In October 2020, the European Court of Justice ruled that France’s surveillance laws did not safeguard fundamental rights and freedoms. Rather than adjust its laws, in April 2021, the French high administrative court issued a decision effectively undermining the CJEU stipulations. The Conseil d’État’s creative interpretation of the CJEU ruling allows the French state to indiscriminately and indefinitely retain data.


After the Court of Justice of the European Union (CJEU) issued its ruling on 6 October 2020, there was no doubt that the French legal framework of surveillance was being seriously challenged. In our opinion, a basic analysis of the criteria required by the Court — to review situations in which metadata collection and intelligence tools could be implemented — would lead to ruling the French surveillance framework as illegal, due to breaching EU law. On 21 April 2021 however, the Conseil d’État (the French higher administrative court) issued its ruling French Data Network and undermined those expectations.

By disingenuously misinterpreting the La Quadrature du Net (LQDN) CJEU ruling, the French administrative court made sure that the existing habits of police and intelligence services would not be altered in any way by legal changes. This questionable interpretation was unfortunately made at the cost of the protection of fundamental rights and freedoms.


Part 1. Metadata retention


National Security

Following the position it took in DRI and Tele2, the CJEU confirmed in the LQDN decision that national legislation providing for the general and indiscriminate retention of metadata for the purpose of combating serious crime exceeds the limits of what is strictly necessary and cannot be considered to be justified within a democratic society.

Yet the Court added a new exception that could balance such infringement of people’s privacy. According to the CJEU, bulk collection could be implemented by authorities “as long as there are sufficiently solid grounds for considering that the Member State concerned is confronted with a serious threat […] to national security which is shown to be genuine and present or foreseeable” (paragraph 137). Furthermore, the Court added that this surveillance shall not be systematic and shall be limited in time by an instruction subject to effective review.

In France, article 34-1 III of the Postal and electronic communications code and order n°2011-219 provide that any hosting service or internet service provider shall collect metadata for one year and for the broad purposes of:

  • investigation, prosecution and recording of criminal offences in general;
  • allowing the High Authority for the Distribution of Works and the Protection of Rights on the Internet (HADOPI) to take action against people who fail to secure their Internet access to prevent the sharing of copyrighted files;
  • safeguarding against information system hacking offences;
  • identifying users that have posted, modified, or deleted any content on the Internet.

Thus, the existing French law does not meet the criteria of the CJEU judgment.

First, the purposes listed by French law which may justify the collection of metadata are broad and not limited to the prevention of ‘national security threats’. Second, mass surveillance does not depend on a targeted, time-limited order given to specific operators but is imposed perpetually and generally on all operators by the existing legislation – having been adopted by Parliament and therefore not subject to subsequent, case-by-case public debate.

Whereas the invalidation of such provisions should be self-evident, the Conseil d’État gave in its ruling a wide definition of “national security threat” that must be open to serious criticism. According to the French court, the aforementioned provisions pursue the objective of defending “fundamental interests of the nation” – an objective which is never directly laid out in the metadata retention provisions. This subversive interpretation leads the Conseil d’État to see the whole framework as proportionate for safeguarding national security.

Moreover, the Conseil d’État, overstepping its role, examines the existence of a foreseeable and present threatening situation. In France, such analysis is reserved solely for Parliament in regard to declaring a state of emergency. In its ruling, the French court took the initiative to examine such a threat without waiting for debate in Parliament. According to the Conseil d’État, France has faced a perpetual genuine and serious threat since 2015 not only due to terrorist attacks, spying, and interference by foreign countries, but also because France would have been exposed to industrial and economic spying (including headhunting or sabotage) or the rise of radical political groups. Not only is this interpretation of national security threat very broad, vague, and far from the intention of the CJEU, but it will also set new standards to assess the need for surveillance. We consider that those standards are very low and do not protect the population’s privacy. (Better possible standards have been discussed internationally.)

Furthermore, the Conseil d’État does not even look into the requirement of a time limitation measure set by the CJEU. The Conseil d’État implicitly considers that the French provisions of the Postal and electronic communications code can be considered as mere ‘instructions’. Such reasoning is again very questionable. An instruction has a completely different legal nature than a law and should be defined as a delimited and individual act with a much narrower scope. In the end, the only breach of EU law pointed out by the Conseil d’État is the lack of periodic review, which is probably going to be fixed in the code with a yearly sunset clause that the Government will systematically renew.

By dishonestly deconstructing the guarantees provided by the CJEU’s ruling, the Conseil d’État twists the exception of “threat to national security” outlined by the Court to turn it into a general and perpetual situation allowing permanent metadata retention. In this respect, this ruling should be regarded as a dangerous precedent. Those new low standards of protection regarding surveillance will be difficult to challenge during the future intelligence bill’s debates in Parliament and before courts in future litigation.


