Two of Europe’s highest national courts have just published their decisions on how to implement the 6 October 2020 judgments of the European Court of Justice on data retention. The Belgian Constitutional Court opted, on 22 April 2021 for complete compliance. A day earlier, the French Council of State tried to invent instead an alchemical formula capable of turning the CJEU judgments into a silver bullet for the French security and law enforcement authorities.
When reading the press release published by France’s highest administrative Court on its eagerly expected decision concerning data retention, one discovers that the Council of State was able to “conciliate the implementation of European Union law and the effectiveness of the fight against terrorism and crime”. No mean feat!
As we moved towards the date of the decision all signs indicated that a conciliation between La Quadrature du Net (LQDN) and the other data retention judgments issued by the Court of Justice of the European Union (CJEU) on 6 October 2020 (discussed here) with the needs of the intelligence and law enforcement authorities (LEAs) in France was simply impossible.
First, shortly after the CJEU judgments, France led efforts at the Council of the European Union to bypass the CJEU’s case law by incorporating a broad national security exception into the proposed ePrivacy Regulation. I have discussed these developments extensively with Ken Propp here.
Second, when the European Data Protection Board reacted quickly by sending the message that European Member States cannot effect a Houdini-like escape from the CJEU data retention judgments by amending ePrivacy, France hinted that, if secondary law cannot provide a solution to its security community’s needs then probably the only way out of this would be to change primary law, the founding EU treaty and, if necessary, even the Charter of Fundamental Rights of the European Union.
Third, whilst awaiting these political developments, the French government filed a long submission to the Council of State asking the high court not to apply the CJEU LQDN judgment. In its submission, the government highlighted the important operational difficulties created by this judgment for its intelligence and law enforcement authorities and gave specific information in this respect (arguing, for instance, that access to connection data is necessary in more than 85% of all criminal investigations).
It argued that the CJEU did not respect the national security exemptions in EU primary and secondary law; that the primacy of EU law only exists insofar as Member States effectively transfer competences to the EU; and that in the present case Member States have never transferred powers relating to national security and the maintenance of public order to the EU. The government therefore relied on the position of certain constitutional courts in Europe (in particular the German Constitutional Court in terms of its 5 May 2020 decision on the European Central Bank) and argued that the CJEU acted ultra vires (i.e. in excess of its powers) and that the Council of State should not recognise this erosion of national state sovereign power, operated by the CJEU. This was the first time ever that a French Government had made such a request to the Council of State.
Everything therefore seemed to indicate that no compromise was possible between the CJEU’s LQDN judgment and the operational needs of the security and law enforcement community in France, and that only radical solutions were on the table.
And then came the Council of State!
First, as a result of the 21 April decision, the Court averted in a very clear and determined way the institutional crisis that could have resulted if it had followed the government’s submission. “It is not for the administrative judge to ensure that … the CJEU respects the distribution of powers between the EU and the member states. It cannot therefore exercise control over the conformity with Union law of decisions of the Court of Justice and … deprive such decisions of the binding force with which they are vested”, affirms the Council of State (§8) in a compelling passage that may be read with interest by the German Constitutional Court. As explained by the President of the Council of State in a press conference that followed the decision, it was impossible for the French High Court to “rebel” against the Luxembourg Court. This would have opened a Pandora’s box and would have “encouraged resistance” by “Eastern capitals” that are currently in a dispute with the CJEU over rule of law problems (see here and here). Far from declaring a “war among judges”, the Council of State preferred to continue a “dialogue between judges”, however “rough” (as opined by the Council of State President) this dialogue may sometimes be. Therefore, it proposed a “conciliatory” interpretation of the CJEU judgment (see below).
This being said, the decision of the Council of State far from adheres to a position of subordination to, or complete compliance with, the CJEU (in sharp contrast with the judgment issued by the Belgian Constitutional Court on 22 April 2021 – see post scriptum). The Council of State recalls, on the contrary, that the French Constitution remains the supreme norm within the French national legal system. It brandishes the spectre of its previous case law (the “Arcelor” precedent) to argue that it has the power to ensure that the application of EU law, as specified by the CJEU, “does not in practice jeopardise French constitutional requirements which are not guaranteed in an equivalent manner by EU law”. However, in terms of the most important issue at stake in this decision, the Council will not need to use this precedent, as it aims to find instead an alchemical formula capable of turning the decried CJEU judgment into a golden solution for the French security and law enforcement community.
A silver bullet?
The Council of State, of course, explains (§51-57) that none of the proposed CJEU solutions are workable or sufficient by themselves in order to satisfy the needs of security and law enforcement authorities. The Council explains, for instance, that in terms of prosecution of criminal offences, the CJEU’s suggested solution of targeted upstream data retention is neither possible in practice nor operationally effective. Among other problems, it is neither possible to pre-designate who will be involved in a crime that has not yet been committed, nor the place where it will take place. This could be highly problematic given how the Council of State explains (§ 50) that access to connection data “is a decisive condition for the success of the investigations carried out with a view to the search, establishment and prosecution of the perpetrators of criminal and tortious offenses” and could also help exculpate “people wrongly suspected of being involved”.
