23 November 2022

The CJEU limits generalized data retention in surveillance

On 20 September 2022, the Court of Justice of the European Union issued two rulings concerning the conditions under which member states are allowed to retain traffic data for surveillance purposes. These rulings challenge the national systems of France and Germany in this area.


On 20 September 2022, the Court of Justice of the European Union (hereinafter “CJEU”) ruled on the conditions under which Member States are allowed to retain traffic and location data for surveillance purposes.[1]

Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (hereinafter referred to as the “Directive on privacy and electronic communications”)[2] provides a European-wide framework for the storage and processing of such data.

Within the meaning of this Directive, traffic data are “any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof”.[3] As for the location data, it concerns “any data processed in an electronic communications network, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service”.[4]

This regulation enshrines the principle of confidentiality of electronic communications and related traffic data.[5] Thus, it is forbidden to any person other than the users to keep, without their consent, these communication and data.[6]

In addition, Article 6 of the Directive provides rules for suppressing, anonymizing and processing data to prevent abuses.[7]

Furthermore, the Charter of Fundamental Rights of the European Union guarantees the right to respect for private and family life, home and correspondence,[8] the right to protection of personal data,[9] and the right to freedom of expression and information.

However, Member States are allowed to adopt legislative measures to “restrict the scope” of the rights and obligations above-mentioned. The measures adopted must, however, be necessary, appropriate and proportionate, and pursue the objective of safeguarding national security as defined by Article 15 of the Directive, in compliance with the general principles of Union law and fundamental rights guaranteed by the Charter[10].

In its two rulings handed down on 20 September 2022, the CJEU had to assess the conformity of French (joined cases C 339/20 and C 397/20) and German (joined cases C 793/19 and C 794/19) laws with the European legal framework on data protection.


I. The French and German courts have addressed several questions to the CJEU for a preliminary ruling on the interpretation of their data retention laws

On the one hand, in the context of an investigation initiated by the French Financial Market Authority (“AMF”) in France, the AMF provided the investigating judge with personal data from phone calls made by two individuals. Subsequently, criminal proceedings were initiated against them on charges of insider trading, concealment of insider trading, complicity, bribery and money laundering.[11]

The latter challenged the validity of the collection of their data before the French Supreme Court (Cour de cassation), in that it was based on national provisions that do not comply with EU law and do not set any limits on the power of AMF investigators to obtain access to the data stored.[12] The French provisions at stake were article L.34-1 of the French Post and Electronic Communications Code (hereinafter “CPCE”), and article 6 of the French Law on Confidence in the Digital Economy (hereinafter “LCEN”).

The French government submitted observations to the CJEU pursuant to which European law would allow the national legislature to institute “a general and indiscriminate obligation on operators providing electronic communications services to retain date, in order to allow the competent financial authority to detect and impose sanctions for insider dealing”. According to the French government, these recordings would be essential for the detection and demonstration of the existence of an infringement. They would ensure the effectiveness of investigations and prosecutions carried out by the AMF and guarantee the integrity of the Union’s financial markets.[13]

On the other hand, the German case involved SpaceNet and Telekom Deutschland were German Internet service providers. They were required by the German Telecommunications Act (TKG) to retain traffic and location data relating to their customers’ telecommunications.[14] German service providers questioned this retention obligation.[15]

The French and German laws provided for generalized and undifferentiated retention of traffic data. The objective of French law was to prevent market abuse offences[16] whereas German law was aimed at fighting particularly serious offences and preventing a material risk to the physical integrity, life or freedom of a person or to the existence of the Federal State or a Land.[17]

The data retained allowed the identification of the user and the recipient of the communication.[18] The data included telephone numbers, date and time of the start and end of the conversation, details of the service used, and IP addresses in the case of Internet telephony services.[19]

In addition, in France the LCEN authorized online service providers to keep data that would allow the identification of anyone who contributed to the creation of any of the content for which they are providers.[20]

The French data were to be kept for one year, while the German traffic and location data were to be kept for ten and four weeks respectively.[21]

In both cases, these data could be transmitted to the competent law enforcement authorities at their request.[22]

In both cases, the Court was asked whether a national provision requiring operators and providers of electronic communications services to retain traffic and location data of end-users in a temporary, generalized, and undifferentiated manner for the purpose of prosecuting serious criminal offences or preventing a concrete risk to national security was contrary to Union law.[23]


II. The CJEU confirms its previous case law on traffic and location data retention

In its two decisions of 20 September 2022[24], the CJEU confirmed its previous case law resulting from the “La quadrature du net” and “Tele2 Sverig and Watson” decisions, in which it had held that European law precludes national regulations from providing for the generalized and undifferentiated retention of all traffic and location data of all subscribers and users of electronic means of communication for the purpose of fighting crime.

