CURIA - Documents
47 of 58
171
http://curia.europa.eu/juris/document/document_print.jsf?docid=2320...
As a preliminary point, it should be noted that the fact that, according to Article L. 851‑3 of the
CSI, the automated analysis that it provides for does not, as such, allow the users whose data is
being analysed to be identified, does not prevent such data from being classified as ‘personal data’.
Since the procedure provided for in point IV of that provision allows the person or persons
concerned by the data, the automated analysis of which has shown that there may be a terrorist
threat, to be identified at a later stage, all persons whose data has been the subject of automated
analysis can still be identified from that data. According to the definition of personal data in
Article 4(1) of Regulation 2016/679, information relating, inter alia, to an identifiable person
constitutes personal data.
Automated analysis of traffic and location data
172
It is clear from Article L. 851‑3 of the CSI that the automated analysis for which it provides
corresponds, in essence, to a screening of all the traffic and location data retained by providers of
electronic communications services, which is carried out by those providers at the request of the
competent national authorities applying the parameters set by the latter. It follows that all data of
users of electronic communications systems is verified if it corresponds to those parameters.
Therefore, such automated analysis must be considered as involving, for the providers of electronic
communications services concerned, the undertaking on behalf of the competent authority of
general and indiscriminate processing, in the form of the use of that data with the assistance of an
automated operation, within the meaning of Article 4(2) of Regulation 2016/679, covering all traffic
and location data of all users of electronic communications systems. That processing is independent
of the subsequent collection of data relating to the persons identified following that automated
analysis, such collection being authorised on the basis of Article L. 851‑3, IV, of the CSI.
173
National legislation authorising such automated analysis of traffic and location data derogates from
the obligation of principle, established in Article 5 of Directive 2002/58, to ensure the
confidentiality of electronic communications and related data. Such legislation also constitutes
interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter, regardless of
how that data is used subsequently. Finally, as was stated in the case-law cited in paragraph 118 of
the present judgment, such legislation is likely to have a deterrent effect on the exercise of freedom
of expression, which is enshrined in Article 11 of the Charter.
174
Moreover, the interference resulting from the automated analysis of traffic and location data, such
as that at issue in the main proceedings, is particularly serious since it covers, generally and
indiscriminately, the data of persons using electronic communication systems. That finding is all the
more justified given that, as is clear from the national legislation at issue in the main proceedings,
the data that is the subject of the automated analysis is likely to reveal the nature of the information
consulted online. In addition, such automated analysis is applied generally to all persons who use
electronic communication systems and, consequently, applies also to persons with respect to whom
there is no evidence capable of suggesting that their conduct might have a link, even an indirect or
remote one, with terrorist activities.
175
With regard to the justification for such interference, the requirement, established in Article 52(1)
of the Charter, that any limitation on the exercise of fundamental rights must be provided for by law
implies that the legal basis which permits that interference with those rights must itself define the
scope of the limitation on the exercise of the right concerned (see, to that effect, judgment of
16 July 2020, Facebook Ireland and Schrems, C‑311/18, EU:C:2020:559, paragraph 175 and the
case-law cited).
176
In addition, in order to meet the requirement of proportionality recalled in paragraphs 130 and 131
of the present judgment, according to which derogations from and limitations on the protection of
personal data must apply only in so far as is strictly necessary, national legislation governing the
access of the competent authorities to retained traffic and location data must comply with the
requirements that emerge from the case-law cited in paragraph 132 of the present judgment. In
2/15/2021, 4:58 PM