IP case law Court of Justice

Article 15 - Application of certain provisions of Directive 95/46/EC

3 pending referrals

Referral C-741/25 (Ranerski, 20 Nov 2025)


Referral C-427/25 (Uffida, 26 Jun 2025)


Referral C-661/24 (Académie Fiscale and Others, 9 Oct 2024)


15 preliminary rulings

Judgment of 13 Jun 2024, C-229/23 (HYA)

Article 15(1) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), read in the light of the second paragraph of Article 47 of the Charter of Fundamental Rights of the European Union,   must be interpreted as not precluding provisions of national law which require that a judicial decision authorising listening, tapping and storage in respect of communications, without the consent of the users concerned, must itself contain an express statement of reasons in writing, irrespective of the existence of a reasoned application made by the criminal authorities.  

Judgment of 30 Apr 2024, C-470/21 (La Quadrature du Net)

Article 15(1) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter of Fundamental Rights of the European Union, must be interpreted as not precluding national legislation which authorises the public authority responsible for the protection of copyright and related rights against infringements of those rights committed on the internet to access data, retained by providers of publicly available electronic communications services, relating to the civil identity associated with IP addresses previously collected by rightholder organisations, so that that authority can identify the holders of those addresses – which have been used for activities liable to constitute such infringements – and may, where appropriate, take measures against them, provided that, under that legislation:

– those data are retained in conditions and in accordance with technical arrangements which ensure that the possibility that that retention might allow precise conclusions to be drawn about the private life of those IP address holders, for example by establishing a detailed profile of those persons, is ruled out – which may be accomplished, in particular, by imposing on providers of electronic communications services an obligation to retain the various categories of personal data, such as data relating to civil identity, IP addresses and traffic and location data, in such a way as to ensure a genuinely watertight separation of those different categories of data, thereby preventing, at the retention stage, any combined use of those different categories of data – and for a period not exceeding what is strictly necessary;

– that public authority’s access to such data retained separately and in a genuinely watertight manner serves exclusively to identify the person suspected of having committed a criminal offence and is subject to the necessary safeguards to ensure that that access cannot, except in atypical situations, allow precise conclusions to be drawn about the private life of the IP address holders, for example by establishing a detailed profile of those persons, which entails, in particular, that the officials of that authority authorised to have such access are prohibited from disclosing, in any form whatsoever, information on the content of the files consulted by those holders, except for the sole purpose of referring the matter to the public prosecution service, from tracking the clickstream of those IP address holders and, more generally, from using those IP addresses for any purpose other than that of identifying their holders with a view to the potential adoption of measures against them;

– the possibility, for the persons responsible for examining the facts within that public authority, of linking such data with files containing information that reveals the title of protected works the making available of which on the internet justified the collection of IP addresses by rightholder organisations is subject, in cases where the same person again repeats an activity infringing copyright or related rights, to review by a court or an independent administrative body, which cannot be entirely automated and must take place before any such linking, as such linking is capable, in such circumstances, of enabling precise conclusions to be drawn about the private life of the person whose IP address has been used for activities that may infringe copyright or related rights;

– the data processing system used by the public authority is subject at regular intervals to a review, by an independent body acting as a third party in relation to that public authority, intended to verify the integrity of the system, including the effective safeguards against the risks of abusive or unlawful access to or use of those data, and its effectiveness and reliability in detecting potential offending conduct.

Judgment of 30 Apr 2024, C-178/22 (Procura della Repubblica presso il Tribunale di Bolzano)

Article 15(1) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009, read in the light of Articles 7, 8, 11 and Article 52(1) of the Charter of Fundamental Rights of the European Union,   must be interpreted as not precluding a national provision which requires a national court, acting in the context of a prior review carried out following a reasoned request for access to a set of traffic or location data – which are liable to allow precise conclusions to be drawn concerning the private life of a user of a means of electronic communication and retained by providers of electronic communications services – submitted by a competent national authority in the context of a criminal investigation, to authorise such access if it is requested for the purposes of investigating criminal offences punishable under national law by a maximum term of imprisonment of at least three years, provided that there is sufficient evidence of the commission of such offences and that those data are relevant to establishing the facts, on condition, however, that that court is entitled to refuse such access if it is requested in the context of an investigation into an offence which is manifestly not a serious offence, in the light of the societal conditions prevailing in the Member State concerned.  

