PRESS RELEASE No 123/20
Judgments in case C-623/17 Privacy International and in joined cases C-511/18 La Quadrature du Net and others and C-512/18, French Data Network and others, as well as C-520/18 Ordre des bars francophones and german speaking ea
The Court of Justice confirms that Union law precludes national regulations requiring a provider of electronic communications services, for the purposes of combating infringements in general or safeguarding national security, the transmission or generalized and undifferentiated storage of data relating to traffic and location.
On the other hand, in situations in which a Member State faces a serious threat to national security which proves to be real and current or foreseeable, it may derogate from the obligation to ensure the confidentiality of data relating to communications. electronic data by imposing, through legislative measures, generalized and undifferentiated storage of these data for a period limited to what is strictly necessary, but renewable in the event of a persistence of the threat. As regards the fight against serious crime and the prevention of serious threats to public security, a Member State may also provide for the targeted retention of such data as well as their rapid retention. Such interference with fundamental rights must be accompanied by effective guarantees and supervised by a judge or an independent administrative authority. Likewise, it is open to a Member State to carry out generalized and undifferentiated storage of the IP addresses attributed to the source of a communication as long as the storage period is limited to what is strictly necessary or to proceed with generalized storage and undifferentiated data relating to the civil identity of the users of electronic means of communication, without this being limited in the latter case to a specific period.
In recent years, the Court of Justice has ruled in several judgments on the retention and access to personal data in the field of electronic communications. The resulting case-law, in particular the Tele2 Sverige and Watson and Others judgment, in which it considered in particular that the Member States could not impose on providers of electronic communications services a general and indiscriminate retention obligation of traffic data and localization, has aroused the concerns of some States, fearing that they have been deprived of an instrument which they consider necessary to safeguard national security and fight crime.
It is against this backdrop that the Investigatory Powers Tribunal (Privacy International, C-623/17), the Council of State (France) (La Quadrature du Net and others, joined cases C-511/18 and C-512/18) as well as the Constitutional Court (Belgium) (Order of French-speaking and German-speaking bars and others, C-520/18) were seized of disputes concerning the legality of regulations adopted by certain Member States in these areas, providing in particular for an obligation for providers of electronic communications services to transmit to a public authority or to keep in a generalized or indiscriminate manner user data relating to traffic and location.
By two judgments delivered in Grand Chamber, on October 6, 2020, the Court firstly ruled that the “privacy and electronic communications” directive applies to national regulations requiring providers of electronic communications services to proceed, for the purposes of from the protection of national security and the fight against crime, to the processing of personal data, such as their transmission to public authorities or their storage. In addition, while confirming its case-law resulting from the Tele2 Sverige and Watson and Others judgment, on the disproportionate nature of generalized and undifferentiated storage of data relating to traffic and location, the Court provides details, in particular, as regards the the extent of the powers conferred by that directive on the Member States with regard to the retention of such data for the aforementioned purposes.
First of all, the Court takes care to dispel the doubts about the applicability of the Directive on privacy and electronic communications raised in the context of the present cases. Indeed, several Member States which have submitted written observations to the Court have expressed a dissenting opinion in this respect. They argued in particular that that directive would not be applicable to the national regulations in question, in so far as their purpose is to safeguard national security, which falls within their sole competence, as evidenced in particular by the Article 4 (2), third sentence, TEU. The Court considers, however, that national regulations requiring providers of electronic communications services to keep data relating to traffic and location or to transmit such data to national security and intelligence authorities for that purpose fall within the scope of application. of the directive.
Next, the Court reiterates that the “Directive on privacy and electronic communications” does not allow the derogation from the obligation in principle to guarantee the confidentiality of electronic communications and of the data relating thereto and from the prohibition on storing such data to become the rule. This implies that this directive does not authorize the Member States to adopt, inter alia for national security purposes, legislative measures aimed at limiting the scope of the rights and obligations provided for by this directive, in particular the obligation to guarantee the confidentiality of data. communications and traffic data, only in compliance with the general principles of Union law, including the principle of proportionality, and the fundamental rights guaranteed by the Charter.
