The Court of Justice of the European Union (CJEU) has recently addressed the issue of the possibility of retaining traffic and location data in two of its decisions. As many people know, personal data is highly protected and can only be retained in specific cases and in a specific way. The question is whether the protection of this data is also a priority in cases where it is needed for the prevention of crime. In this article, we will present the recent CJEU judgments dealing with the above issues, which are also relevant for the Hungarian legislation.
By way of preliminary ruling, national courts may refer to the CJEU a question concerning the interpretation of EU law or the validity of an EU act in the context of a dispute before the national courts.
1. JOINED CASES C-339/20 AND C-397/20 CJEU
1.1 History
In the present case, two persons were prosecuted in France for the offence of insider dealing. They were prosecuted on the basis of information from the French Financial Markets Authority (Autorité des marchés financiers: “AMF“). The information were personal data generated from telephone calls between them and which the AMF obtained from operators providing electronic communications services.
The court, which acted on the appeal of the two persons, made a reference for a preliminary ruling to the CJEU.
In their appeal, they complained that the French legislation authorising operators providing electronic communications services to retain traffic data for a period of 1 year, on a general and indiscriminate basis, for example in order to combat infringements related to insider dealing, and that the AMF was able to require the retained data without restriction, was contrary to EU law, in particular the provisions of the Directive on privacy and electronic communications (“EC Directive”)[i].
1.2 The questions referred for a preliminary ruling
One of the questions during the proceedings was whether the national legislation which provides for the retention of data in a way as defined above was contrary to EU rules.
In the other question, the CJEU examined whether EU law must be interpreted as meaning that a national court may restrict the temporal effects of declaring a national legislation invalid, which is contrary to the provisions of the EC Directive.
1.3 Decision of the CJEU
The CJEU held in its judgment that the national legislation in question, since it allows operators providing electronic communications services to retain the traffic data of all their users with no differentiation in that regard or with no provision made for exceptions and without establishing the link required between the data to be retained and the objective pursued, falls outside of what is strictly necessary and cannot be considered to be justified, in a democratic society.
The CJEU reaffirmed its previous practice[ii] and held that the referring court cannot suspend the effects of a declaration of invalidity but can only be authorised by the CJEU in exceptional cases, on the basis of overriding considerations of legal certainty.
Thus, the national criminal court is obliged to disregard information and evidence obtained by means of the general and indiscriminate retention of traffic and location data in breach of EU law.
2. JOINED CASES C-793/19 AND C-794/19 CJEU
2.1 History
Internet and telephone service providers brought this case to the German courts, since they challenged the national legislation under which operators must retain traffic and location data relating to their customers’ communications in a general and indiscriminate manner for a certain period of time (four/ten weeks).
Although national legislation imposed a retention obligation on a wide range of users, without much justification, it did set a relatively short retention period, thereby reducing the possibility of drawing very precise conclusions based on the data and paying attention to effective legal protection against abuse and any unlawful access.
In its referred question the national court would like to know whether the national legislation could be regarded as contrary to EU law, even in the light of the above.
2.2 Decision of the CJEU
The CJEU stipulated that very precise conclusions can be drawn concerning the private lives of the persons whose data have been retained on the basis of the retention of data as defined in national rules, taking into account its duration and the categories of data retained.
Based on its practice[iii], the CJEU found that national legislation requiring the general and indiscriminate retention of traffic and location data on the grounds of combating serious crime or preventing serious threats to public security was contrary to EU law.
However, the CJEU explained that it does not conflict with national legislation for the above purposes, if the retention of data at issue is subject to compliance with the applicable substantive and procedural conditions and that the persons concerned have effective safeguards against the risks of abuse.
Furthermore, it is necessary that data should be retained only for an appropriate period of time, in the event of a real threat to national security identified by an appropriate authority, in respect of specific data, on a purpose-bound basis and in a non-discriminatory manner.
3. THE HUNGARIAN LEGISLATION
The above concerns also arise in connection with the Hungarian legislation, since the EC[iv] stipulates an insufficiently differentiated and long-term data retention obligation to the electronic communications networks.
Therefore, the Hungarian legislation is considered to be contrary not only to EU rules, but also, for example, to the practice of the Hungarian Constitutional Court, since it does not meet the requirement of purpose limitation.
In 2014, the National Authority for Data Protection and Freedom of Information expressed its doubts in its resolution[v] and expressed the need to revise the provisions of not only the EC, but also other legislation.
4. SUMMARY
With these decisions, the CJEU confirmed its previous practice that the general and indiscriminate retention of traffic and location data is contrary to EU law, even if the retention is carried out in order to prevent serious criminal offences.
However, in exceptional cases, in strict respect of the principle of proportionality, it may be required to retain specific data in a targeted way and/or for a short period of time for the purpose of combating serious crime.
As the problems examined in the present decisions also arise in connection with the Hungarian legislation, the legislative revision, which has been mentioned since 2014, is becoming increasingly urgent, since the CJEU increasingly finds national rules similar to the Hungarian legislation to be contrary to EU law.
[i] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector
[ii] Case C‑140/20
[iii] Case C-293/12 and C-594/12
[iv] section 159/A of act C of 2003 on electronic communications
[v] NAIH-1410-4/2014