of 17 Nov 2022, C-350/21 (Spetsializirana prokuratura)
JUDGMENT OF THE COURT (Sixth Chamber)
17 November 2022 (*)
‘Reference for a preliminary ruling - Processing of personal data in the electronic communications sector - Confidentiality of communications - Providers of electronic communications services - General and indiscriminate retention of traffic data and location data for a period of six months - Combating serious crime - Access to the data retained - Information to be given to data subjects - Right of appeal - Directive 2002/58/EC - Article 15(1) and (2) - Directive (EU) 2016/680 - Articles 13 and 54 - Charter of Fundamental Rights of the European Union - Articles 7, 8, 11 and 47 and Article 52(1)’.
In Case C-350/21,
reference for a preliminary ruling under Article 267 TFEU from the Spetsializiran nakazatelen sad (Specialised Criminal Court, Bulgaria), made by decision of 3 June 2021, received at the Court on 4 June 2021, in the criminal proceedings brought by
Spetsializirana prokuratura,
THE COURT (Sixth Chamber)
composed of P.G. Xuereb (Rapporteur), President of the Chamber, A. Kumin and I. Ziemele, Judges,
Advocate General: M. Campos Sánchez-Bordona,
Registrar: A. Calot Escobar,
Having regard to the written procedure,
Having regard to the observations submitted:
- for the Danish Government, by Ms V. Pasternak Jørgensen and M. Søndahl Wolff, acting as Agents,
- the Estonian Government, by M. Kriisa, acting as Agent,
- the Irish Government, by M. Browne, D. Fennelly, A. Joyce and M. Lane, acting as Agents,
- the Spanish Government, by L. Aguilera Ruiz, acting as Agent,
- the Cypriot Government, by I. Neophytou, acting as Agent,
- the Hungarian Government, by M. Z. Fehér and R. Kissné Berta, acting as Agents,
- the Polish Government, by B. Majczyna, acting as Agent,
- the European Commission, by C. Georgieva, H. Kranenborg, P.-J. Loewenthal and F. Wilman, acting as Agents,
Having regard to the decision taken, after hearing the Advocate General, to adjudicate on the case without making any submissions,
hereby gives this
Judgment
1 The reference for a preliminary ruling concerns the interpretation of Article 15(1) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ 2002 L 201, p. 37), as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 (OJ 2009 L 337, p. 11) (hereinafter ‘Directive 2002/58’), and Articles 13 and 54 of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data by competent authorities for the purpose of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties and on the free movement of such data and repealing Council Framework Decision 2008/977/JHA (OJ 2016 L 119, p. 89).
2 This request was made in the context of criminal proceedings brought by the Spetsializirana prokuratura (specialised prosecutor's office, Bulgaria) for access to data relating to telephone communications made by five individuals.
The legal framework
European Union law
Directive 2002/58
3 Recital 11 of Directive 2002/58 states:
‘Like Directive 95/46/EC [of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31)], this Directive does not deal with questions relating to the protection of fundamental rights and freedoms in connection with activities which are not governed by Community law. It therefore does not alter the existing balance between the right of individuals to privacy and the possibility for Member States to take measures such as those referred to in Article 15(1) of this Directive which are necessary for the protection of public security, defence, State security (including the economic well-being of the State in the case of activities connected with State security) and the enforcement of criminal law. Accordingly, this Directive is without prejudice to the ability of Member States to carry out lawful interception of electronic communications or to take other measures if necessary to achieve any of the above purposes, in compliance with the European Convention for the Protection of Human Rights and Fundamental Freedoms, as interpreted by the European Court of Human Rights in its judgments. Such measures must be appropriate, strictly proportionate to the aim pursued and necessary in a democratic society. They should also be subject to appropriate safeguards, in compliance with the European Convention for the Protection of Human Rights and Fundamental Freedoms’.
4 Article 4(1) and (1a) of Directive 2002/58, entitled ‘Security of processing’, provides:
‘1. The provider of a publicly available electronic communications service shall take appropriate technical and organisational measures to ensure the security of its services, where necessary in conjunction with the provider of the public communications network as regards network security. Taking into account the most recent technical possibilities and the cost of their implementation, these measures shall guarantee a degree of security appropriate to the existing risk.
1a. Without prejudice to the provisions of Directive [95/46], the measures referred to in paragraph 1 shall at least:
- guarantee that only authorised persons may have access to personal data for legally authorised purposes,
- protect personal data stored or transmitted against accidental or unlawful destruction or accidental loss, alteration, unauthorised or unlawful storage, processing, access or disclosure, and
- ensure the implementation of a security policy relating to the processing of personal data.
The competent national authorities shall be empowered to verify the measures taken by providers of publicly available electronic communications services and to issue recommendations on best practice concerning the level of security which those measures should achieve.’
