Soutenons La Quadrature du Net !

Data Retention: Will the French Council of State Defy the ECJ?

Paris, 10 February 2016 — As the French Council of State is set to render a first decision on this burning issue this Friday1, Privacy International (PI) and the Center for Democracy and Technology (CDT) have submitted a third party intervention aiming to support the legal challenges brought by FDN, the FDN Federation and La Quadrature du Net. The goal: repealing the provisions enforcing the generalised retention of metadata in France and allowing the European Court of Justice (ECJ) to play its role of guardian of fundamental rights.

A bit of context

In the weeks following World Trade Center attacks of 9/11 and the terrorist attacks in London and Madrid in 2004 and 2005, France and several countries voted laws in favour of a general retention of connection data. The European Union adopted Directive 2006/24/CE on 15 March 2006, imposing the principle of general retention of connection data to all Member States of the Union, with a range of retention periods ranging from six months to two years.

But on 8 April 2014 the Digital Rights decision, the ECJ has invalidated the directive. At this time, the interference with privacy rights had already been denounced by constitutional and administrative jurisdictions among Member States. National judges had deemed that these provisions entailed a disproportionate encroachment on the citizens' right to privacy and freedom to communicate. Such conclusions were reached in Romania (2009), Germany (2010), Bulgaria (2010), Cyprus (2011) and Czech Republic (2011).

On 24 December 2014, the French Government adopted a decree referred to as “LPM”2. It is against this decree that the "exegetes amateurs”3 brought their first legal action. Soon after they initiated another legal challenge on the refusal by the French Government to abrogate:

  • article R. 10-13 (fr) of the Post and Electronic Communications Code;
  • Decree 2011-219, of 25 February 2011 (fr), amending provisions related to judicial requisitions in article 6 the Law on Digital Trust and Economy (LCEN), 2 June 2004 (law 2004-575).

Both legal actions aim at the same goal: to expose the French mass surveillance measures' contradictions with European law and to come back to more targeted and proportionate approaches. In their third party intervention, CDT and Privacy International analyse both the European Court of Justice's (ECJ) and the European Court for Human Rights' (ECHR) case-law and remind that in the aftermath of the Digital Rights ruling, several courts across Europe invalidated national laws' provisions4.

It is therefore the French Council of State's turn to do the same. Otherwise, it should at least refer the matter to the ECJ to ensure that the French law on the subject respects European Union's law. This would appear all the more essential since two preliminary rulings to clarify the Digital Rights ruling's consequences are pending before the ECJ. If the Council of State failed to do so, it would not only go against the European case-law and its upholding by many Member States' supreme courts, but also turn its back on two constitutive elements of the European Union, namely: the Charter of Fundamental Rights of the European Union on the one hand and the dialogue between judges on the other hand.

Will France thumb its nose at the ECJ?

A hearing has already taken place on 27 January 2016 before the French Council of State on the legal action against the LPM decree. On this occasion, the public rapporteur (a judge) opposed the idea of the Council of State referring the matter to the ECJ for a preliminary ruling, so as to evaluate the conformity of the French law with the Charter. According to him, this would not be appropriate as French measures would "in any case" be validated because it is more precise than the 2006 directive invalidated by the ECJ.

This argumentation is extremely political as well as chocking. It goes against several rulings in other European countries5, against a report of the European Parliament's own legal services but also of statements in the annual report (fr) of the French Council of State itself which recognised that the applicability of the Charter could not be dismissed6?

On 12 February at 2pm, the French Council of State will take a first decision on the appeal against the LPM decree. If French judges had to validate the French measures or to object to a preliminary ruling to ECJ, this would not only be the sign of profound defiance towards the ECJ, but also a real denial of justice vis-à-vis French citizens.

As a worldwide debate is being held against Internet surveillance measures and when, all across Europe, courts are pushing towards an overhaul of national legislations in order to take account of the ECJ's case-law, the dismissal of the action initiated by FDN, FFDN and La Quadrature du Net would symbolize a new historical step back for the rule of Law in France. It would be yet another sign of the historic crisis the European Union is currently facing.

For more informations:

  • The offical release of the third party intervention by CDT;
  • The abrogation request (fr) of the article R. 10-13 of the Post and Electronic Communication Code and of the 2011-219 decree of 25 January 2011, which modify the dispositions related to judicial requisitions under the article 6 of the Law of Trust in the Digital Economy (LCEN) of 21 June 2004 (2004-575);
  • The LPM brief (fr);
  • To read more on the actions of the Exegetes Amateurs see this page;
  • 1. On the 12 February at 2pm, the French Council of State is set to give its first decision on the legal challenge against the Military Programming Act (LPM)
  • 2. Decree n° 2014-1576 of 24 December 2014 on administrative access to connection data.
  • 3. Nickname given by former MP Jean-Jacques Urvoas to the group of activists of the three aforementioned associations. The exegetes are mobilised against the French government's abuses infringing freedoms on the Internet.
  • 4.
      Examples:
    • In June 2014, the Austrian Constitutional Court invalidated most of its national law. Telecom operators immediately stopped retaining the concerned data;
    • On 3rd July 2014, Slovenian Constitutional Court quashed a decision on data retention. The three main rationales raised by the Court were the massive and indiscriminate retention of a significant part of the population's data without any justification, the lack of motivation of the retention duration (8 months for Intenet connection data), the use of other motives than "serious crimes";
    • In Romania, the first transposed national law was invalidated by the Constitutional Court as early as in 2009. The government adopted a new law in 2012. On 8 July 2014, the Constitutional Court declared this 2012 law unconstitutional as well;
    • In Bulgaria, the Constitutional Court declared the national law unconstitutional on 12 March 2015;
    • To finish, the Belgian Constitutional Court ruled on 12 June 2015 that the transposing Belgian law adopted in June 2013, "with similar grounds as the ones that brought the ECJ to invalidate the 'data retention' directive", and in particular taking into consideration the generalised and undifferentiated aspect of the retention, the legislator violated the human rights Charter, hence, the Belgian Constitution.

  • 5. See the request for a preliminary ruling from the Kammarrätten i Stockholm (Sweden), lodged on 4 May 2015 — Tele2 Sverige AB v Post- och telestyrelsen (Case C-203/15):

    "Is a general obligation to retain traffic data covering all persons, all means of electronic communication and all traffic data without any distinctions, limitations or exceptions for the purpose of combating crime (as described [below under points 1-6]) compatible with Article 15(1) of Directive 2002/58/EC, 1 taking account of Articles 7, 8 and 15(1) of the Charter
    If the answer to question 1 is in the negative, may the retention nevertheless be permitted where:

    • access by the national authorities to the retained data is determined as [described below under paragraphs 7-24], and
    • security requirements are regulated as [described below under paragraphs 26-31], and
    • all relevant data are to be retained for six months, calculated as from the day the communication is ended, and subsequently deleted as [described below under paragraphs 25]?"

  • 6. RICHARD, Jacky et CYTERMANN, Laurent, 2014. Le numérique et les droits fondamentaux, Les rapports du Conseil d’État. S.l. Conseil d’État. [Last visited on the 29th May 2013]. Études du Conseil d’État, p. 200. Avalaible here: http://www.ladocumentationfrancaise.fr/rapports-publics/144000541/index.... (fr).