23 November 2022

The CJEU limits generalized data retention in surveillance

On 20 September 2022, the Court of Justice of the European Union issued two rulings concerning the conditions under which member states are allowed to retain traffic data for surveillance purposes. These rulings challenge the national systems of France and Germany in this area.


On 20 September 2022, the Court of Justice of the European Union (hereinafter “CJEU”) ruled on the conditions under which Member States are allowed to retain traffic and location data for surveillance purposes.[1]

Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (hereinafter referred to as the “Directive on privacy and electronic communications”)[2] provides a European-wide framework for the storage and processing of such data.

Within the meaning of this Directive, traffic data are “any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof”.[3] As for the location data, it concerns “any data processed in an electronic communications network, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service”.[4]

This regulation enshrines the principle of confidentiality of electronic communications and related traffic data.[5] Thus, it is forbidden to any person other than the users to keep, without their consent, these communication and data.[6]

In addition, Article 6 of the Directive provides rules for suppressing, anonymizing and processing data to prevent abuses.[7]

Furthermore, the Charter of Fundamental Rights of the European Union guarantees the right to respect for private and family life, home and correspondence,[8] the right to protection of personal data,[9] and the right to freedom of expression and information.

However, Member States are allowed to adopt legislative measures to “restrict the scope” of the rights and obligations above-mentioned. The measures adopted must, however, be necessary, appropriate and proportionate, and pursue the objective of safeguarding national security as defined by Article 15 of the Directive, in compliance with the general principles of Union law and fundamental rights guaranteed by the Charter[10].

In its two rulings handed down on 20 September 2022, the CJEU had to assess the conformity of French (joined cases C 339/20 and C 397/20) and German (joined cases C 793/19 and C 794/19) laws with the European legal framework on data protection.


I. The French and German courts have addressed several questions to the CJEU for a preliminary ruling on the interpretation of their data retention laws

On the one hand, in the context of an investigation initiated by the French Financial Market Authority (“AMF”) in France, the AMF provided the investigating judge with personal data from phone calls made by two individuals. Subsequently, criminal proceedings were initiated against them on charges of insider trading, concealment of insider trading, complicity, bribery and money laundering.[11]

The latter challenged the validity of the collection of their data before the French Supreme Court (Cour de cassation), in that it was based on national provisions that do not comply with EU law and do not set any limits on the power of AMF investigators to obtain access to the data stored.[12] The French provisions at stake were article L.34-1 of the French Post and Electronic Communications Code (hereinafter “CPCE”), and article 6 of the French Law on Confidence in the Digital Economy (hereinafter “LCEN”).

The French government submitted observations to the CJEU pursuant to which European law would allow the national legislature to institute “a general and indiscriminate obligation on operators providing electronic communications services to retain date, in order to allow the competent financial authority to detect and impose sanctions for insider dealing”. According to the French government, these recordings would be essential for the detection and demonstration of the existence of an infringement. They would ensure the effectiveness of investigations and prosecutions carried out by the AMF and guarantee the integrity of the Union’s financial markets.[13]

On the other hand, the German case involved SpaceNet and Telekom Deutschland were German Internet service providers. They were required by the German Telecommunications Act (TKG) to retain traffic and location data relating to their customers’ telecommunications.[14] German service providers questioned this retention obligation.[15]

The French and German laws provided for generalized and undifferentiated retention of traffic data. The objective of French law was to prevent market abuse offences[16] whereas German law was aimed at fighting particularly serious offences and preventing a material risk to the physical integrity, life or freedom of a person or to the existence of the Federal State or a Land.[17]

The data retained allowed the identification of the user and the recipient of the communication.[18] The data included telephone numbers, date and time of the start and end of the conversation, details of the service used, and IP addresses in the case of Internet telephony services.[19]

In addition, in France the LCEN authorized online service providers to keep data that would allow the identification of anyone who contributed to the creation of any of the content for which they are providers.[20]

The French data were to be kept for one year, while the German traffic and location data were to be kept for ten and four weeks respectively.[21]

In both cases, these data could be transmitted to the competent law enforcement authorities at their request.[22]

In both cases, the Court was asked whether a national provision requiring operators and providers of electronic communications services to retain traffic and location data of end-users in a temporary, generalized, and undifferentiated manner for the purpose of prosecuting serious criminal offences or preventing a concrete risk to national security was contrary to Union law.[23]


II. The CJEU confirms its previous case law on traffic and location data retention

In its two decisions of 20 September 2022[24], the CJEU confirmed its previous case law resulting from the “La quadrature du net” and “Tele2 Sverig and Watson” decisions, in which it had held that European law precludes national regulations from providing for the generalized and undifferentiated retention of all traffic and location data of all subscribers and users of electronic means of communication for the purpose of fighting crime.

