Of Minor Benefits and Major Costs

Is general and indiscriminate data retention permissible under the EU fundamental rights framework? A decade has passed since the Court of Justice of the European Union (CJEU) was asked this somewhat oversimplified legal question. For a decade, different iterations of this legal question, be it about the various forms of data in question or the purposes for which data are retained, e.g. counter-terrorism, national security, or criminal investigations, have reached the CJEU repeatedly. Each iteration of a similar question revealed the increasing role of the private sector in law enforcement and the national security domain at the expense of protecting individuals’ fundamental rights. The La Quadrature du Net II case adds a new formulation to the question – to what extent internet service providers can retain their users’ IP addresses so that HADOPI (Haute Autorité pour la Diffusion des Œuvres et la Protection des droits d’auteur sur Internet) – the French administrative authority for copyright protection, can access the civil identity data linked to those addresses to issue sanctions? In answering this question, the Court tilts the metaphorical scale towards the interest of criminal investigations. The case outcome could contribute to the enlargement of privatised surveillance that rests on a generalised pre-emptive data retention scheme. The Court’s findings could cement intrusive practices emerging from the counter-terrorism narrative to regular state practice at the expense of fundamental rights protection.

From hopeful beginnings to a cautionary future

Law enforcement authorities and security agencies praise communications data analysis as critical in criminal investigations and national security matters – so much so that states have tasked the electronic communication service providers, which hold the key to the unsurmountable amount of data extracted from their users, with data retention obligations to ensure that the data will not be deleted when needed. The result is the collaboration between private sector actors and law enforcement authorities to prevent, detect, investigate, and prosecute crimes in a pre-emptive action model. Lines are thus blurred regarding accountability and oversight of data retention schemes resting on this collaboration.

A decade ago, the CJEU’s Digital Rights Ireland judgment and its following findings in Tele2 were a ray of hope for strengthening fundamental rights against the pre-emptive and generalised data retention schemes. The Court was critical of the serious interference that such schemes cause to individuals’ enjoyment of the rights to privacy and data protection as prescribed under the EU Charter – to the point that they served as the precedent to argue that the indiscriminate data retention schemes were precluded under EU law, for they lead to disproportionate interferences with those Charter rights (for the analysis of the decisions see here).

This tide around a robust fundamental rights discourse from the CJEU started to turn with its 2020 La Quadrature du Net and Privacy International decisions, where it began to peel out the security objectives for which Member States may mandate retention of different types of data from communications service providers. A common legal issue in both cases was the applicability of EU law to the disputed national data retention legislation, which the French and the UK governments argued to be based on the national security carve out found in the EU Treaty (i.e., Article 4(2) TEU) and specific EU legislation covering the data processing obligations of the providers of electronic communications services, i.e. the e-Privacy Directive). Had the Court concurred that the relevant national data retention legislation was outside the scope of EU law, the duties of those service providers would have escaped its scrutiny, only to be subjected to national constitutional law and the European Convention on Human Rights (La Quadrature du Net, para 103).

However, the legislation in question rested on the national security derogation under Article 15(1) of the e-Privacy Directive, allowing the Member States to mandate that service providers retain communications data (including IP addresses) longer than the period required in the provision of their services (paras 95-96 and 101). Obliging service providers to retain data by law interfered with the service users’ rights to privacy and data protection (paras 114-115). This legal mandate had to be proportionate to the aim it set out to achieve – protecting national security and combating serious crime (paras 121-122).