5 Article 5 of Directive 2002/58, entitled ‘Confidentiality of communications’, provides in paragraph 1:
‘Member States shall ensure, through national legislation, the confidentiality of communications by means of a public communications network and publicly available electronic communications services, as well as the confidentiality of related traffic data. In particular, they shall prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by any person other than the users concerned, without the consent of the users concerned, except where that person is legally authorised to do so in accordance with Article 15(1). This paragraph shall not prevent the technical storage necessary for the conveyance of a communication, without prejudice to the principle of confidentiality’.
6 Article 15 of that Directive, entitled ‘Application of certain provisions of Directive [95/46]’, states, in paragraphs 1 and 2:
‘1. Member States may adopt legislative measures to restrict the scope of the rights and obligations provided for in Articles 5 and 6, Article 8(1), (2), (3) and (4) and Article 9 of this Directive where such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society, to safeguard national security, i.e. State security, defence, public security, the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communications system, as referred to in Article 13(1) of Directive [95/46]. To this end, Member States may, inter alia, adopt legislative measures providing for the retention of data for a limited period of time where this is justified on one of the grounds set out in this paragraph. All measures referred to in this paragraph shall be taken in compliance with the general principles of [Union] law, including those referred to in Article 6(1) and (2) of the Treaty on European Union.
[...]
2. The provisions of Chapter III of Directive [95/46] on judicial remedies, liability and sanctions shall apply to the national provisions adopted pursuant to this Directive and to the individual rights resulting from this Directive’.
Directive 95/46
7 Directive 95/46 was repealed with effect from 25 May 2018 by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 (OJ 2016 L 119, p. 1). Article 3(2) of Directive 95/46 provided:
‘This Directive shall not apply to the processing of personal data:
- carried out in the exercise of activities which fall outside the scope of Community law, such as those provided for in Titles V and VI of the Treaty on European Union, and in any case to processing operations concerning public security, defence, State security (including the economic well-being of the State where such processing is related to State security matters) and the activities of the State in areas of criminal law,
[...]’
8 Article 22 of Directive 95/46, contained in Chapter III thereof, entitled ‘Judicial remedies, liability and sanctions’, read as follows:
‘Without prejudice to any administrative remedy which may be available, in particular before the supervisory authority referred to in Article 28, prior to referral to the judicial authority, Member States shall provide that any person shall have a right to apply to the courts for a remedy for any breach of the rights guaranteed to him by the national provisions applicable to the processing operation in question.’
Regulation 2016/679
9 Under Article 1(1), Regulation 2016/679 ‘establishes rules on the protection of individuals with regard to the processing of personal data and rules on the free movement of such data’.
10 Under Article 2(2)(d) thereof, that regulation does not apply to the processing of personal data by the competent authorities for the purpose of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. However, it follows from Article 23(1)(d) and (h) of that regulation that the processing of personal data carried out for those purposes by private individuals falls within the scope of that regulation.
11 Article 79 of that Regulation, entitled ‘Right to an effective judicial remedy against a controller or processor’, reads as follows:
‘1. Without prejudice to any administrative or extrajudicial remedy available to him or her, including the right to lodge a complaint with a supervisory authority under Article 77, every data subject shall have the right to an effective judicial remedy if he or she considers that his or her rights under this Regulation have been infringed as a result of processing of his or her personal data in breach of this Regulation.
2. Any action against a controller or processor shall be brought before the courts of the Member State in which the controller or processor has an establishment. Such an action may also be brought before the courts of the Member State in which the data subject has his habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its prerogatives as a public authority.’
Directive 2016/680
12 Under Article 1(1), Directive 2016/680 ‘establishes rules on the protection of individuals with regard to the processing of personal data by the competent authorities for the purpose of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the protection against and prevention of threats to public security’.
13 According to Article 2(1) thereof, that directive applies to the processing of personal data by competent authorities for the purposes set out in Article 1(1) thereof, the concept of ‘competent authority’ covering, as provided for in Article 3(7)(a) thereof, inter alia, ‘any public authority competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the protection against and prevention of threats to public security’.
14 Article 13 of Directive 2016/680, entitled ‘Information to be made available or provided to the data subject’, provides:
‘1. Member States shall provide that the controller shall make available to the data subject at least the following information:
a) the identity and contact details of the controller;
b) where appropriate, the contact details of the Data Protection Officer;
c) the purposes of the processing operation for which the personal data are intended;
d) the right to lodge a complaint with a supervisory authority and the contact details of that authority;
e) the existence of the right to request from the controller access to personal data, their rectification or erasure, and the restriction of the processing of personal data relating to a data subject.
2. In addition to the information referred to in paragraph 1, Member States shall provide by law that the controller shall, in specific cases, provide the data subject with the following additional information to enable him to exercise his rights:
a) the legal basis of the processing;
b) the period for which the personal data will be kept or, where this is not possible, the criteria used to determine this period;
c) where applicable, the categories of recipients of the personal data, including in third countries or within international organisations;
d) where necessary, additional information, in particular where personal data is collected without the knowledge of the data subject.