Nevertheless, the Council of State considers that a combination of the solutions proposed by the CJEU could constitute a silver bullet! In particular, in §57, the Council of State argues that:
1) The CJEU accepted in its LQDN judgment that general, preventive, and indiscriminate retention of data would be acceptable if there is a serious threat to national security. The Council of State considered that such a threat exists in France and therefore general retention of data requirements currently imposed on operators by French law are legally justified due to the threat to national security, in conformity with the CJEU judgment.
2) The CJEU also accepted in LQDN (§ 160-168) that countries can adopt, as provided for by Article 16 of the 2001 Budapest Convention on cybercrime, legislative measures that provide for the “expedited retention” of traffic and location data for the purpose of combating serious crime.
3) Lastly, the Council of State considers that this method of “expedited retention” permitted by EU law can build on the stock of data generally retained for national security purposes and can therefore be used for the prosecution of criminal offences. The Council of State points to §164 of the LQDN judgment to explain the CJEU’s consideration that there is no purpose limitation problem with this solution, provided that Member States “make clear, in their legislation, for what purpose the expedited retention of data may occur”.
The solution is ingenious and also seems to indicate that there was “more flexibility” in the CJEU judgment than was initially thought. However, this solution is also very controversial.
A legal house of cards
The main problem is that basing the effectiveness/efficiency of criminal investigations on the continuous existence of a “serious threat to national security” constitutes a legal minefield. The whole house of cards risks crashing down if such a threat suddenly disappears. This, in turn, creates the need for a kind of permanent national security crisis and the risk of an ‘automatic’ and artificial declaration of the existence of such threats. The CJEU was clear, nonetheless, in the LQDN judgment, that general preventive retention of connection data for national security purposes would only be possible if a Member State faced a “serious” threat to its national security that proves to be “genuine” and “present or foreseeable”. The CJEU also noted that, even under these conditions, data retention could only be authorised “for a period that is limited in time to what is strictly necessary” (see also this).
The Council of State partially takes note of this and requires that the French Government change the legal framework so as to be able “to assess from time to time the existence of such a threat, subject to review by administrative courts”. However, the Council of State simultaneously adopts a very broad definition of what could constitute a “threat to national security”, which will definitely make it easier for the government to claim that there is a threat.
Indeed, in § 44 of the decision, the Council of State states that not only terrorism, but also the “risk of espionage and foreign interference”, “malicious actions” against French companies “through industrial or scientific espionage operations, sabotage, damage to reputation or poaching experts”, and “threats to public peace, linked to an increase in the activity of radical and extremist groups”, could constitute national security threats capable of justifying the general preventive retention of connection data. The Council of State thus paves the way for a kind of ‘systematic’ general preventive retention of connection data for national security purposes – in a distortion of the CJEU’s ruling and also in contrast to the position of the Belgian Constitutional Court (§138) that such data retention “cannot be systematic”.
The need for reform
For the sake of brevity, I will end this analysis with two conclusive thoughts on the decision and the way forward.
Firstly, despite the fact that the “magic formula” discovered by the Council of State does not really affect the core of the French data retention scheme and does not change anything for telecom operators and service providers either, it does nevertheless entail an important need for reform of the French Code of Criminal Procedure and the way data can be accessed for criminal investigations.
Accordingly, lawyers involved with the case for certain NGOs were not wrong in highlighting (in sharp contrast to the “catastrophic” discourse adopted by LQDN), that the decision requires a rewrite of the data retention rules in the French system which, if conducted correctly, could permit many of the CJEU limitations and safeguards to be incorporated. Among other things, it should be emphasised that the CJEU’s “expedited retention” exception is only possible when important conditions and limitations are met, and only for “combating serious crime”. The CJEU stressed in LQDN (§166) that access to the stock of data generally retained for national security (or other legitimate) reasons “may in no event be granted” “for the purpose of prosecuting and punishing an ordinary criminal offence”. This requires serious legislative effort on the part of the French Parliament to define “serious crime”. It also leaves no room for independent administrative authorities to access this stock of data, as the Council of State unfortunately suggested in §57, which means that such authorities will need to find other ways, albeit compatible with EU law, of accessing data for their own needs.
Similarly, the French Parliament will need to take advantage of the six months deadline provided by the Council of State to introduce all new mechanisms, procedures and safeguards. For instance, the Council of State stressed that France needs to change its surveillance law so as to render binding the opinions given by the National Commission for the Control of Intelligence Techniques (CNCTR), an independent oversight body, with regard to the use of data that is retained for intelligence purposes. Similarly, France will need to take stock of the 2 March 2021 Prokuratuur judgment especially in view of the requirement that competent law enforcement authorities’ access to retained data must always be subject to a prior review carried out either by a court or by an entirely independent administrative body.
