The European Commission made it clear on September 16, 2015, that the issue of whether to introduce national data retention laws is a national decision. The European Commission has no intention of going back on this statement or reopening old discussions. In the absence of EU rules, Member States are free to maintain their current data retention systems or set up new ones, provided, of course, that they comply with basic principles under EU law, such as those contained in the ePrivacy Directive.

The previous Data Retention Directive was adopted in the context of the terrorist attacks in London and in Madrid that made it crucial to harmonize national provisions regarding data retention for the purpose of prevention, investigation, detection and prosecution of criminal offences. The directive required telecommunication and Internet service providers to retain traffic and location data, as well as related data to identify the user, for up to two years, and to provide it to law enforcement and security agencies on request. However, it did not permit the retention of the content of the communication.

The European Court of Justice invalidated the above-mentioned directive in April 2014 on the grounds that the blanket retention of data constituted an unjustified infringement of the fundamental rights to privacy and protection of personal data. The court took the view that the directive pursued legitimate aims, namely the fight against serious crime and the general objective of public security, but was not limited to what is strictly necessary.

According to the court’s recommendations, such legislation should, to name but a few: require a link between the retention of data and a threat to public safety; provide some exceptions for persons whose communications are subject to the obligation of professional secrecy; be limited to a particular time period, geographical zone or circle of people likely to be involved in a serious crime; and, most of all, establish a prior review carried out by a court or by an independent administrative body for limiting access to the data collected, to what is strictly necessary for the purpose of attaining the objective pursued.

Since the invalidation of the directive, most European countries have annulled on the same grounds their national laws that implemented the directive’s provisions. However, France departs from the general orientation as, instead of invalidating its current data retention law, it is currently proposing a new surveillance law that is already the subject of massive public criticism for not taking into account the requirements set out by the European Court of Justice. The most controversial provision is one that permits intelligence agencies to analyze all traffic and log data to identify potential terrorist threats, whereas the Court of Justice said the retention of traffic data involving the entire population is a disproportionate infringement of privacy.

By contrast, several countries − among them, Germany, Belgium and the Netherlands − after the invalidation of their national laws, are also proposing new legislation on data retention but appear to be more careful to conform to the recent European requirements on the matter. At this point, however, none of them has been enacted into law.

For more information on the data retention directive, please refer to our prior post, The Court of Justice of the EU Declares Invalid the Data Retention Directive 2006/24.