On 21 December 2016, the Court of Justice of the European Union ("ECJ") handed down a judgment concerning the interpretation of Article 15(1) of Directive 2002/58/EC on privacy and communications ("E-Privacy Directive") with respect to the national laws governing the retention of traffic and location data collected by service providers. The judgment was given in response to requests for preliminary rulings from Swedish and UK courts in two proceedings: Tele2 Sverige AB v. Post-och telestyrelsen (C-203/15) and Secretary of State for the Home Department v. Watson, et al. (C-698/15) ("Judgment").

The Judgment follows the 2014 case Digital Rights Ireland (C-293/12 and 594/12), in which it was held that the data retention obligation in Directive 2006/24/EC of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC ("Data Retention Directive") disproportionately interfered with the individual rights enshrined in Articles 7 and 8 of the EU Charter on Fundamental Rights ("EU Charter") (See VBB on Belgian Business Law, Volume 2014, No. 4, p. 13-14, available at www.vbb.com). As a result, the ECJ invalidated the Data Retention Directive.

Following this invalidation, the Swedish and UK courts asked the ECJ whether national legislation implementing the Data Retention Directive would also run counter to the e-Privacy Directive and the EU Charter.

In line with its prior judgment in Digital Rights Ireland, the ECJ reiterated that EU law prohibits generalised and indiscriminate surveillance, and that data concerning communications may be just as sensitive as their content because when taken as a whole it can reveal the identities of the individuals concerned, as well as details of their private lives. Based on this understanding, the ECJ observed that Member States might nonetheless have a lawful interest in retaining specific data. However, compliance with EU law requires that such an interest should be specifically mentioned in Article 15(1) of the e-Privacy Directive and its importance should be commensurate with the gravity of the intrusion on the individuals' privacy. Moreover, any measure is only legitimate insofar as the data involved is limited to the means, persons, and timeframe that are strictly necessary.

The ECJ outlined the specific conditions that Member State legislation on data retention must meet to comply with the e-Privacy Directive and the EU Charter. Specifically, such legislation must include clear and precise rules governing both the scope of the legislation and the conditions under which national authorities may be entitled to access the data. The ECJ emphasised that while these rules might vary from case to case, the legislation must stipulate when data retention is permissible based on the existence of objective criteria establishing a link between the data gathered and the state interest pursued under Article 15 of the e-Privacy Directive. In essence, access should be limited "to the data of individuals suspected of planning, committing or having committed a serious crime or of being implicated in one way or another in such a crime".

As a general rule, the existence of such a link is limited to individuals directly connected to the risk at hand, but in specific cases it could extend to others not involved where objective evidence shows that this would be effective in combatting the risk.

The ECJ also noted that, except in emergency situations, legislation should also require prior review by an independent body, and that the individuals targeted should be informed by the competent authorities once the information no longer jeopardises the investigation. This information is necessary to allow data subjects to seek redress in case of an unjustified infringement of their rights.

Finally, the ECJ underlined the importance of technical and organisational security measures and held that national data retention legislation must require that data collected should remain in the EU and be destroyed at the end of the retention period.

The ECJ referred the two cases back to the Swedish and UK courts that had raised the preliminary questions. These courts will now have to decide whether the national legislation complies with the requirements set forth by the ECJ.

Privacy Commission Issues Draft Recommendation on Data Protection Impact Assessments

The Privacy Commission (Commissie voor de bescherming van de persoonlijke levenssfeer/Commission de la protection de la vie privée) ("Privacy Commission") recently launched a public consultation about its draft recommendation regarding data protection impact assessments ("DPIAs").

The EU General Data Protection Regulation ("GDPR") lays down several new obligations for data controllers, including the obligation to carry out, in some cases, a DPIA. DPIAs assess the risks for the rights and freedoms of natural persons that arise or threaten to arise in connection with the processing of personal data. DPIAs also help the data controller to implement risk-mitigating measures.

The Privacy Commission's recommendation seeks to guide companies with their implementation of this new obligation and to provide answers to practical questions raised by DPIAs. In particular, the recommendation provides detailed explanations regarding: (i) the essential elements of a DPIA; (ii) the circumstances under which DPIAs are required; and (iii) the parties who should be involved in carrying out a DPIA.

The draft recommendation can be found here (Dutch) and here (French).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.