The Court of Justice of the European Union sets limits to mass surveillance

The Court of Justice of the European Union sets limits to mass surveillance

On October 6, 2020, the Court of Justice of the European Union (CJEU) delivered two long-awaited decisions on data retention, intelligence and state surveillance.[1]

  The purpose was to examine the compliance with European Union law of certain regulations adopted by member states (especially France, Belgium and the United Kingdom) providing for an obligation on providers of telephone and electronic communication services to retain users data, and to transmit them to certain public authorities for the purpose of fighting criminality, or safeguarding national security.   In the name of the protection of fundamental rights and freedoms, the Court of Justice of the EU, in these two decisions, opposed to the massive collection of Internet and telephone connection data by the States. These decisions were awaited with concern by magistrates and police officers.  

I. In the EU and in France: what connection data is available, for whom, for how long?

In Europe, the Directive 2006/24/EC on the retention of data for the purpose of facilitating criminal investigations[2] was declared invalid in a decision handed down on August 8, 2014 by the CJEU[3] on the grounds that it constituted a particularly serious interference with the fundamental rights guaranteed by the Charter of Fundamental Rights of the European Union[4].   In 2016, in a decision called "Tele2": the Court then ruled that member states could not impose on providers a "general and undifferentiated obligation" to collect and retain traffic and location data.   Concretely, in accordance with the European jurisprudence, the data of Internet connections and telephone conversations could therefore theoretically no longer be kept by operators. However, several States of the European Union continue to require such a collection so that police, magistrates or intelligence services can access these data.   This is the case in France, where communication service operators are required to keep all users connection and navigation data for one year, in accordance with Decree No. 2011-219 of February 25, 2011[5].  

Which data?

  In France, the data to be kept are listed in general terms by Article R. 10-13 of the French Postal and Electronic Communications Code (CPCE).   This is all the data related to the "who, when, what, where, how" of an electronic activity. Everything except the content of the message itself, which would requires an interception.   It is traffic data - sometimes called metadata - and location data[6]. Connection data allows the identification of anyone who has contributed to the creation of content. This can include IP address, geolocation, phone records, and the numbers of frequently called contacts. This personal information can be very useful during an investigation to identify the perpetrator or to collect evidence.   Twitter or Facebook, for example, acting as technical intermediaries, are obliged to keep the "connection data" of their online activities during one year. The same applies to e-merchants with respect to buyers' login credentials, financial transactional data, e-mail addresses, telephone numbers and, where applicable, contribution to the creation of content such as a consumer notice.  

Which authorities are likely to request connection data?

  In accordance with Article 34-1 of the CEPC, data are kept "for the purpose of research, detection and prosecution of criminal offences". Only authorities acting for these purposes are authorized to request access to the data. In France, the law of July 24, 2015 offers the possibility for intelligence services to receive in real time the connection data of a person identified as a threat. This stock is also made available to police and gendarmerie services, judicial authorities such as investigating judges "for the purposes of research, recording and prosecution of criminal offences", but also Hadopi, ANSSI[7], Customs and Tax authorities.   Another purpose of the consultation is to guarantee the durability and security of the Internet network. Recently, under certain strict conditions, connection data can be made available to the Competition Authority for the purpose of investigating fraud or other violations of French competition law.  

How long should they be kept?

  It is the responsibility of the Access Provider to keep the connection data for a period of one year, in material conditions that guarantee their confidentiality and security, in order to be able to hand them over to the competent administrative and judicial authorities that request their communication (art. L.34.1 of the CPCE). The purpose is to meet the needs of research, detection and prosecution of criminal offences.   "Storage conditions must allow extraction as soon as possible to meet a request from the judicial authorities" (Article 4 of Decree No. 2011 219 of February 25, 2011). Any violation of this obligation of preservation can be punished by criminal penalties.    

II. The context and content of the two decisions of the CJEU

  Several non-governmental organizations and privacy associations in the United Kingdom, France and Belgium contested the collection of these citizens login data for intelligence purposes.   In France, four associations (La Quadrature du Net, French Data Network, Fédération des fournisseurs d'accès à Internet associatifs, have referred the matter to the Conseil d'Etat, questioning it on the compatibility of the French regime with Directive 2002/58/EC of July 12, 2002, known as "privacy and electronic communication" or "ePrivacy", considered in the light of the Charter of the European Union. These associations believe that French legislation violates European law. The Conseil d'Etat therefore referred a preliminary question to the CJEU concerning several decrees implementing the French Code of Internal Security, for 2015 and 2016. At the same time, the CJEU was also asked to rule on Belgian and British regulations, which imposed the same type of mass data collection on operators. The cases were joined and were at the origin of the first judgment of the CJEU (cases C-511/18, C-512/18 and C-520/18).   In United Kingdom, the NGO Privacy International initiated an action before the Investigatory Powers Tribunal contesting the legality of these practices under EU law on the grounds that they infringe on citizens' right to privacy. The United Kingdom government, the defendant, contested the jurisdiction of Union law in this case. It considers that the obligation to retain data and the obligation to transmit them are the exclusive competence of each member state because they relate to national security. The British court therefore asked the EU Court of Justice whether EU law applied in this case or not. This case is at the origin of the second judgment of the CJEU. (case C-623/17)   The Court of Justice of the European Union (CJEU) has ruled on the illegality of "generalized and undifferentiated" retention practices for connection data. The CJEU thus confirms its Tele2 Sverige and Watson decision rendered in 2016.   A. Principle: European justice recalls that States do not have the right to carry out mass surveillance.   In the first judgment (joined cases C-511/18 and C-512/18, 520/18), which concerns the other cases in France and Belgium, the Court specifies that legislative measures imposing on Internet access and telephony operators, as a preventive measure, a generalized and undifferentiated retention of traffic and location data is contrary to Union law because it involves particularly serious interference with the fundamental rights guaranteed by the Charter of the Union, except in the case of "a serious threat to real and actual or foreseeable national security" with data retention "temporally limited to what is strictly necessary".   In the second judgment (aff. C-623/17), which concerned the United Kingdom in particular, the CJEU confirmed that national regulations cannot require access providers to "transmit or retain customer connection data in a general and undifferentiated manner". The CJEU stated that the practices denounced by Privacy International exceed the limits of what is strictly necessary and cannot be considered justified in a democratic society.   The CJEU carries out a proportionality check.   It is the obligation of generalized and undifferentiated transmission of data to the security services that is targeted here. The national legislations in question are contrary to Union law.   Contrary to the English case, the retention of data "à la française" may therefore be authorized provided that it is proportionate to the objective of safeguarding national security and that it provides sufficient safeguards.   In other words, the CJEU states that France can no longer impose this generalized and undifferentiated retention of connection data except in certain cases.  

