2. EU legal background

Use of electronic communication networks and services is protected by fundamental rights, notably the universal rights to privacy (private communication), data protection, and freedom of speech (particularly aspects concerning risk of chilling effect and protection of journalistic sources). To ensure the effectiveness of these rights in the context of electronic communication, the e-Privacy Directive (2002/58/EC) lays down an obligation to ensure that national legislation provides for a duty of confidentiality of e-com providers (“providers”) (Article 5), as well as an obligation to delete or anonymize traffic data once the data are “no longer necessary for the purpose of the transmission of a communication” (Article 6(1)). Exception is made for a limited period with respect to data necessary for “subscriber billing” and “interconnection payments” (Article 6(2)).

Data storage could also be permitted by consent from the subscriber. This alternative is of little relevance in the context of crime prevention and investigation, and not considered here.

Pursuant to Article 9 “location data other than traffic data” may be processed only when made anonymous.

Pursuant to the Directive Article 15, national law may restrict the scope of these provisions, provided the restriction is,

a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e., State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system, as referred to in Article 13(1) of Directive 95/46/EC. To this end, Member States may, inter alia, adopt legislative measures providing for the retention of data for a limited period justified on the grounds laid down in this paragraph.

Data generated by use of electronic communications services are important to the police in their crime countering operations. In the pre-digital age telecom providers often stored such data and the police could access them under legal powers of seizure or production order. To ensure that traffic and location data would be available to the police also after the e-Privacy Directive, some countries (referring to Article 15), imposed an obligation on providers to retain data related to use of their services. Noticing that differences between national regulations hampered the internal marked, the EU reacted by enacting the Data Retention Directive (2006/24/EC) (“DRD”),

DRD recital 5 and 6.

which aimed to harmonize data retention rules across the Member States and EEC-countries. DRD acknowledged that such data are important to the prevention, detection, investigation, and prosecution of crime,

DRD recital 7 to 9.

and compelled Member States to impose a legal obligation on providers to retain metadata for a period of minimum six months and maximum two years. The data was to be made available to the police for the purpose of combating serious crime.

In 2014, in the case Digital Rights Ireland,

Judgment 8 April 2014; joined cases C-293/12 and C-594/12.

DRD was voided by the European Court of Justice, as incompatible with the fundamental rights to privacy and data protection laid down in the EU Charter of Fundamental Rights (2012/C 326/02) Articles 7 and 8.

The claim that DRD was also incompatible with the right to freedom of speech, was not considered as the Court had concluded already with a violation of privacy and data protection (ibid., para. 70).

Since 2014, the Court has further developed its jurisprudence on the matter, indicating that there is some scope for data retention. To analyse this case-law is out of scope of this study.