CJEU - C-339/20 and C-397/20 - VD and SR (Joined Cases)

From GDPRhub
(Redirected from CJEU - C-339/20 - VD)
CJEU - Joined Cases C‑339/20 and C‑397/20 VD and SR
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law:
Article 11 Directive 2003/6/EC
Article 12(2)(a) Directive 2003/6/EC
Article 12(2)(d) Directive 2003/6/EC
Article 22 Regulation 596/2014
Article 23(2)(g) Regulation 596/2014
Article 23(2)(h) Regulation 596/2014
Decided: 20 September 2022
Parties: VD
SR
Case Number/Name: Joined Cases C‑339/20 and C‑397/20 VD and SR
European Case Law Identifier: ecli:EU:C:2022:703
Reference from: Cour de Cassation (France)
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: Annkathrin.a.dix


English Summary

EU law restricts the ability of Member States to implement broad data retention requirements and access regimes as part of combating market abuse, and requires national courts to exclude improperly obtained evidence in accordance with EU law principles.

Facts

On 22 May 2014, a judicial investigation was initiated into VD and SR for insider dealing and related offenses. On 23 and 25 September 2015, the Autorité des marchés financiers (the French Financial Markets Authority (hereinafter AMF)) provided the investigating judge with personal data from telephone calls made by VD and SR. The AMF had collected such data under French law, namely Article L. 34-1 CPCE. VD and SR challenged the use of this telephone data, on the grounds that it infringed Article 15(1) e-Privacy Directive. On 20 December 2018 and 07 March 2019, the French courts rejected the claims brought by the parties, relying on Article 23(2) Regulation No. 596/2015 relating to market abuse, which allows competent authorities to access such data where there is suspicion of insider dealing.

Holding

The Court firstly noted that the wording of the provisions in the Regulation only refer to the authority's power to "require existing" data records, suggesting that the EU legislature did not intend to mandate data retention obligations. The Court also held that the context and objectives of the legislation support the interpretation that it only governs access to existing data, not an obligation to retain data generally and indiscriminately. The Court concluded that a broad interpretation that would allow mandating data retention would deprive the clear wording of the provisions of effectiveness, which the Court cannot do according to its settled case law. The purpose of the EU legislation on insider trading — namely, Directive 2003/6 and Regulation No 596/2014 — is to protect the integrity of EU financial markets and enhance investor confidence by preventing the improper use of inside information. However, the EU legislation does not provide a legal basis for imposing a general obligation on electronic communications service providers to retain traffic and location data for the purposes of investigating market abuse offenses. Directive 2002/58 governs the processing of personal data in the electronic communications sector, including the retention of traffic data records. Provisions of national law requiring the general and indiscriminate retention of traffic and location data for the purpose of combating market abuse offenses must therefore be assessed in light of Article 15(1) of Directive 2002/58, read in conjunction with the relevant provisions of the Charter of Fundamental Rights. The AMF investigators collected traffic data based on an exception in French law that allowed for the retention of certain types of data for 1 year to investigate, detect, and prosecute criminal offences. The data that could be retained included information identifying the user, data on the communications terminal equipment, technical characteristics and details of each communication, data on additional services used, and data identifying the parties to the communication. This data, while not including the content of communications, could allow very detailed profiles to be created about individuals' private lives and activities. The purpose of the data retention was for investigating, detecting and prosecuting criminal offences, including market abuse offenses like insider trading. However, the Court of Justice of the EU (hereinafter CJEU) has ruled that such general and indiscriminate data retention, even for such purposes, is not justified under EU law and exceeds what is strictly necessary.

Therefore, the Court concluded that Article 12(2) Directive 2003/6 and Article 23(2) Regulation No. 596/2014, read in conjunction with Article 15(1) Directive 2002/58, preclude national legislation that requires the general and indiscriminate retention of traffic data for one year as a preventive measure to combat market abuse offenses.

Secondly, the Court emphasised that the principle of primacy of EU law requires national courts to give full effect to EU law provisions, which extends to refusing to apply conflicting national legislation. The CJEU can exceptionally allow temporary suspension of the effect of an EU law rule on national law. However, this is a prerogative of the Court when interpreting EU law. Unlike breaches of procedural obligations, a failure to comply with Article 15(1) of Directive 2002/58 (on data retention) cannot be remedied by allowing temporary maintenance of the national legislation. This means that the domestic law continuously imposed obligations contrary to EU law, thereby interfering with fundamental rights. The referring national court cannot restrict the temporal effects of a declaration of invalidity of the national data retention legislation that it is bound to make under national law. The Court did not impose any temporal restriction on the effects of its previous rulings on data retention, so it did not do so in the present case either. The Court emphasized the importance of determining the effect of finding the national data retention provisions incompatible with EU law on the admissibility of evidence obtained from the retained data in the main proceedings, in accordance with the principles of equivalence and effectiveness.

Thus, EU law precludes national courts from restricting the temporal effects of a declaration that national laws requiring the general and indiscriminate retention of traffic data, and allowing access to that data without prior judicial or independent authorization, as this is incompatible with Article 15(1) of the E-Privacy Directive and the Charter of Fundamental Rights. The admissibility of evidence obtained under such incompatible national laws is a matter for national law, subject to the principles of equivalence and effectiveness.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!