IP addresses 

Although the CJEU ruled for the third time (after DRI and Tele2) that general data retention breaches EU fundamental rights, it introduced a major exemption in the LQDN decision.

The Court allowed indiscriminate and general retention of IP addresses (and IP addresses only) for the purposes of safeguarding national security, combating serious crime, and preventing serious threats to public security. Nevertheless, the Court has drawn some limits to this new surveillance measure granted to Member States. It requires that the retention period must not exceed what is strictly necessary in light of the pursued objective, and that the measure must establish strict conditions and safeguards concerning the use of that data.

The French legal framework for metadata retention does not meet such criteria.

Internet service and hosting service providers subject to French law are required to store IP addresses concerning all online activities carried out by the entire population for one year and for the investigation of all criminal offences, even the most trivial ones. Thus, retained IP addresses can be used for investigations that do not aim to protect national security, fight serious crime, or prevent serious threats to public security. Moreover, French law does not provide any guarantee to prevent public authorities from abusing these IP addresses.

Once again though, the Conseil d’État refused to strictly apply CJEU requirements. It found that the notion of ‘serious crime’ does not need to be limited by pre-established sets of offences but might be decided on a case-by-case approach by a judge. Thus, if a court deals with facts that it considers ‘serious’ enough, it may find itself allowed access to IP addresses. Conversely, if the same court finds that the prosecuted offence is not ‘serious’, it should not access or use any IP addresses for investigation.

The Conseil d’État alters the safeguard mechanism created by the CJEU, which results, in our opinion, in making the protections provided by EU law less effective. The control of ‘seriousness’ should first be done by legislators when writing the law, before retention of any IP address occurs. By contrast, in its reasoning, the Conseil d’État introduces this control when such IP addresses are accessed for the purposes of an investigation; that is to say, once the retention has already been made. Such a late balancing will inevitably lead to situations where the retention, independently of the access, was not strictly necessary. In that event, non-necessary breaches of fundamental rights would have been created.

The Conseil d’État ruled that one year is a necessary and proportionate limitation of time for such retention. Furthermore, it does not even respond to the analysis required by the CJEU regarding strict conditions and safeguards. Once again we see that with subversive reasoning, the Conseil d’État kept the existing framework and practices unchanged.


Quick freeze

In addition to these new rules regarding general data retention, the CJEU introduced the possibility of expedited data retention (or ‘quick freeze’) for the purpose of combating serious crime or safeguarding national security. 

More precisely, the CJEU considered as proportionate the possibility of instructing — by means of a decision of the competent authority, which is subject to effective judicial review — that data providers of electronic communications services can undertake the expedited retention of traffic and location data for a specified period of time. Such retained data must only be used for the initial purpose it was collected for and the Court considered that only “action to combat serious crime and, a fortiori, the safeguarding of national security are such as to justify such interference” (paragraph 164).

In addition, the data collected using a quick freeze measure must be limited to what may shed light on the serious criminal offences or the acts adversely affecting national security. Also, the time during which such data is retained must be limited to what is strictly necessary.

The French legal framework does not provide any measure regarding targeted or quick freeze retention for intelligence services. 

This may explain why the discussions before the Conseil d’État between the claimants and the French government focused, for the most part, on the possibility of this type of retention as an alternative to bulk surveillance.

But once more, the Conseil d’État wriggled out of this issue through a deliberate misinterpretation of the CJEU’s decision that resulted in validating existing practices.

Ignoring the limitations and guarantees required by the CJEU, the Conseil d’État allows expedited data retention to combat serious crime using data already retained on the basis of threat to national security. As analysed above, we understand that this indiscriminate retention covers broad purposes and is likely to be continuously renewed and therefore will offer a very large source of data. In the end, such an interpretation of the LQDN ruling would lead to authorising quick freeze retention on any retained metadata and without effective limitation.

By reading the conclusion of the Conseil d’État’s ruling, one could have thought that the French legal framework for metadata retention may have been ruled illegal. In fact, the Conseil d’État used warped reasoning to fit such a framework into the ‘national security’ and ‘quick freeze’ exemptions to save it from major legal changes. Moreover, many sections of this ruling will probably be used as guidelines for Parliament to review the few provisions requiring modifications. The expected evolution of the framework will then probably be superficial.


Part 2. Access to data


Purposes

Since Tele2, the CJEU has been perfectly clear: “only the objective of fighting serious crime is capable of justifying” access to metadata by public authorities. The CJEU went even further in LQDN by setting even higher standards for two specific measures.

First, it stated that “real-time access by the competent authorities to such data must be distinguished from non-real-time access to that data, the first being more intrusive in that it allows for monitoring of those users that is virtually total” (paragraph 187). Thus, “only persons with a link to the objective of preventing terrorism may be subject to such collection” (paragraph 189).

