The Court of Justice of the European Union (CJEU) issued two judgments on 20 September 2022 on the legal framework governing data retention by providers of electronic communications. In both cases, the CJEU reaffirmed its prior position by limiting the retention of traffic and location data for the sake of preserving privacy.
Joined Cases C-339/20 (VD) and C-397/20 (SR) concerned a procedure initiated by the French Financial Markets Authority (AMF) regarding alleged market abuse offences. The case involves two suspects accused of insider dealing, corruption, and money laundering. AMF’s procedure was launched based on personal data generated from telephone calls during the provision of electronic communications services. The two applicants raised the argument that AMF relied on legislation contrary to European Union law to collect their communication data.
In this context, the French Supreme Court (Court of Cassation) made a request for a preliminary ruling to the CJEU on the compatibility of the provisions of the European Privacy and Electronic Communications Directive with French legislation relating to market abuse. As a preventive measure, this provides for generalised and undifferentiated storage of traffic data for one year from the day the recording is made.
The CJEU ruled that none of the texts relating to market abuse can constitute the legal basis for a general obligation to retain traffic data records held by operators of electronic communications services for the purpose of exercising powers conferred on the competent authorities in financial matters under these instruments.
General and indiscriminate retention of traffic data by operators providing electronic communications services for a year from the date on which they were recorded is not authorised as a preventive measure to combat market abuse offences, including insider trading.
In Joined Cases C-793/19 (SpaceNet) and C-794/19 (Telekom Deutschland), German internet service providers SpaceNet and Telekom Deutschland challenged before national courts the legality of the obligation to keep data relating to the traffic and the location relating to the telecommunications of their customers. The German Telecommunications Act (TKG) obliges telecommunications providers to do so for the repression of serious criminal offences or the prevention of a concrete risk to national security over several weeks.
The German federal administration court sought clarifications from the CJEU on whether the TKG is compatible with European principles. The CJEU responded that EU law precludes national legislation that provides generalised and indiscriminate retention of data traffic and location data as a preventive measure to combat serious crime and threats to public security. On the other hand, it does not oppose such retention in several cases, such as when the Member State in question is faced with a serious threat to national security.
Access Partnership is closely monitoring data protection developments. For more information, contact Chrystel Erotokritou, Compliance Manager.