The Unbearable Lightness of Interfering with the Right to Privacy

The European Court of Justice has once again ruled on national data retention legislation. In La Quadrature du Net II (“LQDN II”, Case C-470/21), the Full Court allowed the indiscriminate retention of IP addresses for the purpose of combating copyright infringements. Although the judgment does not openly contradict its previous case law, the Court applies a lower standard of scrutiny when Member States retain IP addresses to identify their citizens online. This encourages Member States to try and implement indiscriminate retention regimes for IP addresses and other categories of personal data in the future, and raises the question of whether the Court will maintain its generally critical stance towards interferences with the right to privacy. It seems that the Court is slowly but surely abandoning its role as guardian of this fundamental rights and allowing governments to collect vast amounts of data on their citizens in order to solve minor crimes.

Previous Data Retention Case Law 

Before considering the present decision, it is worth recalling the historical development of the Court’s case law on data retention.

Originally, Directive 2006/24 harmonized national data retention rules. It required providers of electronic communication services and networks to retain communications traffic data about their users and to hand them over to national authorities on request. In Digital Rights Ireland (2014) the Court invalidated this directive. It held that while data may be retained to combat serious crime, any interference with the rights to privacy and data protection must be subject to strict scrutiny and limited to what is strictly necessary to achieve that objective. The indiscriminate retention of traffic data about the entire European population did not meet these criteria.

Without a specific legal basis for indiscriminate data retention, the national retention regimes were obliged to comply with Article 15(1) of the ePrivacy Directive. In Tele2 Sverige (2016) the Court clarified the obligations of national legislators when introducing data retention regimes. In essence, it held that these rules, where their purpose is to combat crime, are subject to the same level of scrutiny as that developed in the Digital Rights case. Article 15(1) contains an exception to the general obligation to erase communications traffic data once they are no longer needed, and national legislation may not make retention the rule. Indiscriminate data retention is a serious interference with the right to privacy and data protection. Therefore, legislatures must be able to show – based on objective evidence – that a link exists between the data to be retained and an offence to be prosecuted. Furthermore, procedural safeguards must be in place so that authorities cannot access the retained data without prior authorization by an independent body.

The Court’s reputation as a persistent opponent of broad data retention regimes was first dented in 2020. In La Quadrature du Net I (2020) the Court of Justice allowed indiscriminate retention for certain categories of data. It argued that the retention of IP addresses can be justified to protect national security and combat serious crime if the retention period is limited to what is strictly necessary. Data relating to the civil identity of users may even be retained to investigate ‘ordinary’ crime.

La Quadrature du Net II

La Quadrature du Net II confronted the Court with the French authority Hadopi, a body charged with investigating copyright infringements. Rights owners send complaints to Hadopi containing the IP addresses of alleged infringers. The authority can then order internet service providers to identify the holders of these addresses using retained data. Hadopi initially warns infringers, but can refer repeat offenders to a criminal prosecutor.

This setup raises several questions. First, whether it is permissible for communications providers to retain IP addresses indiscriminately in order to prosecute minor offences such as copyright infringement (“the retention question”). Second, whether and when Hadopi may access the retained data (“the access question”). And finally, whether such access must be subject to prior judicial authorization.

The “retention question” forced the Court to revisit its statements in LQdN I, in which it declared the retention of IP addresses to be permissible in the fight against serious crime. In LQdN II, the Court maintains that data retention that seriously interferes with fundamental rights can only be justified to combat serious crime. If the interference is non-serious, however, it may be used to combat any crime (para. 77–85). An interference caused by the retention of IP addresses is non-serious when it is ruled out that the retained data can be combined in a way that allows precise and thus invasive conclusions to be drawn about a person’s private life (para. 82). The Court provides “guidance” on the retention arrangements that Member States must maintain to avoid such inferences being drawn: the different categories of retained data must be stored separately in a “genuinely watertight” manner, and the reliability of that separation must be regularly reviewed by a public authority (paras 86–89).

