The ruling avoids a potentially risky precedent being set
The Government needs to amend the law: France’s highest court, the Council of State, has told the country’s Government that the national data retention law must be compatible with EU law and with rulings of the European Court of Justice. The French Government now has six months to rewrite the data retention framework, and make it proportionate to threats to national security (as required by the ECJ) and ensuring that access to communications data by intelligence services is subject to prior review by an independent administrative body.
The French tried to bypass the ECJ: In a case that came as a result of appeals filed by some NGOs (including La Quadrature Du Net) and operator Free, the French Government tried to defend the country’s data retention laws, arguing that the ECJ’s ruling resulted in an interpretation of EU laws incompatible with the French constitution. The Council rejected this argument, noting that threats to national security justified the generalised retention of communications data. However, retaining such data for other purposes (e.g. the prosecution of criminal offences) is unlawful. The ruling avoids a potentially risky precedent, which could have given individual member states a way to justify exceptions to compliance with EU law.
Data retention rules have been problematic for several years: The European Data Retention Directive was adopted in 2006 as an exception to the principle of confidentiality of communications, enshrined in the ePrivacy Directive of 2002. The ECJ declared it invalid in 2014, because it permitted blanket data collection against the right of privacy in the EU Charter of Fundamental Rights. In October 2020, a new ruling of the ECJ declared national data retention laws invalid, but said there could be exceptions motivated by serious security risks. To this day, the legal vacuum continues, and EU member states have not yet found a way to square the circle between the rights established in EU treaties and the need to obtain communications data to tackle crime. This issue is also one of the stumbling blocks for the e-Privacy Regulation, which has been dragging on now for four years and where deep divisions in the trilogue negotiations between Commission, Council, and Parliament still remain.
