Squaring the circle

Rarely is the name of a decision so emblematic of the problem that lies behind it. The association La Quadrature du Net has reached yet another landmark judgment on data retention before the CJEU. However, the decision seems like squaring the circle for opponents and proponents of mass surveillance alike. For decades, national law enforcement authorities and interior ministries have complained about a constant lack of investigative capacity for combating online crime. The CJEU is caught between its duty to ensure uniform application of EU law and its claim to have the final say in resolving conflicts affecting fundamental rights. As a matter of fact, the data retention saga is at the core of the judicial dialogue between the EU Court and the national constitutional courts. This contribution aims at contextualizing the La Quadrature du Net II-Judgment of April 2024 and questions the flawed methodological approach of the CJEU. Instead of conjuring up a worrisome paradigm shift, the judgment should rather be seen as a wakeup call for the EU legislator, who for decades has failed to establish clear and unambiguous limits for data retention.

Steady retreat

Ever since the Digital Rights Ireland-Judgment in 2014, the CJEU has slowly been watering down its own jurisprudence. In Tele2 Sverige (2016), it declared “targeted retention of traffic and location data“ to be permissible, if it was strictly limited “with respect to the categories of data to be retained, the means of communication affected, the persons concerned and the retention period adopted“ for the purpose of fighting serious crime (para. 108). In La Quadrature du Net I (2020) the CJEU declared that the objective of safeguarding national security justified the “preventive retention of data of all users of electronic communications systems” if it was limited to a foreseeable period of time (para. 137 f.). Also, the Court paved the way for the general and indiscriminate data retention of IP addresses as they might be the only means to investigate offences committed online. This possibility was however limited to cases of combatting serious crime, preventing serious threats to public security and safeguarding of national security. The retention of IP addresses has since been subject to fewer restrictions than the retention of traffic and location data.

In 2022, requested for a preliminary ruling from the German Federal Administrative Court (SpaceNet) and the Supreme Court of Ireland (Commissioner of An Garda Síochána), the CJEU affirmed these limitations, allowing the generalised retention of IP addresses to combat serious crime (para. 102). With the recent La Quadrature du Net II-Judgment, the Full Court extended this exception to lesser crimes, such as combatting infringements of intellectual property rights committed exclusively online. It is important to note that the general and indiscriminate retention of IP addresses in this case was not necessarily considered to constitute “a serious interference” with Articles 7, 8 and 11 of the Charter. Given the specific provisions and safeguards in French law, the Court was convinced that the possibility that retention could give rise to serious interference in the private life of the person concerned could be “genuinely ruled out”.

Competence creep vis-à-vis the Member States

Leading court cases do not automatically create universally binding precedents and instead require contextualization (see Lepsius, here). It is the task of legal academia to assess the complex factual context of a decision, the hermeneutics applied by the court as well as the procedural history behind a case. In EU law in particular the interpretation of the law is increasingly being replaced by the interpretation of court decisions.

The CJEU’s preliminary rulings must be interpreted in the light of the questions referred as well as the societal conditions in and the legislative framework of the referring Member State. Given the specific legal framework governing the administrative procedure of Hadopi, an independent public authority tasked with combatting copyright infringements committed online, the CJEU was convinced in the recent La Quadrature du Net II-Judgment that data retention was organised in such a way that the “genuinely watertight separation” of the different categories of data was guaranteed, from a technical point of view as well. Bearing this in mind, it is noteworthy that La Quadrature du Net II was referred to the CJEU by the French Conseil d’État, the highest administrative court in France – the very same court that back in 2021 was asked by the French Government to declare La Quadrature du Net I to be an act ultra vires as it encroached upon France’s national security and undermined its constitutional identity.

The Conseil rejected this claim, thereby refraining from waging “open war” against the CJEU and instead opted for what the Conseil’s former vice president called a rough dialogue (le “dialogue rugueux”) with the CJEU. Needless to say, the Conseil considered the CJEU to be incapable of guaranteeing adequate protection on the basis that the safeguarding of national security falls exclusively within the competence of the Member States. And, establishing a “securitarian Solange” doctrine, the Conseil considered the indiscriminate and general retention of electronic communication data for a period of one year to be indispensable for the combat of serious crimes and the protection of national security (more detailed on this Gerhold, here).

Against this backdrop, La Quadrature du Net II is neither a “major U-turn in EU case law” nor “the end of online anonymity”. Instead, the judgment is just yet another chapter in the constitutional dialogue between the European courts – it is more a tactical concession to French particularities, a strategy of appeasement, than a really serious departure from the high standards of protection of fundamental rights, as established in the Court’s previous case law.

Methodological flaws

When the Court (rightly) annulled the EU Data Retention Directive in 2014, it did so primarily because instead of limiting itself to what is strictly necessary, the Directive interfered “with the fundamental rights of practically the entire European population” (para. 56). The CJEU found that the Directive lacked clear and precise rules for limiting the scope and application of data retention measures, giving rise to the possibility of severe interference with the fundamental rights enshrined in Art. 7 and 8 of the Charter.

