CURIA - Documents
35 of 58
http://curia.europa.eu/juris/document/document_print.jsf?docid=2320...
question must comply with, inter alia, national constitutional law and the requirements of the
ECHR.
104
It follows from the foregoing considerations that national legislation which requires providers of
electronic communications services to retain traffic and location data for the purposes of protecting
national security and combating crime, such as the legislation at issue in the main proceedings, falls
within the scope of Directive 2002/58.
Interpretation of Article 15(1) of Directive 2002/58
105
It should be noted, as a preliminary point, that it is settled case-law that, in interpreting a provision
of EU law, it is necessary not only to refer to its wording but also to consider its context and the
objectives of the legislation of which it forms part, and in particular the origin of that legislation
(see, to that effect, judgment of 17 April 2018, Egenberger, C‑414/16, EU:C:2018:257,
paragraph 44).
106
As is apparent from, inter alia, recitals 6 and 7 thereof, the purpose of Directive 2002/58 is to
protect users of electronic communications services from risks for their personal data and privacy
resulting from new technologies and, in particular, from the increasing capacity for automated
storage and processing of data. In particular, that directive seeks, as is stated in recital 2 thereof, to
ensure that the rights set out in Articles 7 and 8 of the Charter are fully respected. In that regard, it
is apparent from the Explanatory Memorandum of the Proposal for a Directive of the European
Parliament and of the Council concerning the processing of personal data and the protection of
privacy in the electronic communications sector (COM (2000) 385 final), which gave rise to
Directive 2002/58, that the EU legislature sought to ‘ensure that a high level of protection of
personal data and privacy will continue to be guaranteed for all electronic communications services
regardless of the technology used’.
107
To that end, Article 5(1) of Directive 2002/58 enshrines the principle of confidentiality of both
electronic communications and the related traffic data and requires, inter alia, that, in principle,
persons other than users be prohibited from storing, without those users’ consent, those
communications and that data.
108
As regards, in particular, the processing and storage of traffic data by providers of electronic
communications services, it is apparent from Article 6 and recitals 22 and 26 of Directive 2002/58
that such processing is permitted only to the extent necessary and for the time necessary for the
marketing and billing of services and the provision of value added services. Once that period has
elapsed, the data that has been processed and stored must be erased or made anonymous. As regards
location data other than traffic data, Article 9(1) of that directive provides that that data may be
processed only subject to certain conditions and after it has been made anonymous or the consent of
the users or subscribers has been obtained (judgment of 21 December 2016, Tele2, C‑203/15 and
C‑698/15, EU:C:2016:970, paragraph 86 and the case-law cited).
109
Thus, in adopting that directive, the EU legislature gave concrete expression to the rights enshrined
in Articles 7 and 8 of the Charter, so that the users of electronic communications services are
entitled to expect, in principle, that their communications and data relating thereto will remain
anonymous and may not be recorded, unless they have agreed otherwise.
110
However, Article 15(1) of Directive 2002/58 enables the Member States to introduce exceptions to
the obligation of principle, laid down in Article 5(1) of that directive, to ensure the confidentiality
of personal data, and to the corresponding obligations, referred to, inter alia, in Articles 6 and 9 of
that directive, where such a restriction constitutes a necessary, appropriate and proportionate
measure within a democratic society to safeguard national security, defence and public security, and
the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use
of the electronic communication system. To that end, Member States may, inter alia, adopt
legislative measures providing for the retention of data for a limited period justified on one of those
2/15/2021, 4:58 PM