The Case of SpaceNet and Telekom Deutschland (CJEU Data Retention Ruling)

Closed Expands Expression

Key Details

  • Mode of Expression
    Electronic / Internet-based Communication
  • Date of Decision
    September 20, 2022
  • Outcome
    Decision - Procedural Outcome, Law or Action Upheld
  • Case Number
    C‑793/19 and C‑794/19,
  • Region & Country
    Germany, Europe and Central Asia
  • Judicial Body
    Court of Justice of the European Union (CJEU)
  • Type of Law
    Telecommunication Law
  • Themes
    Digital Rights, Privacy, Data Protection and Retention
  • Tags
    Data Protection and Retention, Confidentiality

Content Attribution Policy

Global Freedom of Expression is an academic initiative and therefore, we encourage you to share and republish excerpts of our content so long as they are not used for commercial purposes and you respect the following policy:

  • Attribute Columbia Global Freedom of Expression as the source.
  • Link to the original URL of the specific case analysis, publication, update, blog or landing page of the down loadable content you are referencing.

Attribution, copyright, and license information for media used by Global Freedom of Expression is available on our Credits page.

Case Analysis

Case Summary and Outcome

The Court of Justice of the European Union (CJEU), in two related Grand Chamber judgments, ruled that the German law on data retention is incompatible with European Union (EU) law. The case concerns joined applications by the two telecommunication services operators i.e., SpaceNet and Telekom Deutschland who challenged German Telecommunication Law (2004) on the ground that the obligation imposed on them to retain traffic and location data of their customers violates EU Law. The Administrative Court of Germany observed that the Applicants were not obligated to retain the mentioned telecommunications traffic data as per the German Telecommunication Law. The Federal Court, on appeal, concluded that the German Telecommunication Law aligns with EU law based on the argument that regulations concerning the retention of traffic data, location data, and access to such data by national authorities generally fall within the scope of Directive 2002/58. The CJEU, in line with its prior case law, held a contrary view and affirmed that EU law prohibits any national legislation that mandates the widespread and indiscriminate retention of traffic and location data for preventive purposes in combating serious crime and averting significant threats to public security.


Facts

The Applicants, SpaceNet and Telekom Deutschland provide publicly available internet and telephone services in Germany. They challenged the obligation imposed on them under Sections 113a(1) and Section 113b of the German Telecommunications Act (2004) before the Administrative Court, Cologne, Germany (Verwaltungsgericht Köln). [para 22-23] The obligation mandated the blanket retention of telephone and internet connection data for a period of ten weeks, along with the storage of location data for four weeks, without any specific targeting or differentiation. On April 20, 2018, the Administrative Court delivered its ruling made reference to CJEU’s Tele2 Sverige and Watson and Others (2016), and held that the service providers were not obligated to retain certain telecommunications traffic data as outlined in Article 113b, paragraph 3 of the German Telecommunications Law. [para 24]

The Federal Republic of Germany appealed this decision before the Federal Administrative Court (Bundesverwaltungsgericht), seeking clarification on the compatibility of the retention requirement with EU law, specifically Directive 2002/58 (Directive on Privacy and Electronic Communications). [para 25] The Federal Administrative Court, noted that the CJEU had previously established that regulations concerning the retention of traffic and location data, as well as access to such data by national authorities, generally fell within the scope of Directive 2002/58. The Court acknowledged that the retention obligation in the main proceedings limited the rights granted by Article 5(1), Article 6(1), and Article 9(1) of the directive. However, it considered whether this retention obligation could be justified under Article 15(1) of Directive 2002/58. [para 26-28]

