With the official press release of the Court of Justice of the European Union (“Court”), Advocate General’s Opinion in joined cases numbered C-793/19 and C-794/19, case numbered C-140/20 and, joined cases numbered C-339/20 VD and C-397/20 SR (“Opinion”) reiterating that the wide and indiscriminate storing of electronic communications traffic and location data is only allowed if there is a substantial threat to national security has been published on 18 November 2021.

As the Court’s case-law on the storage and access to personal data produced in the electronic communications sector raises concerns in some EU member states, some national courts have referred a question to the Court for a preliminary ruling, fearing that this case-law may deprive state authorities of an essential tool to protect national security and fight crime and terrorism. Regarding the national court's questions, the Court released its Opinion, and in the Opinion presented in those cases, Advocate General believes that the answers to all the problems addressed to are already in the Court's case-law or may be deduced from it without difficulty.

According to the Opinion in the joined cases C-793/19 and C-794/19, while the Advocate General recognizes the progress made in German legislation, which demonstrates a deliberate intention to comply with the Court's case-law, it is evaluated that the general and indiscriminate storage obligation imposed by it covers a very broad range of traffic and location data. The imposed time limit on storage does not address the issue, because, aside from the circumstances authorized by national security defense, the storage of electronic communications data must be targeted due to the substantial risk caused by their widespread storage.

Furthermore, it is discussed in the Opinion in Case C-140/20 that the broad and indiscriminate keeping of traffic and location data is allowed solely by the protection of national security, which does not include the prosecution of offenses, particularly major ones. Also, it is stated that Irish Communications Act 2011 does not comply with the Directive on privacy and electronic communications because it allows, for reasons other than those inherent in the protection of national security, the preventive, broad, and indiscriminate retention of traffic and location data of all subscribers for two years.

Moreover, the Opinion assesses that access by competent national authorities to retained data does not appear to be subject to the previous review by a Court or an independent authority, as required by the Court's case-law, but rather to the discretion of a police officer of a specific rank. Additionally, while it is stated in the Opinion that the Supreme Court will have to determine whether that official meets the criteria for independent authority and whether it is a third party concerning the authority requesting access, it is also stated that that review must take place before, not after, access to the data. Further, as in previous judgment in the case, the Advocate General reiterates that a national court cannot limit the implications of a declaration of illegality of domestic legislation incompatible with EU law in time.

As per the Opinion in joined cases C-339/20 and C-397/20, it is evaluated that the two proceedings, like the three preceding proceedings, mainly concern whether the EU member states may impose a general and indiscriminate duty to keep electronic communications traffic data. As a result, even though, on that occasion, it is stated that the Advocate General believes that the Court's case-law as summarized in Case C-140/20 is appropriate in that situation.

Accordingly, the provisions concerning the processing of data traffic records set out in the Directive and the Regulation No. 596/2014 on market abuse (“Regulation No. 596/2014”) must be interpreted in light of the scheme of the EU Directive 2003/6/EC on privacy and electronic communications (“Directive 2003/6/EC”), which serves as the reference standard in this regard. As per the Opinion, neither the Directive 2003/6/EC nor the Regulation No 596/2014confers specific and autonomous powers to retain data; they solely authorize competent authorities to access data retained in existing records, that must have been derived comply with the Directive 2003/6/EC. In this matter, the Opinion specifically states that some records or recordings may be retained to fight serious crime and safeguard public security that cannot be integrated into those retained in a preventive, generalized, and indiscriminate grounds for the defense of national security, having failed which the delicate balance underlying the judgment in Case C-140/20 would be subverted. As a result, national legislation requiring electronic telecommunications enterprises to store traffic data on a broad and indiscriminate basis in the context of an inquiry into market manipulation or market manipulation and abuse is incompatible with EU law. In such cases, Advocate General evaluates in the Opinion that a national court may not restrict the duration of the effects of the incompatibility.

Simge Kılıç, Esra Temur