On 21 December 2016, the Court of Justice of the European Union ("CJEU") issued another
remarkable ruling on data retention (Joined Cases C-203/15 (Tele2 Sverige AB v. Post- och
telestyrelsen) and C-698/15 (Secretary of State for the Home Department v. Watson et al.)). Another,
because data retention had already been a big topic in 2014, when CJEU decided (Joined Cases C-
293/12 and C-594/12) to invalidate Directive 2006/24/EC, due to its disproportionate interference in the
fundamental rights recognized in arts. 7 (respect for private and family life) and 8 (protection of
personal data) of the EU Charter.
The 2016 judgment extends the scope and effects of the 2014 decision to the national sphere. It
specifically refers to the Swedish and UK data retention and access regimes and to their compatibility
with Art. 15(1) of the ePrivacy Directive (Directive 2002/58/EC). Art. 15 contains an exception to the
principle of confidentiality of communications and related traffic (e.g. name and address of subscribers
involved, time of the communication or telephone numbers and IP addresses used) and location (i.e.
data indicating the geographic position of the user) data. Pursuant to this exception, Member States
may adopt legislative measures to restrict the scope of the principle of confidentiality when it is
necessary, appropriate and proportionate within a democratic society to, among other purposes,
safeguard public security or prevent, investigate, detect and prosecute criminal offences.
CJEU makes an interpretation of Art. 15(1) in light of the impact that data retention and access regimes
have on privacy and protection of personal data and concludes that:
• to be acceptable, legislation on data retention must contain objective criteria that make it
possible to establish a connection between the data to be retained and the objective which is
pursued. Safeguards must be in place limiting retention to the data which is likely to reveal a
link with serious criminal offences and to contribute to fight serious crimes or prevent a serious
risk to public security. Member States' laws allowing for the general and indiscriminate
retention of all traffic and location data of subscribers and registered users with respect to all
means of electronic communications exceed the limit of what is strictly necessary and,
therefore, cannot be justified within a democratic society;
• and when it comes to access regimes aimed at combatting crime, there are several aspects
that national legislations need to necessarily consider. First, that for the measure to be
proportionate to the importance of its interference in fundamental rights, only serious crimes
justify access by the public authorities to the data. Second, that access must be subject to prior
review by a court or independent administrative authority which ensures that access is limited
to what is strictly necessary. Lastly, the national legislation must stipulate that the data cannot
be transferred outside the EU; otherwise, control by an independent authority of compliance
with the requirements of protection and security in the processing of personal data would not
be guaranteed, resulting in a breach of art. 8(3) of the Charter.
It seems that there is ample room for adjustment of the relevant Serbian law to the new European
developments concerning data retention.
The Electronic Communications Act of 2010 (ECA) – which regulates the data retention – in Articles.
128 and 129 provides for the obligation of telecom operators to retain a set of traffic and location data
(including the source, destination and type of communication, and identification of the users' terminal
equipment) pertaining to electronic communications services they provide. The obligation is general
and indiscriminate, since the data concerning every communication must be retained for a period of 12
months. Irrespective of whether the specific communication may be useful for protecting legitimate
state interests, such as the interest to combat crime, or not, the telecom operator must retain for twelve
months the personal data concerning the communication. This is contrary to what CJEU has just said
about the requirement that there must exist a connection between the data to be retained and the
objective which is pursued.
With respect to access to the retained data, Serbian legislation does contain important safeguards
aimed at preventing the inadequate and abusive use of this right by the authorities. In the approach
more aligned with that of CJEU, access without the users' consent is permitted only when the data is
necessary in order to conduct criminal proceedings or protect the security of the Republic of Serbia. In
both cases, such access can be only temporary and must be authorized by a court decision.
Interestingly to note, the access-related requirements of judicial authorization were not foreseen in
ECA's initial wording, but only included after the Serbian Constitutional Court ruled in 2013 that retained
data are covered by the constitutionally protected right to secrecy of communications. That right can
solely be restricted by a court decision and for limited time.
It seems reasonable to conclude that "conducting criminal proceeding", as the basis for lawful access to
retained data under Serbian law, is broader than what ePrivacy Directive's "detection and prosecution
of criminal offences" – as now interpreted by CJEU – means. CJEU has just said that "combating
serious crime" – and not just any crime – justifies access to data retained in telecom traffic.