For a better framework on Metadata Law Enforcement, the following timeline led us to the current state within this context:
- In 2014 the Court of Justice of the European Union (CJEU) invalidated the Data Retention Directive (Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006), on the grounds that the general and indiscriminate retention of all traffic and location data constitutes an interference with fundamental rights without adequately ensuring the principles of necessity and proportionality;
- In 2016 the CJEU concluded that Article 15 of the Directive, interpreted in light of the EU Charter of Fundamental Rights, admitting the so-called target retention, excludes national legislation which, for the purposes of fighting crime:
- provides for the general and indiscriminate storage of all traffic and location data of all subscribers and users registered relating to all means of electronic communication, constituting a first level of interference with fundamental rights;
- does not require the data concerned to be preserved within the EU;
- on a second level of interference does not restrict access by the relevant national authorities to data preserved solely for the purpose of combating serious crime;
- does not make such access "subject to prior control by a court or independent administrative authority".
- In 2020,
- the general and indiscriminate preventive retention in the field of national security, but limited in time to what is strictly necessary, where the Member State concerned is faced with a serious threat to national security, which is shown to be genuine and either existing or foreseeable;
- the general and indiscriminate retention of only IP addresses assigned to the source of a connection - access IP addresses-: only for combating serious crime, preventing serious threats to public security and safeguarding national security, provided they are limited in time to what is strictly necessary and safeguards are put in place against tracking of online activities
and
- the general and indiscriminate retention of data concerning the civil identity of users of electronic communications systems for the purposes of prevention, investigation, detection and prosecution of criminal offences and the safeguarding of public security, regardless of whether the criminal offences or the threats to public safety and national security are of a serious nature, also without imposing a specific time limit,
have been considered admissible by the CJEU.
- In 2022, the Portuguese Constitutional Court pronounced itself on the Metadata issue, when Judgment 268/2022 was issued, making the Data Retention Act inapplicable. Essentially, the following was held there:
- the revised rules of the Data Retention Act fail to meet one of the conditions on which the constitutional compliance of legislative measures relating to the retention of personal data depends: the legislator has not prescribed the need for data to be retained within the European Union territory, thereby undermining the effectiveness of the rights guaranteed by Article 35(1) and (4) of the Constitution, interpreted in light of the provisions of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union;
- the retention of and access to all metadata referred to in that rule - basic data, traffic data that do not presuppose interpersonal communication and traffic data relating to interpersonal communications - because they are capable of revealing relevant aspects of citizens' family life, should be considered unconstitutional on the grounds of violation of Article 35 (1) and (4) and Article 26 (1), in conjunction with Article 18 (2) of the Constitution.