Judgment of 16 Feb 2023, C-349/21 (Spetsializirana prokuratura)

 Article 15(1) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) read in the light of the second paragraph of Article 47 of the Charter of Fundamental Rights of the European Union,   is to be interpreted as meaning that it does not preclude a national practice under which judicial decisions authorising the use of special investigative methods following a reasoned and detailed application from the criminal authorities, are drawn up by means of a pre-drafted text which does not contain individualised reasons, but which merely states, in addition to the validity period of the authorisation, that the requirements laid down by the legislation to which those decisions refer have been complied with, provided that the precise reasons why the court with jurisdiction considered that the legal requirements had been complied with, in the light of the factual and legal circumstances characterising the case in question, can be easily and unambiguously inferred from a cross-reading of the decision and the application for authorisation, the latter of which must be made accessible, after the authorisation has been given, to the person against whom the use of special investigative methods has been authorised.  

Judgment of 17 Nov 2022, C-350/21 (Spetsializirana prokuratura)

Article 15(1) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter of Fundamental Rights of the European Union must be interpreted as precluding

– (i) national legislation that provides, by way of prevention, for the purpose of combating serious crime and preventing serious threats to public security, for general and indiscriminate retention of traffic and location data, even if that legislation limits that general and indiscriminate retention to a period of six months and provides for a certain number of safeguards as regards retention of and access to the data in question;

– and (ii) national legislation that does not provide, in a clear and precise manner, that the access to the retained data is limited to what is strictly necessary for achieving the objective pursued by that retention.

Article 15(1) of Directive 2002/58, as amended by Directive 2009/136, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter of Fundamental Rights, and Articles 13 and 54 of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, must be interpreted as precluding national legislation that provides for access, on the part of the national authorities competent to undertake criminal investigations, to lawfully retained traffic and location data, without guaranteeing that the persons whose data have been accessed by those national authorities are informed thereof to the extent provided for under EU law, and without those persons having any remedy against unlawful access to those data.

Judgment of 20 Sep 2022, C-793/19 (SpaceNet AG)

Article 15(1) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter of Fundamental Rights of the European Union, must be interpreted as meaning that:

it precludes national legislative measures which provide, on a preventative basis, for the purposes of combating serious crime and preventing serious threats to public security, for the general and indiscriminate retention of traffic and location data;

it does not preclude legislative measures that:

– allow, for the purposes of safeguarding national security, recourse to an instruction requiring providers of electronic communications services to retain, generally and indiscriminately, traffic and location data in situations where the Member State concerned is confronted with a serious threat to national security that is shown to be genuine and present or foreseeable, where the decision imposing such an instruction is subject to effective review, either by a court or by an independent administrative body whose decision is binding, the aim of that review being to verify that one of those situations exists and that the conditions and safeguards which must be laid down are observed, and where that instruction may be given only for a period that is limited in time to what is strictly necessary, but which may be extended if that threat persists;

– provide, for the purposes of safeguarding national security, combating serious crime and preventing serious threats to public security, for the targeted retention of traffic and location data which is limited, on the basis of objective and non-discriminatory factors, according to the categories of persons concerned or using a geographical criterion, for a period that is limited in time to what is strictly necessary, but which may be extended;

– provide, for the purposes of safeguarding national security, combating serious crime and preventing serious threats to public security, for the general and indiscriminate retention of IP addresses assigned to the source of an internet connection for a period that is limited in time to what is strictly necessary;

– provide, for the purposes of safeguarding national security, combating crime and safeguarding public security, for the general and indiscriminate retention of data relating to the civil identity of users of electronic communications systems;

– allow, for the purposes of combating serious crime and, a fortiori, safeguarding national security, recourse to an instruction requiring providers of electronic communications services, by means of a decision of the competent authority that is subject to effective judicial review, to undertake, for a specified period of time, the expedited retention of traffic and location data in the possession of those service providers,

provided that those measures ensure, by means of clear and precise rules, that the retention of data at issue is subject to compliance with the applicable substantive and procedural conditions and that the persons concerned have effective safeguards against the risks of abuse.

Judgment of 20 Sep 2022, C-339/20 (VD)

Article 12(2)(a) and (d) of Directive 2003/6/EC of the European Parliament and of the Council of 28 January 2003 on insider dealing and market manipulation (market abuse) and Article 23(2)(g) and (h) of Regulation (EU) No 596/2014 of the European Parliament and of the Council of 16 April 2014 on market abuse (market abuse regulation) and repealing Directive 2003/6 and Commission Directives 2003/124/EC, 2003/125/EC and 2004/72/EC, read in conjunction with Article 15(1) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009, and read in the light of Articles 7, 8 and 11 and of Article 52(1) of the Charter of Fundamental Rights of the European Union must be interpreted as precluding legislative measures which, as a preventive measure, in order to combat market abuse offences including insider dealing, provide for the general and indiscriminate retention of traffic data for a year from the date on which they were recorded.