3. Member States may adopt legislative measures to delay or limit the provision of information to the data subject pursuant to paragraph 2, or not to provide such information, where and for as long as such a measure constitutes a necessary and proportionate measure within a democratic society, having due regard to the fundamental rights and legitimate interests of the natural person concerned in order to:
a) avoid obstructing official or judicial enquiries, investigations or proceedings;
b) avoid prejudicing the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties;
c) protect public security;
d) protect national security;
e) protect the rights and freedoms of others.
4. Member States may adopt legislative measures to determine categories of processing operations which may fall wholly or partly within any of the points listed in paragraph 3.’
15 Article 54 of this Directive, entitled ‘Right to an effective judicial remedy against a controller or processor’, provides:
‘Member States shall provide that, without prejudice to any administrative or extrajudicial remedy available to them, including the right to lodge a complaint with a supervisory authority pursuant to Article 52, a data subject shall have the right to an effective judicial remedy where he considers that his rights provided for in the provisions adopted pursuant to this Directive have been infringed as a result of processing of his personal data carried out in breach of those provisions.’
Bulgarian law
The ZES
16 A law passed in 2010 inserted Articles 250a to 251a into the Zakon za elektronnite saobshteniya (Electronic Communications Act, DV No 41 of 22 May 2007, hereinafter the ‘ZES’), transposing into Bulgarian law Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (OJ 2006 L 105, p. 54). Articles 250a to 251a of the ZES provided for general and undifferentiated retention of traffic data and location data for a period of twelve months for the purposes of combating serious crime and computer-related offences and for the purposes of tracing persons.
17 In its judgment of 8 April 2014 in Digital Rights Ireland and Others (C-293/12 and C-594/12, EU:C:2014:238), the Court declared Directive 2006/24 invalid.
18 In its judgment No 2/15, the Konstitutsionen sad (Constitutional Court, Bulgaria) declared unconstitutional the provisions of the ZES resulting from the law adopted in 2010 on the ground, first, that they provided for the retention of the data in question for the purposes of combating offences not of a serious nature and for the purposes of tracing individuals and, second, that the retention period was excessive. However, the Konstitutsionen sad (Constitutional Court) held that the Bulgarian Constitution did not, in principle, preclude the blanket and undifferentiated retention of data for the purposes of combating serious crime, provided that the retention period was not excessive, which appeared to be the case as regards a period of six months. More particularly, while recognising that such generalised and indiscriminate retention was aimed at all persons and not just suspects or perpetrators of serious offences, that court considered that there was practically no other means of obtaining sufficient information for the purposes of combating serious crime, as regards the period preceding the criminal offence.
19 Following that judgment, a law adopted in the course of 2015 inserted Articles 251b et seq. into the ZES, applicable to the main proceedings.
20 Article 251b(1) of the ZES provides:
‘Undertakings providing public electronic communications networks and/or services shall keep for 6 months the data generated or processed in the course of their business and necessary to:
1. trace and identify the source of a communication;
2. identify the destination of a communication;
3. identify the date, time and duration of the communication;
4. identify the nature of the communication;
5. identify the nature of the user's electronic communication terminal or what appears to be his communication terminal;
6. establish the identifiers of the [telephony] cells used’.
21 In accordance with Article 251b(2) of the ZES, the data are retained for various purposes, including the prevention, detection and investigation of serious crime.
22 Under Article 251c(8) of the ZES, data may be provided to the authorities responsible for the preliminary stage of criminal proceedings pursuant to the Nakazatelno-protsesualen kodeks (Code of Criminal Procedure, hereinafter ‘NPK’).
23 Pursuant to Article 251d(7) of the ZES, authorisations or refusals to grant access to data are recorded in specific registers within the courts that ordered such authorisations or refusals. Access to these registers is not public. If this record is drawn up in the context of criminal proceedings, it forms part of the case file and each party to the proceedings has access to it.
24 According to Article 251g(1) of the ZES, at the end of the six-month period and in the absence of a request for access, the data are destroyed. A report is drawn up and sent to the Komisiata za zashtita na litshni danni (Commission for the Protection of Personal Data, Bulgaria) (hereinafter the ‘CPDP’), which, in accordance with Article 261a of the ZES, supervises the storage of the data in question, guaranteeing in particular the protection and security of those data.
25 Under Article 261b of the ZES, such supervision is also carried out by a committee of the Narodno sabranie na Republika Bulgaria (National Assembly of the Republic of Bulgaria).
The Code of Criminal Procedure
26 Article 159a of the NPK, entitled ‘Provision of data by undertakings providing public electronic communications networks and/or services’, provides:
‘(1) When required by the court in the course of criminal proceedings or pursuant to a reasoned order of the judge of the competent court of first instance, issued at the request of the investigating prosecutor in the preliminary phase of the proceedings, undertakings operating public electronic communications networks and/or services shall transmit data generated in the course of carrying out their activity which are necessary to:
1. track and identify the source of the connection;
2. identify the source of the connection;
3. identify the date, time and duration of the connection;
4. identify the type of connection;
5. identify the nature of the user's electronic communications terminal or what appears to be the user's communications terminal;
6. establish the identifier of the data cells used.