The Federal Administrative Court made several observations, firstly, that the national legislation in question did not require the retention of all traffic and location data, as it excluded content of communications and certain categories of data. Secondly, the retention period specified in the German Telecommunication Law was shorter compared to the retention period mandated by Directive 2006/24/EC. Thirdly, the rules in place imposed strict limitations on the protection and access to the retained data. Fourthly, interpreting Article 15(1) of Directive 2002/58 as incompatible with any retention of data without reason could conflict with the Member State’s obligation to ensure security under the Charter of Fundamental Rights. Fifthly, restricting the general retention of data could unduly limit the national legislature’s authority in crime repression and public security matters. Lastly, the Federal Administrative Court considered the case law of the European Court of Human Rights, which allowed for national provisions permitting the interception of data flows in light of existing threats and technological advancements employed by criminals and terrorists. [para 32-38]


Decision Overview

The Grand Chamber of the Court delivered a preliminary ruling in two judgments dated September 20, 2020. The primary issue before the Court was whether Article 15(1) of Directive 2002/58, read with Articles 6 to 8 and 11, Article 52(1) of the European Charter of Fundamental Rights (Charter), and Article 4(2) of the Treaty on European Union (TEU), should be interpreted as prohibiting a national legislative measure that, with some exceptions, mandates electronic communications service providers accessible to the public to retain, for the purposes outlined in Article 15(1) of the directive, the general and indiscriminate storage of essential traffic and location data of end users of these services. [para 47]

The CJEU, in its interpretation of Article 15(1) of Directive 2002/58, referred to the principles of GD v. Commissioner of An Garda Síochána and Others, (2022) that interpreting an EU law requires not only the consideration of its context and objectives but also the origin of the legislation, all of which it “forms part” [para. 49]. It emphasized that the legislative measures authorized by the directive can only aim to “limit the scope” of the rights and obligations provided for in Articles 5, 6, and 9 of the directive. The objective of Directive 2002/58 is to protect users of electronic communications services by ensuring a high level of personal data protection and privacy, regardless of the technology used. The directive prohibits any person other than users from storing communications and related data without their consent. Therefore, Article 15(1) of the directive, which allows member states to limit these rights and obligations, must be interpreted strictly and should meet one of the listed objectives in the directive. [para 50-51]

The Court referred to La Quadrature du Net and others (2020) and observed that any measures taken by member states must comply with the principles of proportionality and respect for fundamental rights guaranteed by the Charter. It observed that Article 5(1) of Directive 2002/58 enshrines the principle of confidentiality both of electronic communications and related traffic data and entails, in particular, the prohibition made, in principle, to any person other than the users to store, without their consent, these communications and these data. [para 52]

The Court highlighted that the retention of traffic data and location data constitutes an interference with the fundamental rights to respect for private life and the protection of personal data. It also recognized that such data can reveal sensitive information about individuals, leading to a detailed profile of their private lives. [Commissioner of An Garda Síochána, (2022)] [para 64-65] The Court further emphasized that any limitation on the rights and obligations provided by Directive 2002/58 must strictly and effectively meet the objectives listed in Article 15(1) of the directive. The measures taken by Member States must comply with the general principles of Union law, including proportionality and respect for fundamental rights guaranteed by the Charter. [para 67] The Court stressed the importance of reconciling legitimate interests and rights and establishing a legal framework that allows for this reconciliation. It reiterated that derogations from the protection of personal data and limitations on rights must operate within the limits of what is strictly necessary and be balanced against the objective of the general interest pursued. [para 68-70]

Furthermore, the CJEU referring to the Commissioner of An Garda Síochána and La Quadrature du Net observed that a hierarchy exists among the objectives of general interest that can justify measures under Article 15(1) of Directive 2002/58. Among these objectives, safeguarding national security is considered the most important, surpassing other objectives outlined in the directive. [para 70] In situations where a Member State faces a genuine and significant threat to national security, legislative measures permitting the generalized and indiscriminate retention of traffic and location data may be justified. However, it is crucial to have effective oversight by a Court or an independent administrative body to ensure adherence to the specified conditions and guarantees. Any injunctions issued in this regard should have a limited duration, strictly necessary to address the identified threat. [para 71]