The retention of IP addresses as a serious interference with the right to privacy

Even though this could have partially addressed the legal accountability issues surrounding statutory privatisation, where private sector actors are mandated by law to act in the interest of states’ security objectives (for de Londras’s concept of statutory privatisation, see here), the criticisms focused on the proportionality analysis of different retention mandates and categories of communication data (see here). This retention mandate had to be proportionate to the interference it caused to the enjoyment of those rights. With its proportionality assessment, the Court dived into the different public security-related retention purposes, from the most serious one being national security interests to fighting serious crimes. The more intrusive a retention measure is, the more serious the public security purpose ought to be. The IP address, however, did not reveal the private lives of individuals as much as the other types of traffic data, only showing the owner of the terminal equipment (La Quadrature du Net, para 152). Revealing the owner could be the only way to investigate the perpetrator of an online offence (para 154), incentivising the legislator to mandate general and indiscriminate data retention to the internet service providers so that the information would be available beyond the period for which it is necessary for billing purposes (para 155). Still, the IP address could be used to profile users’ online activities (para 153). To mitigate this possibility, legislation imposing a data retention obligation had to comply with certain conditions, primarily the aim to combat serious crime, prevent threats to public security, and safeguard national security (para 156). A reverse reading of this finding would be that an objective of investigating non-serious crime does not justify the general and indiscriminate retention of IP addresses because of the disproportionate interference it causes with privacy and data protection rights.

In La Quadrature du Net II, the CJEU did not concur with this potential reverse reading. It distinguished the disputed legislation based on its assessment that HADOPI had limited access to the retained data – it could only access the civil identity of the holder of the IP address. If, as the Court argued, there was no possibility to conduct profiling based on the retained IP addresses, the interference arising from the general and indiscriminate data retention could not be deemed “serious”. With this lower threshold for rights interference, the Court was satisfied that the internet service providers could be mandated to retain all the IP addresses of their service users to combat “criminal offences in general” (para 82), however minor they might be. This generalised statutory privatisation had to meet specific standards – but as welcome as the Court’s attempt at limiting this indiscriminate surveillance was, the standards it laid out seem to fall short of addressing the underlying logic behind it.

Oh, the principle of proportionality. Where are you?

Ultimately, those standards were geared towards ensuring that the interference will not be serious by preventing online profiling (paras 86-90). Without that profiling, the cost to individuals’ fundamental rights could be balanced against the benefit of data retention for investigating ordinary crimes. This approach, however, captures only a limited aspect of the impacts of the privatisation of surveillance in question.

The issue here is that this pre-emptive action does not consider the individual circumstances of each case, as the counter-terrorism and national security interests are purported to be driven by a zero-risk imperative. A generalised IP address retention scheme does not target specific people based on their involvement in alleged criminal behaviour. It covers everyone who uses the Internet, notwithstanding their online behaviour. This leads to treating everyone as the perpetrator of a criminal offence – the access regime, despite the CJEU’s findings on the contrary, does not yield as much protection without independent oversight. As for the proportionality test, on one side of the balancing scale is (even minor) crime prevention. On the other side are categories of interests other than freedom from online profiling, such as presumption of innocence and reasonable expectation of online anonymity. The court, however, did not explore those interests fall and focused solely on online profiling. Different interests might require different levels of protection. Without this analysis, the retention of IP addresses was framed as a minor cost, while investigating ordinary crimes was deemed a significant benefit. A pre-emption logic found in the counterterrorism and national security rhetoric seeped into ordinary crime prevention to the detriment of fundamental rights.

Moreover, this lowering of the protection of fundamental rights within the EU framework could also impact the protection of data transferred from the EU to third countries. In Schrems I and II, the CJEU adopted a strict reading of the adequacy level the receiving country must afford for the incoming data, criticising its indiscriminate data retention schemes. Its findings in the Schrems saga are more protective of personal data than its recent case law, the last of which is La Quadrature du Net II. The CJEU’s recent stance on the issue could potentially serve as leverage to turn down the concerns over the expansive surveillance powers of law enforcement and intelligence authorities in the UK when the European Commission reconsiders its adequacy decisions for UK laws protecting personal data in June 2025 (see here). The compatibility of UK surveillance laws with the EU fundamental rights framework continues to be a live issue. As much as La Quadrature du Net II might indicate that the CJEU case law on data retention keeps on evolving towards undoing the Court’s former restrictive reading of permissible data retention, further issues linger as the UK plans to amend its data protection legislation. Surveillance laws, thus, are among many other problems that need to be reconsidered in evaluating the UK’s adequacy status. Just like the CJEU case law, nothing is settled.