On 6 October 2020 (1), the European Court of Justice (“ECJ”) rendered its judgment further to requests for preliminary ruling from the Belgian Constitutional Court (Cour Constitutionnelle / Grondwettelijk Hof) and the French Council of State (Conseil d’Etat).
Without getting into the specifics of the Belgian and French cases that caused the aforesaid national jurisdictional bodies to seek preliminary ruling, the ECJ was principally asked to determine whether the general and indiscriminate retention of data relating to electronic communications (as defined in Directive 2002/58/EC on privacy and electronic communications) that is imposed on providers of electronic communications services under national law is compatible with the right to privacy and the right to protection of personal data as defined under EU legislation.
In its 59 pages judgement, the ECJ expressly states that any retention of data related to individuals’ electronic communications is an interference with the right to respect for private life. Therefore such retention must remain the exception and not be established as a principle. General and indiscriminate retention of traffic and location data (2), as a preventive measure, is contrary to the EU privacy right and right on data protection. As exceptions (3) to that principle, the measures for general and indiscriminate retention, under the following conditions, are however compatible with EU law:
- for the purposes of safeguarding national security, an instruction requiring providers of electronic communications services to retain, generally and indiscriminately, traffic and location data, in situations where Member States are confronted with a serious threat to national security that is genuine and present or foreseeable, and provided (i) that the decision imposing such an instruction is subject to effective review, either by a court or by an independent administrative body whose decision is binding, and (ii) that such instruction may be given only for a period of time that is limited to what is strictly necessary, but which may be extended if that threat persists;
- for the purposes of safeguarding national security, combating serious crime and preventing serious threats to public security, the general and indiscriminate retention of IP addresses assigned to the source of an Internet connection for a period of time that is limitedto what is strictly necessary;
- for the purposes of safeguarding national security, combating crime and safeguarding public security, the general and indiscriminate retention of data relating to the civil identity of users of electronic communications systems.
According to the ECJ, the measures under a), b) and c) must ensure, though clear and precise rules, that the data retention is subject to applicable substantive and procedural conditions, and that the concerned data subjects have effective safeguards against the risks of abuse.
Challenged legal framework in Belgium and France
- Belgium: the relevant national legal provisions in Belgium are provided under the Law of 29 May 2016 on data collection and retention in the field of electronic communications (4) (the “Belgian Data Retention Law”). The Belgian Data Retention Law imposes, upon every provider of electronic communications services (and networks), a general and indiscriminate obligation to retain, for a period of 12 months, the following categories of data: (a) identification data: data that can be used to identify the user or subscriber and the means of communication; (b) connection data: data relating to (i) the terminal equipment access and connection to the network and the service and to (ii) the location of those equipment; and (c) communication data (other than content), including the origin and destination of the communication.
Pursuant to the preparatory documents of the Belgian Data Retention Law, the purpose thereof (and thus the purpose of the aforesaid data retention obligation) is to allow to fight against terrorism and child pornography, and also to use the retained data in a wide variety of situations in which these data can be both the starting point and a step in a criminal investigation. - France: the challenged set of legal texts is made of provisions of the Internal Security Code, the Post and Electronic Communications Code, the Law No. 2004-575 of 21 June 2020 to promote trust in the digital economy and related Decree No. 2011-2019 (collectively the “French Data Retention Law”).
To summarize, the French Data Retention Law imposes upon telecommunications operators the obligation to retain generally and indiscriminately, for a period of one year, users’ connection data(5): (a) identity data, which allows the identification of the user of an electronic communication system (for example, the first and last names linked to a telephone number or the IP address through which a user is connected to the Internet); (b) traffic data which track the dates, hours and recipients of electronic communications, or the list of websites consulted; and (c) location data, which allows a device to be “marked” by the base station to which it is connected.
Such general and indiscriminate retention of users’ connection data as imposed under the French Data Retention Law is for the purposes of intelligence and criminal investigation including, without limitation, the fight against terrorism.
The Belgian Constitutional Court and the French Council of State
- Belgian Constitutional Court: in its decision (6) (arrêt / arrest) dated 22 April 2021 and following the ECJ reasoning, the Constitutional Court comes to the conclusion that the Belgian Data Retention Law is not compatible with EU law – in particular the right to privacy and the right to protection of personal data – and therefore repeals the Belgian Data Retention Law, principally on the following grounds:
- the Belgian Data Retention Law establishes the general and indiscriminate retention of electronic communications data as a principle whereas it imperatively must remain an exception, since it constitutes an interference with data subjects’ fundamental right to privacy;
- the Belgian Data Retention Law does not fall within the exceptions strictly and exhaustively listed in the ECJ decision (see above):
- the purpose of the general and indiscriminate data retention therein contained goes beyond the fight against serious crime or the risk to national security;
- the categorization of the data that must be retained does not correspond to the categorization and distinction determined by the ECJ (the Belgian Data Retention Law does not refer to IP-addresses assigned to the source of an Internet connection or civil identity of users);
- the principle of proportionality is not complied with (e.g. users’ data are to be retained whether are not such users are suspected of having committed or being involved in a crime).
The Constitutional Court ruled that it is up to the Belgian legislator to adopt a law that is compatible with the EU law – as construed by the ECJ – and to determine with precision the possible measures authorized by the ECJ, to ensure that the interference with data subjects’ fundamental rights is strictly limited to what is necessary.
In light of the ECJ preliminary ruling, the Constitutional Court states that the effect of the Belgian Data Retention Law – as repealed – cannot be maintained provisionally. It is up to the criminal judge to decide, in pending cases, whether or not to use evidence obtained further to the application of the Belgian Data Retention Law. If such criminal judge decides to do so, he or she must ensure that the right to fair trial is not infringed.
