Utilizziamo cookies e tecnologie similari per migliorare l’esperienza all’interno del sito e offrire all’utente un servizio di maggior valore. I cookie presenti su questo sito sono cookie tecnici per garantire il funzionamento del sito e cookie analitici, anche di terze parti, utilizzati da noi e dai nostri partner per misurare le performance del Sito e capire i contenuti che vi interessano. Per accettare i cookie clicca «accetta i cookie analitici». Per rifiutare i cookie clicca «rifiuta i cookie analitici». Per maggiori informazioni ti invitiamo a leggere la nostra Cookie Policy.



The EU Court of Justice rules on the retention of traffic data

PrintMailRate-it
​​published on 27 April 2022 | reading time approx. 3 minutes

A few months after Italy reform on data retention, due to the Law Decree of 30 September 2021, n. 132 which amended Article 132 of Legislative Decree 196/2003, on April 5, 2022, the EU Court of Justice ruled again on data retention issue, because of the sentence issued as a result of the proceeding C-140/20.

The contest the issue raised in was a murder trial ended in 2015 with a life sentence issued by an Irish court that based its judgement on traffic and location data relating to telephone calls.

The defendant had challenged the use of such an evidence, arguing that the Communications (Retention of Data) Act of 2011, regulating the retention of traffic and/or location, and that enabled the Authorities to access the mentioned data, violated the rights accorded by Union law (EU Directive 2022/58 / EC) concerning the processing of personal data and the protection of privacy in the electronic communications sector. Therefore, the Court of Justice of the European Union was consulted by way of a preliminary ruling.
The Court of Justice was therefore called upon to state on the compatibility between Article 15 of Directive 58/2002 and local law allowing Member States to use data relating to traffic or location for crime prevention and protection of public safety reasons and, if so, under what conditions.

The mentioned Article 15, in paragraph 1, states that “Member States may adopt legislative measures to restrict the scope of the rights and obligations provided for in Article 5, Article 6, Article 8(1), (2), (3) and (4), and Article 9 of this Directive when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system, as referred to in Article 13(1) of Directive 95/46/EC. To this end, Member States may, inter alia, adopt legislative measures providing for the retention of data for a limited period justified on the grounds laid down in this paragraph. All the measures referred to in this paragraph shall be in accordance with the general principles of Community law, including those referred to in Article 6(1) and (2) of the Treaty on European Union.”.

As a result of the preliminary ruling procedure, in the judgment final provisions, the Court clarified that article 15, paragraph 1, of Directive 58/2002 operates as a limit to the local legislative power for it denies the possibility to introduce preventive measures involving, for the purposes of fighting crime or protecting public security, the generalized and undifferentiated storage of traffic data and location data.

Conversely, the Court stated that are in compliance with European law provisions aimed at introducing, for the same purposes of preventing offenses and protecting public safety, measures providing:
  • a) the targeted retention of traffic and location data which is limited, on the basis of objective and non-discriminatory factors, according to the categories of persons concerned or using a geographical criterion, for a period that is limited in time to what is strictly necessary, but which may be extended;
  • b) the general and indiscriminate retention of IP addresses assigned to the source of an internet connection for a period that is limited in time to what is strictly necessary;
  • c) the general and indiscriminate retention of data relating to the civil identity of users of electronic communications systems;
  • d) recourse to an instruction requiring providers of electronic communications services, by means of a decision of the competent authority that is subject to effective judicial review, to undertake, for a specified period of time, the expedited retention of traffic and location data in the possession of those service providers.

The Court has in any case clarified that these provisions must necessarily guarantee, by means of clear and precise rules that the retention of the data in question is subject to compliance with the relevant substantive and procedural conditions and that the persons concerned have effective guarantees against the risk of abuse.

In the judgement the Court specified that the competent authorities can adopt rapid measures for the retention of traffic and location data even during the early stages of investigations, if public safety is at risk.
However, the Court continues, the processing cannot be entrusted to the police without the intervention of the judicial authority.

The intervention of the Court of Justice did not therefore exclude the possibility for Member States to adopt preventive measures on the use of these data, provided that certain conditions and guarantees are respected.

 DATA PROTECTION BITES

CONTACT

Contact Person Picture

Flavia Salvatore

Senior Professional

+39 02 6328 841

Invia richiesta

 RÖDL & PARTNER ITALY

​Discover more about our offices in Italy. Read more »
Deutschland Weltweit Search Menu