CENTRUM FÖR RÄTTVISA v. SWEDEN JUDGMENT
agencies for the purpose of safeguarding national security fell within the
scope of the Directive on privacy and electronic communications. The
interpretation of that Directive had to take account of the right to privacy,
guaranteed by Article 7 of the Charter, the right to protection of personal
data, guaranteed by Article 8, and the right to freedom of expression,
guaranteed by Article 11. Limitations on the exercise of those rights had to
be provided for by law, respect the essence of the rights, and be
proportionate, necessary, and genuinely meet the objectives of general
interest recognised by the European Union or the need to protect the rights
and freedoms of others. Furthermore, limitations on the protection of
personal data must apply only in so far as is strictly necessary; and in order
to satisfy the requirement of proportionality, the legislation must lay down
clear and precise rules governing the scope and application of the measure
in question and imposing minimum safeguards, so that the persons whose
personal data are affected have sufficient guarantees that data will be
protected effectively against the risk of abuse.
128. In the opinion of the CJEU, national legislation requiring providers
of electronic communications services to disclose traffic data and location
data to the security and intelligence agencies by means of general and
indiscriminate transmission – which affected all persons using electronic
communications services – exceeded the limits of what was strictly
necessary and could not be considered to be justified as required by the
Directive on privacy and electronic communications read in light of the
Charter.
129. However, in La Quadrature du Net and Others the CJEU
confirmed that while the Directive on privacy and electronic
communications, read in light of the Charter, precluded legislative measures
which provided for the general and indiscriminate retention of traffic and
location data, where a Member State was facing a serious threat to national
security that proved to be genuine and present or foreseeable, it did not
preclude legislative measures requiring service providers to retain, generally
and indiscriminately, traffic and location data for a period limited to what
was strictly necessary, but which could be extended if the threat persisted.
For the purposes of combating serious crime and preventing serious threats
to public security, a Member State could also provide - if it was limited in
time to what was strictly necessary - for the targeted retention of traffic and
location data, on the basis of objective and non-discriminatory factors
according to the categories of person concerned or using a geographical
criterion, or of IP addresses assigned to the source of an Internet connection.
It was also open to a Member State to carry out a general and indiscriminate
retention of data relating to the civil identity of users of means of electronic
communication, without the retention being subject to a specific time limit.
130. Furthermore, the Directive on privacy and electronic
communications, read in light of the Charter, did not preclude national rules
37