ePrivacy: Confidentiality of Communications
Confidentiality of Communications [Art 5(1)]
Rule: Member States must ensure confidentiality of communications and related traffic data — prohibiting listening, tapping, storage, or surveillance without user consent.
The Fundamental Principle
Article 5(1) states:
Member States shall ensure the confidentiality of communications and the related traffic data by means of a public communications network and publicly available electronic communications services, through national legislation.
What’s Prohibited
Member States must prohibit:
| Prohibited Activity | Description |
|---|---|
| Listening | Monitoring the content of communications |
| Tapping | Intercepting communications |
| Storage | Recording communications or traffic data |
| Surveillance | Systematic monitoring of communications |
| Other interception | Any other kind of interception |
Exceptions to Confidentiality
The prohibition does NOT apply to:
- Legally authorized recording — When permitted by law (e.g., court orders)
- Technical storage for transmission — Necessary for conveyance of communication
- User consent — When both parties consent to recording
- Lawful business practices — Recording for evidence of commercial transactions
Who Must Comply?
- Network providers — Those operating public communications networks
- Service providers — Those providing publicly available electronic communications services
- Anyone — Who would intercept or surveil communications without authorization
Relationship with Lawful Interception
Article 15(1) allows Member States to restrict confidentiality for:
- National security
- Defense
- Public security
- Prevention, investigation, detection of criminal offenses
Such restrictions must be:
- Necessary, appropriate, and proportionate
- In accordance with general principles of Community law
- Compliant with ECHR and fundamental rights
Practical Implications
For telecommunications providers:
- Implement technical security measures
- Prevent unauthorized access to networks
- Encrypt communications where appropriate
- Train staff on confidentiality obligations
For businesses:
- Call recording requires consent or legal basis
- Employee monitoring requires transparency
- CCTV with audio requires specific consent
For law enforcement:
- Interception requires legal authorization
- Blanket surveillance is prohibited (per CJEU case law)
- Proportionality must be assessed
CJEU Key Rulings
| Case | Ruling | Implication |
|---|---|---|
| Digital Rights Ireland (2014) | Data Retention Directive invalid | Blanket retention disproportionate |
| Tele2 Sverige (2016) | General data retention unlawful | Targeted retention only |
| La Quadrature du Net (2020) | Confirms strict limits | National security exception narrow |