23 November 2022

The CJEU limits generalized data retention in surveillance

On 20 September 2022, the Court of Justice of the European Union issued two rulings concerning the conditions under which member states are allowed to retain traffic data for surveillance purposes. These rulings challenge the national systems of France and Germany in this area.


On 20 September 2022, the Court of Justice of the European Union (hereinafter “CJEU”) ruled on the conditions under which Member States are allowed to retain traffic and location data for surveillance purposes.[1]

Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (hereinafter referred to as the “Directive on privacy and electronic communications”)[2] provides a European-wide framework for the storage and processing of such data.

Within the meaning of this Directive, traffic data are “any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof”.[3] As for the location data, it concerns “any data processed in an electronic communications network, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service”.[4]

This regulation enshrines the principle of confidentiality of electronic communications and related traffic data.[5] Thus, it is forbidden to any person other than the users to keep, without their consent, these communication and data.[6]

In addition, Article 6 of the Directive provides rules for suppressing, anonymizing and processing data to prevent abuses.[7]

Furthermore, the Charter of Fundamental Rights of the European Union guarantees the right to respect for private and family life, home and correspondence,[8] the right to protection of personal data,[9] and the right to freedom of expression and information.

However, Member States are allowed to adopt legislative measures to “restrict the scope” of the rights and obligations above-mentioned. The measures adopted must, however, be necessary, appropriate and proportionate, and pursue the objective of safeguarding national security as defined by Article 15 of the Directive, in compliance with the general principles of Union law and fundamental rights guaranteed by the Charter[10].

In its two rulings handed down on 20 September 2022, the CJEU had to assess the conformity of French (joined cases C 339/20 and C 397/20) and German (joined cases C 793/19 and C 794/19) laws with the European legal framework on data protection.


I. The French and German courts have addressed several questions to the CJEU for a preliminary ruling on the interpretation of their data retention laws

On the one hand, in the context of an investigation initiated by the French Financial Market Authority (“AMF”) in France, the AMF provided the investigating judge with personal data from phone calls made by two individuals. Subsequently, criminal proceedings were initiated against them on charges of insider trading, concealment of insider trading, complicity, bribery and money laundering.[11]

The latter challenged the validity of the collection of their data before the French Supreme Court (Cour de cassation), in that it was based on national provisions that do not comply with EU law and do not set any limits on the power of AMF investigators to obtain access to the data stored.[12] The French provisions at stake were article L.34-1 of the French Post and Electronic Communications Code (hereinafter “CPCE”), and article 6 of the French Law on Confidence in the Digital Economy (hereinafter “LCEN”).

The French government submitted observations to the CJEU pursuant to which European law would allow the national legislature to institute “a general and indiscriminate obligation on operators providing electronic communications services to retain date, in order to allow the competent financial authority to detect and impose sanctions for insider dealing”. According to the French government, these recordings would be essential for the detection and demonstration of the existence of an infringement. They would ensure the effectiveness of investigations and prosecutions carried out by the AMF and guarantee the integrity of the Union’s financial markets.[13]

On the other hand, the German case involved SpaceNet and Telekom Deutschland were German Internet service providers. They were required by the German Telecommunications Act (TKG) to retain traffic and location data relating to their customers’ telecommunications.[14] German service providers questioned this retention obligation.[15]

The French and German laws provided for generalized and undifferentiated retention of traffic data. The objective of French law was to prevent market abuse offences[16] whereas German law was aimed at fighting particularly serious offences and preventing a material risk to the physical integrity, life or freedom of a person or to the existence of the Federal State or a Land.[17]

The data retained allowed the identification of the user and the recipient of the communication.[18] The data included telephone numbers, date and time of the start and end of the conversation, details of the service used, and IP addresses in the case of Internet telephony services.[19]

In addition, in France the LCEN authorized online service providers to keep data that would allow the identification of anyone who contributed to the creation of any of the content for which they are providers.[20]

The French data were to be kept for one year, while the German traffic and location data were to be kept for ten and four weeks respectively.[21]

In both cases, these data could be transmitted to the competent law enforcement authorities at their request.[22]

In both cases, the Court was asked whether a national provision requiring operators and providers of electronic communications services to retain traffic and location data of end-users in a temporary, generalized, and undifferentiated manner for the purpose of prosecuting serious criminal offences or preventing a concrete risk to national security was contrary to Union law.[23]


II. The CJEU confirms its previous case law on traffic and location data retention

In its two decisions of 20 September 2022[24], the CJEU confirmed its previous case law resulting from the “La quadrature du net” and “Tele2 Sverig and Watson” decisions, in which it had held that European law precludes national regulations from providing for the generalized and undifferentiated retention of all traffic and location data of all subscribers and users of electronic means of communication for the purpose of fighting crime.

