On 21 December 2016, the Court of Justice of the European Union (“CJEU”) issued another remarkable ruling on data retention (Joined Cases C-203/15 (Tele2 Sverige AB v. Post- och telestyrelsen) and C-698/15 (Secretary of State for the Home Department v. Watson et al.)). Another, because data retention had already been a big topic in 2014, when CJEU decided (Joined Cases C-293/12 and C-594/12) to invalidate Directive 2006/24/EC, due to its disproportionate interference in the fundamental rights recognized in arts. 7 (respect for private and family life) and 8 (protection of personal data) of the EU Charter.

The 2016 judgment extends the scope and effects of the 2014 decision to the national sphere. It specifically refers to the Swedish and UK data retention and access regimes and to their compatibility with Art. 15(1) of the ePrivacy Directive(Directive 2002/58/EC). Art. 15 contains an exception to the principle of confidentiality of communications and related traffic (e.g. name and address of subscribers involved, time of the communication or telephone numbers and IP addresses used) and location (i.e. data indicating the geographic position of the user) data. Pursuant to this exception, Member States may adopt legislative measures to restrict the scope of the principle of confidentiality when it is necessary, appropriate and proportionate within a democratic society to, among other purposes, safeguard public security or prevent, investigate, detect and prosecute criminal offences.

CJEU makes an interpretation of Art. 15(1) in light of the impact that data retention and access regimes have on privacy and protection of personal data and concludes that:

  • to be acceptable, legislation on data retention must contain objective criteria that make it possible to establish a connection between the data to be retained and the objective which is pursued. Safeguards must be in place limiting retention to the data which is likely to reveal a link with serious criminal offences and to contribute to fight serious crimes or prevent a serious risk to public security. Member States’ laws allowing for the general and indiscriminate retention of all traffic and location data of subscribers and registered users with respect to all means of electronic communications exceed the limit of what is strictly necessary and, therefore, cannot be justified within a democratic society;
  • and when it comes to access regimes aimed at combatting crime, there are several aspects that national legislations need to necessarily consider. First, that for the measure to be proportionate to the importance of its interference in fundamental rights, only serious crimes justify access by the public authorities to the data. Second, that access must be subject to prior review by a court or independent administrative authority which ensures that access is limited to what is strictly necessary. Lastly, the national legislation must stipulate that the data cannot be transferred outside the EU; otherwise, control by an independent authority of compliance with the requirements of protection and security in the processing of personal data would not be guaranteed, resulting in a breach of art. 8(3) of the Charter.

It seems that there is ample room for adjustment of the relevant Serbian law to the new European developments concerning data retention.

The Electronic Communications Act of 2010 (ECA) – which regulates the data retention – in Articles. 128 and 129 provides for the obligation of telecom operators to retain a set of traffic and location data (including the source, destination and type of communication, and identification of the users’ terminal equipment) pertaining to electronic communications services they provide. The obligation is general and indiscriminate, since the data concerning every communication must be retained for a period of 12 months. Irrespective of whether the specific communication may be useful for protecting legitimate state interests, such as the interest to combat crime, or not, the telecom operator must retain for twelve months the personal data concerning the communication. This is contrary to what CJEU has just said about the requirement that there must exist a connection between the data to be retained and the objective which is pursued.

With respect to access to the retained data, Serbian legislation does contain important safeguards aimed at preventing the inadequate and abusive use of this right by the authorities. In the approach more aligned with that of CJEU, access without the users’ consent is permitted only when the data is necessary in order to conduct criminal proceedings or protect the security of the Republic of Serbia. In both cases, such access can be only temporary and must be authorized by a court decision.

Interestingly to note, the access-related requirements of judicial authorization were not foreseen in ECA’s initial wording, but only included after the Serbian Constitutional Court ruled in 2013 that retained data are covered by the constitutionally protected right to secrecy of communications. That right can solely be restricted by a court decision and for limited time.

It seems reasonable to conclude that “conducting criminal proceeding”, as the basis for lawful access to retained data under Serbian law, is broader than what ePrivacy Directive’s “detection and prosecution of criminal offences” – as now interpreted by CJEU – means. CJEU has just said that “combating serious crime” – and not just any crime – justifies access to data retained in telecom traffic.