CJEU brings untargeted “just in case” data retention to its end
By Peter Schaar
(translated by Douwe Korff)
This article is a free translation of my comment for the German news service Heise Online
The judgment of the CJEU on compulsory data retention is remarkable for two reasons. First, the Court essentially agrees with the critics of data retention: The general, suspicionless retention of telecommunication data is incompatible with both the fundamental right to respect for private life, and wth the fundamental right to data protection. The second, broader message is that the CJEU sees itself as the guardian of the civil and political rights enshrined in the EU Charter of Fundamental Rights, and will correct the European legislator if the latter exceeds the limits set by the Charter.
The Court does not deny that it is in the public interest to fight against serious crime, in particular organised crime and terrorism. However:
such an objective of general interest, however fundamental it may be, does not, in itself, justify a retention measure such as that established by Directive 2006/24 [the Data Retention Directive] being considered to be necessary for the purpose of that fight. (para. 51)
As the Court puts it, with reference to its settled case-law:
derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary. (para. 52)
So far, one could think that the Court – like the German Constitutional Court
– felt that all-encompassing data retention is not fundamentally contrary to human rights. However, the Luxembourg Court goes further than that, when it notes that:
Directive 2006/24 affects, in a comprehensive manner, all persons using electronic communications services, but without the persons whose data are retained being, even indirectly, in a situation which is liable to give rise to criminal prosecutions. It therefore applies even to persons for whom there is no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious crime. …
Moreover, whilst seeking to contribute to the fight against serious crime, Directive 2006/24 does not require any relationship between the data whose retention is provided for and a threat to public security and, in particular, it is not restricted to a retention in relation (i) to data pertaining to a particular time period and/or a particular geographical zone and/or to a circle of particular persons likely to be involved, in one way or another, in a serious crime, or (ii) to persons who could, for other reasons, contribute, by the retention of their data, to the prevention, detection or prosecution of serious offences. (paras. 58 – 59)
In the above, the Court clearly rejects suspicionless mass retention of data “just in case” they may be useful in future. By contrast, the judgment does not reject the possibility of limited, targeted retention of data. This corresponds to a green light for the “quick-freeze” model of data retention, under which judicial court orders can be issued to retain specific categories of relevant data for specified, limited periods, when there are concrete indications that a serious crime is being planned or in process.
The Court points to a series of other serious defects in the Data Retention Directive, that had also already been noted by the German Constitutional Court: lack of clarity in the definition of “serious crime”; unclear, insufficiently precise rules on the access to and use of the retained data; and a lack of rules on technical and organisatorial measures needed to ensure the security of the data. The Directive also failed to contain provisions to protect data that are subject to special rules on confidentiality, such as attorney – client communications.
The judgment of the CJEU dramatically changes the legal landscape: all of a sudden Germany is the only EU Member State with national legal rules that meet the European requirements, simply because the German rules do not allow for “just in case” data retention (Vorratsdatenspeicherung).
Hopefully, the EU institutions will draw the right conclusions from the message of the Court. The judgment points the way for other measures that would also lead to massive, suspicionless data retention “just in case”: the planned European Passenger Name Records (PNR)- and Entry-Exit Registers should be scrapped, as should the introduction of suspicionless mass data retention, envisaged in the German Grand Coalition Agreement.
– o – O –o –
? BVerfG, 1 BvR 256/08 vom 2.3.2010, available at:
? See Peter Schaar: “Quick Freeze” instead of data retention, Federal Commissioner for Data Protection and Freedom of Information, 15 June 2010, at:
The German Government endorsed this suggestion but it was highhandedly rejected by the European Commission. See:
? On 10 April 2014, a Swedish ISP announced it had deleted all retained customer data in response to the CJEU judgment; and the relevant Swedish regulatory authority informed the government that it will not take action against the ISP for non-compliance with the Swedish law implementing the Directive – thus effectively suspending the application of the law. See:
- Safe Harbor – No Future?
Keynote on the conference „New Directions in Cyber Security“ Berlin, 1 October 2015 Safe Harbor – No Future? How the General Data Protection Regulation and the rulings of the Court of Justice of the European Union (CJEU) will influence transatlantic data transfers Ladies and gentlemen, One week ago, the Advocate General...
- New ECJ ruling on data retention: Preservation of civil rights even in difficult times!
Translation – German version see here. The European Court of Justice has made a Christmas present to more than 500 million EU citizens. With its new judgment on data retention (C-203/15 of 21 December 2016) – the highest court of the European Union stresses the importance of fundamental rights. All...
- Privacy Shield: „Wir brauchen viel engere Grenzen“
Interview des EAID-Vorsitzenden Peter Schaar für die Zeitschrift Der Spiegel (Nr. 29/2016/16.7.2016 http://www.spiegel.de/spiegel/) „Wir brauchen viel engere Grenzen“ „Privacy Shield“ heißt eine neue Datenschutzvereinbarung zwischen der EU und den USA. Sie ersetzt die Abmachung „Safe Harbor“, die der Europäische Gerichtshof (EuGH) 2015 kassiert hatte. Sind europäische Daten in den USA...