To that extent, the CJEU notes that neither the Directive 2006/3 nor the Regulation No. 596/2014[25], by allowing Member States to take the necessary measures to provide the competent authorities with a set of “effective tools, powers and resources, as well as the necessary supervisory and investigative powers to ensure the effectiveness of their duties”[26], did intend to allow Member States to impose a generalized and undifferentiated obligation to retain traffic data on electronic communication services operators.[27]

In addition, the data stored under French and German law was necessary to trace the source of a communication and its destination, the date, time, duration, type of communication and the communication equipment. This data included the name, the address of the user and the telephone numbers of the caller and the called party[28].

The CJEU noted that such data would then allow access to very precise information concerning the private life of individuals, including daily habits, permanent or temporary places of residence and the social relationships of the person to whom the data belong. Consequently, they violate the right to protection of privacy, correspondence and freedom of expression.[29]

Furthermore, the Court found that the violation persists regardless of the length of time the data is kept. Indeed, such retention is of a serious nature, since all the data is likely to allow very precise conclusions to be drawn concerning the private lives of the persons at stake.[30]

Consequently, the Court held that the French and German laws requiring operators of electronic communications services to carry out, as a preventive measure, a generalized and undifferentiated retention of the traffic data of all users of electronic communications media, without differentiation or exception, exceed the limits of what is strictly necessary and are not justified in a democratic society.[31]

On the other hand, the Court considered that the Directive 2002/58/EC does not preclude generalized and undifferentiated retention under certain conditions in the event of a serious and current threat to national security.[32] To that matter, Member States have the possibility of imposing on operators and service providers the rapid retention of data, under certain conditions, and in particular in the event of a crime considered “serious”.[33]

Finally, the Court outlined that access to retained data must be authorized by a court or an independent administrative authority.[34]

In any case, these measures must ensure by “clear and precise rules, that the storage of the data in question is subject to compliance with the relevant material and procedural conditions and that the persons concerned have effective guarantees against the risks of abuse”.[35]

While it is too early to quantify the impact of this decision on the French provisions, the Secretary General of the AMF considered that it created a “situation of legal uncertainty as to some of [the AMF’s] means of action”.[36]


Related content

Lobbying : Declaration obligations of interest representatives in France
14 July 2022
Lobbying: Declaration obligations of interest representatives in France
Highlight on the disclosure obligations imposed on interest representatives in France, as provided for by Law 2013-907 of October 11, 2013, as amended by Law 2016-1691 of...
The Guide to Sanctions -GIR (2022)
10 July 2022
The Guide to Sanctions (2022) – GIR
Navacelle co-author of the third edition of the Global Investigation Review's Guide to Sanctions.
Press review
2 December 2022
Press review – Week of 28 November 2022
In this press review, you will discover several important judicial events: the French Supreme Court clarified the status of victim of an act of terrorism and the compensa...
Press review
Week of 21 November 2022
25 November 2022
Press review – Week of 21 November 2022
In this press review, you will discover the opening of a preliminary investigation by the French National Financial Prosecutor’s Office for misappropriation of public f...
Ifaci demain en main - vignette
24 November 2022
Roundtable – Allegations – Investigations : The edges of tomorrow
Stéphane de Navacelle will participate in IFACI's annual conference: "Demain en mains" on the theme "Allegations - Investigations : The edges of tomorrow ", Monday 28 No...
21 November 2022
Judicial Agreement of Public Interest for aggravated tax fraud laundering and illegal canvassing
Credit Suisse escapes prosecution and agrees to pay a public interest fine of 123,000,000 euros under the 13th deferred prosecution agreement concluded by the National an...
Press review
Week of 14 November 2022
18 November 2022
Press review – Week of 14 November 2022
In this press review, you will find three significant events: the first conviction in France of a former Liberian rebel leader by the Paris criminal Court; the sanction o...
Autorité de la concurrence - Google
18 November 2022
Recent sanctions against Google by the French Competition Authority: ad servers and related rights
In 2021, the French Competition Authority imposed several fines on Google for anti-competitive practices related, on the one hand, to the remuneration of the related righ...
17 November 2022
Identification of the contractual actors of Compliance
Julie Zorrilla participated in the Colloque "Contract and compliance: the actors and their strategies" at the University of Nîmes.
17 November 2022
The cumulation of criminal and administrative sanctions in tax fraud
The judges of the Court of Cassation recently ruled on the cumulation of criminal and fiscal sanctions in tax fraud cases. This decision confirms the case law which permi...
16 November 2022
Cambridge Forum: Mutual legal assistance has gone rogue!
Why bother with MLATs when local law is global and prosecutors trade information on WhatsApp ?
Press review
Week of 7 November 2022
14 November 2022
Press review – Week of 7 November 2022
In this press review, you will find clarifications from the Court of Cassation on the legality of an extradition of an EU national to another Member State, even in the ab...
9 November 2022
Webinar: A comparative approach to professional secrecy and attorney-client privilege in criminal proceedings
Stéphane de Navacelle spokes at the Mondaq and Monfrini Bitton Klein webinar on "professional secrecy and attorney-client privilege in criminal proceedings".
7 November 2022
The implementation of the cumulation of criminal and administrative penalties for tax infringements
While the principle of cumulating criminal and administrative penalties for tax infringement is well entrenched, its implementation is subject to conditions that must be ...