104
BIG BROTHER WATCH AND OTHERS v. THE UNITED KINGDOM JUDGMENT
and thus, ultimately, to public security. However, it failed to satisfy the
requirement of proportionality.
226. Firstly, the directive covered, in a generalised manner, all persons
and all means of electronic communication as well as all traffic data without
any differentiation, limitation or exception being made in the light of the
objective of fighting against serious crime. It therefore entailed an
interference with the fundamental rights of practically the entire European
population. It applied even to persons for whom there was no evidence
capable of suggesting that their conduct might have a link, even an indirect
or remote one, with serious crime.
227. Secondly, the directive did not contain substantive and procedural
conditions relating to the access of the competent national authorities to the
data and to their subsequent use. By simply referring, in a general manner,
to serious crime, as defined by each Member State in its national law, the
directive failed to lay down any objective criterion by which to determine
which offences might be considered to be sufficiently serious to justify such
an extensive interference with the fundamental rights enshrined in Articles 7
and 8 of the Charter. Above all, the access by the competent national
authorities to the data retained was not made dependent on a prior review
carried out by a court or by an independent administrative body whose
decision sought to limit access to the data and their use to what was strictly
necessary for the purpose of attaining the objective pursued.
228. Thirdly, the directive required that all data be retained for a period
of at least six months, without any distinction being made between the
categories of data on the basis of their possible usefulness for the purposes
of the objective pursued or according to the persons concerned. The CJEU
concluded that the directive entailed a wide-ranging and particularly serious
interference with the fundamental rights enshrined in Articles 7 and 8 of the
Charter, without such an interference being precisely circumscribed by
provisions to ensure that it was actually limited to what was strictly
necessary. The CJEU also noted that the directive did not provide for
sufficient safeguards, by means of technical and organisational measures, to
ensure effective protection of the data retained against the risk of abuse and
against any unlawful access and use of those data.
(b) Tele2 Sverige AB v Post- och telestyrelsen and Secretary of State for the
Home Department v Tom Watson and Others (Cases C-203/15 and
C-698/15; ECLI:EU:C:2016:970)
229. In Secretary of State for the Home Department v. Watson
and Others, the applicants had sought judicial review of the legality of
section 1 of the Data Retention and Investigatory Powers Act 2014
(“DRIPA”), pursuant to which the Secretary of State could require a public
telecommunications operator to retain relevant communications data if he
considered it necessary and proportionate for one or more of the purposes