Regarding the prevention, investigation, detection, and prosecution of criminal offenses, the Court emphasized that only serious crimes and threats to public security can warrant interferences with fundamental rights. Non-serious interferences cannot be justified by this objective. [para 73] Furthermore, the Court ruled that generalized and indiscriminate retention of traffic and location data for combating serious crime goes beyond what is strictly necessary and encroaches upon the right to privacy. Instead, such retention should be an exceptional measure rather than the norm, with data not subjected to systematic and continuous storage. However, targeted storage of specific data, such as IP addresses and user identities, for a strictly necessary and renewable period may be permissible. Additionally, an injunction for the rapid storage (quick freeze) of data by electronic communications service providers, subject to effective judicial review and clear rules, can be justified, provided there are robust safeguards in place to prevent abuse and protect the rights of individuals involved. [para 74-75]

On the subject of a measure that entails the generalized and undifferentiated retention of most traffic data and location data for several weeks, the Court observed that the German Telecommunication Law raises significant concerns. Firstly, the scope of the retained data encompassed a wide range of information, including details necessary to identify the source and destination of communications, timing, and location data. Although the legislation excluded the retention of content and website data, the preservation of IP addresses enabled comprehensive tracking of users’ online activities, thereby infringing on their privacy rights. Furthermore, the Court noted that the legislation applied to almost the entire population without any link to criminal proceedings. It imposed a broad and indiscriminate retention of traffic and location data without reasonable justification, resembling the characteristics of previous cases where such practices were deemed problematic. The fact that professional users subject to secrecy obligations, such as lawyers, doctors, and journalists, were also affected by data retention further compounded the concerns. [para 76-82]

The Court emphasized that the seriousness of the interference with privacy rights is not solely dependent on the retention period or the quantity of data but rather on the risk that the retained data, when considered collectively, can provide detailed insights into individuals’ private lives. Even a limited amount of data or a short retention period can enable precise profiling and intrusion into the privacy of internet users. Regarding safeguards, the Court highlighted that the storage and access to retained data constitute separate interferences with fundamental rights, necessitating distinct justifications. The protection against misuse and unlawful access to the stored data requires compliance with conditions outlined in previous case law interpreting Directive 2002/58. Lastly, the Court addressed the argument equating particularly serious crime with a threat to national security. It clarified that while serious crime warrants interference with fundamental rights, a threat to national security must be real and present or at least foreseeable, necessitating concrete circumstances to justify generalized and undifferentiated data retention. The Court distinguished between the nature and severity of threats to national security and general public security, underscoring that they require different considerations and justifications. [para 88-94]

On the subject of measures providing for targeted storage, rapid storage, or storage of IP addresses, the CJEU observed that generalized and undifferentiated retention allows for the effective achievement of the objectives sought by these measures. The Court clarified that the effectiveness of criminal proceedings relies on the availability of various investigative tools, and Directive 2002/58 allows member states to adopt both targeted and generalized retention measures for combating serious crime and protecting public security. The retention of data related to the civil identity of electronic communication users contributes to fighting serious crime, but Directive 2002/58 does not prohibit the general retention of such data. National legislation can require verification of official documents and recording of buyer information for means of electronic communication acquisition. However, the general retention of IP addresses constitutes a serious interference with fundamental rights, such as privacy and freedom of expression. [para 96-99]

The Court stated that a legislative measure for the generalized retention of IP addresses can be justified if strict conditions and guarantees are in place, and it is necessary for the fight against serious crime and the prevention of serious threats to public security. Targeted retention and expeditious retention measures for traffic and location data can be based on objective factors and geographical criteria, without requiring advanced knowledge of specific places or individuals involved in serious crimes. The Court emphasized that targeted storage should be based on non-discriminatory elements and subject to proportionality and strict compliance with material and procedural conditions. The duration of targeted storage measures should be strictly necessary, and distinctive criteria other than personal or geographical can be considered. However, the generalized and undifferentiated retention of data cannot be justified, even if difficulties arise in defining specific cases for targeted storage. Rapid retention of data during processing and storage periods can be allowed, subject to effective judicial review and fixed timeframes. [para 116-122]

