Rights Ireland judgment would lay down mandatory requirements of EU Law applicable to a Member State’s domestic regime governing law enforcement access to retained data [para. 59].
While AG Saugmandsgaard Øe found that general data retention for the purpose of fighting serious crime “may be compatible with EU Law [if it is] subject to compliance with strict requirements“[para. 116 of the AG Opinion], the CJEU held that EU law, and, in particular, the EU Charter, precludes the general and indiscriminate retention of metadata from all subscribers of telecommunications services [para. 125].
In its answer to the first question, the CJEU, other than the AG, provided a throughout analysis of the e-Privacy Directive’s structure to assess whether general data retention obligations would fall within the scope of EU Law. The Court, in order to examine the applicability of EU Law, first looked at the architecture of the e-Privacy Directive and distinguished between Article 1(3), activities falling outside the scope of the directive and Article 15(1), derogations from data subjects’ rights. The CJEU admitted that the objectives pursued in those two articles would overlap substantially [para. 72], but that Article 15 would presuppose the applicability of EU Law, as otherwise that article would be deprived of any purpose [para. 73]. The CJEU emphasized that the laws introduced under Article 15(1) of the e-Privacy Directive would therefore not fall outside the scope of EU data protection law, but were covered by the protection of both the e-Privacy Directive and the EU Charter. The Court further held that access to retained data by competent authorities would fall within the scope of that directive too [para. 77], and that consequently both retention and access to data, would only be acceptable on the basis that they are “appropriate”, “limited to what is strictly necessary” and “proportionate within a democratic society” [para. 95, 109]. If the exception in Article 15(1) e-Privacy Directive would become a general rule, then Article 5 of that directive (right to confidentiality of communications) would become meaningless [para. 89].
The CJEU unequivocally held that access to retained data by competent national authorities would presuppose prior review by either a court or an independent authority and that, for the sake of inspection and data security, retained data must be stored within the territory of the European Union [para. 114].
Furthermore, competent national authorities to whom access to the retained data had been granted, were obliged to notify the data subjects concerned of the interference with their rights as soon as such notification would no longer jeopardize the investigations. Referring to its judgment in Digital Rights Ireland, the Court made clear that “the retention of traffic and location data could […] have an effect on the use of means of electronic communications” [para. 101], as it might give an impression of “constant surveillance” for the data subjects concerned, and could affect their way of communication (Article 11 of the EU Charter) [paras. 100,101, 107].
The Court essentially followed its reasoning in earlier judgments, emphasizing the negative impact that the general retention of and the unauthorized access to personal data might entail for individuals. The CJEU required data retention to be targeted and based on the objective evidence of serious crime in order to access by law enforcement authorities (“LEAs”). As reference for such targeted retention, Member States could use a “geographical criterion” such as an area where there exists a “high risk of preparation for or commission of” [criminal offences] [para. 111].
The national legislation schemes at issue before the Court therefore exceeded the limits of what is strictly necessary and could not be justified within a democratic society read in the light of Articles 7, 8, 11 and 52(1) of the Charter [para. 107].
While from a data protection point of view the Tele2 judgment may be regarded as yet another confirmation that general data retention schemes dismantle fundamental rights and pose a significant threat to the privacy of individuals, from a law enforcement point of view, the judgment allegedly obstructs the possibility to establish clear relationships between suspects and blocks means to “dig into the past” once a crime has been perpetrated.
The judgment seeks to reverse the famous chase “for a needle in a haystack” back to an investigative search, where a suspicion must be well-founded before data may be retained. Moreover, procedural safeguards and oversight mechanisms must guarantee that data of innocent and unsuspicious persons will be retained to the least amount possible in order to avoid a general feeling of constant surveillance.
With Tele2, the CJEU thus continued the data protection and privacy friendly case-law that it had established in previous judgments and limited the possibility for Member States to derogate from the principle of confidentiality of communications for national security purposes. Referring to two recent ECtHR cases concerning mass surveillance, the CJEU confirmed that it will only accept a strict interpretation of the minimum standards concerning general data retention and mass surveillance set by both courts.
However, the Court left a potential loophole that might be exploited by law enforcement authorities: with the geographical criterion, the Court seems to render national LEAs a certain margin of discretion when determining the area in which data may be retained. Yet, national courts will have to assess the proportionality of requests for targeted retention and will (hopefully) be able to determine appropriate geographical limits. This might, however, lead to disparities among the Member States.
