Burn After Reading is a black comedy spy movie by the Coen brothers. It could also be an extreme encapsulation of the core of data retention rules applicable to communications providers: data should only be kept for as long as:

  • There is an administrative need to keep it to carry out your business or support functions (e.g. billing); or
  • It is required to demonstrate compliance for audit purposes or for legislative requirements (e.g. in case of an order to intercept communications for law enforcement).

A recent judgment of the Court of Justice of the EU (CJEU) on the German data retention law offers a reminder that keeping data for longer than necessary is risky. The problem is that different data retention periods apply to different situations – there is no one-size fits all solution. This blog post offers our thoughts on the CJEU judgment and how to try to solve this problem with a practical compliance strategy.

CJEU Judgment on German Data Retention Law

SpaceNet and Telkom Deutschland, two communications providers in Germany, recently argued before the German Federal Administrative Court that national requirements to store traffic data breached the ePrivacy Directive, European Court of Human Rights (ECHR) and Treaty on European Union (TEU), and the matter was referred to the CJEU for a preliminary ruling.

The CJEU started by comparing this case with previous judgments in which the CJEU was called upon to determine the lawfulness of national data retention rules. The CJEU found that:

  1. Compared to Tele2 Sverige and Watson and Others, German law does not require the retention of all communications traffic data, and it excludes from its scope the content of communication and data relating to websites visited, etc.
  2. Compared La Quadrature du Net, where the retention period was one year; and Tele2 Sverige and Watson and Others, where the retention period for two years, German retention periods for data are stipulated as four weeks for location data and ten weeks for other data – however, the CJEU found that the German authorities can still make “precise conclusions” of the persons involved in the data being retained, and this could interfere with Articles 7 and 8 of the ECHR despite the referring court arguing the risk would be “at least considerably reduced” due to the shorter retention periods.
  3. Additionally, German data retention rules provide for strict limitations regarding the protection of retained data and access, and abuse of access. The retained data can only be used for fighting serious crime or prevention of a specific risk to a person’s physical integrity, life, or freedom.
  4. Any ruling that general and indiscriminate retention is incompatible with EU law would conflict with the Member States’ right to security as enshrined in Article 6 of the ECHR, as well as its ability to lay down legislation for the purposes of crime and public security which remains the sole responsibility of each Member State, under the EU subsidiarity principle.
  5. The referring court pointed to ECHR case law that held that Article 8 of the ECHR does not preclude national provisions where there are threats to national security regarding the interception of cross-border data flows.
  6. Finally, in La Quadrature du Net, the CJEU found that Article 15(1) of the ePrivacy Directive does preclude legislative measures in which provider “as a preventative measure, for the general and indiscriminate retention of traffic and location data”; but it does not preclude measures for the purposes of safeguarding national security, combatting serious crime and preventing serious threats to public security.

The CJEU sought to find a balance between the different interests and rights, as mentioned above, and held that measures that derogate from the principle of confidentiality must be “necessary, appropriate and proportionate” to be lawful. On this basis, the CJEU concluded that Article 15(1) of the ePrivacy Directive prohibits the adoption or application of national legislation that requires general and indiscriminate retention of traffic and location data subject to the following exceptions.

Crime Serious Crime Public Security National Security
Allow recourse to an instruction requiring providers of electronic communications services to retain, generally and indiscriminately, traffic and location data in situations where the Member State concerned is confronted with a serious threat to national security that is shown to be genuine and present or foreseeable, where the decision imposing such an instruction is subject to effective review, either by a court or by an independent administrative body whose decision is binding, the aim of that review being to verify that one of those situations exists and that the conditions and safeguards which must be laid down are observed, and where that instruction may be given only for a period that is limited in time to what is strictly necessary, but which may be extended if that threat persists; N N N Y
Provide for the targeted retention of traffic and location data which is limited, on the basis of objective and non-discriminatory factors, according to the categories of persons concerned or using a geographical criterion, for a period that is limited in time to what is strictly necessary, but which may be extended; N Y Y Y
Provide for the general and indiscriminate retention of IP addresses assigned to the source of an internet connection for a period that is limited in time to what is strictly necessary; N Y Y Y
Provide for the general and indiscriminate retention of data relating to the civil identity of users of electronic communications systems; Y N / not mentioned Y Y
Allow recourse to an instruction requiring providers of electronic communications services, by means of a decision of the competent authority that is subject to effective judicial review, to undertake, for a specified period of time, the expedited retention of traffic and location data in the possession of those service providers. N Y N Y

Comment

So, what are the practical implications for global communications businesses from a data retention compliance perspective? The risk from a corporate perspective of applying a single data retention period is that you breach privacy law where you retain it too long and fail to fulfil your data retention requirements for law enforcement purposes if you delete it too soon. In addition, the difference between data required for billing purposes (where a harmonized date may be possible) and the data required for law enforcement (e.g. location, which is generally not necessary for billing purposes but vital for law enforcement) further complicates the data design requirement.

In the past, communications companies were broadly keeping data for 12 months and justifying doing so with reference to billing. But regulators – in particular, privacy regulators – are paying more attention to this now, and there is a risk that excessive retention of data supposedly for billing purposes will lead to enforcement action. For example, given the very short retention period for German law enforcement and the strict requirement to limit data retention for billing purposes to that which is necessary for billing, and Germany’s long-standing close scrutiny of privacy issues, the risks here are not insubstantial.

Moreover, the application of the new EU Electronic Communications Code has expanded the definition of communications providers to include new digital communications, such as instant messaging apps and cloud services, thus extending by implication national data retention rules to all digital market players, including those who would previously not be subject to the ePrivacy Directive.

Our firm has developed extensive experience on these issues and regularly tracks the relevant data retention rules in all major jurisdictions globally. Based on our experience, we are able to define a data architecture which automates the process of complying with multiple national data retention rules. Data required for billing could be treated in a harmonized way and justified by objective argument. Data retained only to fulfil law enforcement obligations would then be “tagged” by country and automatically deleted to the timescale required by that company. If you would like to discuss in confidence how we can assist with your data retention requirements, please get in touch.