CE - 393099

From GDPRhub
Revision as of 16:27, 3 May 2021 by Cvl (talk | contribs) (→‎Facts)
CE - 393099
Courts logo1.png
Court: CE (France)
Jurisdiction: France
Relevant Law:
Décret n° 2015-1185 du 28 septembre 2015 portant désignation des services spécialisés de renseignement
Décret n° 2015-1639 du 11 décembre 2015 relatif à la désignation des services autres que les services spécialisés de renseignement, autorisés à recourir aux techniques mentionnées au titre V du livre VIII du code de la sécurité intérieure, pris en application de l'article L. 811-4 de ce code
Décret n° 2016-67 du 29 janvier 2016 relatif aux techniques de recueil de renseignement
Decided: 21.04.2021
Published:
Parties: La Quadrature du Net
French Data Network
Igwan.net
Fédération des fournisseurs d'accès à internet associatifs
National Case Number/Name: 393099
European Case Law Identifier: ECLI:FR:CEASS:2021:393099.20210421
Appeal from:
Appeal to:
Original Language(s): French
Original Source: Conseil d'Etat (in French)
Initial Contributor: n/a

The French Supreme Administrative Court (Conseil d'Etat) ruled that the French legal framework on access to and retention of connection data for the purposes of combating crime and safeguarding national security is compatible with the CJEU requirements, being it justified by a threat to national security.

English Summary

Facts

In its Joined Cases C-511/18, C-512/18 and C-520/18 and Case C‑623/17, the CJEU found that EU law precludes national legislation from requiring a provider of electronic communications services to carry out a general and indiscriminate transmission or retention of traffic and location data for the purpose of combating crime in general or safeguarding national security.

However, the Court said, when combating serious crime and preventing serious threats to public security, a Member State may also provide for the targeted retention of that data as well as its expedited retention, given that such an interference with fundamental rights is accompanied by effective safeguards and is reviewed by a court or by an independent administrative authority.

Following these cases, several French organizations lodged complaints with the Conseil d'Etat to declare invalid the French legal framework on access to and retention of connection data (identity data, traffic data, and location data) for the purposes of combating crime and safeguarding national security, that requires telecommunications operators to retain all user connection data for one year for the purposes of intelligence and criminal investigations.

Holding

Firstly, the CE assessed the compatibility of EU law and case law with the French Constitution. According to the Court, European norms and case law (specifically the CJEU rulings) should not be able to jeopardize the ultimate French norm. Therefore, the CE needs to be consequent with that.

Secondly, the CE remarked that the generalized obligation to retain data for purposes other than those of national security, notably the prosecution of criminal offences, is unlawful (with the exception of less sensitive data, such as civil status, IP address, accounts and payments). However, the Court also concluded that the general retention of data currently imposed on operators by French law is actually justified by a threat to national security.

The Court also concluded that, even if the retention of such data is justified, it must be subject to prior review by an independent authority, for which the French law needs to be amended so it requires the Government to assess from time to time the existence of such a threat, according to the CJEU. Currently, only a non-binding opinion of the National Commission for the Control of Intelligence Techniques is required.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.