26
CENTRUM FÖR RÄTTVISA v. SWEDEN JUDGMENT
minimum safeguards, so that the persons whose data has been retained have sufficient
guarantees of the effective protection of their personal data against the risk of misuse.
That legislation must, in particular, indicate in what circumstances and under which
conditions a data retention measure may, as a preventive measure, be adopted, thereby
ensuring that such a measure is limited to what is strictly necessary. ...
110. Second, as regards the substantive conditions which must be satisfied by
national legislation that authorises, in the context of fighting crime, the retention, as a
preventive measure, of traffic and location data, if it is to be ensured that data
retention is limited to what is strictly necessary, it must be observed that, while those
conditions may vary according to the nature of the measures taken for the purposes of
prevention, investigation, detection and prosecution of serious crime, the retention of
data must continue nonetheless to meet objective criteria, that establish a connection
between the data to be retained and the objective pursued. In particular, such
conditions must be shown to be such as actually to circumscribe, in practice, the
extent of that measure and, thus, the public affected.
111. As regard the setting of limits on such a measure with respect to the public and
the situations that may potentially be affected, the national legislation must be based
on objective evidence which makes it possible to identify a public whose data is likely
to reveal a link, at least an indirect one, with serious criminal offences, and to
contribute in one way or another to fighting serious crime or to preventing a serious
risk to public security. Such limits may be set by using a geographical criterion where
the competent national authorities consider, on the basis of objective evidence, that
there exists, in one or more geographical areas, a high risk of preparation for or
commission of such offences.
112. Having regard to all of the foregoing, ... Article 15(1) of Directive 2002/58,
read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter, must be
interpreted as precluding national legislation which, for the purpose of fighting crime,
provides for the general and indiscriminate retention of all traffic and location data of
all subscribers and registered users relating to all means of electronic
communication.”
The CJEU also examined a question by the Court of Appeal (England &
Wales) (Civil Division) as to whether, in the Digital Rights judgment, the
Court had interpreted Article 7 or 8 of the Charter in such a way as to
expand the scope conferred on Article 8 of the Convention by the European
Court of Human Rights. The CJEU stated:
“127. As a preliminary point, it should be recalled that, whilst, as Article 6(3) [of
the Treaty on European Union] confirms, fundamental rights recognised by the
[Convention] constitute general principles of EU law, the [Convention] does not
constitute, as long as the European Union has not acceded to it, a legal instrument
which has been formally incorporated into EU law ... .
128. Accordingly, the interpretation of Directive 2002/58, which is at issue in this
case, must be undertaken solely in the light of the fundamental rights guaranteed by
the Charter ... .
129. Further, it must be borne in mind that the explanation on Article 52 of the
Charter indicates that paragraph 3 of that article is intended to ensure the necessary
consistency between the Charter and the [Convention], ‘without thereby adversely
affecting the autonomy of Union law and ... that of the Court of Justice of the
European Union’ (judgment of 15 February 2016, N., C-601/15 PPU, EU:C:2016:84,