Recently, the Court of Justice of the European Union (CJEU) issued a new landmark decision on the retention of data by EU Member States (C-511/18).
The Court clearly states that the general, unselective transmission and – in particular – retention of traffic and location data for the purpose of monitoring individuals in the EU is not allowed and violates EU law. Data are only to be stored for a limited period of time. Exceptions are only possible in the fight against serious crime or in the specific case of a threat to national security.
At least in parts, the CJEU prohibits various Member States and their security and enforcement agencies from generally retaining data. Those states will have to adapt their respective national regulations. However, the CJEU decision may not only affect EU Member States, but may have unexpected implications for third countries, such as Switzerland, with regards to data protection.
The CJEU’s decision Schrems II (C-311/18) had an immediate and direct effect on flows of personal data from the EU to third countries. It de facto eliminated the EU-US Data Privacy Shield and required companies to re-evaluate their data transfers to third countries and, where necessary, adapt existing safeguards.
The effect of the CJEU’s recent decision on data retention is less evident but twofold. It adds an additional layer of complexity for assessing the legal risks of data transfers to third countries in the aftermath of Schrems II. Moreover, it is likely to affect the European Commission’s review of adequacy decisions. Some countries, like Switzerland, benefit from an EU adequacy decision facilitating the flow of personal data from the EU (and Norway, Liechtenstein and Iceland). Others, such as the United Kingdom, are currently seeking an adequacy decision from the European Commission.
With regard to retaining or obtaining a positive EU adequacy decision, countries engaging in significantly more data retention than the CJEU considers acceptable may come under additional scrutiny. In those countries, companies for which cross-border personal data transfers are business critical are well advised to closely monitor the situation and prepare for adverse effects.