Prioritising Member States Over Citizens

The classic story about the right to privacy and data protection in the EU is one of a high level of protection. According to this narrative, the Court is the champion of privacy and data protection, constraining the Member States’ competences in national security. And yet, this original rosy image is increasingly fading away, perhaps most visibly in the La Quadrature du Net litigation (now in its second iteration). I will argue that the second judgment is a continuation of two dynamics in EU law. First, the Court is still cleaning up the residual mess that lingers on from the now annulled Data Retention Directive. Second, in so doing, it is incrementally allowing the Member States to inch ever more closely to what the annulled directive originally empowered them to do: indiscriminately retain personal data. What connects these two outcomes is the Court’s shift towards carving out space for Member States’ preferences to the detriment of the protection of the individual and her rights. This trend, I argue, is consistent with what is happening in other areas of EU law, pointing to a more general normative change in European integration.

To demonstrate these claims, I will do three things. I begin with presenting the “residual mess” that the annulment of the Data Retention Directive left, which is an important context for understanding the judgment and its novelties. Second, I will briefly present the judgment in La Quadrature du Net II, by showing that the judgment joins a now constant jurisprudence, extending the space for data retention by the Member States as well as the justifications they may use when doing so. Lastly, I will place this trend in the wider context of the EU’s recent prioritising of the Member States over its citizens.

The residual mess of the Data Retention Directive

The Data Retention Directive saw the light of day as a response to the increased regulation of data retention across the Member States for national security and the fight against terrorism. It imposed an obligation on service providers to retain telecommunication data, making it available for access by competent national authorities to combat “serious crime.” The data to be retained was confined to traffic data, location data, and data necessary to identify the user, to the exclusion of the content of communications. The procedure for access itself was left to the discretion of the Member States and was outside the scope of the Directive, subject to the principles of proportionality and necessity.

Although the Directive initially survived the competence challenge, its national implementing measures were subject to a number of actions before national courts, and ultimately reached the Court of Justice via the preliminary reference procedure, where it was annulled. Without the Directive, some Member States simply retained their data retention legislation as a matter of national competence, which led to further litigation before the Court of Justice. In Tele2 Sverige and Watson, the Court of Justice brought the matter back within EU law, with the ePrivacy Directive (and most prominently its Article 15(1)), now doing all the heavy lifting. Accordingly, if the Member States want to order telecommunication service providers to retain data, they must do so in line with the ePrivacy Directive and the Charter. In that sense, the confidentiality of private communications is the rule, and data retention the exception. Any indiscriminate data retention may be ordered solely for the purpose of fighting serious crime, be subject to prior review by a court or an independent administrative authority, and be retained within the EU.

With Member States eager to carve out as many exceptions as possible under Article 15(1) of the ePrivacy Directive, national courts pursued further preliminary references. This bring us to the first La Quadrature du Net judgment, where the Court expanded the possibility of indiscriminate data retention: “the objective of safeguarding national security is therefore capable of justifying measures entailing more serious interferences with fundamental rights than those which might be justified by those other objectives” (para 136). Using the Court’s finding, the referring court (the French Conseil d’état), found that preventing breaches of public order, tracking down the perpetrators of criminal offences and combating terrorism are of constitutional value, safeguarding the fundamental interests of the nation.

The judgment may be used to summarise the standard set of rules for data retention: indiscriminate data retention is allowed for the protection of national security or combating serious crime. Conversely, combating ordinary crime may only justify discriminate data retention (para 141). The degree of interference with fundamental rights must have a correspondingly proportionate limitation, and any indiscriminate retention must be subject to prior review by either a court or an independent administrative body whose decisions are binding (para 139). The wisdom was repeated in Prokuratuur and Commissioner of An Garda Síochána. This is the crucial context for understanding La Quadrature du Net II.

La Quadrature du Net II: normalising data retention

The French “Hadopi law” aimed to prevent Internet users from sharing copyrighted works without the permission of the copyright holders. The law’s namesake agency was empowered with a “graduated response” to copyright infringements: 1) sending “recommendations”, which are similar to warnings; 2) within a period of one year following the sending of a second recommendation, in respect of conduct that may constitute a repetition of the offending conduct detected, the subscriber is notified that the conduct may constitute the offence of gross negligence, which is a minor offence; 3) the referral to the public prosecution service of conduct that may constitute such a minor offence or, as the case may be, the offence of counterfeiting (para 57). To carry out its work, Hadopi is able to order service providers the retention of IP addresses and personal data and information relating to their holders, concerning their civil identity. No prior judicial or independent administrative review is necessary for Hadopi to make such requests.

