Data Retention Laws and La Quadrature du Net II

Data retention laws are not a shield for online abusers or a means of ensuring impunity. While new forms of data processing pose privacy risks, they also enable the implementation of data retention regimes to combat abuse without going beyond what can be considered necessary in a democracy.

When the CJEU handed down its judgment in La Quadrature du Net (and Privacy International) in 2020, it seemed that the saga of retention cases was coming to an end. The Court – in its eighth consecutive ruling – clarified (what appeared to be) the final aspects of the application of data retention legislation, which were largely focused on the use of such information in the area of state security.

However, this did not happen. The following years saw the equally significant cases of Graham Dwyer and SpaceNet. And when, once again, it seemed that the issue of general data retention, encompassing traffic and location data, was ultimately closed (in SpaceNet, the CJEU clearly and unequivocally indicated its impermissibility in criminal proceedings), the problem of retention rules began to be examined from a new, equally important perspective. As a result of a request for a preliminary ruling from Conseil d’État, the Court had to clarify again whether the general retention of IP addresses can be used as a mechanism to counter online copyright infringement.

The La Quadrature du Net II case  – especially the AG’s opinion accepting the possibility of using such a measure – sparked a discussion on the possibility of revising the CJEU’s retention jurisprudence to date. However, I do not believe that the CJEU’s judgment actually heralds a “Copernican revolution” or is a “Pandora’s box.” It rather complements the existing line of jurisprudence. Like a cliffhanger in a TV series, it foreshadows that the story is not yet over.

Retention of telecommunications data in the CJEU case law

The Court of Justice’s position on generalised forms of retention has always referred to the principle of proportionality, according to which a serious interference with an individual’s rights can only be justified by the pursuit of objectives that can also be considered serious. In the Court’s view, processing of all retained data makes it possible to reconstruct a digital profile of an individual, revealing detailed information about them – including their worldview, health status, political beliefs etc. Thus, such serious interference can only be justified by the fight against serious crime and national security objectives. Again, however, this measure cannot be applied in a generalised manner, as its application would then not be linked to a concrete and real threat to an important public interest. Rather, it would become a tool for collecting redundant data.

The examination of national retention laws should therefore be carried out in two dimensions: qualitative and quantitative. The former serves to assess the degree of interference with individual rights. Serious interference (collecting the totality of electronic communications metadata) should be limited to cases in which serious objectives are pursued and should require special legal safeguards, such as judicial oversight. When examining retention laws, attention should thus first be paid to the quality of the data collected, which reveals the degree of interference with individual rights.

Importantly, however, the CJEU has not predetermined the absolute impermissibility of all untargeted forms of data retention in its case law to date. The cases examined by the Court concerned the retention of high-quality data, most often the entirety of metadata from electronic communications, such a location data, date and time of communication, and the communication partners involved (allowing profound interference with individual rights). Consequently, the Court’s interpretation concerned the collection and processing of this type of information. It was only in La Quadrature du Net II that the CJEU was confronted with the permissibility of applying untargeted retention of a certain category of information, the collection and processing of which, within a limited scope and for a specific purpose, does not seem to seriously interfere with individual rights.

The problem of IP address retention

The background of La Quadrature du Net II was the permissibility of a special legal procedure, the so-called graduated response procedure, which was established in French law for cases of counteracting copyright infringement. Its essential part is sending notifications to users (subscribers of an Internet service provider) about the use of their network termination to share files on a P2P network in a way that infringes copyright. A graduated response procedure is carried out by an administrative body (Arcom, formerly Hadopi) and, in principle, does not involve the imposition of criminal sanctions on users. Only in the case of repeated copyright infringement does the procedure provide for the possibility of notifying a public prosecutor of the infringement.

On the technical side, the procedure is implemented when copyright holders transmit aggregated information about files being shared on P2P networks, along with the IP addresses of the users sharing these files. Arcom combines this information with data from telecoms operators, thus establishing the identity of the subscriber to be notified of the infringement detected. It was in fact this last element of the mechanism that was at the heart of the dispute in La Quadrature du Net II – namely, whether telecommunications operators can be ordered to pre-emptively collect information on the IP addresses of all users simply because these data may (and in some cases will) prove necessary for the purposes of detecting copyright infringements.

A positive answer, it seems, would lead to a situation in which it would be permissible to retain a particular type of metadata (source IP addresses) in an untargeted manner and without any concrete link to a crime. According to critics of such a solution, this would lead to the Court accepting the use of an intrusive measure (generalised data retention) for less important public tasks whilst simultaneously rejecting its use for the purposes of fighting serious crime.

However, a negative answer – upholding the prohibition of IP data retention in an untargeted manner for the use of combating general crime – would make it significantly more difficult to investigate online copyright infringements. In the Court’s view, it would in fact not so much hinder such a fight as make it impossible, creating the risk of systemic impunity for perpetrators (para. 119).

