CE - 393099

From GDPRhub
CE - 393099
Courts logo1.png
Court: CE (France)
Jurisdiction: France
Relevant Law:
Décret n° 2015-1185 du 28 septembre 2015 portant désignation des services spécialisés de renseignement
Décret n° 2015-1639 du 11 décembre 2015 relatif à la désignation des services autres que les services spécialisés de renseignement, autorisés à recourir aux techniques mentionnées au titre V du livre VIII du code de la sécurité intérieure, pris en application de l'article L. 811-4 de ce code
Décret n° 2016-67 du 29 janvier 2016 relatif aux techniques de recueil de renseignement
Decided: 21.04.2021
Parties: La Quadrature du Net
French Data Network
Fédération des fournisseurs d'accès à internet associatifs
National Case Number/Name: 393099
European Case Law Identifier: ECLI:FR:CEASS:2021:393099.20210421
Appeal from:
Appeal to:
Original Language(s): French
Original Source: Conseil d'Etat (in French)
Initial Contributor: n/a

The French Supreme Administrative Court (Conseil d'Etat) ruled that the French legal framework on access to and retention of connection data for the purposes of combating crime and safeguarding national security is compatible with the EU law requirements, as interpreted by the CJEU.

English Summary[edit | edit source]

Facts[edit | edit source]

In its Joined Cases C-511/18, C-512/18 and C-520/18 and Case C‑623/17, the CJEU found that EU law precludes national legislation from requiring a provider of electronic communications services to carry out a general and indiscriminate transmission or retention of traffic and location data for the purpose of combating crime in general or safeguarding national security.

However, the Court said, when combating serious crime and preventing serious threats to public security, a Member State may also provide for the targeted retention of that data as well as its expedited retention, given that such an interference with fundamental rights is accompanied by effective safeguards and is reviewed by a court or by an independent administrative authority.

Following these cases, several French organizations lodged complaints with the Conseil d'Etat to declare invalid the French legal framework on access to and retention of connection data (identity data, traffic data, and location data) for the purposes of combating crime and safeguarding national security, that requires telecommunications operators to retain all user connection data for one year for the purposes of intelligence and criminal investigations.

Holding[edit | edit source]

Firstly, the CE assessed the compatibility of EU law and case law with the French Constitution. According to the Court, European norms and case law (specifically the CJEU rulings) should not be able to jeopardize the ultimate French norm. Therefore, the CE needs to be consequent with that.

Secondly, the CE remarked that the generalized obligation to retain data for purposes other than those of national security, notably the prosecution of criminal offences, is unlawful (with the exception of less sensitive data, such as civil status, IP address, accounts and payments). However, the Court also concluded that the general retention of data currently imposed on operators by French law is actually justified by a threat to national security.

The Court also concluded that, even if the retention of such data is justified, it must be subject to prior review by an independent authority, for which the French law needs to be amended so it requires the Government to assess from time to time the existence of such a threat, according to the CJEU. Currently, only a non-binding opinion of the National Commission for the Control of Intelligence Techniques is required.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the French original. Please refer to the French original for more details.