CURIA - Documents
39 of 58
http://curia.europa.eu/juris/document/document_print.jsf?docid=2320...
Directive 2002/58 provides that the Member States may adopt a measure derogating from the
principle that communications and the related traffic data are to be confidential where such a
measure is ‘necessary, appropriate and proportionate … within a democratic society’, in view of the
objectives set out in that provision. Recital 11 of that directive specifies that a measure of that
nature must be ‘strictly’ proportionate to the intended purpose.
130
In that regard, it should be borne in mind that the protection of the fundamental right to privacy
requires, according to the settled case-law of the Court, that derogations from and limitations on the
protection of personal data must apply only in so far as is strictly necessary. In addition, an
objective of general interest may not be pursued without having regard to the fact that it must be
reconciled with the fundamental rights affected by the measure, by properly balancing the objective
of general interest against the rights at issue (see, to that effect, judgments of 16 December 2008,
Satakunnan Markkinapörssi and Satamedia, C‑73/07, EU:C:2008:727, paragraph 56; of
9 November 2010, Volker und Markus Schecke and Eifert, C‑92/09 and C‑93/09, EU:C:2010:662,
paragraphs 76, 77 and 86; and of 8 April 2014, Digital Rights, C‑293/12 and C‑594/12,
EU:C:2014:238, paragraph 52; Opinion 1/15 (EU-Canada PNR Agreement) of 26 July 2017,
EU:C:2017:592, paragraph 140).
131
Specifically, it follows from the Court’s case-law that the question whether the Member States may
justify a limitation on the rights and obligations laid down, inter alia, in Articles 5, 6 and 9 of
Directive 2002/58 must be assessed by measuring the seriousness of the interference entailed by
such a limitation and by verifying that the importance of the public interest objective pursued by
that limitation is proportionate to that seriousness (see, to that effect, judgment of 2 October 2018,
Ministerio Fiscal, C‑207/16, EU:C:2018:788, paragraph 55 and the case-law cited).
132
In order to satisfy the requirement of proportionality, the legislation must lay down clear and
precise rules governing the scope and application of the measure in question and imposing
minimum safeguards, so that the persons whose personal data is affected have sufficient guarantees
that data will be effectively protected against the risk of abuse. That legislation must be legally
binding under domestic law and, in particular, must indicate in what circumstances and under which
conditions a measure providing for the processing of such data may be adopted, thereby ensuring
that the interference is limited to what is strictly necessary. The need for such safeguards is all the
greater where personal data is subjected to automated processing, particularly where there is a
significant risk of unlawful access to that data. Those considerations apply especially where the
protection of the particular category of personal data that is sensitive data is at stake (see, to that
effect, judgments of 8 April 2014, Digital Rights, C‑293/12 and C‑594/12, EU:C:2014:238,
paragraphs 54 and 55, and of 21 December 2016, Tele2, C‑203/15 and C‑698/15, EU:C:2016:970,
paragraph 117; Opinion 1/15 (EU-Canada PNR Agreement) of 26 July 2017, EU:C:2017:592,
paragraph 141).
133
Thus, legislation requiring the retention of personal data must always meet objective criteria that
establish a connection between the data to be retained and the objective pursued (see, to that effect,
Opinion 1/15 (EU-Canada PNR Agreement) of 26 July 2017, EU:C:2017:592, paragraph 191 and
the case-law cited, and judgment of 3 October 2019, A and Others, C‑70/18, EU:C:2019:823,
paragraph 63).
–
Legislative measures providing for the preventive retention of traffic and location data for the
purpose of safeguarding national security
134
It should be observed that the objective of safeguarding national security, mentioned by the
referring courts and the governments which submitted observations, has not yet been specifically
examined by the Court in its judgments interpreting Directive 2002/58.
135
In that regard, it should be noted, at the outset, that Article 4(2) TEU provides that national security
remains the sole responsibility of each Member State. That responsibility corresponds to the
2/15/2021, 4:58 PM