B. Derogations: Targeted and temporary retention of data in the event of a serious threat to national security

  The Court emphasizes that it "does not oppose legislative measures allowing recourse to targeted, time-limited retention of connection data limited to what is strictly necessary". Thus, "in situations where the Member State concerned is faced with a serious threat to national security which is real and present or foreseeable", the famous ePrivacy Directive, read in the light of the Charter, "does not preclude an order requiring providers of electronic communications services to retain traffic and location data in a generalized and undifferentiated manner", the judges consider. An injunction is possible, for a "period of time limited to what is strictly necessary", provided that it is subject to "effective control, either by a court or by an independent administrative entity". The ruling makes real-time surveillance of individuals targeted in serious cases (e.g. terrorism) possible, provided there is a reasonable suspicion that they are involved.  

To be remembered from the two decisions:

  Objective of safeguarding national security If a State faces a serious threat to national security (e.g. terrorism), real and present, or foreseeable, operators may be required to retain traffic and location data in a generalized and undifferentiated manner. This possibility should be subject to effective supervision by an independent court or administrative authority.   Targeted conservation The CJEU also states that Member States may retain data in a targeted manner, on the basis of objective and non-discriminatory elements, according to categories of data subjects or by means of a geographical criterion.   Duration limited to what is strictly necessary Similarly, this Directive does not preclude such measures providing for generalized and undifferentiated retention of data, provided that the retention period is limited to the strict necessary.  

III. The concrete implementation of these judgements is still subject to interpretation

  The exceptions listed disappointed the plaintiff associations. Indeed, even though the CJEU decisions provide a legal framework that is much more protective of liberties and privacy than the current state of French law, the important exception regimes are subject to interpretation. They could, according to associations for the defense of rights and freedoms, lead to abuses.   The intelligence services, especially the French ones, consider that the decision of the Court of the Union seriously hinders their investigative work. In many cases, such as the 2015 attacks, data is an essential raw material for magistrates and investigators. Many ongoing criminal investigations could be stopped dead in their tracks or their actions declared null and void if the State amends the legislation.   Some questions remain open, in particular on how the authorities can or should target the individuals whose data is to be kept by the operators (since the data could in fact make it possible to identify them a posteriori).   Following the decisions of the CJEU, the next step will be played out before the national authorities of the different member states: the Investigatory Powers Tribunal in Great Britain and the Conseil d'Etat in FranceThey will have to decide on the contested text taking into account the opinion of the CJEU. If there is a need to adapt them, it will be necessary to determine how to reconcile the standards of the CJEU with the reality on the ground and the seriousness of the threats. Bering in mind that the Court leaves a certain latitude to the Member States in terms of defining the time for the storage and exploitation of the data.   [interne id="63239"][interne id="67062"]   [1] Decision La Quadrature du Net and others, Joined Cases C-511/18 and C-512/18 and Ordre des barreaux francophones et germanophone and others, C-520/18 of the Court of Justice of the European Union, 6 October 2020; Decision Privacy International C-623/17 of the Court of Justice of the European Union, October 6, 2020. [2] It required the retention for a period ranging from six months to two years of the data necessary to determine the source, destination, date, time, duration, type and transmitting machine of a communication as well as the location of the mobile communication equipment involved in it. [3] CJEU, Judgment of the Court (Grand Chamber) of 8 April 2014, Digital Rights Ireland Ltd v. Minister for Communications, Marine and Natural Resources and Others and Kärntner Landesregierung and Others, Joined Cases C-293/12 and C-594/12. [4] Articles 7 (respect for private and family life) and 8 (protection of personal data) [5] French legislation on the processing of connection data is mainly based on the provisions of the French law no. 2004-575 of June 21, 2004 for confidence in the digital economy ("LCEN"); transposing the European directive 2000/31/EC of June 8, 2000 on electronic commerce; The French Postal and Electronic Communications Code ("CPCE"); The French Commercial Code (new article L450-3-3, resulting from the new PACTE law no. 2019-486 of May 22, 2019). [6] The CJEU states that these are "in particular those necessary to trace the source and destination of a communication, to determine the date, time, duration and type of the communication, to identify the communication equipment used and to locate the terminal equipment and communications, data which include, in particular, the name and address of the user, the telephone numbers of the calling and called parties and the IP address for Internet services. » [7] National Agency for the Security of Information Systems
To go further