French law obliges CSPs to retain connection data (metadata) for the purpose of fighting crime and terrorism. This connection data can be accessed for intelligence and investigative purposes. Sometime prior to 2018 a number of data protection and other “actors” challenged these data retention laws. These challenges were in the form of appeals to the Council of State. (this is similar to the action taken by Digital Rights in Ireland regarding the 2006 EU Directive and the 2011 Act).
In 2018 the Conseil d’état referred the matter to the European Court of Justice (ECJ) concerning whether or not the French rules on retention of connection data were in conformity with EU law. (this is similar to the Irish Supreme Court’s referral of the Graham Dwyer case and the ECJ ruling is awaited. Therefore, the French case is one stage ahead)
Main Points of ECJ Ruling
On the 6 October 2020, the ECJ gave its ruling (joining 3 similar cases). The main points of the ruling were as follows:
Member States (MS) can only oblige CSPs to retain metadata for serious threat to national security.
Access to this data by intelligence services is subject to prior review by an Independent Administrative Body.
For serious crime, MS may only impose “Targeted Retention” of data (certain areas / certain categories of persons).
Retention of metadata is not allowed on other grounds (e.g., non serious crime).
Conseil d’État Ruling
Following this clarification / ruling from the ECJ, the French Conseil d’État then had to complete the task of examining the French data retention rules for conformity with EU law. This examination culminated with its ruling which was delivered on 21 April 2021.
One of the main considerations applied by the French Conseil d’État is an examination of the requirements of the French Constitution concerning the areas of:
(i) safeguarding the fundamental interests of the nation,
(ii) preventing crime
(iii) fighting terrorism and
(iv) searching for perpetrators.
In this regard the Conseil d’État found that these matters did not enjoy a protection in EU law which was equivalent to the French Constitution.
Following this determination, the Conseil d’État ruled that it must ensure that the “ECJ imposed limits” do not jeopardise the French constitutional requirements (as above).
The main points of the Conseil d’État ruling are:
General retention of data as currently laid down in French law is justified by a threat to national security. This threat must be assessed from time to time.
Generalised obligation to retain data for purposes other than national security (criminal offences) is unlawful. The ECJs suggested solution for targeted retention (certain areas / certain categories of persons) is “neither possible nor operationally effective”. (Comment: This is a similar sentiment as expressed by the Irish Supreme Court in the Dwyer case).
In applying the principle of proportionality in judging the seriousness of offence versus the importance of investigative measures used, the Conseil d’État ruled that “recourse to the connection data is limited to the prosecution of offences of a sufficiently serious nature”. (Comment: It appears that the Conseil d’État is stating that the only lawful basis for generalised retention of data in on threats to national security. However, having retained the data on this basis, Law Enforcement can have access to this data for the investigation of sufficiently serious criminal offences.
This is a very interesting ruling, as in essence it states that data retained on one justification can be accessed on a separate justification.
Finally, the Conseil d’état ruled that some modification is required to current French rules/law relating to use of retained data for intelligence purposes. (Comment: This appears to relate to the perceived lack of independence of the current arrangements).
In light of the foregoing, the ruling from the ECJ, in the Graham Dwyer case, and the subsequent final judgement from the Irish Supreme Court, are awaited with interest.