To that extent, the CJEU notes that neither the Directive 2006/3 nor the Regulation No. 596/2014[25], by allowing Member States to take the necessary measures to provide the competent authorities with a set of “effective tools, powers and resources, as well as the necessary supervisory and investigative powers to ensure the effectiveness of their duties”[26], did intend to allow Member States to impose a generalized and undifferentiated obligation to retain traffic data on electronic communication services operators.[27]

In addition, the data stored under French and German law was necessary to trace the source of a communication and its destination, the date, time, duration, type of communication and the communication equipment. This data included the name, the address of the user and the telephone numbers of the caller and the called party[28].

The CJEU noted that such data would then allow access to very precise information concerning the private life of individuals, including daily habits, permanent or temporary places of residence and the social relationships of the person to whom the data belong. Consequently, they violate the right to protection of privacy, correspondence and freedom of expression.[29]

Furthermore, the Court found that the violation persists regardless of the length of time the data is kept. Indeed, such retention is of a serious nature, since all the data is likely to allow very precise conclusions to be drawn concerning the private lives of the persons at stake.[30]

Consequently, the Court held that the French and German laws requiring operators of electronic communications services to carry out, as a preventive measure, a generalized and undifferentiated retention of the traffic data of all users of electronic communications media, without differentiation or exception, exceed the limits of what is strictly necessary and are not justified in a democratic society.[31]

On the other hand, the Court considered that the Directive 2002/58/EC does not preclude generalized and undifferentiated retention under certain conditions in the event of a serious and current threat to national security.[32] To that matter, Member States have the possibility of imposing on operators and service providers the rapid retention of data, under certain conditions, and in particular in the event of a crime considered “serious”.[33]

Finally, the Court outlined that access to retained data must be authorized by a court or an independent administrative authority.[34]

In any case, these measures must ensure by “clear and precise rules, that the storage of the data in question is subject to compliance with the relevant material and procedural conditions and that the persons concerned have effective guarantees against the risks of abuse”.[35]

While it is too early to quantify the impact of this decision on the French provisions, the Secretary General of the AMF considered that it created a “situation of legal uncertainty as to some of [the AMF’s] means of action”.[36]


Related content

The discreet ramping up of environmental criminal law
5 December 2023
The discreet ramping up of environmental criminal law
Navacelle contributes to The Legal Industry Reviews' fourth edition about recent gradual application of environmental criminal law in France, with...
17 November 2023
Saga UBS: second reassessment of the UBS’s historic financial penalty
On November 15, 2023, as part of the UBS saga that began on 20 February 2019, the judges on the...
Press review
23 February 2024
Press review – Week of 19 February 2024
This week’s press review covers Donald Trump and his sons’ conviction for fraud in New York, the decision of Paris...
22 February 2024
New clarifications on the repression of tax fraud offences and tax fraud laundering by the...
On 13 December 2023, the Cour de cassation first ruled on the concept of non bis in idem, rejecting the...
21 February 2024
Paris Arbitration Week 2024 – Ethics & Arbitration panel
Navacelle is hosting a panel regarding Ethics & Arbitration on 19 March 2024, during the Paris Arbitration Week (PAW).
20 February 2024
A French dairy group suspected of tax fraud
Since 2018, Lactalis has been suspected of committing tax fraud and laundering the proceeds of such fraud via schemes involving...
Press review
16 February 2024
Press review – Week of 12 February 2024
This week’s press review looks back at the legacy of former French minister of Justice Robert Badinter who recently passed...
Press review
9 February 2024
Press review – Week of 5 February 2024
This week’s press review highlights the acquittal of former minister and mayor of Pau, François Bayrou, the accusation of a...
Press review
2 February 2024
Press review – Week of 29 January 2024
This week’s press review highlights the Transparency report on France's global position in the fight against corruption, Uber's fine in...
30 January 2024
The European Public Prosecutor’s Office and TRACFIN signed a working arrangement for closer cooperation
In accordance with the principle of sincere cooperation between Member States and with the European Union's institutions, provided for in...
Press review
26 January 2024
Press review – Week of 22 January 2024
This week’s press review highlights Amazon’s 32 million euro fine by a French administrative authority for the monitoring of its...
25 January 2024
Internal investigation and data collection
EFB Degree - Internal investigation Internal investigation and data collection: In many respects, data collection is crucial in conducting an internal...
Press review
19 January 2024
Press review – Week of 15 January 2024
This week, the press review covers the validation by the French Supreme Court of Lafarge’s indictment for complicity in crimes...
15 January 2024
Practitioner’s Guide to Global Investigations (2024) – GIR
NAVACELLE co-author of the eighth edition of Global Investigations Review’s Practitioner’s Guide to Global Investigations.