More practical solutions
Second, and from a more general point of view, whilst it is legitimate and compelling to be critical of the Council of State decision’s shortcomings, especially in the light of the “100% compliant” approach of the Belgian Constitutional Court (see post-scriptum), one should also try to understand the bigger picture and understand that this was a clever attempt to brush off the dispute with the CJEU in a non-confrontational way, and to “buy” the necessary time both for political initiatives and for the “dialogue among judges”.
The CJEU’s data retention judgments have often been accused, by several Member States (that sometimes used for years, unrestrained, broad data retention practices), of being unrealistic and unworkable, and ignoring the operational needs of the intelligence and law enforcement agencies in Europe. In a recent hearing at the European Parliament the Commission officially acknowledged that “there are elements of non-application [of the CJEU judgments] in most of the data retention schemes that exist in member states”; that “a majority of national governments have still not amended their rules”; that “even member states who have started changing their schemes haven’t found the magic formula to be fully compliant with the court cases”; that the Commission won’t launch infringement proceedings; and that finally we have no consensus on the way forward (see Laura Kayali’s reporting here & her article in Politico here). Against this background, the Council of State has proposed a solution which may of course be criticised, but which is also based on the “flexibilities” opened by the CJEU on 6 October 2020, while being pragmatic and providing hope that the “dialogue among judges” will lead to a convergence of views, and lead to an approach that will be both protective of human rights and workable for law authorities.
In a roundtable organised by the European Law Blog on 19 April 2021, one of the high-profile speakers said that “the fact that some criminals will go undetected and unpunished” [because of the restricted approach of the CJEU on data retention] is the price that must be paid to avoid an “Orwellian” society of mass surveillance”. One wonders why time-limited, generalised preventive retention of data by service providers constitutes “mass surveillance” as such.
The CJEU and its national counterparts in Europe should probably focus instead on the really pressing problems: security of retained data by service providers; legal certainty – as opposed to obscure and non-transparent “voluntary” practices (i.e., pressing requests to service providers to retain the connection data “for business purposes”) ; and especially a compelling and clear legal framework concerning proportionate access to data by government authorities. They could insist that the important limitations and safeguards that govern such access to data are respected: ex ante independent authorisation; access only for the sake of national security and the fight against serious crime; necessity and proportionality; effective independent oversight; redress; transparency; etc. Then, probably, the dialogue among judges would lead to practical solutions that result in serious criminals not going unpunished and us not having a surveillance society either.
Post-scriptum
While this article was going through the editorial process, the Belgian Constitutional Court published its judgment on data retention (summarised here) which very much concerned the same subject matter as the French Council of State’s decision: the Court had to decide how Belgium should implement the 6 October 2020 judgments of the CJEU on data retention. In contrast to the Council of State, the Belgian Constitutional Court applied the CJEU judgments to the letter: no exceptions, no legal inventions, no contradictions. The Court thus annulled Belgium’s data retention scheme as being contrary to the CJEU judgments, and asked the Parliament to develop new legislation in this field, ensuring that it complies with the CJEU requirements.
There are two ways to assess this judgment and compare it with the decision produced by the French Council of State.
The first way is to approve and even celebrate the fact that the Belgian Constitutional Court applied the CJEU judgment to the letter. This is good news for the European public order – and also good news for the NGOs involved who were stunned by the Council of State’s decision.
The other way, though, is to take into account that Belgian law enforcement authorities might presently be in an awkward position. First, following the Belgian’s Court immediate annulment of the data retention scheme, ongoing criminal investigations could face severe challenges that could lead to substantial complication, partial inadmissibility of evidence, or even abandonment of pending procedures or annulments. Second, the immediate invalidation of the Belgian data retention scheme would probably compel the government to contact telecoms and service providers to request that they retain the data voluntarily (this will be described as being “for legitimate business purposes”) henceforward, so as to make them available to LEAs when needed. Third, a devil’s advocate would suggest that the Belgian legislator might be tempted by the French Council of State’s ‘silver bullet’.
Interestingly, while activists may consider that they would “prefer to live in Belgium today”, LEAs may consider that they are better off in France! And while privacy pros will celebrate the Belgian Constitutional Court’s decision, security and law enforcement authorities in France will feel that the inventiveness of the French Council of State saved their investigations from the ‘sword of Damocles’ now hanging over their Belgian counterparts’ investigations.
I warned in 1982, in a presentation to the Council of Europe on behalf of Annesty International, that anti-terrorist legislation threatened to create “semi-permanent quasi-emergencies” in the CofE countries – not meeting the A15 emergency conditions but also not really in line with the normal standards. The Conseil d’Etat judgment goes back in that direction.
This is a very insightful article with a lot of excellent arguments and nuance. However, I am still thinking about the last sentence:
‘Then, probably, the dialogue among judges would lead to practical solutions that result in serious criminals not going unpunished and us not having a surveillance society either.’
Please correct me if I am wrong, but the central question for me here is not whether oversight can be effectively carried out to prevent abuse of data ALREADY collected.
Rather, the question is whether the right to privacy (and especially data protection) is already infringed ONCE the data is collected as such.
In other words, it is not only about the how, but about the if – and I think this is the central aspect the ECJ is concerned about. Even a legally legitimate infringement is still an infringement, no?