(2) The data referred to in paragraph 1 shall be collected if this is necessary for the investigation of serious offences committed intentionally.
(3) The request referred to in paragraph 1 submitted by the investigating prosecutor must state the reasons on which it is based and must include:
1. information on the offence whose prosecution requires the use of traffic data;
2. a statement of the facts on which the request is based;
3. information on the persons in respect of whom traffic data is requested;
4. the reasonable period of time to be covered by the record;
5. the investigating authority to which the data is to be transmitted.
(4) In the decision referred to in paragraph 1, the court shall indicate:
1. the data to be included in the record;
2. the reasonable period of time to be covered by the report; and
3. the investigating authority to which the data is to be transmitted.
(5) The period for which the transmission of data may be requested and ordered in accordance with paragraph 1 may not exceed six months.
(6) Where the report contains information that is not related to the circumstances of the case and does not contribute to their clarification, the judge who issued the investigation decision must order its destruction on the basis of a reasoned written proposal by the supervising public prosecutor. Destruction will be carried out in accordance with a procedure established by the Chief Public Prosecutor. Within seven days of receipt of the order, the companies referred to in paragraph 1 and the supervising prosecutor must submit the data destruction reports to the judge who issued the order.’
The Criminal Code
27 Pursuant to Article 11(2) of the Nakazatelen kodeks (Criminal Code), offences are committed intentionally if the perpetrator was aware of the socially dangerous nature of the act, foresaw its consequences for society and willed or allowed it to be carried out.
28 Under Article 93(7) of the Criminal Code, a serious offence is an offence punishable by ‘deprivation of liberty’ for more than five years or by ‘life imprisonment’.
The main proceedings and the questions referred for a preliminary ruling
29 The specialised prosecution requested the Spetsializiran nakazatelen sad (Specialised Criminal Court, Bulgaria), the referring court, to adopt, on the basis of Article 159a of the NPK, an order granting it access to traffic data and location data concerning the mobile telephone calls of five persons involved, in its view, in the criminal activity of distributing cigarettes without tax stamps. The specialised public prosecutor specified that the data to which he wished to have access would be used for the purposes of criminal proceedings against those persons.
30 The national court observes that it found, after examining the documents in the file, that the five persons referred to in the request from the specialised public prosecutor's office were likely to be involved in the criminal activity at issue, that that activity constituted a serious offence committed intentionally and that there was evidence in the file that the telephone numbers referred to in that request may have been used in the course of that activity. Therefore, in accordance with national law, that application should be granted.
31 However, the national court questions whether a decision granting the application of the specialised public prosecutor's office would comply with European Union law.
32 On the one hand, the Court has already held that generalised and undifferentiated retention of traffic data and location data for the purposes of combating serious crime is not compatible with European Union law.
33 However, on the other hand, the Konstitutsionen sad (Constitutional Court) held, explicitly in its judgment No 2/15 and then implicitly in its judgment No 15 of 17 November 2020, that the generalised and undifferentiated retention of traffic data and location data, as provided for by the Bulgarian legislation at issue in the main proceedings, complies with the Bulgarian Constitution, on the basis of arguments which have not yet been examined by the Court. Moreover, that legislation contains additional safeguards constituting, where appropriate, an effective balancing factor and capable of justifying such generalised retention of data. Those safeguards have not yet been examined by the Court either.
34 Thus, first, the national legislation at issue in the main proceedings provides that the general and undifferentiated retention of traffic data and location data is limited to a period of six months.
35 Second, access to the data thus stored is authorised only for the purposes of investigations into a serious offence committed intentionally, that is to say, an offence punishable by deprivation of liberty for more than five years and committed intentionally.
36 Third, although, in the view of the national court, the national legislation at issue in the main proceedings does not comply, in certain respects, with the requirements of Union law relating to the retention and use of traffic data and location data, it nevertheless satisfies those requirements in other respects and even offers a higher level of protection. In fact, the general and undifferentiated retention of data provided for by this national regulation, as well as access to this data, would be based on clear and precise rules. General access to all retained data would be ruled out and access to such data would only be provided in respect of persons suspected of having committed a criminal offence. Access would be granted following a prior judicial review based on a reasoned request from the criminal authorities. Finally, the national legislation at issue in the main proceedings provides that providers of electronic communications services must take appropriate technical and organisational measures to prevent any misuse of or unlawful access to the data stored, and those measures are reinforced by the involvement of the CPDP and the competent committee of the National Assembly.
