On 20 September 2022, the Court of Justice of the European Union (hereinafter “CJEU”) ruled on the conditions under which Member States are allowed to retain traffic and location data for surveillance purposes.[1]

Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (hereinafter referred to as the “Directive on privacy and electronic communications”)[2] provides a European-wide framework for the storage and processing of such data.

Within the meaning of this Directive, traffic data are “any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof”.[3] As for the location data, it concerns “any data processed in an electronic communications network, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service”.[4]

This regulation enshrines the principle of confidentiality of electronic communications and related traffic data.^[5] Thus, it is forbidden to any person other than the users to keep, without their consent, these communication and data.[6]

In addition, Article 6 of the Directive provides rules for suppressing, anonymizing and processing data to prevent abuses.[7]

Furthermore, the Charter of Fundamental Rights of the European Union guarantees the right to respect for private and family life, home and correspondence,[8] the right to protection of personal data,[9] and the right to freedom of expression and information.

However, Member States are allowed to adopt legislative measures to “restrict the scope” of the rights and obligations above-mentioned. The measures adopted must, however, be necessary, appropriate and proportionate, and pursue the objective of safeguarding national security as defined by Article 15 of the Directive, in compliance with the general principles of Union law and fundamental rights guaranteed by the Charter[10].

In its two rulings handed down on 20 September 2022, the CJEU had to assess the conformity of French (joined cases C 339/20 and C 397/20) and German (joined cases C 793/19 and C 794/19) laws with the European legal framework on data protection.

I. The French and German courts have addressed several questions to the CJEU for a preliminary ruling on the interpretation of their data retention laws

On the one hand, in the context of an investigation initiated by the French Financial Market Authority (“AMF”) in France, the AMF provided the investigating judge with personal data from phone calls made by two individuals. Subsequently, criminal proceedings were initiated against them on charges of insider trading, concealment of insider trading, complicity, bribery and money laundering.[11]

The latter challenged the validity of the collection of their data before the French Supreme Court (Cour de cassation), in that it was based on national provisions that do not comply with EU law and do not set any limits on the power of AMF investigators to obtain access to the data stored.[12] The French provisions at stake were article L.34-1 of the French Post and Electronic Communications Code (hereinafter “CPCE”), and article 6 of the French Law on Confidence in the Digital Economy (hereinafter “LCEN”).

The French government submitted observations to the CJEU pursuant to which European law would allow the national legislature to institute “a general and indiscriminate obligation on operators providing electronic communications services to retain date, in order to allow the competent financial authority to detect and impose sanctions for insider dealing”. According to the French government, these recordings would be essential for the detection and demonstration of the existence of an infringement. They would ensure the effectiveness of investigations and prosecutions carried out by the AMF and guarantee the integrity of the Union’s financial markets.[13]

On the other hand, the German case involved SpaceNet and Telekom Deutschland were German Internet service providers. They were required by the German Telecommunications Act (TKG) to retain traffic and location data relating to their customers’ telecommunications.[14] German service providers questioned this retention obligation.[15]

The French and German laws provided for generalized and undifferentiated retention of traffic data. The objective of French law was to prevent market abuse offences[16] whereas German law was aimed at fighting particularly serious offences and preventing a material risk to the physical integrity, life or freedom of a person or to the existence of the Federal State or a Land.[17]

The data retained allowed the identification of the user and the recipient of the communication.^[18] The data included telephone numbers, date and time of the start and end of the conversation, details of the service used, and IP addresses in the case of Internet telephony services.[19]

In addition, in France the LCEN authorized online service providers to keep data that would allow the identification of anyone who contributed to the creation of any of the content for which they are providers.[20]

The French data were to be kept for one year, while the German traffic and location data were to be kept for ten and four weeks respectively.[21]

In both cases, these data could be transmitted to the competent law enforcement authorities at their request.[22]

In both cases, the Court was asked whether a national provision requiring operators and providers of electronic communications services to retain traffic and location data of end-users in a temporary, generalized, and undifferentiated manner for the purpose of prosecuting serious criminal offences or preventing a concrete risk to national security was contrary to Union law.[23]

II. The CJEU confirms its previous case law on traffic and location data retention

In its two decisions of 20 September 2022[24], the CJEU confirmed its previous case law resulting from the “La quadrature du net” and “Tele2 Sverig and Watson” decisions, in which it had held that European law precludes national regulations from providing for the generalized and undifferentiated retention of all traffic and location data of all subscribers and users of electronic means of communication for the purpose of fighting crime.

To that extent, the CJEU notes that neither the Directive 2006/3 nor the Regulation No. 596/2014[25], by allowing Member States to take the necessary measures to provide the competent authorities with a set of “effective tools, powers and resources, as well as the necessary supervisory and investigative powers to ensure the effectiveness of their duties”[26], did intend to allow Member States to impose a generalized and undifferentiated obligation to retain traffic data on electronic communication services operators.[27]

In addition, the data stored under French and German law was necessary to trace the source of a communication and its destination, the date, time, duration, type of communication and the communication equipment. This data included the name, the address of the user and the telephone numbers of the caller and the called party[28].

The CJEU noted that such data would then allow access to very precise information concerning the private life of individuals, including daily habits, permanent or temporary places of residence and the social relationships of the person to whom the data belong. Consequently, they violate the right to protection of privacy, correspondence and freedom of expression.[29]

Furthermore, the Court found that the violation persists regardless of the length of time the data is kept. Indeed, such retention is of a serious nature, since all the data is likely to allow very precise conclusions to be drawn concerning the private lives of the persons at stake.[30]

Consequently, the Court held that the French and German laws requiring operators of electronic communications services to carry out, as a preventive measure, a generalized and undifferentiated retention of the traffic data of all users of electronic communications media, without differentiation or exception, exceed the limits of what is strictly necessary and are not justified in a democratic society.[31]

On the other hand, the Court considered that the Directive 2002/58/EC does not preclude generalized and undifferentiated retention under certain conditions in the event of a serious and current threat to national security.[32] To that matter, Member States have the possibility of imposing on operators and service providers the rapid retention of data, under certain conditions, and in particular in the event of a crime considered “serious”.[33]

Finally, the Court outlined that access to retained data must be authorized by a court or an independent administrative authority.[34]

In any case, these measures must ensure by “clear and precise rules, that the storage of the data in question is subject to compliance with the relevant material and procedural conditions and that the persons concerned have effective guarantees against the risks of abuse”.[35]

While it is too early to quantify the impact of this decision on the French provisions, the Secretary General of the AMF considered that it created a “situation of legal uncertainty as to some of [the AMF’s] means of action”.[36]