In this context, the Court considers, on the one hand, in the Privacy International case, that the “privacy and electronic communications” directive, read in the light of the Charter, precludes national regulations, requiring suppliers electronic communications services, with a view to safeguarding national security, the generalized and undifferentiated transmission to the security and intelligence services of traffic and location data.
On the other hand, in the joined cases La Quadrature du Net and others, as well as in the French-speaking and German-speaking order of bars, the Court considers that the same directive precludes legislative measures requiring communications service providers electronic, as a preventive measure, generalized and undifferentiated storage of data relating to traffic and location. Indeed, these obligations of transmission and generalized and undifferentiated conservation of such data constitute particularly serious interference with the fundamental rights guaranteed by the Charter, without the behavior of the persons whose data is concerned having any link with the objective pursued by the regulations in question. Similarly, the Court interprets Article 23 (1) of the General Data Protection Regulation, read in the light of the Charter, as being opposed to national regulations requiring service providers access to online communication services to the public and to hosting service providers generalized and undifferentiated storage, in particular, of personal data relating to these services.
On the other hand, the Court considers that, in situations where the Member State concerned faces a serious threat to national security which turns out to be real and current or foreseeable, the Directive on privacy and electronic communications, read at in light of the Charter, does not preclude requiring providers of electronic communications services to keep data relating to traffic and location in a generalized and indiscriminate manner. In this context, the Court specifies that the decision providing for this injunction, for a period limited to what is strictly necessary, must be subject to effective control, either by a court or by an independent administrative entity, whose decision is with a binding effect, in order to verify the existence of one of these situations as well as compliance with the conditions and guarantees provided.
Under those same conditions, that directive does not preclude the automated analysis of data, in particular those relating to traffic and location, of all users of electronic communications means.
The Court added that the “privacy and electronic communications” directive, read in the light of the Charter, does not preclude legislative measures allowing the use of targeted conservation, temporarily limited to what is strictly necessary, of traffic data. and the location, which is delimited, on the basis of objective and non-discriminatory elements, according to the categories of persons concerned or by means of a geographical criterion. Likewise, this directive does not preclude such measures providing for generalized and undifferentiated storage of IP addresses attributed to the source of a communication, provided that the storage period is limited to what is strictly necessary, nor to those providing for a such retention of data relating to the civil identity of users of electronic means of communication, in the latter case the Member States are not required to temporarily limit the retention. Furthermore, that directive does not preclude a legislative measure allowing recourse to rapid storage of data available to service providers when situations arise in which the need to keep such data beyond the time limits arises. legal data retention for the purpose of clarifying serious criminal offenses or attacks on national security, when these offenses or attacks have already been noted or when their existence can be reasonably suspected.
In addition, the Court ruled that the “privacy and electronic communications” directive, read in the light of the Charter, does not preclude national regulations requiring providers of electronic communications services to use real-time data collection, in particular, data relating to traffic and location, when this collection is limited to persons in respect of whom there is a valid reason to suspect that they are involved, in one way or another, in activities terrorism and is subject to prior checking, carried out either by a court or by an independent administrative entity, whose decision has binding effect, ensuring that such real-time collection is only authorized within the limit of what is strictly necessary.
In the event of an emergency, the control must take place as quickly as possible.
Finally, the Court addresses the question of the maintenance of the effects over time of national regulations deemed incompatible with EU law. In this regard, it considers that a national court cannot apply a provision of its national law which empowers it to limit in time the effects of a declaration of illegality incumbent upon it, with regard to national regulations requiring providers of electronic communications services to maintain general and undifferentiated storage of traffic and location data, deemed incompatible with the “privacy and electronic communications” directive, read in the light of the Charter.
That being said, in order to give a useful answer to the national court, the Court recalls that the admissibility and assessment of evidence which has been obtained by keeping data contrary to EU law, in the in the context of criminal proceedings initiated against persons suspected of serious criminal acts, is, as Union law currently stands, subject to national law alone. However, the Court specifies that the Directive on "private life and electronic communications", interpreted in the light of the principle of effectiveness, requires the national criminal court to exclude evidence which has been obtained by a generalized and undifferentiated retention of data relating to traffic and location incompatible with Union law, in the context of such criminal proceedings, if persons suspected of criminal acts are not able to take an effective position on this evidence.
Download the decision