Communications data: content, metadata and retention
Electronic communications generate two categories of data: content and metadata (data about data). Metadata splits into traffic data, location data and subscriber data, and arguably reveals as much as content because it is structured and easy to combine. EU data retention case law is a saga: the Data Retention Directive was struck down in Digital Rights Ireland (2014), and the CJEU has since held that EU law precludes general and indiscriminate retention of traffic and location data - but allows narrow exceptions. The ECtHR in Big Brother Watch required end-to-end safeguards.
| Category | What it is | Examples |
|---|---|---|
| Content | The substance of the communication | The conversation in a call; the words in an SMS; an email subject line, body and attachments |
| Metadata | Data about data - context of the transmission | Traffic data, location data and subscriber data |
| Metadata type | Includes |
|---|---|
| Traffic data | Type, format, time, duration, origin/destination, routing, protocol, networks (e.g. calling/called numbers, sender/recipient addresses, attachment size) |
| Location data | Latitude/longitude/altitude of equipment, direction of travel, accuracy, Cell ID, time recorded |
| Subscriber data | Name, contact details, payment information |
Metadata answers the who, where, when, what and how of a communication. Because it is more structured and less context-dependent than content, it is easier to process and combine - arguably revealing even more than the content itself.
After the 2014 repeal, the CJEU has consistently held EU law precludes general and indiscriminate retention or transmission of traffic and location data for combating crime or safeguarding national security. But it has 'poked holes' in the prohibition: where a member state faces a genuine and present or foreseeable serious threat to national security, bulk retention is possible for a strictly necessary limited time and not systematic in nature. The court has also allowed targeted retention, expedited retention and retention of IP addresses under conditions.
| Case | Court | Holding |
|---|---|---|
| Digital Rights Ireland (2014) | CJEU | Struck down the Data Retention Directive as a disproportionate infringement of Charter rights |
| Tele2/Watson and later cases | CJEU | EU law precludes general and indiscriminate retention; narrow exceptions exist |
| Big Brother Watch v UK (2021) | ECtHR | UK bulk-interception regime violated ECHR Article 8, but bulk interception is not as such outside the margin of appreciation; needs end-to-end safeguards |
The book warns the 'serious threat' exception could let law enforcement circumvent the prohibition by continuously issuing new time-limited orders. The CJEU is adamant on banning general/indiscriminate retention but is exploring narrowing of time or scope to make it acceptable.