Brussels, BE — Earlier today, Thomas von Danwitz, Judge Rapporteur of the Court of Justice of the European Union (CJEU), issued his judgment on the joint data retention cases known as Tele2 Sverige and Davis and Others. The outcome: EU member states may not impose a general obligation to retain data on providers of electronic communications services, and when law enforcement has access to retained data, member states must ensure independent oversight mechanisms and remedy. This is a critically important victory for fundamental rights in the EU.

“This ruling reaffirms that existing general data retention schemes are not proportionate”, said Fanny Hidvegi, European Policy Manager at Access Now. “Member states are skirting an increasing amount of responsibility under various exceptions, be it ‘national security’ or ‘legitimate interest’. Access Now is pleased that the court did not embrace the false dichotomy of privacy versus security, and once again enforced the proper standards and explicit safeguards for fundamental rights. Judges engaged in ongoing cases all around Europe should follow the clear lines the court has drawn today against general data retention”.

Although different in scope, both cases concern the validity (and extent) of national data retention laws in Sweden and the UK, with respect to EU law. Each of the inquiries will further clarify the CJEU’s invalidation of the EU Data Retention Directive from 2014.

The court ruled that blanket data retention requirements for electronic telecommunications providers are not compatible with the fundamental rights to data protection and privacy enshrined in Articles 7 and 8 of the EU Charter of Fundamental Rights, and furthermore, that such requirements make the general population using electronic services less secure, and negatively impact the freedom of expression.

“Access Now welcomes this strong ruling declaring that broad data retention is disproportionate and unnecessary, and therefore unlawful”, said Lucie Krahulcova, EU Policy Associate. “This ruling leaves no room for state-level derogations and custom interpretation, which would have been very dangerous in the current political climate. This is a clear and strong statement that the status quo needs to change ASAP to protect our rights.”

The Advocate General had previously reasoned that there is a distinction between data retention itself, and the government’s right to have access to that data, which, according to some member states, falls outside the scope of EU law. The court here pushed back on this argument and declared that “since data is retained only for the purpose, when necessary, of making that data accessible to the competent national authorities, national legislation that imposes the retention of data necessarily entails, in principle, the existence of provisions relating to access by the competent national authorities to the data retained by the providers of electronic communications services”.

While ruling that general data retention is incompatible with EU law, the court also clarified the conditions for targeted data retention. Such retention must be strictly limited to those directly suspected of or tangibly linked to a serious crime, and the retention is permissible only for the period that a crime is under investigation. In addition, the court introduced an important new safeguard, finding that, once it no longer jeopardizes said investigation, individuals must be notified when the government’s access to their data is granted so they may seek appropriate redress. The court also outlined that access to the targeted data can only be permitted under independent, preferably judicial, oversight, with exceptions only in the most urgent cases, relevant to national security. Even then, notice should be given to responsible authorities.

There are two interesting elements of the ruling that will require further examination, and will likely change how we approach data retention and government surveillance-related cases. First, the court establishes that “national legislation must be based on objective evidence”, and second, the ruling distinguishes between access criteria for law enforcement and national security purposes.

The CJEU’s rulings in these cases are an essential indicator for the data retention conversation in the EU. Not long ago, the Luxembourg presidency of the Council of the European Union asked member states to weigh in on whether the European Commission should develop a brand new data retention framework. Just this month, the Slovak presidency asked the Commission to present ‘solutions’ for ease of access to e-evidence. For human rights advocates and everyone living in the EU, that’s a frightening prospect. Today’s ruling provides much-needed comfort.