Obviously, simply storing IP data has no value when Hadopi cannot retrieve it to identify infringers. The Court thus turned to the “access question” reusing the distinction it just established between serious and non-serious interferences: Although copyright infringement is rarely serious, Hadopi may use the retained data to identify the perpetrator if the interference caused by the access itself is not serious. Hadopi only receives IP addresses and data that can be used for identification. In typical cases that is not enough to draw precise conclusions about the private lives of the alleged infringers and therefore not a serious interference (para. 99–100). Accordingly, authorities may, in principle, access that data to combat ordinary crime.

Whether the access is justified depends on its necessity in the individual case. The Court seems to have no general objection to Hadopi accessing the data to investigate copyright offences. It argues that only a few individuals at Hadopi, who are bound to confidentiality, have access to the data (para. 113–14) and that some offences can only be solved by identifying the owners of IP addresses or by even more intrusive measures (para. 116–21). This analysis of the necessity of the interference consists of only a few short paragraphs. It does not discuss whether certain offences can be easily solved without accessing retained data, nor does it task the referring court with evaluating this possibility. It simply accepts Advocate General Szpunar’s claim that without access to the retained data there is a serious risk of mass impunity for internet crimes.

Having established that IP addresses may be retained and accessed for the purpose of prosecuting copyright infringement, the Court had to decide whether access to the data requires prior judicial authorization. In Tele2 the Court had held that “as a general rule” the access to retained data should be subject to prior review by a court or an independent administrative body. In LQdN II, the Court reiterates that the prior review rule should apply only to serious interference and that non-serious interference does not require prior review (para. 124–31). Applied to Hadopi, this means that prior review is required when merging the identities of repeat offenders with information about the breaches they have committed (i.e., the songs they listened to). The reason is that in “atypical cases” merging this data might allow precise conclusions to be drawn about their media consumption or even more sensitive information, making it a serious interference (para. 110–11, 135–39). The authorization must be denied in these cases unless the alleged copyright violation is a serious crime (para. 145–46).

A Departure From the Court’s Approach to Data Retention?

The recent LQdN II judgment has been criticized as a turning point in the Court’s jurisprudence, caused by the Member State’s refusal to comply with the cases since Digital Rights and Tele2.

A friendly reading might conclude that the approach taken in LQdN II is in line with Digital Rightsand merely nuances the Court’s previous jurisprudence. Digital Rights is based on the seriousness of the interference with fundamental rights caused by the perception of constant surveillance. LQDN IIholds that this premise does not apply to all categories of data in all circumstances, and therefore less scrutiny may be justified in some cases. Furthermore, the Court is still unwilling to allow the continuation of far reaching mass retention regimes similar to that introduced by Directive 2006/24, and has consistently declared them unlawful (see, e.g. SpaceNet (2022)). LQdN II does not yield to the Member States in that regard.

However, what the Court presents as nuance is a complete abstention from proportionality assessment for certain categories of data. It does not balance the non-severe interference caused by the retention of IP addresses against the competing interest of combating ordinary crime. Instead, it stops its assessment once it has established the seriousness of the interference. In doing so, the Court is even more permissive than in LQdN I, where it used a positive obligation to prosecute certain crimes as a counterweight to justify the retention of IP addresses.

This prevents the Court from considering less intrusive ways of combatting cybercrime. “Expedited retention” or “quick freeze” is a commonly contemplated measure. The Court was already confronted with an expedited retention regime in LQDN I and yet it does not engage with this option.

Shortening the analysis also prevents other issues from previous cases from being included in the judgment. Indiscriminate retention of IP data does away with anonymity on the internet. The judgment, however, fails to address whether this could have a chilling effect on the exercise of the right to freedom of expression, as the Court has feared in the past.

Even if Digital Rights is not dead as a matter of law it is dead as a matter of spirit. Rather than simply reviewing the compliance of the French regime with the Charter, the Court provides detailed guidance on how to design a national regime for bulk retention of IP addresses and identifying data. This proactive guidance, the absence of any reference to the Digital Rights judgment, and the fact that LQdN II was rendered by the Full Court invites the Member States to be creative with their retention regimes and try to find new ways to massively retain personal data in a supposedly non-serious fashion.

With LQdN II it is likely that Member States put in place systems that walk the line between serious and non-serious rights interferences and that this, in turn, will lead to further litigation. The data retention saga before the Court is not over and it remains to be seen whether the Court will keep taking fundamental rights seriously.