(Jan. 19, 2017) On December 21, 2016, the European Court of Justice (ECJ) delivered a judgment striking down Sweden’s Data Retention Act as inconsistent with provisions of the Charter of Fundamental Rights of the European Union. (Joined Cases C-203/15 & C-698/15, Tele 2, Sverige AB v Post-och Telestyrelsen and Secretary of State for the Home Department v. Watson, Brice, and Lewis (Dec. 21, 2016), CURIA.)
Fifteen EU Member States (including Sweden and the United Kingdom) as well as the European Commission submitted materials to the ECJ for consideration in the cases. (Id.) A number of Member States of the European Union have amended their data retention laws following the ECJ’s 2014 landmark decision Digital Rights Ireland (C-293/12 and C-594/12). (The Data Retention Saga Continues: European Court of Justice and EU Member States Scrutinize National Data Retention Laws, JONES DAY (Aug. 11, 2016); Joined Cases C-293/12 & C-594/12, Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources (Apr. 8, 2014), CURIA; Theresa Papademetriou, Court of Justice of the European Union: Data Retention Directive Held Invalid, GLOBAL LEGAL MONITOR (May 21, 2014).)
Background
In 2003, the Swedish Parliament adopted a Data Retention Act requiring Swedish telecom and Internet providers to collect and retain metadata on the calls and other communications of their customers, including the time, location, and duration of the communications, for six months. (16a, 16d§§ Lagen om elektronisk kommunikation (LEK) (Datalagringslagen) [Data Retention Act] (Svensk författningssamling [SFS] 2003:389), LAGEN.NU.) Even after the ECJ declared, in its decision on Digital Rights Ireland, that the Data Retention Directive 2006/24/EC infringed privacy rights, a Stockholm Administrative District Court upheld the country’s Data Retention Act, arguing that the Swedish law was more well-defined than the Directive had been. (Elin Hofverberg, Sweden: Internet Service Provider Appeals Data Retention Obligation, GLOBAL LEGAL MONITOR (Nov. 7, 2014).) However, the Swedish Internet service provider Tele 2 stopped collecting data on its customers and appealed the district administrative court’s decision to Sweden’s Administrative Court of Appeal. (Id.; Administrative District Court Stockholm, Case No. 14891-14 (Oct. 13, 2014) (in Swedish) (on file with author).)
The Administrative Court of Appeal referred the case to the ECJ with the following questions:
- Is a general obligation to retain traffic data covering all persons, all means of electronic communication and all traffic data without any distinctions, limitations or exceptions for the purpose of combating crime … compatible with Article 15(1) of Directive 2002/58/EC, taking account of Articles 7 and 8 and Article 52(1) of the Charter? (ECJ ¶ 51.)
- [W]hether Article 15(1) of Directive 2002/58, read in the light of Articles 7, 8 and Article 52(1) of the Charter, must be interpreted as precluding national legislation governing the protection and security of traffic and location data, and more particularly, the access of the competent national authorities to retained data, where that legislation does not restrict that access solely to the objective of fighting serious crime, where that access is not subject to prior review by a court or an independent administrative authority, and where there is no requirement that the data concerned should be retained within the European Union. (Id. ¶ 114.)
European Court of Justice Findings
The ECJ Grand Chamber heard the joined cases C-203/15 and C-698/15 as part of a preliminary ruling request from the Administrative Court of Appeal in Stockholm and the Court of Appeal (England & Wales) (Civil Division). (Id. ¶ 1.) The ECJ found that in addition to possibly violating articles 7 (privacy) and 8 (protection of personal data) of the Charter of Fundamental Rights of the European Union, the Swedish law also raised questions regarding a possible violation of article 11 (freedom of expression) of the Charter. (Id. ¶ 92.) In its December 21, 2016, judgment, the Court found that requiring data retention by service providers may only be allowed when it constitutes a “necessary, appropriate and proportionate measure within a democratic society” and only when retained “for a limited period” and justified by the objectives listed in article 15(1) of Directive 2002/58 on Privacy and electronic communications. (Id. ¶ 95; Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (Directive on Privacy and Electronic Communications), EUR-LEX; Charter of Fundamental Rights of the European Union, 2012/C 326/02, 2012 OJ (C 326) 391, EUR-LEX.)
The ECJ further found that the information collected by Swedish service providers enabled intimate details to be inferred about a person’s “everyday habits, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them” (id. ¶ 99) and could ultimately make the person affected “feel that [his/her] private [life is] the subject of constant surveillance” (id. ¶ 100).
The Court went on to argue that although the law does not directly adversely affect the content of communications (as it only recorded metadata), “the retention of traffic and location data could nonetheless have an effect on the use of means of electronic communication, and, consequently, on the exercise by the users thereof of their freedom of expression, guaranteed in Article 11 of the Fundamental Rights Charter.” (Id. ¶ 101.) Moreover, in answering the second question quoted above, regarding when data retention is permissible, the ECJ found that the data retained can only be accessed with the “objective of fighting serious crimes” (id. ¶ 115) or if “vital national security, defence or public security” is at stake (id. ¶¶ 119 & 125). In addition, such access requires prior judicial review, and the collected information must be stored within the European Union. (Id. ¶ 125.)
Finally, the ECJ concluded that the Charter of Fundamental Rights precluded the adoption and enforcement of such laws as the Swedish Data Retention Act as it “provide[d] for general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication.” (Id. ¶ 134 (1).) However, according to the ECJ, the EU Member States are still allowed to adopt laws that retain traffic and location data as long as the purpose of the legislation is to fight serious crimes, and all “retention of the data is limited, with respect to the categories of data to be retained, the means of communication affected, the persons concerned and the retention period adopted, to what is strictly necessary.” (Id. ¶ 108.) Such categories need to be defined based on objective evidence, according to the Court; for example, the identification of specified geographical areas that are at high risk of being breeding grounds for the preparation of serious crimes. (Id. ¶ 111.)