Since joining the European Union, Malta has been subject to the rules passed by the European institutions in Brussels and Maltese courts should also follow the decisions (preliminary rulings) handed down by the Court of Justice of the European Union (CJEU) in Luxembourg.

National courts of member states have the power to refer a case to the CJEU when the case relates to the interpretation or validity of an EU legislation. The Court of the member state will then adopt that interpretation when deciding the local case before it. So, by way of example, if a Court in Malta is faced with an issue threading on EU law, it may refer the point to the CJEU. The CJEU will then assist by interpreting the matter.

In 2021, there were 587 preliminary references submitted by national courts to the CJEU. Following a referral, the CJEU hands down its preliminary ruling. The CJEU does not itself apply EU law to a dispute brought by a referring court (National Court), as its role is only to help resolve it. Ultimately it is the role of the national court to draw conclusions from the CJEU’s preliminary ruling. It is important to highlight that preliminary rulings are binding both on the referring court (National court referring the case to the CJEU) and on all courts in member states.

An interesting decision by the CJEU (delivered on the 20th September 2022) related to the interpretation of the Privacy and Electronic Communications Directive 2002 with respect to the retention of electronic data of customers. Having national laws that oblige service providers to retain electronic data for the purposes of fighting crime is not something that should be taken lightly. This was the matter in the referral to the CJEU in Federal Republic of Germany vs SpaceNet AG and Telekom Deutschland GmbH.

German law obliges telecommunications providers in Germany to store traffic data of its customers to whom it provides internet access. SpacNet AG and Telekom Deutschland GmbH sought a declaration from the CJEU confirming that they are not obliged to store data traffic of its customers (end-users). SpaceNet and Telekom Deutschland provides publicly available internet access services in Germany.

In addition, Telekom Deutschland also provides publicly available telephone services in Germany. Both companies sought to challenge German law before the German Courts and in fact the Cologne Administrative Court (Verwaltungsgericht Köln) declared that SpaceNet AG and Telekom Deutschland were not obliged to store the aforementioned data relating to its users given that that retention obligation was contrary to EU law.

Consequently, the Federal Republic of Germany appealed and the Federal Administative Court in Germany referred the matter to the CJEU to establish whether that retention obligation was contrary to EU law.

In its considerations, the CJEU, held that first and foremost, measures taken by Member States must comply with the general principles of EU law, which include the principle of proportionality, and ensure respect for the fundamental rights guaranteed by the Charter.

The court observed that in previous judgements, such as in the Commissioner of An Garda Síochána and Others case, the CJEU had ruled that the obligation to retain traffic data to be readily available to the competent national authorities, raises compatability issues with the rights and freedoms of individuals as protected by the Charter of Fundamental Rights of the European Union.

In particular, such obligation could be incompatible with the respect for private and family life, protection of personal data and freedom of expression and information. The latter constitutes one of the essential foundations of a pluralist, democratic society.

The court explained that traffic and location data may reveal information on a significant number of aspects of the private life of persons, including sensitive information such as sexual orientation, political opinions, religious, philosophical, societal or other beliefs and state of health. Such data enjoys special protection under EU law.

Taken as a whole, such data may allow very precise conclusions to be drawn concerning the private lives of the persons concerned. As a result of such data, one would be able to ascertain the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by the persons whose data have been retained.

The retention obligation laid down by the German legislation applies to a very broad set of traffic and location data which in essence corresponds to practically the entire population without those persons being, even indirectly, in a situation liable to give rise to criminal prosecutions. The court argued that the German legislation at issue requires the general retention, without a reason, and without any distinction in terms of personal, temporal or geographical factors, of most traffic and location data. Thus such data retention obligation could never be regarded as a targeted retention of data.

Secondly, the court noted that a data retention obligation has to be limited in time. In the case of the German legislation, the periods of data retention were limited to four (4) weeks for location data and to ten (10) weeks for other data, notwithstanding these short periods, taken as a whole, the data retained may enable very precise conclusions to be drawn on the private life of the persons whose data have been retained and enables the possibility of establishing a profile of those persons.

The CJEU also noted that not all crime, even of a particularly serious nature, can be treated in the same way as a threat to national security. Such crime must have the capability of seriously destabilising the fundamental constitutional, political, economic or social structures of a country and, in particular, of directly threatening society, the population or the State itself, such as terrorist activities.

Therefore, on the basis of the aforestated reasons, the CJEU ruled that the Privacy and Electronic Communications Directive 2002 precludes national legislative measures which provide for the general and indiscriminate retention of data traffic and location data of its end-users.

Threat to national security

However, it does not preclude legislative measures that require providers of electronic communication services to retain general and indiscriminate traffic, location data or IP addresses or civil identity of users of electronic communications systems, in situations where the mMember state concerned is faced with a serious threat to national security.

The court went on to say that the national security threat has to be genuine and present or foreseeable and that the obligation to retain data has to be limited in time to what is strictly necessary.

Finally, the court held that such measures should be subject to an effective review either by a court or by an independent administrative body whose decision is final and binding. Such an effective review process is important to verify that the aforementioned conditions and safeguards are abided by and there is no risk for abuse.

This preliminary ruling serves as a warning to all EU member states, that electronic data gathering obligations with the excuse of fighting crime may be contrary to EU Law.

Dr Clive Gerada is an Associate at Azzopardi, Borg and Associates Advocates.

Sign up to our free newsletters

Get the best updates straight to your inbox:
Please select at least one mailing list.

You can unsubscribe at any time by clicking the link in the footer of our emails. We use Mailchimp as our marketing platform. By subscribing, you acknowledge that your information will be transferred to Mailchimp for processing.