EU: Member State data retention regimes - what's changed? The answer is very little

Support our work: become a Friend of Statewatch from as little as £1/€1 per month.

Member State data retention regimes - what's changed? The answer is very little so far
Follow us: | | Tweet

The mass data retention across EU Member States was declared unlawful in 2014 by the ECJ saying it had been so since the day it was adopted in 2006. Since then a second case in 2016 confirmed the court's findings. Any rational person might have asked what has been the response of the Commission, which is responsible for upholding the rule of law, over the past 3 years?

See: 2014: "Digital Rights Ireland and Seitlinger and others": The Court of Justice declared the Data Retention Directive to be invalid (Press release, pdf) and Judgment (pdf) and in December 2016: Watson/Tele2 Sverige AB case: The Members States may not impose a general obligation to retain data on providers of electronic communications services (Press release, pdf) and Full-text of CJEU judgment (pdf).

A review by Eurojust summarises current national laws and the observations of law enforcement agencies (LEAs) in answer to a questionnaire: Data retention regimes in Europe in light of the CJEU ruling of 21 December 2016 in Joined Cases C-203/15 and C-698/15 - Report (LIMITE doc no:10098-17, pdf). [1] At the outset the report says:

"For the sake of this questionnaire, the term ‘data retention’ applies to non-content data (subscriber information, traffic, location and other transactional data) retained by Internet Service Providers (ISPs)." [ie: metadata]

Mandatory data retention regimes

"three types of legal regimes emerge from the replies:

- The vast majority of the countries do not have targeted data retention rules within the categories of location/traffic data, users/subscribers, and means of communication (internet/telephone).

- One country (DE) reported that it excludes some targeted users/subscribers from the retention obligation in the legislation that is to come into force in July 2017, as is the situation for (...) data pertaining to telephone connections to and from persons, public authorities or organisations in the social or the church domain that offer anonymous counselling as well as (...) data about websites being visited or regarding e-mail. This legislative model approaches the targeting criterion detailed in the CJEU judgement, but differs in so far as it stipulates data that may not be retained from a particular category of users/subscribers as opposed to targeting specific data to be retained.

- Finally, some countries (AT, NL, RO, SI, SK) reported that they do not have data retention laws for law enforcement purposes only, following the annulment of their previous laws by their constitutional/high courts in accordance with the DRD judgement. As a result, they all reported using data collected by private operators for business or/and commercial purposes. The questionnaire did not address the retention scheme in this context."

Judicial review

"The vast majority of the respondents (23) outline that a judicial review is required, prior to or after the request for access has been made. In most countries, prior authorisation/judicial review is required before access is granted to law enforcement (LEA). This review takes the form of a court order/order of an investigative judge, or an order by a prosecutor (...)

Two countries (BE and DE) reported restrictions regarding the access to data related to professions enjoying privileged communications (e.g.: lawyers, journalists, doctors)."

Impact of CJEU ruling

"The effect of the CJEU ruling on the availability and admissibility of evidence gathered from ISPs is or will consequently also be noticeable in the area of cross-border judicial cooperation in criminal investigations.

Both the ability of authorities to provide data to other countries upon their request as well as the possibility to receive and use data gathered from other countries, could potentially be affected by the CJEU ruling."


"The data retention legislative framework has either been changed, is currently being reviewed and/or has been subject to developing judicial precedent in a significant number of countries. With so many countries currently reviewing their domestic legislation to design data retention regimes that meet the requirements of the judgement, and so many variables at play, the potential for continued legislative disharmony within in the European Union is considerable."

Annex 1 contains useful national responses to the Questionnaire (pp.14-23).

Council Presidency Note

The Presidency has circulated a Note to Member States which is largely devoted to exploring how they can work around the court judgments: Retention of communication data for the purpose of prevention and prosecution of crime - specific elements in light of the ECJ case-law = exchange of views (LIMITE doc no: 13845-17, pdf).

The CJEU was clear the collection of data has to be restricted to and targeted on terrorism and serious crime if it is to meet the test of proportionality. This Note appears to want any changes to apply to crime as a whole.

Further reading

Council calls in the "experts" to try and get round the law (Statewatch)


[1] Previous: Eurojust’s analysis of EU Member States’ legal framework and current challenges on data retention (LIMITE doc no:13085-15, dated 26 October 2015, pdf)

Search our database for more articles and information or subscribe to our mailing list for regular updates from Statewatch News Online.

Our work is only possible with your support.
Become a Friend of Statewatch from as little as £1/€1 per month.


Spotted an error? If you've spotted a problem with this page, just click once to let us know.

Report error