When a EU Member State wants to protect public security, it must be careful not to diminish the protection of fundamental rights protected by the EU Charter of fundamental rights, the European Convention of Human Rights and other protective laws adopted by the European Parliament and the Council. The exercise can be tricky as threats to public security are becoming more and more sophisticated: States are therefore tempted to use new possibilities opened up by digital technologies, including the monitoring of retained traffic data.

Traffic data is metadata collected and processed by a public communication provider. It can provide information about the source and destination of the communication, the date, time and duration of the communication, the equipment used for the communication (including its location) etc. Because of the growing importance of means of communication in European societies, the retention of traffic data has become a “valuable tool for criminal investigations”.

In EU law, traffic data is protected by articles 5 and 6 of Directive 2002/58/EC. The principle is easy: if a public communication provider wants to process traffic data beyond the purpose of subscription billing and interconnection payment, the public communication provider shall justify the processing either on the consent of the user, or the exemption provided by Article 15(1) of Directive 2002/58/EC. This Article provides:

Member States may adopt legislative measures to restrict the scope of the rights and obligations provided [by] this Directive when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system.

This is a tutorial targeted to EU Member States lawmakers, in order to learn how to legally process traffic data for public security purposes in a way that is compliant with Directive 2002/58/EC, the EU Charter and the CJEU Case–Law.

Step 1 – Carefully identify the purpose of your law

When a law interferes in a citizen’s exercise of fundamental rights, it has to be justified by a public interest, and the seriousness of the interference must be proportionate to the importance of the public interest that the State aims to protect.

Therefore, it is essential to:
– Clearly identify the purpose of the law
– Assess the importance of the purpose of the law for a democratic society.

A State has various ways to protect public security. For instance, it can protect public security through the prosecution of criminal offences, the prevention and prosecution of serious crime, or the prevention of national security threats. All these purposes has various importance, as it is shown by this chart:

^[CJEU, Gd. Ch., 2 October 2018, Ministerio Fiscal, C-207/16; CJEU, Gd. Ch., 6 October 2020, La Quadrature du net e. a., C-511/18.]

These purposes shall be very distinct in your law: what will be exceptionally tolerated for the prevention of national security threat will be forbidden for other purposes! For instance, if traffic data was exceptionally retained for the prevention of a national security threat, competent authorities cannot access this data for the purpose of fighting serious crime^[CJEU, Gd. Ch., 20 September 2022, SpaceNet AG, C-793/19 and C-794/19, pt 93.].

Note that the fight against serious crime cannot be assimilated to the safeguard of national security.

First, serious crime and threats to national security differ in terms of risks. The CJEU recently recalled that :

The objective of protecting national security corresponds to the primary interest in protecting the essential functions of the State and the fundamental interests of society through the prevention and punishment of activities capable of seriously destabilising the fundamental constitutional, political, economic or social structures of a country and, in particular, of directly threatening society, the population or the State itself, such as terrorist activities. ^[CJEU, Gd. Ch., 20 September 2022, SpaceNet AG, C-793/19 and C-794/19, pt 92.]

On the other hand, the prevention and prosecution of serious crime does not include the danger of directly endangering the stability of the State, the society, or the security of the population.

Second, the fight against serious crime and the prevention of national security threats are of different nature. To justify an interference in the right to private life and to personal data protection, a Member State shall demonstrate that the threat to national security is genuine and present or foreseeable^[CJEU, Gd. Ch., 6 October 2020, La Quadrature du net e. a., C-511/18, pt 137 ; CJEU, Gd. Ch., 20 September 2022, SpaceNet AG, C-793/19 and C-794/19, pt 93.].

Step 2 – Ensure that traffic data retention measures are appropriate for the purpose pursued

Because traffic data retention measures are an interference in the rights to a private life and to personal data protection, one must ensure that traffic data retention measures are the appropriate way to protect public security.

This step does not present any difficulties so far, as the CJEU recognised in 2014 that the retention of data represents “a valuable tool for criminal investigations”^[CJEU, Gd. Ch., 8 April 2014, Digital Rights Ireland Ltd, C-293/12 and C-594/12, pt 49.].

Step 3 – Evaluate the seriousness of the interference in the rights of a private life and of personal data protection

The interference of traffic data in the right to a private life and the right to personal data protection shall not be underestimated. One can think that because traffic data does not reveal the content of communications, the interference in the right to a private life is limited. It is not true. With traffic data, competent authorities can precisely monitor the activities of communications systems’ users. The CJEU affirmed in several cases that:

Those data, taken as a whole, may allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them^[CJEU, Gd. Ch., 8 April 2014, Digital Rights Ireland Ltd, C-293/12 and C-594/12, pt 27.].

It is therefore essential to evaluate the seriousness of the interference in the right to a private life, in regard to what is tolerable in a democratic society.

^[CJEU, Gd. Ch., 2 October 2018, Ministerio Fiscal, C-207/16; CJEU, Gd. Ch., 21 December 2016, Tele2 Sverige AB, C-203/18 and C-698/15; CJEU, Gd. Ch., 6 October 2020, La Quadrature du net e. a., C-511/18, pt 134-139 ; CJEU, Gd. Ch., 21 December 2016, Tele2 Sverige AB, C-203/18 and C-698/15].

