EU’s top court paves the way for major reforms of European surveillance laws. What do the rulings in cases “Privacy International”, “La Quadrature, French Data Network et al.” mean?

On October 6, 2020, the Grand Chamber of the Court of Justice (CJEU) – the European Union’s highest court – ruled that the following measures are contrary to EU law:

Also read: Our Press Release on the judgments
Full text of the judgments: Case La Quadrature, French Data Network et al. - Case Privacy International

What is at stake?

When you communicate by phone or via the Internet and when you browse online, considerable amounts of data are generated automatically. This information is often referred to as “metadata”. It indicates ‘where’, ‘when’ and ‘who’ communicates with whom, and may also include information about the type of online content consulted (e.g. URLs). Metadata is ready to be analysed by computers on a massive scale and enables the profiling of individuals. It may reveal sensitive information, sometimes more than the actual content of communications. In particular, metadata “facilitate\[s] the almost instantaneous cataloguing of entire populations, something which the content of communications does not.”\[1]

Under Belgian, French and UK laws, communications service providers would be required to retain this metadata for one year, or to forward this data ‘in bulk’ for intelligence and investigation purposes of the State.

Despite their different national implementations, these data retention and transmission schemes cover all users of electronic communications (individuals, businesses, judges, attorneys, whistleblowers, etc.) and apply at all times. There is no need for any suspicion, or any objective criteria linked to any investigation. There is no need for any court approval. They are systematic and preventive, i.e. ‘just in case’ investigators or intelligence agencies might ever need them.

The legal challenges that led to the rulings of 6 October 2020 aim to strike down the general data retention laws and the surveillance rationale behind them, because these laws are fundamentally intrusive and prone to abuse by States.

Why do these laws even exist in the first place? The rationale since 2006 in Europe\[2], and in particular in France since 2001\[3], is the following: “Because it is impossible to know in advance who is likely to be a threat or a criminal, we ought to keep data to track the behaviours and communications of everyone.”

However, this way of thinking is far from harmless, and the categories of data at stake are far from innocuous. In the words of the CJEU:

“\[T]raffic and location data may reveal information on a significant number of aspects of the private life of the persons concerned, including sensitive information such as sexual orientation, political opinions, religious, philosophical, societal or other beliefs and state of health \[…]. Taken as a whole, that data may allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them. In particular, that data provides the means of establishing a profile of the individuals concerned, information that is no less sensitive, having regard to the right to privacy, than the actual content of communications”. (§117 of joint Cases C-511/18, C-512/18 and C-520/18)

From a political standpoint, our legal actions challenge the state of ‘general suspicion’ or ‘State paranoia’ that has led to the development of ‘mass surveillance’ techniques. In contrast, our stance is simple: intrusive surveillance measures should not be the norm; they should be the exception. Surveillance measures should be carried out only where strictly necessary, subject to safeguards and in a manner holding authorities accountable.

From a legal standpoint, the rulings are essentially about (1) whether national security purposes are exempted from EU law and (2) to what extent EU law prohibits or allows the retention, real-time automated analysis and/or collection, and/or transmission of electronic communications data for public authorities.

Is it a victory for privacy or for security?

This is a victory for both.

Both the right to privacy and confidentiality of communications, and the right to security, contribute to a democratic society. That is why, under European human rights laws, States have both an obligation to protect individuals against interference in their home and communications, as well as to maintain public security.

However, one objective should not completely overcome the other. Surveillance measures are allowed, but only as far as they are “necessary in a democratic society” and remain proportionate. That is why the Court strikes a balance between, on the one hand, the right to privacy and confidentiality of communications, the right to an effective remedy, and freedom of expression online, and on the other hand, the public interests to preserve national security, public security and the fight against criminality.

The rulings of 6 October 2020 are a victory for the rights to privacy and confidentiality of communications, because they:

This is no less of a major victory.

Are these rulings a surprise?

No. The rulings of 6 October 2020 are not a change of case law. They are the direct continuation of previous cases where the Grand Chamber of the CJEU – the highest jurisdiction for European law – already ruled that European States’ security logic was at odds with the protection of European fundamental rights and freedoms.

Since 2014 and even more so since 2016, it is undeniably clear that the data retention laws of Belgium, France and many other EU Member States are not compatible with EU law. The same goes for France’s “Intelligence Act 2015” and the UK’s “Investigatory Powers Act 2016”.

So these rulings hardly come as a surprise. The need to change European States’ surveillance laws has been the ‘elephant in the room’ since 2014.

Yet, as mentioned, while the CJEU has been constant in its interpretation of the EU legal framework, many European States have been constant in their inability to engage in substantial reforms, whether at EU or national level. Many representatives justified the lack of reform with false legal arguments, the main one being that national security was out of reach of EU law. The rulings of 6 October 2020 finally and unequivocally put an end to this invalid argument, hopefully once and for all.

