Decoding EU Data Retention #2: Navigating the Exceptions - When Can Data Be Retained?
- Tina Rosén
- Apr 29
Updated: May 7
PART 2.

In our last post, we saw how the Court of Justice of the European Union (CJEU) invalidated the old Data Retention Directive in the Digital Rights Ireland case, ruling that blanket, indiscriminate retention of everyone's communications data violates fundamental rights. This raised a critical question: Is any form of data retention allowed under EU law?
The short answer is yes, but only under very specific and strictly controlled circumstances. The CJEU, in subsequent rulings like Tele2/Watson (2016) and La Quadrature du Net I (2020), confirmed the general ban but carved out narrow exceptions, acknowledging the legitimate needs of law enforcement and national security.
Think of it less as opening the floodgates and more as allowing specific, controlled streams under strict supervision. Here’s a breakdown of the main exceptions identified by the Court:
1. Targeted retention (for serious crime / public security)
This was one of the first exceptions hinted at in Tele2/Watson. Instead of retaining everyone's data, national laws can allow for the retention of traffic and location data that is targeted. This targeting must be:
- Limited by category: Based on objective, non-discriminatory criteria linked to specific categories of people (e.g., individuals suspected of involvement in serious crime) or specific geographical areas (e.g., locations with a high risk of serious crime being prepared or committed).
- Purpose-bound: Strictly for the purpose of fighting serious crime or preventing serious threats to public security.
- Time-limited: Retained only for the period that is strictly necessary (though this period can potentially be renewed if the justification persists).
2. General retention for serious national security threats
In the La Quadrature du Net I rulings, the CJEU acknowledged a significant exception for national security. Member States can order the general and indiscriminate retention of traffic and location data, but only under these very strict conditions:
- Justification: The Member State must be facing a serious threat to national security that is proven to be genuine and present or foreseeable.
- Time limit: The retention order must be limited in time to what is strictly necessary to address the threat (though it can be renewed if the threat persists).
- Review: The decision imposing the retention order must be subject to effective review by a court or an independent administrative body whose decision is binding.
3. General retention of specific data types: IP addresses and civil identity
La Quadrature du Net I also carved out exceptions for the general retention of specific, less sensitive (in the Court's view) categories of data:
- IP addresses: General retention of IP addresses assigned to the source of a connection is permissible for safeguarding national security, combating serious crime, and preventing serious threats to public security. This retention must be limited in time to what is strictly necessary. We'll dive deeper into IP addresses in the next post, as later rulings added more nuance.
- Civil identity data: General retention of data relating to the civil identity of users (e.g., subscriber name and address) is allowed for safeguarding national security, combating crime (potentially including non-serious crime), and safeguarding public security. Controversially, the Court stated in LQDN I that Member States are not required by the ePrivacy Directive to limit the retention period for this specific data category, creating potential tension with GDPR's storage limitation principle.
4. Expedited retention ('quick freeze')
The CJEU also confirmed that authorities can order telcos to quickly preserve, for a defined period, specific traffic and location data that they already hold. This 'quick freeze' is permissible for combating serious crime or safeguarding national security and must be subject to effective judicial review.
Strict necessity and safeguards are key
It's crucial to understand that all these exceptions are subject to the overarching principles of strict necessity and proportionality. Any national law implementing these exceptions must include clear, precise rules and robust safeguards against abuse, including rules on data security and access controls. Access to retained data generally requires prior review by a court or an independent body.
Key EU data retention takeaway for telcos
In our next post, we'll delve deeper into the specific rules surrounding IP address retention, a particularly complex area further refined by the CJEU's most recent rulings.