ECJ declares Bulgarian data retention unlawful
Last week, the European Court of Justice (ECJ) once again declared a regulation on data retention to be unlawful. A corresponding provision in the Bulgarian Electronic Communications Act thus violates EU law.
The highest European court ruled that general and indiscriminate retention of traffic and location data is not compatible with EU law. According to the court, such data can be used to draw very precise conclusions about people’s private lives. For example, habits of daily life, permanent or temporary places of residence or activities carried out can be read – even with a short storage period.
Furthermore, the judges criticized the lack of a provision to inform persons whose data had been accessed. The Bulgarian law also does not provide for a legal remedy against unlawful access to the data.
Constitutional court had overturned original regulation
Bulgaria first introduced data retention in 2010, obliging telecommunications providers and Internet service providers to retain telephone and Internet connection data for at least one year. However, the Bulgarian Constitutional Court overturned this regulation in 2015. However, they mainly criticized the long storage period.
Only a short time later, the parliament in Sofia passed a revised regulation on data retention. In it, the storage period was shortened to six months. Telecommunications and Internet providers must now store the source and destination of a connection, as well as the date, time and duration of the connection. Law enforcement agencies can obtain access to this data on the basis of a court order, among other things, to investigate serious criminal offenses.
In the current proceedings, a Bulgarian criminal court had appealed to the ECJ. The Bulgarian public prosecutor’s office had requested the court to hand over the communications traffic data of several individuals in criminal proceedings. Under Bulgarian law, the data should have been handed over, but the court had doubts about whether the national rules were compatible with EU law.
The European Court of Justice does not rule on the national dispute, but national courts are bound by its case law.
ECJ has repeatedly banned warrantless data retention
Data retention has been criticized for years because it represents a deep intrusion into the fundamental rights of all citizens and because there is a great risk of misuse.
In Denmark, data retention also caused one of the country’s biggest miscarriages of justice (in German) in 2019: Incorrectly analyzed connection and movement data had been cited as evidence in thousands of court cases over several years.
The ECJ has already banned general and indiscriminate data retention several times in the past. This concerned, among others, the regulations in Estonia (in German), France, Great Britain and in Belgium (in German) as well as in Ireland (in German). In these cases, the Court has repeatedly made it clear that national regulations that provide for general and indiscriminate data retention of traffic and location data as a preventive measure are not compatible with EU law. The storage of such data constitutes an interference with the fundamental rights to respect for private life and to the protection of personal data.
Only in September, the highest European court had also overturned the German data retention (in German), which had already been suspended since 2017. In this ruling, the ECJ had also reaffirmed its previous case law on data retention.
In October, the FDP-led Federal Ministry of Justice then submitted a proposal for a procedure limited to specific cases of suspicion for securing telecommunications data held by providers. In the past, the European Court of Justice has ruled that such a procedure is permissible for the purpose of combating serious crime or protecting national security. The Federal Ministry of the Interior is of the opinion that such a “quick freeze” procedure is not sufficient. (js)