To that extent, the CJEU notes that neither the Directive 2006/3 nor the Regulation No. 596/2014[25], by allowing Member States to take the necessary measures to provide the competent authorities with a set of “effective tools, powers and resources, as well as the necessary supervisory and investigative powers to ensure the effectiveness of their duties”[26], did intend to allow Member States to impose a generalized and undifferentiated obligation to retain traffic data on electronic communication services operators.[27]

In addition, the data stored under French and German law was necessary to trace the source of a communication and its destination, the date, time, duration, type of communication and the communication equipment. This data included the name, the address of the user and the telephone numbers of the caller and the called party[28].

The CJEU noted that such data would then allow access to very precise information concerning the private life of individuals, including daily habits, permanent or temporary places of residence and the social relationships of the person to whom the data belong. Consequently, they violate the right to protection of privacy, correspondence and freedom of expression.[29]

Furthermore, the Court found that the violation persists regardless of the length of time the data is kept. Indeed, such retention is of a serious nature, since all the data is likely to allow very precise conclusions to be drawn concerning the private lives of the persons at stake.[30]

Consequently, the Court held that the French and German laws requiring operators of electronic communications services to carry out, as a preventive measure, a generalized and undifferentiated retention of the traffic data of all users of electronic communications media, without differentiation or exception, exceed the limits of what is strictly necessary and are not justified in a democratic society.[31]

On the other hand, the Court considered that the Directive 2002/58/EC does not preclude generalized and undifferentiated retention under certain conditions in the event of a serious and current threat to national security.[32] To that matter, Member States have the possibility of imposing on operators and service providers the rapid retention of data, under certain conditions, and in particular in the event of a crime considered “serious”.[33]

Finally, the Court outlined that access to retained data must be authorized by a court or an independent administrative authority.[34]

In any case, these measures must ensure by “clear and precise rules, that the storage of the data in question is subject to compliance with the relevant material and procedural conditions and that the persons concerned have effective guarantees against the risks of abuse”.[35]

While it is too early to quantify the impact of this decision on the French provisions, the Secretary General of the AMF considered that it created a “situation of legal uncertainty as to some of [the AMF’s] means of action”.[36]


Related content

La 32e chambre correctionnelle du tribunal judiciaire de Paris se prononce pour la première fois en matière de délit de manipulation de marché
7 July 2023
The Paris Criminal Court issues its first decision on a market manipulation case
On 25 May 2023, the Paris Criminal Court (32nd Chamber) ruled for the first time on the offence of market...
CumEx files
13 January 2022
CumEx files, from tax optimization to tax fraud?
A look back at the revelations of the "CumEx files" and key take aways on these practices of tax optimization...
Press review
Press review
22 September 2023
Press review – Week of 18 September 2023
This week, the Navacelle press review looks back at the adoption of the eighth version of the European Administrative Cooperation...
La Cour de cassation reconnaît à la justice française la compétence universelle dans le cadre de crimes commis en Syrie.
18 September 2023
French Supreme Court (Court de Cassation) recognizes the universal jurisdiction of the French judicial courts...
In two rulings handed down on May 12, 2023, the French Supreme Court (Cour de Cassation) clarifies the conditions under...
Press review
press review
15 September 2023
Press review – Week of 11 September 2023
This week, the Navacelle press review looks back at the decision of a Brazilian Supreme Court judge to overturn the...
Press review
Press review
8 September 2023
Press review – Week of 4 September 2023
This week, the Navacelle press review discusses the guide published by the European Commission for EU operators on the best...
Bastille day newsletter 2023
14 July 2023
Bastille Day Newsletter 2023
On this 14th of July, lawyers at Navacelle offer you, as it does every year, a selection of noticeable events...
Judicial public interest agreements (CJIP)
13 July 2023
[Infography] Focus on Judicial public interest agreements (CJIP)
Since its creation by the Sapin II law of 9 December 2016, the Judicial Public Interest Agreement (“Convention Judiciaire d’Intérêt...
Focus on the French financial markets authority activity (AMF)
13 July 2023
[Infography] Focus on the French financial markets authority activity (AMF)
The French Financial Markets Authority (“AMF”) intensive enforcement activity again demonstrates the regulator’s ambition to continuously strengthen market surveillance, through...
13 July 2023
[Infographie] Focus on the French data protection authority activity (CNIL)
Over the past months, the French Commission Nationale de l’Informatique et des Libertés (“CNIL”), regulator of personal data, imposed tremendous...
13 July 2023
Overview of arbitration case law
French case law rendered this past year has notably addressed the enforcement regime against assets frozen because of international sanctions,...
13 July 2023
AFA and PNF publish a guide to anti-corruption internal investigations
On 14 March 2023, the French Anti-Corruption Agency (“AFA”) and the French National Financial Prosecutor's Office (“PNF”) jointly published a...
13 July 2023
PNF updates its guidelines for judicial public interest agreements
In January 2023, the National Financial Prosecutor published its new guidelines on judicial public interest agreements, which are intended to...
13 July 2023
The French Supreme Court confirms in its decision “La Chaufferie de La Défense” that the...
In a decision dated 9 November 2022, the criminal chamber of the French Supreme Court confirmed its case law on...