The Long and Winding Road
The Data Retention Discipline in the European Union Between Judicial Intervention and Legislative Resistance
The April 30, 2024 judgements of the Court of Justice of the EU (CJEU) mark another key moment in the complex and long-lasting legal debate on mass data retention in the European Union. Starting from the analysis of these decisions, in this blogpost I will show that, notwithstanding the CJEU’s constant intervention and its efforts to map out a clear path towards a balance point between security needs and fundamental rights protection, the direction still appears confused. Moreover, the fragmented roads taken by Member States do not seem to converge on a final common destination. In this context, the Italian case represents a paradigmatic example of a persistent misalignment between the principles and requirements established by the CJEU caselaw on data retention and the legislative solutions adopted at the national level. This ultimately demonstrates the need for a decisive intervention by EU legislators, able to draw the future path of data retention regimes.
In fact, after the turning point determined by the Digital Rights Ireland decision invalidating the 2006 Data Retention Directive, the only EU law provision addressing retention and access to metadata is Art. 15 of the e-Privacy Directive. This vague and vast discipline allows Member States to implement national legislation imposing the retention, for a specific time period, of communications data. This exception to the general obligation to delete or anonymize metadata is allowed when it constitutes a “necessary, appropriate and proportionate measure within democratic society” to safeguard national and public security, including the investigation and prosecution of criminal offenses.
Adapting the words of the splendid and melancholic Beatles song referred to in the headline, the cited provision and its interpretation in national contexts paved the way for the long and winding road of the data retention regime, which has always led Member States to the door of the CJEU.
The CJEU road: the direction set by the judgement from April 30, 2024
The April 30, 2024 decision in the so-called La Quadrature du Net II case (C-470/21) dealt, once again, with a preliminary ruling requested by the French Conseil d’État. It concerned, in particular, the interpretation of Art. 15 ePrivacy Directive, read in the light of the Nice Charter, regarding a peculiar category of metadata deriving from electronic communications: IP addresses and civil identity data on users. Reaffirming its previous caselaw, in particular in La Quadrature du Net and HK v. Prokuratuur, the CJEU emphasized that the more serious the interference of a data retention measure with fundamental rights is, the more important the pursued aims must be, specifically national security or combating serious crime. The Court went even further and outlined its requirements in detail. Depending on the category of data concerned as well as on the retention arrangements, the interference could be classified as limited and, thus, not require a serious purpose for its justification. This is the most innovative part of the decision: the judges entered not only into legal but also into IT technicalities by demanding that national rules ensure that IP addresses and civil identity data are kept “watertight” separated “by means of a secure and reliable computer system” (para. 87), and that they provide for a regular review by a third-party authority (para. 126). With these safeguards in place, a general and indiscriminate retention of these specific data categories does not allow precise conclusions to be drawn about the private life of the persons in question (para. 92): since it does not constitute a serious interference, the bulk retention of IP addresses could therefore also be imposed for the purpose of combating criminal offences in general.
This interpretation seems to dampen the strong rejection of bulk data retention expressed in the groundbreaking 2014 decision. Nonetheless, a closer look could reveal not a backtrack but, rather, a new step in a continuous process of refining the route and detailing the balancing exercise. The precise preliminary questions referred by Member States allowed the Court to apply the necessity and proportionality principles to heterogeneous contexts and to better explain the initial jurisprudence. This seems to be confirmed by the increasingly in-depth differentiations the CJEU proposed in its recent caselaw between national security and public security purposes, but also between targeted and bulk retention; quick freeze and general and indiscriminate retention; location data and IP addresses; serious and general criminal offenses.
The described approach can also be identified in another decision, delivered on the same day as the C-470/21 decision and focused more on the procedural guarantees concerning access to metadata: the C-178/22 case. This judgement is based on the request for a preliminary ruling from the Tribunal of Bolzano (the first one concerning data retention coming from Italy and concluding with a CJEU decision). Here, the Court reaffirms that, considering the allocation of competences, the definition of crimes’ “seriousness” is in principle left to Member States. However, while they can consider social realities and specificities, the perimeter of “serious offenses” must comply with Art. 15 ePrivacy Directive (read in light of the Charter). This provision thus cannot be distorted by rendering the seriousness requirement “largely meaningless”, so that “access to data becomes the rule rather than the exception”. This important safeguard is confirmed by an additional guarantee: the prior review by a court or an independent administrative body. In fact, these authorities should maintain the power to refuse access to data if, in actual fact and notwithstanding the definition established by national law, the offence is manifestly not serious. This discretionary power ensures a more effective prior review, which could take into account the specific case and “the societal conditions prevailing in the Member States”.
These two judgements form part of what can be defined as a gradual “constitutionalization” path of mass surveillance elaborated by the CJEU. This path aims at translating core constitutional principles into the data retention discipline and at introducing limits and safeguards. Nonetheless, the outlined road is not immune to criticism: the Court decisions suffer from the specificities of the single case evaluated and the questions referred by national courts, as well as from the vagueness – and the possible different interpretations – of some affirmations and requirements (e.g. how can we determine if the guarantees ensured make it “excessively difficult to identify effectively the perpetrator of a criminal offence”, as the judges said?). Moreover, the very fragmented responses adopted by Member States to the CJEU caselaw could concretely impinge on the effectiveness of the Court’s efforts. The Italian example represents an interesting case study.
