EU High Court Tightens Screws on States’ Data-Retention Laws

(CN) – Europe’s highest court on Wednesday continued to chip away at member states’ orders to retain citizens’ personal data, ruling that laws in Sweden and Britain requiring telecoms to retain subscriber data indiscriminately are unconstitutional.

Following the European Court of Justice’s landmark 2014 ruling in Digital Rights Ireland – which struck down EU laws requiring telephone and electronic communications providers to collect and retain subscribers’ traffic and location data – Swedish telecommunications company Tele2 Sverige told authorities it would no longer comply with data-retention laws and intended to erase the data it had on file.

Meanwhile, three British citizens challenged the United Kingdom’s data-retention requirements in light of the Digital Rights Ireland ruling. Both the British and Swedish courts handling the challenges asked the EU high court to weigh in once again on whether national laws requiring data retention for purposes other than fighting serious crime are constitutional.

Not surprisingly, the Luxembourg-based high court said they are not.

“EU law precludes national legislation that prescribes general and indiscriminate retention of data,” the court wrote.

And while the justices acknowledged that EU law also allows member states to legislate derogations from the guarantee of confidentiality of communications, the reasons for doing so must pertain solely to national security – and the list of reasons is exhaustive, the court ruled.

“Given the seriousness of the interference in the fundamental rights concerned represented by national legislation which, for the purpose of fighting crime, provides for the retention of traffic and location data, only the objective of fighting serious crime is capable of justifying such a measure,” the court wrote.

And because both Sweden and Britain’s data-retention requirements do not require tying data retention to public security, “national legislation such as that at issue in the main proceedings therefore exceeds the limits of what is strictly necessary and cannot be considered to be justified within a democratic society,” the court said.

However, the high court noted that EU law allows for national legislation for targeted retention of data provided it’s used to fight serious crime, limited to what is strictly necessary, respects citizens’ right to privacy and based on objective evidence. And national authorities must have clear guidelines on when and how they can access retained data, the court said.

“It is essential that access to retained data should, except in cases of urgency, be subject to prior review carried out either by a court or by an independent administrative body,” the court ruled.