Table of Contents: I. Introduction: data retention and future-proofing. – II. “The Lighthouse for Privacy Rights in Europe”? Past and present CJEU case law on communications data retention. – II.1 Retain in haste, repent at leisure: the legacy of Directive 2006/24/EC. – II.2. La Quadrature du Net and Privacy International: from crime to national security (and back). – II.3. CJEU guidance on “targeted” retention for serious crime. III. Future-proof data retention. – III.1. How future-proof is the case law? ePrivacy reform and judicial fears of profiling. – III.2 First national “targeted” retention laws: the exception becomes the rule? – III.3. What we talk about when we talk about data retention: tomorrow’s metadata and future necessity. – IV. Conclusion.
Abstract: In many countries worldwide, everyone’s communications metadata is pre-emptively retained by telecoms and internet service providers for possible later use by the relevant public authorities to combat crime and safeguard national security. Within the European Union, however, for nearly a decade the Court of Justice of the European Union (CJEU) has consistently rejected the pre-emptive “general and indiscriminate” retention of communications metadata for the purpose of combatting serious crime – although its position on safeguarding national security is more nuanced. For crime, the CJEU continues to insist that any retention of traffic and location data be done on a “targeted” basis, leaving the details of any such scheme to the relevant legislator (EU or national). This Article discusses the prospect of a return to EU-level data retention from a future-proofing perspective. It does so by summarising the most relevant recent CJEU case law, noting its internal consistency but arguing that its future resilience should not be taken for granted, particularly with the ePrivacy Regulation on the horizon. It offers a first analysis of efforts to implement “targeted” retention in national legal systems. Should any fresh EU legislative proposal on data retention emerge, it is argued that in addition to fully complying with the relevant CJEU standards, it will also be essential to gauge the desirability of such a reform in light of technological shifts in the information labelled “metadata”, and the intertwined condition that any such harmonising measure must be demonstrably effective over time.
Keywords: communications data retention – future-proofing – CJEU case law – crime prevention – data protection – privacy.
European Papers, Vol. 8, 2023, No 2, pp. 713-740
ISSN 2499-8249 - doi: 10.15166/2499-8249/683
* Associate professor, Utrecht University, firstname.lastname@example.org.