The Italian road: an inevitable shortcut?
The CJEU jurisprudence opened a reform debate in several Member States (i.e. Belgium, Germany, UK – before Brexit), leading them to reconsider national data retention and access regimes. Nonetheless, in Italy the political and judicial dialogue was almost non-existent. Italian courts mainly adopted “reassuring” interpretations of the supranational jurisprudence, with the purpose of preserving the admissibility of relevant evidence in criminal proceedings. Only in recent times, particularly after the HK v. Prokuratuur decision, did legislative and judicial attention to the compliance of internal provisions with EU law – and particularly with CJEU principles – finally take off. In 2021, the Parliament approved significant modifications to Art. 132 of the Privacy Code. This controversial Article governs the retention obligation imposed on service providers as well as the access to metadata for security and investigative purposes. The 2021 reform introduced for the first time the judge’s prior authorization for accessing metadata and the definition of serious crimes legitimizing access by law enforcement authorities (offences punishable under national law by a maximum term of imprisonment of at least three years). Notwithstanding the introduction of more profound and unprecedented safeguards, the Bolzano Tribunal raised doubts about the compatibility of such provisions with EU law, considering: i) that the threshold of “seriousness” also covered offences causing limited social disturbance; ii) that courts lack a margin of discretion to refuse the authorization on the basis of an actual evaluation of the offence under investigation. The resulting request for a preliminary ruling, which led to the above-analysed C-178/22 CJEU decision, could lead to a reinterpretation of the current metadata acquisition discipline in Italy.
While belated guarantees have been introduced on the access side, it’s worth underlining that the data retention regime still remains completely untouched by legislative and judicial considerations. Notwithstanding the objections raised by the Italian Data Protection Authority and several scholars, the current legislation maintains a generalized and indiscriminate retention period of 72 months(!). In fact, Art. 132 Privacy Code establishes a 24-month retention period for telephone metadata and a 12-month period for Internet metadata; however, the so-called Legge Europea 2017 extended the retention period, in the aftermath of terrorist attacks in the EU, only with reference to the fight against specific serious crimes (i.e. terrorism, organized crime such as mafia). Since service providers cannot know in advance for what kind of offences law enforcement authorities would request access to data, they are de facto obliged to retain metadata for the longest time period of 72 months, thus transforming the exception into the general rule.
Moreover, the data retention provision does not establish any form of targeted retention – i.e. geographic area limitations – for the purpose of combating serious crimes and preventing serious threats to public security. This limitation could prove inadequate to tackle crimes – such as mafia – not characterized by a limited area of intervention. Nonetheless, the Italian legislators and courts have always avoided questioning the legitimacy of the bulk retention regime: this demonstrates a sort of reluctance towards the principles established by the CJEU and also confirmed in the Spetsializirana prokuratura case. Such an approach seems to be based on the belief that solid safeguards concerning the access phase are sufficient to protect fundamental rights from unlawful and disproportionate acquisition of personal information, without considering bulk retention as a per se severe intrusion into the private sphere.
A journey with a blurred destination?
During the last decade, the CJEU has put significant effort into determining the limits of mass data retention and access to metadata. Nevertheless, the step-by-step – or case-by-case – path outlined by the Court doesn’t yet reveal a clear destination. It is undeniable that the CJEU judgements prompted several Member States to adopt more rights-oriented legislative reforms, introducing new relevant safeguards. At the same time, attributing to EU judges alone the delicate task of mapping out the road towards a “constitutionalization” of mass surveillance practices doesn’t represent a long-term and effective strategy.
The inevitable margin of interpretation and definitory powers left to Member States – also due to the peculiar EU institutional architecture – allowed the creation of a fragmented regulatory scenario: national solutions adapted only slowly, partially and reluctantly to the standards and requirements fixed by the supranational caselaw. The continuous dialogue between Member States and the CJEU, as well as national courts and supranational judges, often produced legal tensions, exacerbated by the clash between pro-security approaches (by law enforcement authorities) and data protection activists.
In this context, the EU legislators cannot stay silent: on the contrary, they should come into play, promoting a serious regulatory debate and de-escalating dangerous polarizations. The divergent roads established by national policymakers should not necessarily converge. However, a harmonization in terms of shared basic principles and safeguards could finally help Member States navigate the layered CJEU caselaw as well as identify viable concrete regulatory disciplines. Undoubtedly, attaining a political compromise able to comply with the high standards set by the Court’s decisions and, at the same time, to be accepted at the national level is, at this point, quite a hard task. And the recent advancements are not encouraging: on the one hand, the debate on a new ePrivacy Regulation seems to be in a deadlock. On the other hand, the serious concerns expressed by the EDPB on the last available draft of the Regulation show the attempt of several States to water down and reopen the principles of the CJEU caselaw. A trend that seems to be confirmed by the affirmation of the EU High-Level Group on access to data for effective law enforcement.
In this scenario, to take up the Beatles song once again, the long and winding data retention road that leads Member States to the CJEU door will probably never disappear. And the stakes are high, especially in a context characterized by technological advancements that have made a reality of biometric data scraping on the web, social scoring systems and emotion recognition based on vast retention and processing of personal data. As Rodotà strongly highlighted, “we may believe that we are only discussing data protection; in fact we are dealing with the destiny of our social organisations, their present and – above all – their future”.