Op-Ed: “La Quadrature du Net e.a. : balancing data retention with general interests and the right to security…again” by Catherine Van de Heyning
In the joined cases La Quadrature du Net e.a. (C-511/18, C-512/18 and C-520/18), the French Conseil d’Etat and the Belgian Constitutional Court asked the Court of Justice to refine its Tele2/Watson reasoning (C-203/15 and C-698/15) on the retention of communication data. In its previous case law, the Court found that the e-Privacy Directive and the protection of privacy and personal data in Articles 7 and 8 of the EU Charter preclude national legislation that requires telecommunication operators and providers to uphold an indiscriminate and general retention of communication data. Only targeted retention of location and traffic data is allowed, namely if limited in time, geographical location and to persons concerned.
The Tele2/Watson judgment was met with dismay by intelligence services and law enforcement. The claim put forward is that they cannot predict who may constitute a threat to public security or commit an offence (EU Member States willing to retain illegal data retention). Targeted retention would mean that traces of the offence would no longer be available if a crime committed by a previously unsuspected person is discovered after the facts. Therefore, Member States argued that criminal investigations would turn out to be futile without data retention because digital evidence would be unavailable. Consequently, several Member States were reluctant to change their data retention regime or applied a new approach that is not in line with the previous EU-judgments.
It came as no surprise that new preliminary questions were sent to the Court of Justice by Belgian, French and UK courts as in particular in these Member States the Tele2/Watson judgment was criticised as undermining effective criminal investigation and public security. Whereas in the first data retention cases Digital Rights Europe (C-293/12 and C-594/12) and Tele2/Watson to focus was on the question whether data retention did not pose a disproportionate threat to privacy and the protection of personal data, these preliminary questions suggest that the balance has tilted too much in favour of these rights and public interests of safety and security are to be considered. The preliminary questions therefore not only read as an invitation to the Court to refine and clarify its case law, but also as a suggestion to reconsider.
The top French and Belgian courts asked the Court of Justice to consider an alternative approach to Tele2/Watson whereby the retention of bulk communication could still be possible under certain conditions. Whereas the French Conseil d’Etat questioned the Court on the exceptions to the general rule as set out in Tele2/Watson, the Belgian Constitutional Court suggested that a new balance was to be struck because other fundamental rights were not considered, such as the positive obligation on Member States to protect the integrity of children in sexual exploitation cases. Given that the Court left no doubt in its case law that indiscriminate and general retention of communication data violates EU law, the Court would have to reverse its current case law. In Quadrature du Net e.a., the Court made it very clear that it was not willing to do so and that the principle still stands that only targeted retention of location and traffic data is allowed. These data are considered as particularly sensitive because they allow one to draw an intimate picture of an individual’s personal life. As such, retention of these data constitutes a serious infringement of the protection of privacy and personal data. Therefore, it can only exceptionally be justified. The fact that the data collected are not particularly ‘sensitive’ data in the light of the e-Privacy Directive (for example with regard to the sexual orientation of a data subject), that the data subject has not suffered an inconvenience due to the collection, or whether or not the data have been accessed, are immaterial for the Court.
While standing its ground on the principles, the Court was open to the concerns of the Member States for the impact on the protection of security and effective criminal investigation. The Court agrees that other interests are to be taken on board, such as the protection of personal integrity, public security, the effective fight against crime or positive obligations on member states to protect vulnerable persons such as minors. Therefore, the Court developed a more detailed framework for the retention of communication data in an attempt to strike the right balance between privacy and security. First, the Court agreed that certain objectives of public interest could justify the retention of data. In principle, the fight against serious crime justifies the retention of personal data if targeted as to the geographical area, persons concerned and time. The retention of bulk communication data, however, is only allowed in situations of a serious, present and foreseeable threat to national security, such as in case of a terrorist threat. Such bulk retention for intelligence purposes is only possible if provided by law, limited in time to what is strictly necessary and subject to effective review either by a court or by an independent administrative body whose decision is binding.
Second, the Court limited the scope of data that cannot be retained in bulk. From Tele2/Watson and follow-up case Ministerio Fiscal (C-207/16), follows that the retention of identification data (such as subscriber information) constitutes but a limited infringement of the right to privacy and the protection of personal data. In Quadrature du Net e.a., the Court adds that EU law does not preclude the bulk retention of IP addresses or information concerning the civil identity of users to fight serious crime or protect public security. In particular IP addresses are of high importance for digital investigation as they are often the only lead to a criminal.
Finally, the Court allows for investigative measures that are necessary for an effective investigation in the digital sphere whereby traces may quickly disappear. Taking the nudge from the Belgian Constitutional Court on the importance of retention of data for cybercrime, the Court emphasises that EU law does not preclude targeted rapid conservation of data in emergency situations where the connection of persons with a crime is not yet clear. Equally, real-time retention as well as automatic detection and analysis of data to fight crime and discover security threats are found to be compatible with EU law.
The data retention saga – from the Digital Rights Ireland – judgment over Tele2/Watson to Quadrature du Net and Privacy International – is a clear example of a fruitful judicial dialogue between the highest European courts and the Court of Justice. On the one hand, the Court emphasises that the principle of targeted retention is not for the Member States to circumvent or mitigate, thereby highlighting the principle of primacy of EU law. This is a clear warning to the Member States that were reluctant to put themselves in line with the Tele2/Watson case law. On the other hand, the Court explicitly takes on board the concerns of the Member States and is willing to provide for a more sophisticated balancing of EU law, fundamental rights and public interests. A fine example of the attempt of the Court to walk this tight line can be found in the question concerning IP-addresses. The Court acknowledges that these data can portray an intimate picture of a person’s personal life and thus, the retention of these data is a serious infringement of the Articles 7 and 8 of the EU Charter. Yet, the Court accepts that these data are often the only basis for solving a crime and essential in the fight against particular serious crimes such as child pornography. In this context, the Court finds bulk retention of these data proportionate if strictly limited in time and in so far as strict conditions and guarantees are provided for access to these data.
This judicial dialogue invites the Court to conduct a delicate balancing exercise that is first and foremost rights-focused. The Court reiterates the importance of the protection of personal data and privacy in a democratic society finding an infringement only justified if proportionate and strictly necessary. At the same time, the Court takes a procedural approach by requiring a solid legal basis for any exemption and by highlighting the necessity of procedural guarantees (such as an independent oversight whose decisions are binding). This results in a refined framework of data retention, access and exploitation. From a judicial perspective, this judgment largely convinces as a balanced and substantiated reply to the difficult question of reconciling privacy and security. From a practical and technical perspective, the application in day-to-day intelligence and criminal investigations is not as self-evident and will require trial and error as well as a cooperative approach of the telecommunication services and operators to develop targeted retention by design.
Catherine Van de Heyning, dr. is an Assistant Professor in fundamental rights law at the University of Antwerp. She recently published on data retention and fundamental rights in The Charter and the Court of Justice of the European Union (Pahladsing e.a, Wolf Legal Publishers 2019) and European Constitutional Courts towards Data Retention Laws (Zubik e.a., Springer, 2021)