When Excessive Prevention Does More Harm Than Good

It would seem that the following post will be focused on human health, but this is not so. It will be focused on the health of the rule of law.

At the end of 2025, the Supreme Court of the Czech Republic ruled that the preventive retention of traffic and location data under the Electronic Communications Act under the conditions defined by this law infringes the rights of the persons whose data is concerned. The conditions defined in Section 97 (3) of this Act do not comply with the European Directive they are to transpose.

Precautionary retention of data is one of the features of our legislation, which, without further restrictive time conditions and without a valid reason, can lead to non-compliance with EU law in the field of protection of the right to respect for privacy and personal data.

In the present case, the dispute concerned the award of compensation for non-pecuniary damage, where the courts had for quite some time ruled on an action by which a party had requested to be sent an apology of a specific text to its data box. At the request of the applicant, the State should have apologised for the infringement of a specific provision of the EU Directive on Privacy and Electronic Communications (2002/58/EC) and found that this was an undue interference with the claimant's rights. The plaintiff is a journalist and perceives the retention of traffic and location data on his communications for 6 months without a qualified reason as a risk of disclosing the identity of his information sources. Although this did not happen, this does not mean that the person concerned did not suffer any harm.

However, the State acting in the case through the Ministry of Industry and Trade objected to such a finding and argued that no injury had actually occurred to the applicant, that the statutory wording constituted the maximum possible injury and that the State's rule-making activity was not considered to be an official procedure for the improper performance of which the State becomes the responsibility of the State.

The Supreme Court has used this dispute to explain several crucial issues in detail.

First of all, he made valuable arguments for the fact that the Member State is responsible for the incorrect implementation or transposition of EU law.

On the possibility of preventive blanket and indiscriminate storage of traffic and location data, he referred to the conditions under which the Court of Justice of the EU finds such data processing permissible. This is a situation of serious threat to national security that is immediate, current and real. The handling of the data must also be ordered in a form subject to judicial review and only for a strictly necessary period.

Our legislation does not meet these criteria when Section 97 (3) of the Electronic Communications Act contains the following starting sentence: A legal or natural person providing a public communications network or providing a publicly available electronic communications service is obliged to retain for 6 months the operational and location data that are generated or processed in the provision of its public communications networks and in the provision of its publicly available electronic communications services by means.

But is this sufficient to fulfil the basic premise of state responsibility for the incorrect implementation of European law, which is an interference with the rights of the individual, that is, a violation of the rule from which the individual derives some right?

We are not going to stretch and say straight away that, according to the Supreme Court, that is enough.

The doctrine of state responsibility for violations of EU law was formulated by the Court of Justice of the EU and approved by the Supreme Court of the Czech Republic in a number of judgments. The right to compensation arises under this doctrine by an individual if the State violates such a norm of European law that establishes a sufficiently determinable subjective right or protects a subjective interest. Liability does not arise where an improperly implemented standard is aimed solely at safeguarding general interests and does not protect any individual interests. Directive 2002/58/EC clearly states that its objective is to protect users of electronic communications services from the risks posed by technology to personal data and privacy. Thus, it is a norm that protects, among other things, the rights of individuals.

The Supreme Court also analyzed in great detail the criterion of universality and non-discrimination, that is, the consequences of enshrining the spatial storage of data without distinction between situations and the entities concerned, i.e. users of electronic communications services. According to the Supreme Court, it would be more appropriate, according to the Supreme Court, to use the term general obligation to retain data in this context, that is, preventively and without ties to a predetermined purpose. In order to fulfil this criterion, neither the extent of the data stored nor the entities that are obliged to retain the data play a role. What matters is the range of subjects whose data is involved.

And how to assess the intensity of the interference with the right to private life in a given case? According to the Supreme Court, it is essential whether and to what extent the retained data are capable, in their entirety, of leading to the formation of conclusions about a person's private life. Since the Czech legislation includes among the stored data the concretization of the caller and the caller via telephone number, the length of communication, the time of communication, information on the location of the communication participants, information on SMS and MMS messages, information about the Internet connection, about the connection to the e-mail box, regardless of the list of other stored data, it is clear that these are data from which conclusions can be drawn about private life of the user.

All its considerations in this respect were summarised by the Supreme Court in paragraph 85 of the judgment of p. n. 30 Cdo 2556/2025-335 of 30 December 2025, which is currently published on its official record. It was launched on January 8, 2026 and will be unveiled on January 23, 2026.

Note: The text is an unedited machine translation.