In my view, such a polarised framing of the problem presented in La Quadrature du Net II is flawed and leads to oversimplification. On the one hand, the need for effective prosecution of online infringements is real. On the other hand, the measure needed to provide this protection – albeit using untargeted data retention – is not the same as the measure referred to in the earlier CJEU case law. Not every data retention procedure is conducted in an untargeted manner, but neither does every case of data retention affect the rights of the data subject in the same way. By skipping the qualitative assessment and focussing solely on the quantitative assessment of data collection principles, one loses sight of the actual surveillance potential of the entire process. The Court aptly recognised this problem, addressing it in detail in its judgment.

A readjustment or a u-turn?

In La Quadrature du Net II, the Court confirmed in principle that imposing an obligation on telecommunication providers to retain the IP addresses of the source of a connection does not infringe EU law, provided that additional and specific legal safeguards are established. Once again, it based its interpretation on the principle of proportionality, examining whether the bulk collection of IP addresses constitutes a serious interference with individual rights. In this regard, the Court considered that IP addresses, as long as they are not combined with other information (e.g. sites visited, information searched, content viewed etc.), do not enable the establishment of detailed information about an individual. Therefore, their processing does not lead to a serious interference and, thus, should not be limited solely to the pursuit of purposes that can be described as serious. The Court’s reasoning was based on two assumptions: (1) IP addresses do not reveal detailed information about an individual (para. 76) and (2) the processing of such data on a case-by-case (individualised) basis does not lead to the profiling of data subjects (‘watertight separation’, para. 83, and 87-89).

IP addresses as less sensitive data

The above leads to questions about the actual impact of La Quadrature du Net II on the application of retention rules in Member States. On the one hand, many point to the risk of lowering the restrictive standards set by the CJEU in its earlier case law, which were summarised in the SpaceNet case. La Quadrature du Net II can also be read as a narrow exception to the general prohibition of untargeted data collection established in former case-law. It permits such untargeted data collection only if it takes place in a strictly controlled environment. Furthermore, it remains to be seen whether the judgment initiates a discussion on untargeted retention in relation to other categories of traffic and location data.

In the Court’s view, the essential reasoning in La Quadrature du Net II remains consistent with – and even reinforces – the earlier case law. Indeed, the qualification of IP addresses as less sensitive data has made it possible not only to put forward a different set of legal safeguards for its processing, but also to dispense with the mandatory prior oversight – which, according to earlier case law, should be applied in cases where retained telecommunications data are accessed.

Although the Court’s reasoning is consistent, it is based on the assumption that IP addresses can indeed be categorised as low-sensitivity data. The question is whether this is always the case – all the more so as the experience of recent years shows that groups of information initially classified as not very sensitive (e.g. geolocation data) have in subsequent years been classified by the same Court as requiring the identical protection as the communications themselves. Similar doubts are already present today with regard to IP address data. For example, can information about users of the TOR network – in particular, data recorded at the originating and terminating nodes – really be classified as low-sensitivity data in every case? It should be noted that the collection of IP addresses at entry and exit nodes is a key technique for de-anonymizing TOR traffic and identifying users – a method successfully employed by security and intelligence agencies worldwide.

More data retention to come?

More controversy surrounds the link between data collection rules and the permissible scope of data processing. In particular, attention is drawn to the risk that implementing the safeguards model described in La Quadrature du Net II will only create the illusion of control. If state authorities are able to require telecommunication operators to collect large databases of user information, these data will – sooner or later – also be used for other public purposes. I call this phenomenon ‘the proliferation of electronic surveillance measures’, and it has, in fact, been observed for years.

In the light of the existing case law, there appears to be no obstacle to IP address retention data being used by secret services in the area of state security. Such data may also be helpful in identifying perpetrators of other (more serious) crimes. The question of the required legal safeguards restricting the use of this information may be secondary in a situation where the data have already been collected. This leads to the conclusion that in La Quadrature du Net II, the Court – consciously or not – permitted the implementation of a model awaited by many governments, whereby states will be able to legally retain (some) electronic communications data, with the obligation to demonstrate that the necessity criterion is met only at the stage of accessing the data.

A difficult balance to strike

La Quadrature du Net II has been met with mixed reactions, with mainly critical arguments pointing to the departure from the previous clear interpretation regarding the prohibition of generalised metadata retention measures. These voices should not be ignored, as they express legitimate concerns about the possibility of the judgment introducing solutions which are de facto identical in terms of intrusiveness to those previously challenged by the CJEU. At the same time, however, it is important not to lose sight of the fact that law – including data retention rules – must not become a mechanism for protecting criminals. The scale and mass nature of online rights violations are a real problem. P2P networks are not only a threat to copyright protection, but also an environment for the distribution of content related to serious crime (e.g. extremist speech or child abuse materials). It is therefore necessary to strike a balance between the two rationales and to propose solutions that adequately protect users by not guaranteeing impunity for criminals.

La Quadrature du Net II fits into this need but, at the same time, does not seem to explain in sufficient depth the relationship between the collection and processing of low-sensitivity data and their subsequent use by state authorities. Addressing this issue more clearly would help to clarify many controversies and answer questions about the future of retention laws in Member States.