Second, the Court looked at the automated analysis of metadata carried out in France to detect terrorist threats. It found that such a measure “corresponds, in essence, to a screening of all the traffic and location data retained by providers of electronic communications services” (paragraph 172) about potentially everybody living in France. Thus, the Court set the same standard as for general data retention: the measure is acceptable “only in situations in which a Member State is facing a serious threat to national security” (paragraph 177). In other words, metadata can be analysed in bulk only to detect terrorist threats during temporary and major security crises faced by Member States.

French law fails to meet these standards. 

First, ‘ordinary’ access to metadata (i.e. in non-real-time) is allowed for the pursuit of any of the fifteen ‘fundamental interests’ listed by article L. 811-3 of the Homeland Security Code. These ‘interests’ include fighting serious crimes such as terrorism but also “promoting the major economic interests of France”, “preventing collective violence”, such as illicit protests, or “promoting French foreign policy”. The list goes way beyond “fighting serious crime” but the Conseil d’État refused to even discuss this breach of EU law. 

Second, regarding automated analysis, just as for data retention, the Conseil d’État found that France is under a perpetual threat against its national security. As such, metadata of the whole population may always be automatically analysed in order to detect terrorist activities. 

Third, regarding real-time access to metadata, the Homeland Security Code sets two rules. Article L. 851-2 limits access to non-location metadata (such as IP addresses) to terrorism issues, just as required by EU law. However, article L. 851-4 allows access to location metadata (such as the location of the antenna a phone is connected to) for any of the ‘fundamental interests’ listed above. That is another breach that the Conseil d’État simply refused to discuss. 

Until now, the CJEU and the Conseil d’État have mainly addressed issues regarding access to metadata, but the debate should be much wider. The French Homeland Security Code allows intelligence services to tap phones, hack computers, or set up hidden cameras for the same unjustifiably large ‘fundamental interests’. Since CJEU case law has not specifically addressed such measures yet, the Conseil d’État did not even bother handling these complaints.


Prior review

In Tele2, the CJEU required access to metadata to “be subject to a prior review carried out either by a court or by an independent administrative body” (Tele2, paragraph 120). During the LQDN case, we explained to the Court that such a requirement was imperfect: the CNCTR (commission nationale de contrôle des techniques de renseignement) is supposed to oversee intelligence services but does not have any power to enforce its decisions. Thus, in the LQDN ruling, the CJEU specified that the reviewing body’s decisions must be binding.

The Homeland Security Code provides three types of review mechanisms:

First, in case of ‘extreme emergency’, the Government may authorise intelligence services to carry out a surveillance measure without the prior review of the CNCTR. The Government only needs to notify the CNCTR within 24 hours. If the CNCTR has been notified of an illicit measure, it may recommend that the Government cease it. Then, if the Government refuses to comply, the CNCTR may bring the issue before the Conseil d’État. The latter must settle the dispute by issuing “as soon as possible” a binding decision.

The Conseil d’État found that this ‘emergency’ mechanism complies with CJEU’s requirements. We argue this must be criticised for two reasons: 

  • the review does not intervene “prior” to the surveillance being carried out but within 24 hours and then “as soon as possible”;
  • the CNCTR’s decisions are still not binding but rely on referral to the Conseil d’État.

It appears that the Conseil d’État has reframed the CJEU LQDN ruling in order to set a new, lower standard: surveillance measures need only be subject to a prompt review by the Conseil d’État when challenged by the CNCTR.

As regards non-emergency situations, the mechanism provided by the Homeland Security Code is very similar. The main difference is that the Government must notify the CNCTR prior to authorising intelligence services to act. Then, again, if the Government refuses to stop a measure reported as illicit by the CNCTR, the issue may be brought before the Conseil d’État. However, in this non-emergency situation, the Conseil d’État is not bound by any kind of deadline and may well rule on the case several months after the measure has been carried out. Worse, the CNCTR may choose not to bring the case before the Conseil d’État at all.

For these reasons, in the French Data Network ruling, the Conseil d’État found that this review mechanism is too permissive compared to what the CJEU has required. It ordered the French legislator to fix this issue within six months. Yet, the ruling has already provided some hints on how to ‘fix’ French law: by aligning the ‘non-emergency’ mechanism with the ‘emergency’ one. In other words, by simply requiring the Conseil d’État to settle “as soon as possible” any disagreement between the Government and the CNCTR. In our view, such a mechanism would still breach EU law as it fails to systematically provide an independent binding decision by the oversight authority and ‘prior’ to the measure being carried out. But the Conseil d’État has already rejected the CJEU’s requirements by validating the current ‘emergency review’ mechanism and may well validate the similar mechanism suggested in the new bill.

Lastly, where French intelligence services collect information from foreign services, such access is never subject to the CNCTR’s review. This has been a recurring complaint from the CNCTR (and us) for years. Both the Government and the Conseil d’État have refused to address it (in its recent ruling, the Conseil d’État acted as if we never raised the issue).