Connection data and national security: the French Administrative supreme court’s judgment

In a ruling dated April 21, 2021 informally known as “French Data Network” (CE, Ass., 21 Apr. 2021, n°393099), the French administrative supreme court (Conseil d’Etat) analysed the general obligation of retention of connection data imposed on telecommunications operators, internet service providers and hosting companies. This obligation was imposed in response to threats to national security.

This ruling comes in the context of proceedings which began in 2018. Several associations and a telecommunications operator went to the Conseil d’Etat who stayed the proceedings, pending the outcome of the judgments by the CJEU on a preliminary reference on October 6, 2020 (C-511/18, C-512/18 and C-520/18).

As a reminder, in its judgment dated October 6, 2020, the CJEU, when asked about the scope of the rules resulting from Directive 2002/58 "Directive on privacy and electronic communications" and the GDPR, held that the obligation of generalised and undifferentiated retention of connection data (other than identity data) imposed on operators must be limited to what is necessary for national security purposes in case of serious threats. Moreover, the CJEU specified that access to such data by intelligence services must be subject to prior review by an independent authority (AAI) or a judge.

As a preliminary remark, in its judgment dated April 21, 2021, the Conseil d’Etat recalled that its task is to "ensure that enforcing European law does not compromise the requirements of the French Constitution". The Conseil d’Etat then made a distinction based on the purposes of the data retention and the type of data. The Conseil d’Etat considered that the obligation imposed on French operators, regarding traffic and location data, was justified in consideration of the current threat to national security. However, the Conseil d’Etat urged the Government to periodically assess the reality of this threat. On the other hand, the judgment considered that the generalised retention of data for purposes other than safeguarding national security was unlawful. Only non-sensitive data such as identity data, contact and payment details, contract and account data, as well as IP addresses should be subject to a generalized retention obligation, regardless of national security requirements.

Furthermore, the Conseil d’Etat considered that access to retained data by intelligence services must solely be subject to prior approval by an independent authority, and therefore revoked the regulations that allowed such access on the basis of a mere non-binding opinion from the national intelligence services watchdog (CNCTR).

Finally, the Conseil d’Etat urged the Government to revoke, within 6 months, the provisions of the Postal and electronic communications code (CPCE) and the French law “loi sur la confiance dans l’économie numérique” (LCEN) only insofar as they provide for a retention obligation for purposes other than the safeguarding of national security.

It should be noted that the day after the Conseil d’Etat’s ruling, the Belgian Constitutional Court also ruled on the retention of connection data. Unlike the French Conseil d’Etat, the Belgian Court voided all provisions of the Belgian law imposing a generalised and undifferentiated retention of such data.

n addition, on May 25, 2021, the European Court of Human Rights (ECHR) adopted a more flexible position in the two following judgments on mass electronic surveillance: Big Brother Watch and others v. United Kingdom (req. n°58170/13, 62322/14 and 24960/15) and Centrum för Rättvisa v. Sweden (req. n°35252/08). In these judgments, the ECHR allowed the generalised surveillance of content and connection data of electronic communications for national security purposes among others and gave States "a wide margin of appreciation in deciding what type of interception regime is necessary, for these purposes". The ECHR requires, however, that sufficient safeguards be deployed to avoid abuses and arbitrary decisions, and it is only for this reason that the ECHR condemns the United Kingdom and Sweden, implicated in the above-mentioned judgments.

Behring, Anne-Solène Gay, Juris Initiative, connection data, generalized retention of data, Conseil d’Etat, CJEU, national security, intelligence services