On the subject of accessing data stored in a generalized and undifferentiated manner, the Court observed that authorizing access to such data for the fight against serious crime would create an unjustifiable disparity between Member States. The Court emphasized that access to traffic data and location data should be justified by the objective of general interest for which the data was retained, and only if the importance of the access objective exceeds that of the objective justifying the retention. The Court further stated that data stored in a generalized and undifferentiated manner cannot be accessed to fight serious crime, except in exceptional cases where the data is stored for safeguarding national security. The Court concluded that national legislative measures allowing generalized and undifferentiated retention of traffic data and location data for the fight against serious crime and public security threats are precluded. However, national measures may allow targeted storage based on non-discriminatory elements, retention of IP addresses, retention of user identity data, and temporary storage under specific conditions that ensure compliance and protection against abuse. Effective review by a Court or independent administrative body is required, and clear rules must govern data retention. [para 126-130]

In conclusion, the CJEU reaffirmed its previous case law (G.D. v Commissioner of An Garda Síochána and La Quadrature du Net and Others) and ruled that EU law prohibits national legislation that requires the general and indiscriminate retention of traffic and location data as a preventive measure against serious crime and public security threats. However, the CJEU clarified that EU law does not prohibit national legislation in certain cases. [para 131] This includes;

  • Providers of electronic communications services may be ordered to retain traffic and location data in a general and indiscriminate manner to safeguard national security when a genuine and present or foreseeable serious threat to national security exists. However, such orders must be reviewed by a court or an independent administrative body and can only be given for a strictly necessary period, with the possibility of extension if the threat persists.
  • Targeted retention of traffic and location data can be permitted to safeguard national security, combat serious crime, and prevent serious threats to public security. This provision should be limited geographically or based on objective and non-discriminatory factors related to specific categories of people. The retention period should be strictly necessary but can be extended if required.
  • The general and indiscriminate retention of IP addresses associated with internet connections can be allowed to safeguard national security, with a limited retention period that is strictly necessary.
  • Data related to the civil identity of users of electronic communications systems can be retained in a general and indiscriminate manner to safeguard national security, combat crime, and protect public security.
  • Providers of electronic communications services can be ordered to expedite the retention of traffic and location data they possess for a specified period to combat serious crime and safeguard national security.

The CJEU highlighted that such legislation must include safeguards to protect individuals from abuse. On the German Telecommunication Law, the CJEU held that it is incompatible with EU Laws on the reasoning that, firstly, the retention obligation covers a broad set of data that is indiscriminate as to individuals, time, and geography. It does not qualify as targeted data retention. Secondly, the quantity and diversity of the retained data, regardless of the retention period or the amount of data, allow for precise conclusions and the establishment of detailed profiles about individuals’ private lives. Therefore, the retention of traffic and location data is considered serious, regardless of specific factors. Lastly, the safeguards aimed at protecting the stored data against misuse and unauthorized access are separate from the retention itself. The CJEU emphasized that complying with the conditions established by case law for accessing retained data does not justify or remedy the serious interference with individuals’ rights resulting from the general retention of such data.


Decision Direction

Quick Info

Decision Direction indicates whether the decision expands or contracts expression based on an analysis of the case.

Expands Expression

The Judgment confirms that under EU law, the general and indiscriminate retention of traffic and location data is prohibited, except in instances involving a significant national security threat. However, to combat serious crimes, Member States are permitted, while adhering strictly to the principle of proportionality, to establish measures such as targeted or expedited retention of specific data and the general and indiscriminate retention of IP addresses.

Global Perspective

Quick Info

Global Perspective demonstrates how the court’s decision was influenced by standards from one or many regions.

Table of Authorities

Related International and/or regional laws

Case Significance

Quick Info

Case significance refers to how influential the case is and how its significance changes over time.

The decision establishes a binding or persuasive precedent within its jurisdiction.

The CJEU’s ruling is binding both on the referring court and on all courts in Member States.

Official Case Documents

Have comments?

Let us know if you notice errors or if the case analysis needs revision.

Send Feedback