37 The national court also points out that, contrary to the requirements of European Union law, the national legislation at issue in the main proceedings does not contain an express rule intended to ensure that access to the data stored is limited to what is strictly necessary in the light of the objective pursued. However, Bulgarian case-law requires that such access be granted only if there is reasonable suspicion that the data subject has participated in criminal activity. Furthermore, the national legislation at issue in the main proceedings makes authorisation of such access subject to the condition that it concerns only a reasonable period of time not exceeding six months.
38 Accordingly, the question arises whether those requirements are sufficient for that legislation to be regarded as guaranteeing that access is limited to what is ‘strictly necessary’.
39 Finally, the national court observes that, in accordance with the Court's case-law, the law of the Member States must lay down minimum requirements to ensure that individuals whose personal data are stored have effective protection against misuse and unlawful use of those data. The national legislation at issue in the main proceedings does not provide either for the right of interested parties to be informed of the fact that access to their traffic and location data has been authorised or for the right to challenge the lawfulness of such authorisation. The national court wonders, however, whether the requirement laid down in the Court's case-law also applies where authorisation is granted by a court merely on application by the public prosecutor, and in the absence of any involvement of the data subject.
40 In those circumstances, the Spetsializiran nakazatelen sad (Specialised Criminal Court) decided to stay proceedings and to refer the following questions to the Court for a preliminary ruling:
‘(1) Does a national law (Article 251b(1) of the [ZES]) providing for the general and indiscriminate retention of all traffic data (data relating to the traffic and location of users of electronic communications) for a period of six months, in order to combat serious crime, comply with the combined provisions of Article 15(1), Article 5(1) and recital 11 of Directive [2002/58], where the national law provides for certain safeguards?
(2) Does a national law (Paragraph 159a of the [NPK]) which does not restrict access to traffic data to cases in which it is strictly necessary and which does not provide, in respect of persons whose traffic data have been consulted by the authorities responsible for the criminal proceedings, the right to be informed thereof where that information does not obstruct the criminal proceedings, or does not provide them with a means of redress against unlawful access, comply with the combined provisions of Article 15(1), Article 5(1) and recital 11 of Directive 2002/58?’
41 By letter of 5 August 2022, the Sofiyski gradski sad (Sofia City Court, Bulgaria) informed the Court that, following a legislative amendment which entered into force on 27 July 2022, the Spetsializiran nakazatelen sad (Specialised Criminal Court) had been dissolved and that certain criminal cases brought before that court, including the case in the main proceedings, had been transferred with effect from that date to the Sofiyski gradski sad (Sofia City Court).
The questions referred for a preliminary ruling
Introductory observations
42 First, it is common ground that, even before the present reference for a preliminary ruling was made, the Court had already held, in particular in its judgment of 6 October 2020 in La Quadrature du Net and Others (C-511/18, C-512/18 and C-520/18, EU:C:2020:791, paragraphs 141 and 168), that Union law, and more particularly Article 15(1) of Directive 2002/58, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter of Fundamental Rights of the European Union (‘the Charter’), precludes legislative measures providing, as a preventive measure, for the purposes of combating serious crime, for the general and indiscriminate retention of traffic data and location data.
43 Following a detailed examination of the various legitimate interests and rights at issue, that case-law was confirmed by the judgment of 5 April 2022 in Commissioner of An Garda Síochána and Others (C-140/20, EU:C:2022:258). In particular, the Court examined and rejected, in paragraphs 68 to 101 of that judgment, the argument that only general and undifferentiated retention of traffic data and location data would make it possible effectively to combat serious crime.
44 That finding cannot be called into question by the arguments put forward in the present proceedings before the Court, according to which, on the one hand, generalised retention is, under Regulation 2016/679, permitted and authorised in several sectors, such as camera surveillance, and, on the other hand, the possibility of carrying out targeted retention, as advocated in the Court's case-law, presupposes that it is possible to make a selection from among potential offenders or among potential victims, thereby undermining the presumption of innocence and infringing, as regards potential victims, the principle of equal treatment.
45 The fact that the retention of personal data by means of camera surveillance may comply with European Union law does not affect the finding that the general and undifferentiated retention of traffic data and location data does not comply with it, given the differences in nature and scope between those two forms of surveillance.
46 In addition, it should be borne in mind that the Court emphasised, in paragraphs 78 and 101 of its judgment of 5 April 2022 in Case C-140/20 Commissioner of An Garda Síochána and Others (EU:C:2022:258), that, in order to comply with Union law, targeted retention in relation to categories of persons must be based on ‘objective and non-discriminatory factors’, so that it cannot, by its very nature, discriminate against the persons concerned. Similarly, such targeted retention cannot undermine the presumption of innocence, since it is merely an investigative tool available to the competent authorities for the purpose of establishing whether a criminal offence has been committed.
