Referral C-661/24 (Académie Fiscale and Others, 9 Oct 2024)
1. Must Article 15(1) of Directive 2002/58/EC of the European Parliament and
of the Council of 12 July 2002 ‘concerning the processing of personal data and the
protection of privacy in the electronic communications sector (Directive on
privacy and electronic communications)’, read in conjunction with Articles 7, 8
and 52(1) of the Charter of Fundamental Rights of the European Union, be
interpreted as:
(a) precluding national legislation which lays down an obligation for operators
of electronic communications services to retain and process the traffic data
referred to in that legislation in the context of the provision of that network or
service for a period of 4 or 12 months, as the case may be, for the purposes of
taking appropriate, proportionate, preventive and remedial measures in order to
prevent fraud and misuse of their networks and to prevent end users suffering
harm or inconvenience, as well as to establish fraud or malicious use of the
network or service or enable the perpetrators or origin thereof to be identified;
(b) precluding national legislation which allows those operators to retain and
process the traffic data concerned beyond the abovementioned time limits, in the
case of identified specific fraud or identified specific malicious use of the
network, for the time required for its analysis and resolution or the time necessary
to process that malicious use;
(c) precluding national legislation which, without laying down an obligation to
request a prior opinion or to notify an independent authority, allows those
operators to retain and process data other than those referred to in the law, with a
view to making it possible to establish fraud or malicious use of the network or
service, or to identify its perpetrator and origin;
(d) precluding national legislation which, without laying down an obligation to
request a prior opinion or to notify an independent authority, allows those
operators to retain and process for a period of 12 months the traffic data which
they consider necessary to ensure the security and proper functioning of their
electronic communications networks and services, and in particular for the
detection and analysis of a potential or actual breach of that security, including
identifying the origin of that breach and, in the event of a specific breach of
network security, for the period necessary to process it?
2. Must Article 15(1) of Directive 2002/58/EC, read in conjunction with
Articles 7, 8 and 52(1) of the Charter of Fundamental Rights, be interpreted as:
(a) precluding national legislation which allows mobile network operators to
retain and process location data, without the legislation describing precisely which
data are covered, in the context of the provision of that network or service, for a
period of 4 or 12 months, as the case may be, where necessary for the proper
functioning and security of the network or service, or to detect or analyse fraud or
malicious use of the network (b) precluding national legislation which allows those operators to retain and
process location data beyond the abovementioned time limits, in the event of a
specific breach and in the case of specific fraud or specific malicious use?
3. If, on the basis of the answers to the first or the second question, the
Constitutional Court should conclude that certain provisions of the Law of 20 July
2022 ‘on the collection and retention of identification data and metadata in the
electronic communications sector and the provision of such data to the authorities’
infringe one or more of the obligations arising from the provisions referred to in
those questions, may it maintain on a temporary basis the effects of the
abovementioned provisions of the Law of 20 July 2022 in order to avoid legal
uncertainty and to enable the data previously collected and retained to continue to
be used for the objectives pursued by the law?
Case details on the CJEU website
(external link)
Disclaimer