In a landmark ruling, the European Court of Justice (ECJ) has clarified the possibilities for member states to Data retention significantly expanded. How far the boundaries have been pushed.
Data retention does not necessarily encroach on fundamental rights
As recently as 2016, the ECJ ruled in principle that the Data retention declared incompatible with EU fundamental rights (C-203/15). In 2020, the principles have already been watered down: the Data retention may now be used against severe Criminal offenses can be used.
With the current ruling, the ECJ goes one step further. The judges decide "that the general and indiscriminate retention of IP addresses does not necessarily constitute a serious interference with fundamental rights."
Link tip: ECJ judgment C 470/21
The Court added that "EU law does not preclude national legislation which allows the competent national authority to identify a person suspected of having committed a criminal offense for the sole purpose of doing so."
In fact, the ECJ means: every possible criminal offense - and in this specific case, the prosecution of copyright infringements.
Data retention also permitted for copyright infringements
The present proceedings concerned the legality of the actions of the French authority "Hadopi". Hadopi takes targeted action against copyright infringements on the Internet. By decree, Hadopi is authorized to trace the identity of illegal file sharers via the IP address to investigate. For the first two infringements, the illegal file sharers initially "only" receive a warning. Each further Infringement can be prosecuted under criminal law.
After the four French civil rights organizations La Quadrature du Net (LQDN), Fédération des fournisseurs d'accès à Internet associatifs, Franciliens.net and French Data Network brought an action against the decree, the French state asked the ECJ whether this kind of Data retention is compatible with Union law.
According to the ECJ ruling, Member States may impose an obligation on internet access providers to retain IP addresses generally and indiscriminately if they Criminal offenses want to pursue.
"If such access to IP addresses were not granted, there would be a real risk of systemic impunity of Criminal offensesthat are committed online or whose commission or preparation is facilitated by the characteristics of the Internet," the judges added in their decision.
However, the ECJ restricts: such storage must not allow precise conclusions to be drawn about the private life of the person concerned. To ensure this, national regulations must provide for the separation of different categories of personal data. Internet access providers must therefore only be able to find out the identity of the suspect from the stored data record - even after this ruling, no more is permitted.
What is data retention?
With the Data retention telecommunications and Internet providers are obliged to provide certain Traffic data of its users for a certain period of time. This data includes, among other things
- Telephone connections: Who called whom and when (phone numbers, time and duration of the call).
- Internet use: Which IP addresses were used, which websites were visited and when.
- E-mail traffic: Sender and recipient of e-mails, time and date of communication.
- Location data: Where cell phones are or have been located (e.g. through cell phone cells).
The stored data may be used by law enforcement authorities and intelligence services for the investigation and prevention of Criminal offenses can be used.
German 
English 
Italian 
French