Court of Justice of the European Union confirms that EU law precludes the general and indiscriminate retention of traffic and location data, except in cases of serious threat to national security


SpaceNet AG and Telekom Deutschland GmbH provide internet access services in Germany. Telekom Deutschland also provides telephone services. They issued proceedings in the German courts challenging German law obliging them to retain, as from 1 July 2017, traffic and location data relating to their customers’ telecommunications.

Under German law, providers of electronic communications services are required to retain, in a general and indiscriminate way, for several weeks, most of the traffic and location data of their end users for the purposes of, inter alia, prosecuting serious criminal offences or preventing a specific risk to national security.

The German court asked the CJEU whether EU law precludes such national legislation. In particular, it queried the legitimacy of the German retention obligation given that it covers less data and a shorter retention period (four or ten weeks) than the national legislation examined by the CJEU in previous cases, e.g. in Cases C-511/18, C-512/18 and C-520/18 La Quadrature du Net and Others. In the German court’s view, those elements of German law reduced the risk that the retained data might allow precise conclusions to be drawn in relation to the private life of customers whose data had been retained. In addition, it said that German law included safeguards to ensure the protection of retained data against the risks of abuse and unlawful access.

The CJEU disagreed and confirmed its previous case law, finding that EU law precludes any national legislation which requires the general and indiscriminate retention of traffic and location data as a preventative measure for the purposes of combating serious crime and preventing serious threats to public security.

However, the CJEU said, EU law does not preclude national legislation which:

  • allows for providers of electronic communications services to be ordered to retain, generally and indiscriminately, traffic and location data for the purposes of safeguarding national security where the Member State in question is confronted with a serious threat to national security that is genuine and present or foreseeable; such order must be subject to review, either by a court or by an independent administrative body, and can only be given for a period that is strictly necessary, although it may be extended if the threat persists;
  • provides for the targeted retention of traffic and location data for the purposes of safeguarding national security, combating serious crime and preventing serious threats to public security; such provision must be limited geographically or to categories of people (based on objective and non-discriminatory factors) for a period limited to what is strictly necessary, although it may be extended;
  • provides, for the same purposes, for the general and indiscriminate retention of IP addresses assigned to the source of an internet connection for a period limited to what is strictly necessary;
  • provides, for the purposes of safeguarding national security, combating crime and safeguarding public security, for the general and indiscriminate retention of data relating to the civil identity of users of electronic communications systems; and
  • allows, for the purposes of combating serious crime and, a fortiori, safeguarding national security, for providers of electronic communications services to be ordered to undertake, for a specified period, the expedited retention of traffic and location data in their possession.

Such national legislation must ensure that the retention of data is subject to compliance with substantive and procedural conditions and that the people concerned are protected from the risks of abuse.

As for the German law in question, the CJEU noted that the retention obligation for telecoms communications covers, inter alia, the data necessary to identify the source of a communication and its destination, the date and time of the start and end of the communication or, for SMS communications, multimedia or similar messages, the time of dispatch and receipt of the message and, in the case of mobile use, the designation of the cell sites used by the caller and the recipient at the start of the communication. As for internet access services, the CJEU noted that the German law covers, inter alia, the IP address assigned to the subscriber, the date and time of the start and end of internet use from the assigned IP address and, in the case of mobile use, the designation of the cell sites used at the beginning of the internet connection. The data enabling the geographical location to be identified, as well as the directions of maximum radiation of the antennas serving the cell site in question, are also retained.

Therefore, the CJEU said, the retention obligation in question applied to a very broad set of traffic and location data, which corresponded to the data examined in the previous judgments mentioned above. In the CJEU’s view, such data allowed for precise conclusions about the private lives of customers to be drawn, including their everyday habits, places of residence, daily movements, activities, relationships and preferred social environments and for a profile of them to be put together.

As for the safeguards provided under German law, the CJEU said that the retention of and access to the data concerned constituted separate interferences with the fundamental rights of the people concerned, requiring a separate justification. National legislation that requires the conditions established by case law to be met in relation to access to retained data cannot, by its very nature, be capable of either limiting or remedying such serious interference with fundamental rights. (Joined Cases C-793/19 and C-794/19 Bundesrepublik Deutschland v SpaceNet AG and Telekom Deutschland GmbH EU:C:2022:702 (20 September 2022)).
