
Decoding EU Data Retention #4: Data Retention vs. GDPR - Squaring the Circle

  • Writer: Tina Rosén
  • Apr 30

PART 4.



In the previous posts of our series, we've explored how the Court of Justice of the European Union (CJEU) has reshaped the rules around retaining communications data, moving away from blanket retention towards more targeted approaches with specific exceptions. But how do these data retention mandates, permitted under the ePrivacy Directive's exceptions, interact with the overarching data protection framework in the EU – the General Data Protection Regulation (GDPR)?


The short answer: They must coexist, and compliance with both is mandatory. Retained communications metadata (like call logs, location info, IP addresses) is undeniably personal data. Therefore, any national law requiring Telcos to retain this data must not only meet the strict criteria set by the CJEU under the ePrivacy Directive and the EU Charter of Fundamental Rights, but the processing itself must also adhere to the core principles of the GDPR.   


Let's break down how key GDPR principles apply.



Lawfulness, fairness, and transparency


Processing must have a valid legal basis and be fair and transparent to the individual.


The national law mandating data retention usually serves as the legal basis under GDPR Article 6 (legal obligation or public interest task). However, this only holds if the national law itself is valid under EU law – meaning it must comply with the strict necessity and proportionality tests set by the CJEU for data retention.

An unlawful national retention law cannot provide a lawful basis for processing under GDPR. Transparency remains challenging, as individuals are often not informed about retention for security purposes.   



Purpose limitation


Data must be collected for specified, explicit, and legitimate purposes and not further processed.


This aligns perfectly with the CJEU's insistence that retained data can only be accessed for specific, serious purposes (like combating serious crime or safeguarding national security) defined in the national law. Telcos must ensure retained data isn't used for other incompatible purposes (e.g., commercial profiling).  


Data minimisation


Data processed must be adequate, relevant, and limited to what is necessary for the purpose.


This principle is inherently strained by any general data retention mandate. However, the CJEU's rulings push towards minimisation by:

  • Generally prohibiting indiscriminate retention.   

  • Favouring targeted retention where possible.   

  • Allowing general retention only for specific data types (like IP addresses or civil identity) under strict conditions. Telcos must ensure their systems collect and retain only the data categories explicitly required by a lawful national mandate.   



Storage limitation


Data must be kept in an identifiable form for no longer than necessary for the processing purposes.


This is a major point of alignment and tension. The CJEU requires strict time limits for any permissible data retention, based on objective criteria demonstrating necessity. Telcos need robust systems for automatic data deletion at the end of the mandated period.   


A significant point of friction exists with the CJEU's statement in LQDN I that Member States are not required to limit the retention period for civil identity data (like name and address). This appears to clash directly with GDPR's absolute storage limitation principle. Reconciling potentially indefinite retention of identity data with GDPR remains a legal challenge, unless ongoing necessity can be rigorously demonstrated.   
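Added example (not code from the original post): a small retention check in Python covering the minimisation point above (retain only the categories the mandate names) and the storage limitation point (automatic deletion at the end of the mandated period, with civil identity data held without an automatic expiry but flagged for a necessity review, and every deletion or flag written to an audit log). The categories, retention periods and review interval are constructed placeholders, not values from any national law.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
# Constructed placeholder periods: a real schedule comes from the national mandate, not from this code.
RETENTION_PERIODS = {
    "traffic": timedelta(days=180),
    "location": timedelta(days=180),
    "ip_address": timedelta(days=365),
    "civil_identity": None,  # LQDN I: no mandated time limit, so no automatic expiry
}
# Assumed interval after which indefinitely held civil identity data is flagged for a necessity review.
REVIEW_AFTER = timedelta(days=365)

@dataclass
class RetainedRecord:
    record_id: str
    category: str
    collected_at: datetime

def admit(record):
    """Data minimisation: refuse to retain any category the mandate does not name."""
    if record.category not in RETENTION_PERIODS:
        raise ValueError(f"category {record.category!r} is not covered by the retention mandate")
    return record

def is_expired(record, now):
    period = RETENTION_PERIODS[record.category]
    return period is not None and now >= record.collected_at + period

def apply_retention(records, now):
    """Storage limitation: delete expired records and flag identity data held without a limit.
    Returns (kept records, deleted ids, ids needing a necessity review, audit log lines)."""
    kept, deleted, review, audit = [], [], [], []
    for r in records:
        if is_expired(r, now):
            deleted.append(r.record_id)
            audit.append(f"{now.isoformat()} DELETE {r.record_id} {r.category} expired")
        else:
            kept.append(r)
            if RETENTION_PERIODS[r.category] is None and now - r.collected_at >= REVIEW_AFTER:
                review.append(r.record_id)
                audit.append(f"{now.isoformat()} REVIEW {r.record_id} held {(now - r.collected_at).days}d")
    return kept, deleted, review, audit

def run_example():
    """Constructed sample: four records of different ages evaluated on a fixed date."""
    now = datetime(2025, 4, 30, tzinfo=timezone.utc)
    rows = [("t1", "traffic", 181), ("l1", "location", 10), ("ip1", "ip_address", 366), ("id1", "civil_identity", 400)]
    records = [admit(RetainedRecord(rid, cat, now - timedelta(days=age))) for rid, cat, age in rows]
    return apply_retention(records, now)
```

Run `run_example()` to see the two expired records deleted, the recent location record kept, and the 400-day-old identity record kept but flagged for review.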



Integrity and confidentiality


Data must be processed securely, protecting against unauthorised access, loss, or damage, using appropriate technical and organisational measures.


This strongly reinforces the CJEU's demands for robust safeguards in data retention laws. Telcos must implement strong security measures (encryption, access controls, audit logs). The "watertight separation" requirement for IP addresses mandated in the Hadopi ruling is a prime example of a specific, demanding technical security measure needed under this principle.   


Accountability


The data controller (the Telco, when retaining data under legal obligation) is responsible for and must be able to demonstrate compliance with all GDPR principles.


Telcos need comprehensive documentation: records of processing activities related to retention, data protection policies addressing retention, evidence of security measures, audit logs for access, and potentially Data Protection Impact Assessments (DPIAs) for high-risk retention activities.   



Key takeaway for Telcos:


Complying with national data retention laws is not a free pass from GDPR obligations. Telcos must ensure that any retention mandate they follow is itself lawful under the strict CJEU criteria. Furthermore, the way they retain, secure, limit access to, and eventually delete that data must fully align with GDPR's core principles. This requires a holistic approach, integrating legal requirements from both data retention jurisprudence and the GDPR into their technical systems and operational procedures. Failure to do so risks not only penalties under national retention laws but also significant fines and reputational damage under the GDPR.   