As shown through this gauge, EU law prohibits the generalised retention of traffic data that provides for no differentiation, limitation or exception according to the objective pursued.

Retention of traffic data for public security purposes shall be limited by objective criteria that meet the principles of necessity and proportionality.

Step 4 – Strict necessity and proportionality are key

Put together with the assessment of the importance of a public security interest, the evaluation of the seriousness of the interference can provide a good overview of what is allowed and what is forbidden by EU law.

As long as a law falls into the bright red cases in this table, it does not comply with article 7 and 8 of the EU Charter of Fundamental Rights that guarantee the right to a private life and the right to personal data protection.

It is therefore essential to establish objective criteria that will limit the retention of traffic data to what is strictly necessary. Objective criteria must establish a connection between the data retained and the objective pursued, and have the effect of circumscribing the extent to that measure, including the public affected^[CJEU, Gd. Ch., 21 December 2016, Tele2 Sverige AB, C-203/18 and C-698/15, pt 110.]. The CJEU already gave some examples of objective criteria that can be used by the lawmaker:

• Geographical criterion: the measure is limited to geographical areas where there exists a high risk of preparation or commission of serious criminal offences^[CJEU, Gd. Ch., 21 December 2016, Tele2 Sverige AB, C-203/18 and C-698/15, pt 111.]. For instance, a measure can be limited to geographical areas which regularly receive a very high volume of visitors or strategic locations, such as airports or stations^[CJEU, Gd. Ch., 6 October 2020, La Quadrature du net e. a., C-511/18, pt 150.].

• “Personal” criterion: the measure is limited to the data of individuals suspected of planning, committing or having committed a serious crime or of being implicated in one way or another in such a crime^[CJEU, Gd. Ch., 21 December 2016, Tele2 Sverige AB, C-203/18 and C-698/15, pt 119.].

Only the safeguard of national security can justify, when it is strictly necessary, the general and indiscriminate retention of traffic data. However, this retention must be limited to a strictly necessary and foreseeable period of time. Moreover, the data retained shall only be used for the safeguard of national security: it cannot be accessed by competent authorities for any other purpose.
If the measure is found strictly necessary, it is still a serious interference with the right to a private life and the right to data protection. Thus, Member States must provide minimum safeguards to individuals in order for them to be guaranteed of the effective protection of their personal data.

Step 5 – Impose minimum safeguards that provides people with sufficient guarantees of the effective protection of their personal data

Member States can guarantee individuals with sufficient guarantees of the effective protection of their personal data through different safeguards. The law shall take into consideration the vast amount of data retained, the sensitive nature of data retained or the fact that this data is subjected to automated processing^[CJEU, Gd. Ch., 20 September 2022, SpaceNet AG, C-793/19 and C-794/19, pt 69.].

1. Ensure the protection of sensitive personal data with specific safeguards

The retention of traffic data poses the risk of the processing of sensitive personal data, or revealing sensitive information, by law enforcement and intelligence authorities.

As processing of traffic data allow very precise conclusions to be drawn concerning the private lives of the persons, it can reveal sensitive information such as any information revealing the racial or ethnic origins of the individuals, as well as their political opinions, religious or philosophical beliefs, trade-union memberships, health, sexual orientation or sex life. According to EU law, such data shall not be processed without being subject to appropriate safeguards for the rights and freedoms of the data subject^[CJEU, Gd. Ch., 20 September 2022, SpaceNet AG, C-793/19 and C-794/19, pt 61 ; Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, recital 37.].

Moreover, the sensitive nature of the traffic data processed can be the result of the profession of targeted individuals. Member States should be very careful to exempt some data from the traffic data retention for the individuals whose communications are subject to the obligation of professional secrecy according to the rules of national law (lawyers, journalists, health professionals etc.)^[CJEU, Gd. Ch., 8 April 2014, Digital Rights Ireland Ltd, C-293/12 and C-594/12, pt 58.].

2. Guarantee the targeted individuals’ right to an effective remedy

To ensure the legal validity of the measure, Member States should ensure that access to traffic data by competent authorities is subject to a prior review carried out either by a Court or by an independent administrative body whose decision is binding. Only exemptions in cases of validly established urgency may be accepted by Member States law^[CJEU, Gd. Ch., 21 December 2016, Tele2 Sverige AB, C-203/18 and C-698/15, pt 120].

Member States must also guarantee individuals with the possibility of challenging the measure after their data has been retained and/or accessed. Thus, national laws must provide the obligation for competent authorities to notify the persons affected by the measure, as soon as the notification is no longer liable to jeopardise the investigations being undertaken by those authorities^[CJEU, Gd. Ch., 21 December 2016, Tele2 Sverige AB, C-203/18 and C-698/15, pt 121.].

3. Protect the retained data from unlawful access and misuse.

Directive 2002/58/EC provides the obligation of guaranteeing a particularly high level of protection and security by means of appropriate technical and organisational measures.
These measures can consist of:

• The requirement to obtain prior authorisation from the judicial authorities of a Member State
• The irreversible destruction of the data at the end of the data retention period

In any case, the law shall govern the protection and security of the data in question in a clear and strict manner in order to ensure their full integrity and confidentiality ^[CJEU, Gd. Ch., 21 December 2016, Tele2 Sverige AB, C-203/18 and C-698/15, pt 66.].