The Court of Justice of the European Union (CJEU) has held that EU law prohibits a general and indiscriminate retention of telecommunication meta-data. The court nevertheless held that EU states can require that telecom providers engage in targeted and limited retention of meta-data solely for the purpose of facilitating the fight against serious crime.
The CJEU’s judgment was based on the court’s findings that general and indiscriminate retention of telecommunication meta-data would allow governments to draw precise conclusions concerning the private lives of individuals whose data was retained and can lead individuals to feel that their private lives are subject to constant surveillance. The court held that such invasion of privacy can only be permitted to the extent strictly necessary and justified.
Consequently, the CJEU determined that EU states can adopt national legislation that requires targeted retention of telecommunication meta-data only if that such legislation is clear, precise and provides sufficient guarantees against risks of misuse.
The judgment determined it essential that access to retained data be subject to prior review carried out by either a court or an independent body, except in cases of urgency. The court’s judgment goes a step further, holding that governmental authorities to whom access to the retained data is granted must notify the individuals whom the data is about as soon as that notification no longer jeopardizes the investigation.
Click here to read the CJEU’s judgment in Tele2 Sverige AB v. Post- och telestyrelsen.