Ever since the annulment, the CJEU has measured the various data retention laws, mainly enacted by the Member States to implement the Data Retention Directive, against the yardstick of a mere opening clause in the ePrivacy-Directive (2002/58/EC) read in the light of Art. 7, 8 and 11 of the Charter. Its case law is carved out from Art. 15 of the e-Privacy Directive, a “vague and vast disciple”, as rightly pointed out by Giulia Formici, because it allows Member States to derogate from the principle of confidentiality of the communications and the obligation to erase and anonymize personal data where they are no longer needed in the electronic communications sector. In fact, Art. 15 para. 1 of the e-Privacy Directive is a classic declaratory opening clause (see F. Wollenschläger here and here; Müller/Schwabenbauer here; Sandhu, pp. 249 ff.) referring to the Member States’ exclusive competence to safeguard national security, defence, public security and the prevention of criminal offences.

Whereas the EU can legislate in the fields of data protection and harmonize the processing of electronic communications data, it lacks the competence to harmonize the powers of national law enforcement authorities under the current primary law framework. Whether or not one considers this a deficit in the EU’s competence structure, it is it is not the task of the CJEU to fix it. As such, national data retention for the purposes defined in the opening clause does not fall within the scope of Union law. The CJEU’s case-law basically reaches to same result via detours. In essence, the CJEU acknowledges a national security-exception allowing for the preventive retention of all users of electronic communications systems in case of “serious threat to national security” (La Quadrature du Net I, para. 139; see here). Yet, methodologically, it would have been more consistent to declare such measures as falling outside the scope of Union law in the sense of Art. 51 para. 1 of the Charter.

Inter-institutional division of power

It is the CJEU, not the EU legislator, which has erroneously taken on the task of defining the strict safeguards, and the limitations and technical requirements for data retention measures. In 2017, the Commission published its proposal for an ePrivacy Regulation, which has since May 2021 been negotiated in the Trilogue (Council, Parliament, Commission). As revealed by the Council’s negotiation mandate, the Member States are trying to pull the rug out from under the feet of the CJEU. They have proposed including the following recital which would heavily restrict both the scope of Union law and, implicitly at least, any chance of applying of EU fundamental rights on their national data retention laws:

“This Regulation does not apply to the protection of fundamental rights and freedoms related to activities which fall outside the scope of Union law, and in any event measures, processing activities and operations concerning national security and defence, regardless of who is carrying out those operations,whether it is a public authority or a private operator acting at the request of a public authority.”

This is a clear attempt to counter the CJEU’s extensive interpretation of the opening clauses in the ePrivacy-Directive. Its aim is to exclude data retention measures carried out by private telecommunication providers in the state’s interest from the scope of Union law.  Art. 11 of the proposed ePrivacy Regulation on restrictions of the confidentiality of electronic communications data is much broader than the current Art. 15 para. 1 ePrivacy Directive which it is meant to replace. The proposed provision also allows restrictions on confidentiality to safeguard the enforcement of civil law claims. Furthermore, the opening clause is not only addressed to the Member States, but also directly to the EU legislator and may thus be a hint for the reintroduction of data retention at EU level. The Full Court’s decision in La Quadrature du Net II is surprisingly in line with this legislative compromise. It would not be the first time the CJEU anticipates a decision by the EU legislator – the same happened in 2014, when the court established the right to be forgotten in the Google Spain decision before Art. 17 GDPR was enacted by the EU legislator. And the same happened in its recent decision on Meta Platforms, when it tacitly applied the obligations for gatekeepers under the Digital Markets Act on a case from 2019.

Time for clarity

Whereas EU Law on data retention is considered to intrude too much on national fundamental rights, especially by liberal Justice Ministers in Germany, it seems like it cannot be intrusive enough for others. It could be argued that the decade old dispute over data retention can be tackled by the EU legislator at least insofar as the internal market and serious cross border as well as online crimes are concerned. Indiscriminate and general data retention does constitute a mass breach of confidentiality. It therefore must be the absolute exception and based on objective evidence to prevent unlawful discrimination. Member States could at least agree on a set of serious crimes, for example by means of non-binding Guidelines. They should however refrain from merely referring to “terrorist activities”, which is not a legal term. Otherwise, the Member States’ contempt for the CJEU and the constant retreat of the Court risk undermining the supremacy of Union law as well as effective fundamental rights protection in the long term. Whereas the processing and retention of communication data by private actors as well as the access to this data by state authorities fall under the scope of Union law, surveillance activities of the competent state authorities remain excluded from the court’s scrutiny. This competence division fails to adequately asses mass surveillance activities, which are the product of a public-private partnership, with law enforcement authorities making use of private data power. The potential risks arising from mass data retention have only increased over the last decades, as the automated and real-time collection of metadata to predict private actions and the use of AI tools in warfare have shown.

The views expressed in this blogpost are entirely personal to the author and do not represent the official position of the Federal Constitutional Court.