European justice opposed this Tuesday to States ordering telecom operators the "
generalized and undifferentiated
" collection of connection and location data, and put in safeguards for targeted or limited-time collection in the event of “
Serious threat to national security
”.
Read also: European justice upsets the transfer of personal data from companies to the United States
Asked by courts in France, Belgium and the United Kingdom, the Luxembourg-based Court of Justice of the EU (CJEU) has confirmed that EU law opposes national regulations requiring service providers “
The generalized and undifferentiated transmission or conservation
” of metadata of internet connections and telephone conversations, according to the text of the judgment.
Concretely, the metadata of internet connections and telephone conversations - which do not relate to the content of the messages but the conditions under which they were exchanged (identity, location, date, duration, etc.) - cannot be kept indefinitely and uniformly. by operators.
Controlled exemptions
The CJEU however admits framed exemptions in the event that a State faces "
a serious threat to national security, real and current or foreseeable
", which may lead it to impose, by "
legislative measures
", a conservation “
Generalized and undifferentiated
” data “
for a period of time limited to what is strictly necessary
”.
Likewise, in the "
fight against serious crime
" and "
the prevention of serious threats to public security
", a Member State may also "
provide for the targeted retention of data as well as their rapid retention
".
However, "
such an interference with fundamental rights must be accompanied by effective guarantees and monitored by a judge or an independent administrative authority
", insists the Court.
In a 2016 judgment called "
Tele2
", the CJEU ruled that member states could not impose on providers a "
generalized and undifferentiated obligation
" to collect and store data relating to traffic and location data. But several states in the The EU continue to demand such collection so that police, magistrates or intelligence services can access this data.
They are based on the EU Treaty, according to which national security "
remains the sole responsibility of each member state
".
An argument which did not convince the CJEU, for which these practices indeed contravene the European directive "
private life and electronic communications
".
Read also: Personal data: Brussels takes stock of the GDPR
The CJEU was examining in particular several decrees implementing the French code of internal security, from 2015 and 2016, attacked by the organizations La Quadrature du Net, the access provider French Data Network and the Federation of associative internet access providers. .
She was also asked about Belgian and British regulations, which imposed on operators the same type of massive data collection.
SEE ALSO
- Could we sell our personal data?
(04/10/2018)