47 Secondly, the Court has already held that, where traffic data and location data have exceptionally been retained in a generalised and indiscriminate manner for the purpose of safeguarding national security against a threat which proves to be real and present or foreseeable, the national authorities responsible for criminal investigations may not have access to those data in the context of criminal proceedings, on pain of depriving the prohibition on such retention for the purposes of combating serious crime of any useful effect (judgment of 5 April 2022, Commissioner of An Garda Síochána and Others, C-140/20, EU:C:2022:258, paragraph 100).
The first question
48 By its first question, the national court seeks essentially to ascertain whether Article 15(1) of Directive 2002/58, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter, is to be interpreted as precluding national legislation which provides, as a preventive measure, for the purpose of combating serious crime, general and indiscriminate retention of traffic data and location data where, first, that legislation limits such general and indiscriminate retention to a period of six months and, second, it provides for a number of guarantees as regards retention of and access to the data in question.
49 As regards, first, the existence of a limitation on the retention period, it is clear from the Court's case-law that the retention of traffic data or location data which may provide information about communications made by a user of a means of electronic communication or about the location of the terminal equipment used by him is in any event of a serious nature, irrespective of the length of the storage period or the quantity or nature of the data stored, where that set of data is capable of allowing very precise conclusions to be drawn concerning the private life of the data subject or data subjects (judgment of 20 September 2022, SpaceNet and Telekom Deutschland, C-793/19 and C-794/19, EU:C:2022:702, paragraph 88).
50 In that regard, even the storage of a limited amount of traffic data or location data or the storage of such data over a short period is capable of providing very precise information about the private life of a user of a means of electronic communication. Moreover, the quantity of the data available and the very precise information on the private life of the data subject resulting therefrom can be assessed only after consultation of that data. However, the interference resulting from the storage of that data necessarily occurs before the data and the resulting information can be consulted. Thus, the assessment of the seriousness of the interference constituted by the storage is necessarily made in the light of the risk generally associated with the category of data stored for the private life of the data subjects, regardless, moreover, of whether or not the information relating to private life resulting therefrom is of a sensitive nature in practice (judgment of 20 September 2022, SpaceNet and Telekom Deutschland, C-793/19 and C-794/19, EU:C:2022:702, paragraph 89).
51 Thus, in the case giving rise to the judgment of 20 September 2022, SpaceNet and Telekom Deutschland (C-793/19 and C-794/19, EU:C:2022:702), the Court held that a set of traffic data and location data stored for the periods at issue in that case, namely ten weeks and four weeks respectively, could allow very precise conclusions to be drawn about the private lives of the persons whose data are stored, such as habits of daily life, permanent or temporary places of residence, daily or other movements, activities pursued, social relations of those persons and the social circles frequented by them, and thus to establish a profile of those persons (see, to that effect, judgment of 20 September 2022, SpaceNet and Telekom Deutschland, C-793/19 and C-794/19, EU:C:2022:702, paragraph 90).
52 The same applies a fortiori to the general and undifferentiated retention of traffic data and location data for a longer period, such as the six-month period at issue in the main proceedings.
53 Second, as regards the existence of safeguards in relation to the retention of and access to the data at issue, the national court notes, first, that the general and undifferentiated retention of traffic and location data provided for by the national legislation at issue in the main proceedings is based on clear and precise rules governing the scope and application of that measure.
54 Next, the national court observes that the national legislation at issue in the main proceedings provides that providers of electronic communications services must take appropriate technical and organisational measures to prevent any misuse of or unlawful access to the data stored.
55 Finally, access to stored data is subject to clear and precise rules which preclude general access to that data.
56 First, the fact that the retention of traffic data and location data provided for by the national legislation at issue in the main proceedings is based on clear and precise rules governing the scope and application of that measure does not alter the finding that that legislation provides for the general and indiscriminate retention of traffic data and location data.
57 Second, it is true that the Court has held that Article 15(1) of Directive 2002/58 does not allow the Member States to derogate from Article 4(1) and Article 4(1a) thereof, which require providers of electronic communications services to take appropriate technical and organisational measures to ensure effective protection of the data stored against the risks of misuse and against any unlawful access to those data (judgment of 21 December 2016, Tele2 Sverige and Watson and Others, C-203/15 and C-698/15, EU:C:2016:970, paragraph 122).
58 However, data retention and access constitute separate interferences with the fundamental rights guaranteed by Articles 7 and 11 of the Charter, requiring separate justification under Article 52(1) thereof. It follows that the existence of obligations on providers of electronic communications services to ensure the security and protection of data stored by them cannot, like national legislation ensuring full compliance with the conditions resulting from the case-law interpreting Directive 2002/58 as regards access to stored data, be capable of limiting or even remedying the serious interference with the rights guaranteed by Articles 5 and 6 of that directive and by the fundamental rights of which those articles are the embodiment, which would result from the general retention of those data provided for by that national legislation (see, by analogy, judgments of 5 April 2022, Commissioner of An Garda Síochána and Others, C-140/20, EU:C:2022:258, paragraph 47, and of 20 September 2022, SpaceNet and Telekom Deutschland, C-793/19 and C-794/19, EU:C:2022:702, paragraph 91).
