ECJ ruling on data retention

In a landmark ruling, the European Court of Justice (ECJ) has significantly extended the possibilities for member states to retain data.

How far have the boundaries been pushed?

Data retention does not necessarily encroach on fundamental rights

As recently as 2016, the ECJ declared data retention incompatible with EU fundamental rights in a landmark ruling (C-203/15). By 2020, those principles had already been softened: since then, data retention may be used against serious crimes.

With the current ruling, the ECJ goes one step further. The judges held "that the general and indiscriminate retention of IP addresses does not necessarily constitute a serious interference with fundamental rights."

Link tip: ECJ judgment C-470/21

The Court added that "EU law does not preclude national legislation which allows the competent national authority to identify a person suspected of having committed a criminal offense for the sole purpose of doing so."

In effect, the ECJ means any possible criminal offense, and in this specific case the prosecution of copyright infringements.

Data retention also permitted for copyright infringements

The present proceedings concerned the legality of the actions of the French authority "Hadopi". Hadopi takes targeted action against copyright infringements on the internet. By decree, Hadopi is authorized to determine the identity of illegal file sharers via their IP address. For the first two infringements, the illegal file sharers initially "only" receive a warning. Any further infringement can be prosecuted.

After the four French civil rights organizations La Quadrature du Net (LQDN), Fédération des fournisseurs d'accès à Internet associatifs, and French Data Network filed a lawsuit against the decree, the French state asked the ECJ whether this type of data retention is compatible with EU law.

According to the ECJ ruling, Member States may impose a general and indiscriminate obligation on internet access providers to retain IP addresses if they wish to prosecute criminal offenses.

"Moreover, if such access to IP addresses were not granted, there would be a real risk of systemic impunity for criminal offenses committed online or whose commission or preparation is facilitated by the characteristics of the Internet," the judges added in their decision.

However, the ECJ sets a limit: such storage must not allow precise conclusions to be drawn about the private life of the person concerned. To ensure this, national regulations must provide for the separation of different categories of personal data. Internet access providers must therefore only be able to find out the identity of the suspect from the stored data record; even after this ruling, nothing more is permitted.

What is data retention?

With data retention, telecommunications and internet providers are obliged to store certain traffic data of their users for a certain period of time. This data includes, among other things:

  • Telephone connections: Who called whom and when (phone numbers, time and duration of the call).
  • Internet use: Which IP addresses were used, which websites were visited and when.
  • E-mail traffic: Sender and recipient of e-mails, time and date of communication.
  • Location data: Where cell phones are or have been located (e.g. via mobile network cells).


The stored data can be used by law enforcement agencies and intelligence services to investigate and prevent criminal offenses.
