La Quadrature du Net – Court Ruling (France, 2021)

In its Joined Cases C-511/18, C-512/18 and C-520/18 and Case C‑623/17, the CJEU found that EU law precludes national legislation from requiring a provider of electronic communications services to carry out a general and indiscriminate transmission or retention of traffic and location data for the purpose of combating crime in general or safeguarding national security. However, the Court said, when combating serious crime and preventing serious threats to public security, a Member State may also provide for the targeted retention of that data as well as its expedited retention, given that such an interference with fundamental rights is accompanied by effective safeguards and is reviewed by a court or by an independent administrative authority. Following these cases, several French organizations lodged complaints with the Conseil d'Etat to declare invalid the French legal framework on access to and retention of connection data (identity data, traffic data, and location data) for the purposes of combating crime and safeguarding national security, that requires telecommunications operators to retain all user connection data for one year for the purposes of intelligence and criminal investigations. Firstly, the CE assessed the compatibility of EU law and case law with the French Constitution. According to the Court, European norms and case law (specifically the CJEU rulings) should not be able to jeopardize the ultimate French norm. Therefore, the CE needs to be consequent with that. Secondly, the CE remarked that the generalized obligation to retain data for purposes other than those of national security, notably the prosecution of criminal offences, is unlawful (with the exception of less sensitive data, such as civil status, IP address, accounts and payments). However, the Court also concluded that the general retention of data currently imposed on operators by French law is actually justified by a threat to national security. The Court also concluded that, even