Are the judges on a political crusade for privacy?

Judges apply the law.

They do not write it. Even more importantly, Member States of the European Union have chosen to hold themselves to strict fundamental rights they set themselves, via the Charter of Fundamental Rights. The CJEU based its rulings on specific provisions of EU laws, read in light of this Charter.

The divide between the level of protection of some EU laws voted in Parliament, and the wishes of national authorities to give precedence to national security over the respect of human rights, is not consistent with the law and treaties that have been negotiated and agreed at the European level.

What is of greater concern is that, since 2014, many intelligence services or investigatory bodies have constantly criticised the Court judgments – claiming they were deprived of tools necessary for the fight against crime.

After six years of clear rulings from the EU’s highest court, it is time that national authorities finally listen and act accordingly. To do otherwise would be a serious and concerning breach of the rule of law in Europe.

Disrespect for the rule of law – voted in Parliament and applied by judges – is a serious political concern.

What did the Court decide exactly?

In a nutshell, the CJEU concluded that current laws in Belgium, France and the UK are incompatible with EU law. Reforms are necessary.

The Court clarified that:

In addition to the general prohibitions above, the Court sets the conditions, limitations, and safeguards that must be put in place for surveillance laws and investigatory or intelligence measures to be compatible with EU law. Laying out these requirements is a major victory, as the Court paves the way to reforms of surveillance laws in Europe.

In particular, the Court held that:

In any event, the rulings impose minimum safeguards, so that the persons whose personal data is affected have sufficient guarantees that data will be effectively protected against the risk of abuse. The need for such safeguards is even greater where personal data is subjected to automated processing.

What are the impacts of the judgments for French and UK surveillance laws?

Specifically for France:

Data retention laws and decrees (L34-1 and R10-13 of the French Code of Electronic Communications and Posts and Decree 2011-219) will have to be modified because data retention may not be general, indiscriminate and systematic as a preventive measure.

The Intelligence Acts of 2015 (and related decrees codified in Book 8 of the Internal Security Code) will have to be structurally changed — in particular:

The scrutiny of intelligence measures should also undergo deep reforms. As of today, the French intelligence oversight body, the Commission Nationale de Contrôle des Techniques de Renseignement (CNCTR), provides non-binding opinions to the Prime Minister; it does not take binding decisions. We hope that the necessary reforms will also be an opportunity to discuss the means allocated, which could in turn increase the quality of its investigations and management of data subjects’ rights. Historically, the CNCTR (formerly the CNCIS) has known times when it was under-resourced, by its own admission.

Reforms in the Code of criminal procedure for related techniques may also be expected.

More generally, to comply with the ruling, French law will have to include a notification to inform data subjects of surveillance or investigative measures, when such notification does not undermine the purposes of the measure.

This must become a requirement regarding access to traffic and location data (whether real-time or delayed access) but also with regard to automated analysis of that data that singles out individuals. To provide information when doing so no longer poses a threat to the investigation is fundamental, as the right to access a judge and obtain justice if one has been unfairly treated (right to an effective remedy) is a cornerstone of EU fundamental rights law.

A part of the case also impacts obligations to retain personal data imposed upon hosting providers, in relation to users who contribute to content online (LCEN Art 6 II). While the legality of Decree 2011-219 is now seriously at stake, the specific impact of the ruling here is not entirely clear, and it remains to be seen how the Conseil d’État will interpret it.

Specifically for the UK:

Read Privacy International’s analysis to learn more about the implications for the UK.

What is the impact elsewhere in Europe?

Many Member States in Europe have laws requiring general data retention: see this study from 2017 by Privacy International. The rulings of 6 October 2020 have an impact throughout the European Union.

What was the involvement of Data Rights and what are the next steps?

Data Rights was founded by people including activists who brought the challenge in France that led to the ruling of 6 October 2020, as part of their contributions to the Exegetes Amateurs.

The cases will go back to the national jurisdictions that sent the matters to the CJEU. In France, the case goes back to the highest administrative court (Conseil d’État). In the UK, the case goes back to the Investigatory Powers Tribunal. Privacy International will as usual keep the UK in check too.

Besides these cases, the rulings may spark reforms and discussions among lawmakers in Brussels and in every EU country. Data Rights will work to ensure the essence of the rulings is taken into account, and effective reforms are made.

  1. Opinion of Advocate General Saugmandsgaard Øe of 19 July 2016 in Tele2/Sverige, §259

  2. In 2006, the European Parliament and the European Council adopted the Data Retention Directive

  3. In 2001, France’s Parliament adopted the Everyday Security Act, now codified in Sec. L34-1 of the French Code of Electronic Communications and Posts