- French Council of State: the day before the decision of the Belgian Constitutional Court, the French Council of State (7) ruled over the compatibility of the French Data Retention Law with the EU law as construed by the ECJ.
In the first section of the decision, the Council of State substantially reminds that the French Constitution remains the supreme norm in the national legal system. In the case at hand, this principle means – as developed in the French decision – that the Council of State must ensure that the application of EU law – as specified by the ECJ – does not endanger French constitutional requirements (i.e. the requirements established in the French Constitution) that would not benefit from an equivalent safeguard under EU law.
In terms of hierarchy of norms, the EU law comes first provided (and to the extent) that the French constitutional requirements at stake are not less safeguarded under EU law than under the French law. In case of inferior safeguard under EU law, the specific EU provision shall be set aside by the Council of State and therefore by the French judge.
The French Constitution is the first norm referred to in the recitals of the decision of the Council of State. The EU Treaty follows right after.
With respect to the French Data Retention Law, the French constitutional requirements are the safeguard of the fundamental interests of the nation, prevention of public order infringements, fight against terrorism and search for criminal offenders. While examining the compatibility of the French Data Retention Law with EU law, the Council of State assesses whether the ECJ limited conditions do not affect these constitutional requirements.
In light of the above, the Council of State concludes that:
- considering the permanent state of alert and the terrorist threat in France these last years, the general and indiscriminate retention of connection data – as defined and imposed upon telecommunications operators under the French Data Retention Law – is justified for the purpose of safeguarding national security. In other words, such retention falls within the exceptions defined in the ECJ preliminary ruling.
To ensure compliance with the ECJ decision, the Council of State however specifies that the French government must periodically assess, under the control of the administrative court, the existence of a serious, actual and current or foreseeable threat to national security;
- the general and indiscriminate obligation to retain connection data for purposes other than national security, such as prosecuting criminal offences, is not legal. There is however an exception for data deemed less sensitive, such as civil status, IP address, accounts and payments. Outside these exceptions, the French Data Retention Law is repealed to that limited extent;
- in accordance with the principle of proportionality, the use of connection data must be limited to the prosecution of serious offences;
- the use of retained data for intelligence purposes must be subject to the prior binding control of the court or an independent authority. The current French Data Retention Law however refers to mere advice or non-binding recommendations by the National Commission for the Control of Intelligence Techniques. Therefore, the State of Council orders the Prime minister to adopt the necessary amendments within six months.
In accordance with its conclusions above, the Council of State decides that – except for a few exceptions – the repealed provisions (or parts of provisions) of the French Data Retention Law are so without retroactive effect.
* *
*
The Belgian Data Retention Law and the French Data Retention Law are of course drafted differently. It is also worth mentioning that the former, as referred to in the ECJ preliminary decision, is much more succinct than the latter which covers several sets of legal provisions.
That being said, it is further to requests for preliminary ruling based on both abovementioned national laws that the ECJ ruled that any retention of data related to individuals’ electronic communications is an interference with the right to respect for private life and is thus prohibited as a principle. The general and indiscriminate preventive retention of electronic communications data is solely authorized when the strict conditions of the exceptions exhaustively listed by the ECJ are met.
The Belgian Constitutional Court is fully in line with the ECJ and integrates, in its 60 pages decision, lengthy excerpts from the ECJ preliminary ruling. Accordingly, the Constitutional Court requests that the Belgian legislator rethinks the perspective of the legal framework so that the general and indiscriminate data retention – where possibly applicable – remains the exception and not the principle, as it is the case under the repealed Belgian Data Retention Law, according to the Constitutional Court.
The comprehension of the ECJ preliminary ruling by the French Council of State is not, as such, different from the Belgian jurisdiction. The decision of the French Council of State however translates a will to preserve the French Data Retention Law – and more generally the national legal order – as it is. In other words, the position is rather to determine from the outset whether and to what extent the French Data Retention Law falls within the exceptions defined in the ECJ decision, and to repeal (or to order the amendment for) only what exceeds the limits of the ECJ exceptions.
Another specificity of the French decision is the application of the hierarchy of norms. Whereas EU scholars teach that EU law is at the top of the pyramid in Member States’ legal systems (except for the determined fields subject to national sovereignty), the Council of State explains that the French Constitution is the supreme norm and that French requirements of constitutional essence (safeguard of the interests of the nation, fight against terrorism, etc.) cannot be put at risk by EU legal provisions (as construed by the ECJ as the case may be) that do not offer the same safeguard as the French law, in respect of these requirements.
The preamble of the press release of the French Council of State sums it well : “The Council of State rules that the existing threat to national security currently justifies the generalized retention of data. It also notes that the possibility of accessing connection data in order to fight serious crime allows, at the present time, the constitutional requirements of preventing breaches of law and order and the tracking down of authors of criminal offences to be ensured”.
Now, let’s wait for the new provisions that will be adopted by the Belgian legislator…
Stéphanie Ngay-Katalay
Lawyer DNA LAW
25 May 2021
(1) C-511/18, C-512/18 and C-520/18.
(2) “Traffic data” means any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof; “location data” means any data processed in an electronic communications network, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service.
(3) The ECJ judgment refers to other measures such as targeted retention, expedited retention, automated and real-time collection. Those measures are not commented in this publication which focuses on general and indiscriminate retention of electronic communications data.
(4) As modifying, among others, the Belgian Law of 13 June 2005 on electronic communications and Code of criminal procedure.
(5) Press release of the French Council of State of 21 April 2021.
(6) Decision No. 57/2021.
(7) Decision No. 393099,394922, 397844, 397851, 424717, 424718.