Keywords: Tele2 – CJEU – CFREU – directive 2002/58 – serious crime – geographical criterion.
The present Highlight focusses on an aspect of the judgment of the Court of Justice, of 21 December 2016, Tele2 Sverige. The Court decided that Art. 15, para. 1, Directive 2002/58/EC should be interpreted, under the scope of Arts 7, 8, 11 and 52, para. 1, of the Charter of Fundamental Rights of the European Union (Charter), “as precluding national legislation which, for the purpose of fighting crime, provides for the general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication”.
Art. 15 permits the adoption of national legislation constraining certain data users’ rights foreseen in Directive 2002/58, like confidentiality or restriction of identification. This can be done provided governments comply with the proportionality test used by the CJEU. Some safeguards should also be present, according to the provisions of Directive 95/46/EC. The Court of Justice clearly stressed the prohibition of collecting and keeping broad personal information, while it demanded maintaining strong legal safeguards when exceptions are permitted. The Court’s position here should not be overlooked. Nevertheless, it is striking to see what Luxembourg considered as an adequate criterion to limit overreaching local legislation. In para. 111 of the decision, it stated that: “As regard the setting of limits on [the retention, as a preventive measure, of traffic and location data] with respect to the public and the situations that may potentially be affected, the national legislation must be based on objective evidence which makes it possible to identify a public whose data is likely to reveal a link, at least an indirect one, with serious criminal offences, and to contribute in one way or another to fighting serious crime or to preventing a serious risk to public security. Such limits may be set by using a geographical criterion where the competent national authorities consider, on the basis of objective evidence, that there exists, in one or more geographical areas, a high risk of preparation for or commission of such offences”.
By using the geographical criterion with no indication as to why it can be an objective and useful tool in restricting the effects of legislative measures and the public affected, the Court may have taken a misstep. Following its reasoning, law enforcement agencies should instruct service providers to retain location and traffic data under “objective criteria, that establish a connection between the data to be retained and the objective pursued [so to] circumscribe, in practice, the extent of that measure and, thus, the public affected”. Evidence gathering in the fight against serious crime can indeed lead police forces and cooperating authorities to demarcate areas of risk of preparation for or commission of serious crime. However, outlining such zones and then withdrawing data present in the communications of people inhabiting, staying, or perchance passing by such places seems to fall short to the general argument of the Court. Especially, if collecting data based on such a geographical criterion is to be the rule. From the onset, it provides inadequate legal guarantees to the public affected to justify the “seriousness of the interference”, while not being a suitable mechanism “to identify a public whose data is likely to reveal a link, at least an indirect one, with serious criminal offences, and to contribute in one way or another to fighting serious crime or to preventing a serious risk to public security”. In the pertinent expression by Orla Lynskey: “Perhaps the only fly in the ointment […] is the Court’s seemingly uncritical endorsement of geographic […] profiling. It does this when it emphasises that there should be relationship between the data retained and the threat, for instance when the data pertains to a ‘geographic area’ […]. The ethical and social issues such profiling may entail would require further consideration. The Court appears to recognise this by suggesting that such profiling would need to be strictly evidence-based [but should] generalised retention measures be replaced by ad hoc location-based retention measures, the legality of the latter would itself be the subject of much controversy”.
Albeit it’s complex to find a balance where pre-emptive security is still helpful but does not excessively trump civil liberties, the safest approach would be for the Court to abstain from endorsing any given criterion. Otherwise, it interferes in the margin of appreciation of the Member States. Preferring the geographical criterion over others raises a number of concerns. It is, in fact, the easy choice and national authorities resort to it for organisational reasons, at an internal level. From the data subject’s perspective, nonetheless, being targeted on a systematic basis for residing in a specific zone might seem unjustified in a democratic society. In fact, it might even amount to a discrimination based on “ethnic or social origin”, depending on how the assessment is undertaken. And that is a negative discrimination prohibited by Art. 21, para. 1, of the Charter if not based on sufficient reasoning. What is more, these areas tend to have blurred boundaries, that can shift considerably over short periods of time. Even law enforcement often modifies them, potentially for simple logistic (if not political) reasons. As such, there is little legal certainty in a geographical criterion. Criminals move and relocate, defeating the purpose of such a standard for data retention – also when considering effectiveness, efficiency, and budget constraints. Moreover, there might not be a clear relation between the metadata produced in certain areas and the planning or, later on, the commission of any given serious crime. On the other hand, targeting a space for its prospective risk to security can be rooted on a bias assessment by the law enforcement.
In conclusion, it is unclear why the Court chose the geographical criterion and whether it should have done so at all. Firstly, choosing suitable criminal policies should be a matter of national legislation and law enforcement, not judiciary rulings. Secondly, the geographical criterion poses difficulties regarding the objectivity the Court was apparently aiming at and it might end up discriminating subjects on insufficient grounds.
* PhD researcher at the European University Institute, firstname.lastname@example.org.
 Court of Justice, judgment of 21 December 2016, joined cases C-203/15 and C-698/15, Tele2 Sverige [GC].
 Directive 2002/58/CE of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).
 Tele2 Sverige [GC], cit., para. 112.
 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
 Tele2 Sverige [GC], cit., para. 110.
 Ibid., para. 102.
 Ibid., para. 111.
 Even if local service providers were the norm, one would have to assume to be possible to rely on the geographic benchmark alone so that “general retention obligations could […] be compatible with EU law”. The CJEU seems to suggest “that using a geographical criterion is a way to calibrate the obligation as regards the public or persons concerned” but perhaps the doubt remains on whether it has “managed to clarify the distinction between general(ised) surveillance measures and targeted surveillance measures”, in the comments of S. Stalla-Bourdillon, The CJEU in Tele2 Sverige: are general(ised) data retention obligations incompatible with EU law?, in Peeb Beeb!, 4 January 2017, peepbeep.wordpress.com.
 With the city centre as the most referred location, at least for the commission of crimes. Although with no further criticism in this respect, cf. D. Kelleher, CJEU in Tele2 rules broad data retention laws invalid, raises questions for data transfer mechanisms, post-Brexit UK, in Iapp, 21 December 2016, iapp.org.