Home / Publications / Storage of traffic data of users of electronic co...

Storage of traffic data of users of electronic communications


Owing to the threats linked to terrorist attacks and a rise in organised crime in recent years, the European Union (EU) has adopted a number of legal acts whose purpose is to encourage the prevention, investigation, detection and prosecution of serious criminal offences. One of those acts is Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks (Data Retention Directive), which imposed on operators the mandatory storage of all traffic, location and other data required for the identification of a subscriber or user.

The Directive in question was transposed into Slovenian legal order by the Electronic Communications Act (ZEKom-1), which in section XIII "Storage of data" determined the mandatory preventive and non-selective storage of specific traffic data associated with the use of telecommunications services (e.g. telephone services in the fixed and mobile network, internet access, e-mail and internet telephony). Pursuant to the ZEKom-1, operators were obliged to store data about the identity of a person, the type of communication means, and about the time, place and frequency of communication. By doing this, extensive databases were generated, which were stockpiling data for 14 or 8 months and from which it was possible to elucidate very detailed facts about the life of any individual who uses electronic communication services.

Since the Data Retention Directive provided no objective criterion (the same also applying to the ZEKom-1) and because the fight against the most serious forms of crime covered practically all individuals in general, all electronic communication means and all traffic-related data, profound dissenting positions were expressed between the European Commission and the Member States in the Directive's implementation alone. As always, the Court of Justice of the EU (ECJ) had the final say in the dispute. In joined cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger and Others, it ruled on 8 April 2014 that the Data Retention Directive pursues legitimate objectives (public interest and public safety) that it is otherwise appropriate in order to achieve those objectives. Nevertheless, in the opinion of the ECJ, the infringement on the fundamental right to privacy and protection of personal data is excessive. For this reason, the ECJ declared the Data Retention Directive invalid.

At the initiative of the Information Commissioner, the Constitutional Court of the Republic of Slovenia (Constitutional Court) repealed all the provisions of section XIII of the ZEKom-1 with the Constitutional Decision No U-I-65/13-19 of 3 July 2014, thereby following the ruling of the ECJ. The Constitutional Court stressed that such processing of data is an exceptionally invasive infringement upon the information privacy of the entire population, both in terms of the shear volume of the people and the nature of the data concerned. Therefore, without objective criteria for the storage of such data, such processing cannot be seen as necessary and does not satisfy the proportionality criterion in the narrower sense. It also brought attention to the pronounced risk of the data also being accessed by unauthorised persons or that the data could be used for unlawful purposes, while the sense of constant supervision for an individual which such measure causes was also noted. Unlike the Data Retention Directive, the ZEKom-1 even failed to limit the mandatory storage of traffic data only to specific (serious) criminal offences.

What implications will the annulment of the disputed provisions have? The provisions of Articles 162 through 169 of the ZEKom-1 were annulled retrospectively. As a result, the Constitutional Court ordered the immediate destruction of all stored data. However, since the Data Retention Directive nonetheless pursued a completely legitimate goal, we can expect the European Commission to soon begin drawing up a new draft directive, which in light of the judgements of the highest courts will be planned restrictively and limited to the most serious infringements on fundamental rights.