On May 16, 2024, the National Commission for Data Protection (CNPD) announced that it provided its opinion on draft law no. 8148 relating to the retention of personal data and amending the Code of Criminal Procedure, amended Law of May 30, 2005, concerning the protection of privacy in the electronic communications sector (the Telecom law), and amended Law of July 5, 2016, reorganizing the State Intelligence Service (the draft law).

Background and scope of the draft law

On February 2, 2023, the Minister of Justice invited the CNPD to issue an opinion on the draft law. The draft law aims to align the existing laws to the recent requirements imposed by the Court of Justice of the European Union (CJEU) regarding the possibility for telecommunications operators or electronic communications service providers to retain traffic and location data, as well as for competent national authorities to access the retained data.

In particular, the draft law intends to remove the generalized and undifferentiated retention obligation of all traffic and location data for all the purposes listed in Article 15 of the Privacy and Electronic Communications Directive (ePrivacy Directive) from the Telecom law. Instead, it intends to introduce several legislative measures for data retention and access to such data, meeting the requirements of the CJEU.

Opinion of the CNPD

The CNPD provided observations on the compliance of the legislative measures for data retention and access to retained data, which included:

• the absence of clarity on whether the measures apply to data already processed by the operators or if they apply to data that will be processed;
• the thresholds and criteria for allowing a retention measure, including a generalized and undifferentiated retention measure, as well as its duration and separation between different categories of data retained;
• the entities that are able to request and implement the retention measures; and
• the requirements regarding maximum retention periods, location of the retained data, and security requirements.

The CNPD provided observations on compliance with the legislative measures for access to retained data, including the scope of access and the absence of provisions for persons subject to professional secrecy and whistleblowers.

Furthermore, the CNPD provided additional observations, including on the alignment with the notion of consent under the General Data Protection Regulation (GDPR) and the absence of enforcement powers of the CNPD regarding the Telecom Law.

You can read the press release here and the opinion here, both only available in French.