59 The same applies to the supervision of that retention by bodies such as the CPDP and the competent committee of the National Assembly, to which the national court refers, given that, while such supervision is capable of reducing the risks of unlawful disclosure of the data retained, it is not capable of eliminating the risks, referred to in paragraph 50 of this judgment, which such retention entails.
60 In the light of all the foregoing considerations, the answer to the first question referred for a preliminary ruling is that Article 15(1) of Directive 2002/58, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter, must be interpreted as precluding national legislation which provides, as a preventive measure, for the purposes of combating serious crime and preventing serious threats to public security, for the general and indiscriminate retention of traffic data and location data, even if that legislation limits such general and indiscriminate retention to a period of six months and provides for a number of safeguards as regards retention of and access to the data in question.
The second question
61 By its second question, the national court asks, in essence, whether Article 15(1) of Directive 2002/58, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter, must be interpreted as precluding national legislation on the retention of and access to personal data which, first, does not explicitly provide that access to stored data is limited to what is strictly necessary in order to achieve the aim pursued by that storage and, second, does not grant persons whose data have been the subject of such access the right to be informed, including where that information does not preclude criminal proceedings, and to have a legal remedy against unlawful access.
62 At the outset, it should be borne in mind that it is open to the Member States to provide in their legislation that access to traffic data and location data may take place for the purposes of combating serious crime or safeguarding national security where those data are stored by a provider in a manner consistent with Articles 5, 6 and 9 or Article 15(1) of Directive 2002/58 (see, to that effect, judgment of 6 October 2020, La Quadrature du Net and Others, C-511/18, C-512/18 and C-520/18, EU:C:2020:791, paragraph 167).
The first part of the second question
63 As regards the question whether the national legislation concerned must provide, in a clear and precise manner, that access to stored data is limited to what is strictly necessary in order to achieve the objective pursued by that storage, it follows from the case-law that, in order to satisfy the requirement of proportionality, according to which derogations from, and limitations on, the protection of personal data must be kept within the limits of what is strictly necessary, it is for the competent national authorities to ensure, in each individual case, that both the category or categories of data referred to and the period for which access to them is requested are, having regard to the circumstances of the case, limited to what is strictly necessary for the purposes of the investigation in question (judgment of 2 March 2021, Prokuratuur (Conditions of access to data relating to electronic communications), C-746/18, EU:C:2021:152, paragraph 38, and the case-law cited therein).
64 Furthermore, while it is for national law to determine the conditions under which such access is to be granted, national legislation must, in order to satisfy the requirement of proportionality, lay down clear and precise rules governing the scope and application of the measure at issue and imposing minimum requirements, so that the persons whose personal data are concerned have sufficient safeguards to protect those data effectively against the risks of misuse. In particular, national legislation governing access by the competent authorities to stored traffic data and location data, adopted under Article 15(1) of Directive 2002/58, cannot be limited to requiring that access by the authorities to the data be in accordance with the purpose pursued by that legislation, but must also lay down the material and procedural conditions governing that use (see, to that effect, judgment of 5 April 2022, Commissioner of An Garda Síochána and Others, C-140/20, EU:C:2022:258, paragraphs 103 and 104, and the case-law cited).
65 It follows that national legislation on the storage of and access to personal data must contain provisions stating, in a clear and precise manner, that access to stored data must be limited to what is strictly necessary in order to achieve the objective pursued by that storage.
66 It is for the national court to ascertain whether the national legislation at issue in the main proceedings complies with that requirement, taking into account, in particular, the fact that that legislation appears to be limited, as regards the extent of the access to be granted, to requiring that it relate only to a reasonable period of time not exceeding six months.
67 In the light of the foregoing, the answer to the first part of the second question is that Article 15(1) of Directive 2002/58, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter, must be interpreted as precluding national legislation which does not provide, in a clear and precise manner, that access to stored data is limited to what is strictly necessary to achieve the aim pursued by that storage.
The second part of the second question
68 As regards the question whether the national legislation concerned must provide that persons whose data have been accessed are to be informed where that information does not impede criminal proceedings and have a means of redress against unlawful access, it should be noted that authorisation to access traffic data and location data which have been stored, such as that provided for by the national legislation at issue in the main proceedings, necessarily relates to two types of processing of personal data, namely, first, the making available of those data by telecommunications service providers which have retained those data and, second, the use of the data thus made available by the national authorities responsible for criminal investigations.
69 That latter processing, which is the only one referred to in the second question referred for a preliminary ruling, falls within the scope of Directive 2016/680, as is apparent from Articles 1(1) and 2(1) of that directive. It follows that, in order to answer that aspect of the second question, the relevant provisions of that directive must be taken into account.