European Union law must be interpreted as precluding a national court from restricting the temporal effects of a declaration of invalidity which it is required to make, under national law, with respect to provisions of national law which, first, require operators providing electronic communications services to retain generally and indiscriminately traffic data and, second, allow such data to be submitted to the competent financial authority, without prior authorisation from a court or independent administrative authority, owing to the incompatibility of those provisions with Article 15(1) of Directive 2002/58, as amended by Directive 2009/136, read in the light of the Charter of Fundamental Rights of the European Union. The admissibility of evidence obtained pursuant to provisions of national law that are incompatible with EU law is, in accordance with the principle of procedural autonomy of the Member States, a matter for national law, subject to compliance, inter alia, with the principles of equivalence and effectiveness.

Judgment of 5 Apr 2022, C-140/20 (Commissioner of An Garda Síochána)

Article 15(1) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter of Fundamental Rights of the European Union, must be interpreted as precluding legislative measures which, as a preventive measure for the purposes of combating serious crime and preventing serious threats to public security, provide for the general and indiscriminate retention of traffic and location data. However, that Article 15(1), read in the light of Articles 7, 8, 11 and 52(1) of the Charter of Fundamental Rights, does not preclude legislative measures that provide, for the purposes of safeguarding national security, combating serious crime and preventing serious threats to public security, for

– the targeted retention of traffic and location data which is limited, on the basis of objective and non-discriminatory factors, according to the categories of persons concerned or using a geographical criterion, for a period that is limited in time to what is strictly necessary, but which may be extended;

– the general and indiscriminate retention of IP addresses assigned to the source of an internet connection for a period that is limited in time to what is strictly necessary;

– the general and indiscriminate retention of data relating to the civil identity of users of electronic communications systems; and

– recourse to an instruction requiring providers of electronic communications services, by means of a decision of the competent authority that is subject to effective judicial review, to undertake, for a specified period of time, the expedited retention of traffic and location data in the possession of those service providers,

provided that those measures ensure, by means of clear and precise rules, that the retention of data at issue is subject to compliance with the applicable substantive and procedural conditions and that the persons concerned have effective safeguards against the risks of abuse.

Article 15(1) of Directive 2002/58, as amended by Directive 2009/136, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter of Fundamental Rights, must be interpreted as precluding national legislation pursuant to which the centralised processing of requests for access to data, which have been retained by providers of electronic communications services, issued by the police in the context of the investigation or prosecution of serious criminal offences, is the responsibility of a police officer, who is assisted by a unit established within the police service which has a degree of autonomy in the exercise of its duties, and whose decisions may subsequently be subject to judicial review.  

Judgment of 17 Jun 2021, C-597/19 (M.I.C.M. Mircom International Content Management & Consulting)

Point (f) of subparagraph 1 of Article 6(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), read in conjunction with Article 15(1) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009, must be interpreted as meaning that it precludes in principle, neither the systematic recording, by the holder of intellectual property rights as well as by a third party on his or her behalf, of IP addresses of users of peer-to-peer networks whose internet connections have allegedly been used in infringing activities, nor the communication of the names and of the postal addresses of those users to that rightholder or to a third party in order to enable it to bring a claim for damages before a civil court for prejudice allegedly caused by those users, provided, however, that the initiatives and requests to that effect of that rightholder or of such a third party are justified, proportionate and not abusive and have their legal basis in a national legislative measure, within the meaning of Article 15(1) of Directive 2002/58, which limits the scope of the rules laid down in Articles 5 and 6 of that directive, as amended.

Judgment of 2 Mar 2021, C-746/18 (Prokuratuur)

Article 15(1) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter of Fundamental Rights of the European Union, must be interpreted as precluding national legislation that permits public authorities to have access to a set of traffic or location data, that are liable to provide information regarding the communications made by a user of a means of electronic communication or regarding the location of the terminal equipment which he or she uses and to allow precise conclusions to be drawn concerning his or her private life, for the purposes of the prevention, investigation, detection and prosecution of criminal offences, without such access being confined to procedures and proceedings to combat serious crime or prevent serious threats to public security, and that is so regardless of the length of the period in respect of which access to those data is sought and the quantity or nature of the data available in respect of such a period.  