In sum, at stake here is a national law allowing for indiscriminate data retention, for the purposes of preventing and prosecuting crime, without prior review. Originally hearing the case in grand chamber, the Advocate General proposed a change in the case law for offences conducted exclusively online, dispensing with the need for a prior review. The case was reopened for a second hearing, this time before the full court. The Court made great efforts (see in particular paras 77-84) to maintain that it is not in fact at all changing its previous case law, but it just so happens that this case may be distinguished on facts.

Why it was necessary to then do so in full court is puzzling to say the least, given the magnitude of other recent cases decided in that composition (for example, the validity of the Rule of Law Conditionality Regulation and the validity of a treaty change in Pringle). This is all the more curious when looking at the fact that Advocate General Szpunar called his proposal in his First Opinion a “readjustment” of the case law on data retention (section IV.4 of the Opinion), but in his Second Opinion insisted that “the solution which I propose aims not to call in question the existing case-law, but, with a view to a certain pragmatism, to enable that case-law to be adapted in particular and very narrowly defined circumstances” (para 30).

Regardless of semantics, the Court found that in the present case, regardless of the large scale of indiscriminate retention (most strikingly, compare this to para 100 of Space Net as well as paras 139 and 141 of the first La Quadrature du Net), the interference with fundamental rights is less serious than in previous cases. The Court stated that “in relation to email and internet telephony, provided that only the IP addresses of the source of the communication are retained and not the IP addresses of the recipient of the communication, those addresses do not, as such, disclose any information about third parties who were in contact with the person who made the communication. To that extent, that category of data is less sensitive than other traffic data” (para 76). Since the intrusion is (allegedly) less serious, the margin for authorities to intervene increased, warranting a relaxed set of criteria, most crucially omitting prior review.

Thus, policing copyright infringement on a large scale in the eyes of the Court does not meet the standard of serious interference. Two criticisms may be directed to this conclusion. First, by using the method of distinguishing (although every single case is different), the Court signalled to national courts to continue asking about every measure involving data retention, without providing a more general rule. Put differently, national courts cannot be certain that La Quadrature du Net II provides a general rule for online offences, or whether its findings will later be confined only to the French Hadopi law. Perhaps this is what the Court wants to achieve.

The second criticism concerns the departure from the way in which exceptions contained in Article 15(1) of the ePrivacy Directive were previously interpreted: as exhaustive, among which the prevention and prosecution of ordinary crime did not feature among those justifications for which indiscriminate retention of data was allowed (and this specifically concerning IP addresses in the abovementioned Space Net judgment). Copyright infringements are far from only crimes being committed (exclusively) online, and therefore the Member States may see this as a green light to expand the list of crimes for which indiscriminate data retention may be ordered. And all this without prior judicial or administrative review.

The rule, not an exception

Beyond the protection of privacy and personal data, I see the judgment as part of a broader trend of the EU’s normative orientation. When the EU is presented with the choice of individual rights versus Member States’ regulatory powers, it increasingly chooses the latter. That was the case in the Euro crisis, where the principle of equality of Member States was the main and guiding rationale for endorsing measures based on the logic of strict conditionality, disregarding the rights of citizens affected by austerity measures. Specifically, conditionality is, at its core, an insurance that the Member States receiving assistance will continue to pursue a sound budgetary policy. This in turn means that it would not become necessary for Member States to cover the liabilities of others in contravention of the prohibition of monetary financing under Article 125 TFEU. This resulted in a disregard of the major re-distributive effects of such decisions for citizens across different Member States and different socioeconomic groups across the EU.

The same applies to the principle of solidarity, which is mentioned in the Treaties concerning both the relations between citizens and those between the Member States. The Court of Justice, however, endorsed it as a general principle only when applied between the Member States (concerning the fair sharing of burden in asylum and energy). In addition, the new Migration and Asylum Pact follows this trend by allowing the Member States wide powers to the detriment of individual rights of asylum seekers, including opening up space for their surveillance.

The narrative of the Court as the institution protecting the individual and her rights is thus at risk, and the judgment in La Quadrature du Net II did little to change this.

The views expressed here are personal to the author and do not represent the official position of the Court of Justice of the European Union.