The Directive on privacy and electronic communications is applicable, in principle, when the providers of electronic communication services are obliged by law to retain the data of their subscribers and to allow the public authorities access to that data, irrespective of whether those obligations are imposed on national security grounds
The Court of Justice has in recent years given rulings on the retention of personal data and access to that data. That case-law, in particular the Tele Sverige and Watson judgment – in which the Court held that the Member States cannot impose on the providers of electronic communication services an obligation of general and indiscriminate retention of data – is a cause of concern for some Member States, who consider that they are deprived of an instrument they regard as necessary for the purposes of safeguarding national security and combating crime and terrorism.
That concern has been highlighted in four references for a preliminary ruling, sent by the Conseil d’État (Council of State, France) (Joined Cases C-511/18 and C-512/18, La Quadrature du Net and Others,), the Cour constitutionnelle de Belgique (Constitutional Court, Belgium) (Case C-520/18, Ordre des barreaux francophones et germanophone and Others) and the Investigatory Powers Tribunal (UK) (Case C-623/17, Privacy International). In those cases the primary issue is the problem of the application of the Directive on privacy and electronic communications to activities relating to national security and combatting terrorism.
In today’s Opinions on those references for a preliminary ruling, Advocate General Manuel Campos Sánchez-Bordona first dispels the doubts concerning the applicability of the Directive in that area. He states that the Directive excludes from its application activities that are aimed at safeguarding national security and are carried out by the public authorities on their own account, without requiring the cooperation of private parties and not, therefore, imposing obligations on the latter in relation to the management of their businesses. On the other hand, when the cooperation of private parties, on whom certain obligations are imposed, is required, even when that is on grounds of national security, that brings those activities into an area governed by EU law: the protection of privacy enforceable against those private actors. Accordingly, the Directive is applicable, in principle, where providers of electronic services are required by law to retain data belonging to their subscribers and to allow the public authorities to have access to such data, as in the cases under consideration, irrespective of whether those obligations are imposed on such providers for reasons of national security.
Further, the Directive empowers the Member States to adopt legislative measures which, in the interests of national security, affect the activities of individuals subject to the authority of those States by restricting their rights. The Advocate General states that limitations on the obligation to guarantee the confidentiality of communications and related traffic data must be interpreted strictly and with regard to the fundamental rights enshrined in the Charter.
Mr Campos Sánchez-Bordona proposes that the case-law of the Court of Justice laid down in the Tele2 Sverige and Watson judgment should be upheld, stressing that a general and indiscriminate retention of all traffic and location data of all subscribers and registered users is disproportionate. However, he recognises the usefulness of an obligation to retain data for the purposes of safeguarding national security and combating crime. Consequently, he recommends limited and discriminate retention (that is, the retention of specific categories of data that are absolutely essential for the effective prevention and control of crime and the safeguarding of national security for a determinate period adapted to each particular category, and limited access to that data (subject to: a prior review carried out either by a court or by an independent administrative authority; to the data subjects being notified – provided that does not jeoparise ongoing investigations –, and to the adoption of rules to avoid misuse of, and unlawful access to, that data. Nonetheless, the Advocate General adds that there is no reason why, in exceptional situations characterised by an imminent threat or an extraordinary risk warranting the official declaration of a state of emergency, national legislation should not make provision, for a limited period, for the possibility of imposing an obligation to retain data that is as extensive and general as is deemed necessary.
In response to the first of the doubts raised by the Conseil d’État, the Advocate General states that the Directive precludes the French legislation which, against a background of serious and persistent threats to national security, in particular the terrorist threat, imposes on operators and providers of electronic communications services the obligation to retain, in a general and indiscriminate fashion, the traffic and location data of all subscribers, as well as data that can be used to identify the creators of the content offered by the providers of those services. He states that, as recognised by the Conseil d’État itself, the obligation to retain data imposed by the French legislation is general and indiscriminate, and therefore is a particularly serious interference in the fundamental rights enshrined in the Charter. The Advocate General recalls that, in the Tele2 Sverige and Watson judgment, the Court rejected the possibiltiy of general and indiscriminate retention of personal data in the context of the fight against terrorism. The Advocate General maintains that the fight against terrorism must not be considered solely in terms of practical effectiveness, but in terms of legal effectiveness, so that its means and methods should be compatible with the requirements of the rule of law, under which power and strength are subject to the limits of the law and, in particular, to a legal order that finds in the defence of fundamental rights the reason and purpose of its existence. Further, the French legislation is again incompatible with the Directive in that it imposes no obligation to notify the data subjects of the processing of their personal data by the competent authorities, in order to ensure that those persons can exercise their right to effective judicial protection – other than when such notification jeopardises the actions of those authorities.
On the other hand, the Directive does not preclude national legislation which permits the real-time collection of traffic and location data of individuals, provided that those activities are carried out in accordance with established procedures for accessing legitimately retained personal data and are subject to the same safeguards.
In Case C-520/18, the Advocate General proposes that the Court of Justice should reply to the Cour constitutionnelle de Belgique that the Directive precludes legislation which, like the Belgian legislation, has as its objectives not only the fight against terrorism and serious crime, but also defence of the territory, public security, the investigation, detection and prosecution of less serious offences and, in general, any other objective provided for in Article 23(1) of Regulation 2016/69. 2 The reason is that, even though access to the data retained is subject to precisely prescribed safeguards, there is again imposed on the operators and providers of electronic communication services a general and indiscriminate obligation, which applies permanently and continuously, to retain traffic and location data that is processed in the course of the provision of those services, which is incompatible with the Charter.
As regards the question whether, in the event that national legislation is incompatible with EU law, its effects could be temporarily maintained, the Advocate General considers that a national court may, if its domestic law so permits, maintain the effects of legislation such as the Belgian legislation, on an exceptional and temporary basis, even where that legislation is incompatible with EU law, if maintaining those effects is justified by overriding considerations relating to threats to public security or national security that cannot be addressed by other means or other alternatives, but only for as long as is strictly necessary to correct the incompatibility with EU law.
Last, in Case C-623/17 the issue to be determined is whether national legislation is compatible with the Directive when it imposes on a provider of electronic communications networks the obligation to supply to the UK Security and Intelligence Agencies bulk communications data after general and indiscriminate collection. The Advocate General considers that, notwithstanding Article 4 TEU – under which national security is the exclusive responsibility of each Member State – the Directive precludes the UK legislation.
 Joined Cases C-293/12 Digital Rights Ireland and Others and C-594/12 Seitlinger and Others, in which the Court declared the invalidity of Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (OJ 2006 L 105, p. 54). The Court held that that directive permitted disproportionate interference in the right to respect for private and family life and the right to protection of personal data, recognised by the Charter of Fundamental Rights of the European Union (‘the Charter’) (see Press Release No 54/2014). Joined Cases C-203/15 Tele2 Sverige and C-698/15 Watson and Others, in which the Court interpreted Article 15(1) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ 2002 L 201, p. 37)(‘the Directive’). That article permits the Member States ― on the grounds of, inter alia, protection of national security ― to adopt ‘legislative measures’ to restrict the scope of certain rights and obligations provided for in the Directive (see Press Release No 145/16). Case, C-207/16 Ministerio Fiscal, which confirmed that interpretation (see Press Release No 141/18).
 Regulation 2016/69 (EU) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1).