Article 15(1) of Directive 2002/58, as amended by Directive 2009/136, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter of Fundamental Rights, must be interpreted as precluding national legislation that confers upon the public prosecutor’s office, whose task is to direct the criminal pre-trial procedure and to bring, where appropriate, the public prosecution in subsequent proceedings, the power to authorise access of a public authority to traffic and location data for the purposes of a criminal investigation.  

Judgment of 6 Oct 2020, C-511/18 (Ordre des barreaux francophones and germanophone and Others)

A national court may not apply a provision of national law empowering it to limit the temporal effects of a declaration of illegality, which it is bound to make under that law, in respect of national legislation imposing on providers of electronic communications services – with a view to, inter alia, safeguarding national security and combating crime – an obligation requiring the general and indiscriminate retention of traffic and location data that is incompatible with Article 15(1) of Directive 2002/58, as amended by Directive 2009/136, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter of Fundamental Rights. Article 15(1), interpreted in the light of the principle of effectiveness, requires national criminal courts to disregard information and evidence obtained by means of the general and indiscriminate retention of traffic and location data in breach of EU law, in the context of criminal proceedings against persons suspected of having committed criminal offences, where those persons are not in a position to comment effectively on that information and that evidence and they pertain to a field of which the judges have no knowledge and are likely to have a preponderant influence on the findings of fact.

Judgment of 6 Oct 2020, C-623/17 (Privacy International)

Article 1(3), Article 3 and Article 15(1) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009, read in the light of Article 4(2) TEU, must be interpreted as meaning that national legislation enabling a State authority to require providers of electronic communications services to forward traffic data and location data to the security and intelligence agencies for the purpose of safeguarding national security falls within the scope of that directive.

Article 15(1) of Directive 2002/58, as amended by Directive 2009/136, read in the light of Article 4(2) TEU and Articles 7, 8 and 11 and Article 52(1) of the Charter of Fundamental Rights of the European Union, must be interpreted as precluding national legislation enabling a State authority to require providers of electronic communications services to carry out the general and indiscriminate transmission of traffic data and location data to the security and intelligence agencies for the purpose of safeguarding national security.

Judgment of 2 Oct 2018, C-207/16 (Ministerio Fiscal)

Article 15(1) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009, read in the light of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, must be interpreted as meaning that the access of public authorities to data for the purpose of identifying the owners of SIM cards activated with a stolen mobile telephone, such as the surnames, forenames and, if need be, addresses of the owners, entails interference with their fundamental rights, enshrined in those articles of the Charter of Fundamental Rights, which is not sufficiently serious to entail that access being limited, in the area of prevention, investigation, detection and prosecution of criminal offences, to the objective of fighting serious crime.

Judgment of 21 Dec 2016, C-203/15 (Tele2 Sverige)

Article 15(1) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter of Fundamental Rights of the European Union, must be interpreted as precluding national legislation which, for the purpose of fighting crime, provides for general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication.  

Article 15(1) of Directive 2002/58, as amended by Directive 2009/136, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter of Fundamental Rights, must be interpreted as precluding national legislation governing the protection and security of traffic and location data and, in particular, access of the competent national authorities to the retained data, where the objective pursued by that access, in the context of fighting crime, is not restricted solely to fighting serious crime, where access is not subject to prior review by a court or an independent administrative authority, and where there is no requirement that the data concerned should be retained within the European Union.  

Order of 19 Feb 2009, C-557/07 (LSG)

Community law – in particular, Article 8(3) of Directive 2004/48/EC of the European Parliament and of the Council of 29 April 2004 on the enforcement of intellectual property rights, read in conjunction with Article 15(1) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) – does not preclude Member States from imposing an obligation to disclose to private third parties personal data relating to Internet traffic in order to enable them to bring civil proceedings for copyright infringements. Community law nevertheless requires Member States to ensure that, when transposing into national law Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘Directive on electronic commerce’), Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights in the information society, and Directives 2002/58 and 2004/48, they rely on an interpretation of those directives which allows a fair balance to be struck between the various fundamental rights involved. Moreover, when applying the measures transposing those directives, the authorities and courts of Member States must not only interpret their national law in a manner consistent with those directives but must also make sure that they do not rely on an interpretation of those directives which would conflict with those fundamental rights or with the other general principles of Community law, such as the principle of proportionality.




