Referral C-661/24 (Académie Fiscale and Others, 9 Oct 2024)

1. Must Article 15(1) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 ‘concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)’, read in conjunction with Articles 7, 8 and 52(1) of the Charter of Fundamental Rights of the European Union, be interpreted as:
(a) precluding national legislation which lays down an obligation for operators of electronic communications services to retain and process the traffic data referred to in that legislation in the context of the provision of that network or service for a period of 4 or 12 months, as the case may be, for the purposes of taking appropriate, proportionate, preventive and remedial measures in order to prevent fraud and misuse of their networks and to prevent end users suffering harm or inconvenience, as well as to establish fraud or malicious use of the network or service or enable the perpetrators or origin thereof to be identified;
(b) precluding national legislation which allows those operators to retain and process the traffic data concerned beyond the abovementioned time limits, in the case of identified specific fraud or identified specific malicious use of the network, for the time required for its analysis and resolution or the time necessary to process that malicious use;
(c) precluding national legislation which, without laying down an obligation to request a prior opinion or to notify an independent authority, allows those operators to retain and process data other than those referred to in the law, with a view to making it possible to establish fraud or malicious use of the network or service, or to identify its perpetrator and origin;
(d) precluding national legislation which, without laying down an obligation to request a prior opinion or to notify an independent authority, allows those operators to retain and process for a period of 12 months the traffic data which they consider necessary to ensure the security and proper functioning of their electronic communications networks and services, and in particular for the detection and analysis of a potential or actual breach of that security, including identifying the origin of that breach and, in the event of a specific breach of network security, for the period necessary to process it?
2. Must Article 15(1) of Directive 2002/58/EC, read in conjunction with Articles 7, 8 and 52(1) of the Charter of Fundamental Rights, be interpreted as:
(a) precluding national legislation which allows mobile network operators to retain and process location data, without the legislation describing precisely which data are covered, in the context of the provision of that network or service, for a period of 4 or 12 months, as the case may be, where necessary for the proper functioning and security of the network or service, or to detect or analyse fraud or malicious use of the network (b) precluding national legislation which allows those operators to retain and process location data beyond the abovementioned time limits, in the event of a specific breach and in the case of specific fraud or specific malicious use?
3. If, on the basis of the answers to the first or the second question, the Constitutional Court should conclude that certain provisions of the Law of 20 July 2022 ‘on the collection and retention of identification data and metadata in the electronic communications sector and the provision of such data to the authorities’ infringe one or more of the obligations arising from the provisions referred to in those questions, may it maintain on a temporary basis the effects of the abovementioned provisions of the Law of 20 July 2022 in order to avoid legal uncertainty and to enable the data previously collected and retained to continue to be used for the objectives pursued by the law?