In the near future, the e-Privacy Regulation, as lex specialis to the General Data Protection Regulation, will repeal the e-Privacy Directive and, due to a broadened scope, also be applicable to so-called Over-The-Top (“OTT”) service providers. The proposal does not include any specific provisions in the field of data retention and Member States are therefore free to maintain or establish national data retention frameworks that provide for targeted retention measures as stipulated by the Tele2 judgment. As the judgment blocked the creation of a legal basis to retain data on a general scale, it is highly doubtful that such a legal basis could be established by either the e-Privacy Regulation itself or by the national laws in the Member States. The e-Privacy Regulation will certainly change the work of law enforcement authorities, as the Tele2 judgment will then also affect OTT-services providers and metadata will probably be less available for LEAs as is currently the case.
As has been shown by recent terrorist attacks in countries where data was retained on a general basis, these incidents could not be prevented although the perpetrators were known to the law enforcement and security agencies beforehand. One could therefore ask the question whether it would have been advisable to allocate the resources in surveilling those that are knowingly dangerous instead of “wasting” them by storing the data of an entire population on a “just in case” basis.
Whether a public that commonly chooses convenience over data protection and is willing to give up (parts of) their privacy for (alleged) security will acknowledge the importance of the Tele2 judgment remains to be seen.
As emphasized by the AG, the risks associated with access to communications data may be as great or even greater than those arising from access to the content of communications, since metadata, by means of automated processing, “can facilitate the almost instantaneous cataloguing of entire populations, something which the content of communications does not” [para. 259].
 Joined Cases C 203/15 and C 698/15, Tele2 Sverige AB (C 203/15) and Watson (C 698/15), ECLI:EU:C:2016:970, 21 December 2016.
 Joined Cases C 293/12 and C 594/12, Digital Rights Ireland Ltd (C 293/12) and Seitlinger (C 594/12), ECLI:EU:C:2014:238, 8 April 2014. For an in-depth analysis of the Digital Rights Ireland judgment see: Franziska Boehm and Mark D. Cole: Data Retention after the Judgement of the Court of Justice of the European Union. Study for the Greens/EFA Group in the European Parliament. Münster/Luxembourg, 30 June 2014.
 Opinion of Advocate General Saugmandsgaard Øe delivered on 19 July 2016 in Joined Cases C‑203/15 and C‑698/15 Tele2 Sverige AB v Post- och telestyrelsen and Secretary of State for the Home Department v Tom Watson, Peter Brice, Geoffrey Lewis  ECLI:572.
 „CJEU Opposes General Data Retention Regime (Case Tele 2 Sverige)“, in: eucrim The European Criminal Law Associations’ Forum, 2016/04.P. 164.
 Roman Zakharov v Russia App no 47143/06 (ECtHR, 4 December 2015) and Szabó and Vissy v Hungary App no 37138/14 (ECtHR, 12 January 2016).
 For an in-depth analysis, please see: Mark D. Cole and Annelies Vandendriessche, “Case Note: From Digital Rights Ireland and Schrems in Luxembourg to Zakharov and Szabó/Vissy in Strasbourg: What the ECtHR Made of the Deep Pass by the CJEU in the Recent Cases on Mass Surveillance Roman Zakharov v Russia (Appno47143/06) and Szabó andVissy v Hungary (Appno.37138/14),” European Data Protection Law Review, Volume 2, Number 1 (Brussels, Berlin, n.d.).
 European Commission: Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications). COM (2017) 10 final, Brussels, 10.1.2017. P.3.
 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, OJ L 119/1. (“General Data Protection Regulation”, “GDPR”).
 Over-the-top content (OTT) is the delivery of audio, video, and other media over the Internet without the involvement of a multiple-system operator in the control or distribution of the content.
Examples of OTT Services include chat applications (WhatsApp, WeChat, Facebook Messenger); Streaming video services (Netflix, Amazon Prime, YouTube); Voice Calling and Video chatting services (e.g. Skype, Facetime).
OTT service providers rely on IP based networks to reach customers.
 Terrorist attack in Berlin on 19 December 2016, attack on the Champs-Élyées in Paris on 20 April 2017, attack in Manchester Arena on 22 May 2017, and attack in London on 04 June 2017.
 Ian Cobain et al., “Salman Ramadan Abedi Named by Police as Manchester Arena Attacker,” The Guardian, May 23, 2017, sec. UK news, http://www.theguardian.com/uk-news/2017/may/23/manchester-arena-attacker-named-salman-abedi-suicide-attack-ariana-grande. “Champs-Élysées Attacker Was Known to French Police,” France 24, April 21, 2017, http://www.france24.com/en/20170421-france-paris-champs-elysees-attacker-chelles-known-police.“Mutmaßlicher Attentäter Amri: Der meistgesuchte Mann Europas,” Frankfurter Allgemeine Zeitung, December 22, 2016, http://www.faz.net/aktuell/politik/anschlag-in-berlin/nach-anschlag-in-berlin-anis-amri-war-der-polizei-bekannt-14587195.html. (Note that there was no general data retention regime in place in Germany at that time).RSI Blog