70 As regards, first, the question relating to the right of the data subject to be informed of the processing of personal data concerning him by the national authorities competent in criminal investigations, the Court has held, in relation to a factual situation prior to the entry into force of Directive 2016/680, that it is important that the competent national authorities to which access to the stored data has been granted should inform the data subjects, in the context of the applicable national procedures, from the moment when such disclosure is not likely to jeopardise the investigations carried out by those authorities, where that information is, in fact, necessary to enable those persons to exercise, in particular, the right of appeal, expressly provided for in Article 15(2) of Directive 2002/58, read in conjunction with Article 22 of Directive 95/46, in the event of a breach of their rights (see, to that effect, judgment of 21 December 2016, Tele2 Sverige and Watson and Others, C-203/15 and C-698/15, EU:C:2016:970, paragraph 121).
71 That obligation to inform the data subject was confirmed in Article 13 of Directive 2016/680, from which it follows that, while Member States may adopt legislative measures to delay, limit or even eliminate the provision of information to the data subject, provided that such a measure complies with the requirements set out in paragraph 3 of that article, national legislation which would exclude, as a general rule, any right to information would not comply with Union law.
72 As regards, secondly, the question concerning the right of appeal of the person concerned, it should be noted at the outset that such a right is explicitly guaranteed in Article 15(2) of Directive 2002/58, read in conjunction with Article 79 of Regulation 2016/679 (see, by analogy, as regards Article 22 of Directive 95/46, judgment of 21 December 2016, Tele2 Sverige and Watson and Others, C-203/15 and C-698/15, EU:C:2016:970, paragraph 121; see, to that effect, judgment of 6 October 2020, La Quadrature du Net and Others, C-511/18, C-512/18 and C-520/18, EU:C:2020:791, paragraph 190).
73 As regards the processing of personal data falling within the scope of Directive 2016/680, Article 54 thereof provides that an individual has the right to an effective judicial remedy where he considers that his rights provided for in the provisions adopted pursuant to that directive have been infringed as a result of processing of his personal data carried out in breach of those provisions.
74 In that regard, it is settled case-law that, in the absence of Union rules on the matter, it is for the domestic legal system of each Member State, by virtue of the principle of procedural autonomy, to lay down the procedural rules governing actions for safeguarding rights which individuals derive from Union law, provided, however, that they are not less favourable than those governing similar situations subject to national law (principle of equivalence) and that they do not render impossible in practice or excessively difficult the exercise of rights conferred by Union law (principle of effectiveness) (judgments of 6 October 2020, La Quadrature du Net and Others, C-511/18, C-512/18 and C-520/18, EU:C:2020:791, paragraph 223, and the case-law cited, and of 2 March 2021, Prokuratuur (Conditions of access to data relating to electronic communications), C-746/18, EU:C:2021:152, paragraph 42).
75 However, where access to stored data requires an authorisation issued by a national court, the principle of effectiveness does not appear to be complied with. Contrary to what the Cypriot Government argued in its written observations, such authorisation is not in itself sufficient to ensure effective protection of data subjects against the risks of misuse and unlawful access to data concerning them where, as in the present case, the national legislation at issue provides that that authorisation is granted solely on the basis of a request made by the national authorities responsible for criminal investigations, without the persons concerned having been heard and, consequently, without the court competent to issue such authorisation having been able to take account of any objections of those persons.
76 In the light of the foregoing, the answer to the second part of the second question referred for a preliminary ruling is that Article 15(1) of Directive 2002/58, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter, and Articles 13 and 54 of Directive 2016/680 must be interpreted as precluding national legislation providing for access, by the national authorities responsible for criminal investigations, to lawfully stored traffic data and location data without ensuring that the persons whose data have been accessed by those national authorities are informed to the extent provided for by Union law and without providing them with a means of redress against unlawful access to those data.
Costs
77 Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the national court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.
For those reasons, the Court (Sixth Chamber) hereby rules:
1) Article 15(1) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter of Fundamental Rights of the European Union,
must be interpreted as precluding:
- national legislation providing, as a preventive measure, for the purpose of combating serious crime and preventing serious threats to public security, for the general and undifferentiated retention of traffic data and location data, even if that legislation limits such general and undifferentiated retention to a period of six months and provides for a number of safeguards as regards retention of and access to the data in question;
- national legislation which does not provide, in a clear and precise manner, that access to stored data is limited to what is strictly necessary to achieve the purpose of that storage.
2) Article 15(1) of Directive 2002/58, as amended by Directive 2009/136, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter of Fundamental Rights, and Articles 13 and 54 of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016, on the protection of individuals with regard to the processing of personal data by the competent authorities for the purpose of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data and repealing Council Framework Decision 2008/977/JHA,
must be interpreted as meaning that:
they preclude national legislation providing for access by national authorities responsible for criminal investigations to lawfully stored traffic data and location data without ensuring that persons whose data have been accessed by those national authorities are informed to the extent provided for by Union law, and without providing them with a means of redress against unlawful access to those data.
Signatures
* Language of the case: Bulgarian.