“Customizing” La Quadrature du Net: The French Council of State, National Security and Data Retention

Arianna Vedaschi (Bocconi University)

On 21 April 2021, the French Council of State (FCS) delivered a ruling that follows up the decision of the European Court of Justice (ECJ), La Quadrature du Net and others. In this case, the Luxembourg Court, deciding several referrals for preliminary rulings submitted, among others, by the FCS itself, held that, in the light of EU law, some limits exist to the general and indiscriminate retention of data by electronic service providers on crime prevention and national security grounds. The FCS was faced with how French lawmaker should implement EU law as interpreted by the ECJ in its 6 October 2020 judgment.

The FCS hit two major points: first, it addressed the Government’s argument that, in La Quadrature du Net, the ECJ acted ultra vires, touching upon national security, a matter that remains in the exclusive competence of member states. Second, it dealt with the challenging balance between national security and privacy rights.

Although the ultra vires issue – actually raised for the first time by the French Government before the FCS – is of outmost interest, especially considering the 2020 much-debated judgment by the German Constitutional Court on the European Central Bank, it will not be the focus of this comment. Here, suffice it to say that – differently from German judges – the FCS pointed out that it is not for the administrative judge to check whether the ECJ respected the correct allocation of competences.

This very short piece aims to remark some aspects of the second point, i.e. the FCS’s stance on security versus rights. In this regard, at least three key issues deserve consideration.

First, the FCS observed that, in line with the ECJ’s stance, the French decrees allow general and indiscriminate retention of traffic and location data for national security purposes (e.g. the fight against terrorism, but the French higher administrative court singled out many other examples, as foreign espionage or threats to public peace).  However, the Council required regular monitoring by the French Government in order to verify the persistence of national security threats, a safeguard that – like other requested changes – the French lawmaker is bound to introduce within a 6 months deadline given by the FCS itself. This is a significant caveat that the FCS added, since it inextricably links the intrusiveness of measures to the timing of the terrorist threat and gives implementation to the principle of proportionality.

Second, the FCS examined the use of above-mentioned data, retained on national security grounds, by intelligence services (even through automated tools), allowed in France on the mere authorization of the Prime Minister. The FCS noted that the French legal framework failed to provide appropriate oversight by an independent authority (a requirement that the ECJ has stressed since Digital Rights Ireland in 2014). What is more, the opinion of the Commission Nationale de Contrôle des Techniques de Renseignement (CNCTR), which the Prime Minister is obliged to hear before giving his authorization, is not binding. And the fact that, over the time, the Prime Minister has never departed from the CNCTR’s opinion is not enough to say that the oversight mechanism is appropriate. Therefore, French provisions should be rewritten making the CNCTR’s opinion binding.

Third, the FCS accepted the ECJ’s view that massive retention shall be prohibited in the fight against ordinary crime (i.e. other than national security threats). However, the FCS disagreed on the method suggested by the ECJ to approach retention in case of ordinary crime.

In this respect, the ECJ proposed that, as far as serious (ordinary) crimes are concerned, retention is allowed only if targeted to certain geographical areas and categories of persons (i.e. not generalized). No retention of traffic and location data is permitted, instead, for (ordinary) crimes that cannot be defined “serious”. The CFS held that targeted retention suggested by the ECJ is not feasible in practice, being impossible to determine a priori whether an offence will be committed, where and by whom.

The FCS offered an alternative for a “mitigated” data retention: it recommended a procedure set by the Council of Europe Convention on Cybercrime (2001), allowing states to require providers to “freeze” data for maximum 90 days (“expedited retention”). Moreover, the FCS rejected the ECJ’s thesis that this “diminished” form of retention shall be carried out only for “serious” crimes and stated that a “sufficient degree” of seriousness is enough.

This complex decision prompts a couple of considerations.

First of all, the French administrative court endeavoured to “customize” La Quadrature du Net on the French system, unlike the Belgian Constitutional Court, which, on 22 April 2021, adhered literally to the ECJ’s stance and annulled domestic law on data retention.

At the same time, the judges of Palais-Royal refrained from engaging in ultra vires review, which would trigger a “war among courts” – something that, instead, the German Constitutional Court vigorously did. They rather took a someway “interlocutory” approach, raising doubts on the practicability of some ECJ’s findings and coming up with alternative options.

By working out (partially) different solutions to the ECJ’s one, the FCS is giving a “concrete” shape to the challenging balance between national security and rights, which otherwise risks remaining relegated to a theoretical and abstract dimension.

Second, practical considerations of the FCS on retention techniques, its request to the French Government to make the CNCTR’s opinion binding as well as detail in listing national security threats show that, similarly to the ECJ in some previous decisions (e.g. Opinion 1/15 on PNR data), this court is increasingly closer to do the job of a lawmaker (or even of a technical expert), than that of a traditional-style judiciary body. And what is more interesting is that such transformation is happening in a country where, traditionally, the judge was considered to be no more than a “bouche de la loi”.

In such a sensitive field, i.e. national security, it seems that “activism” by courts should not be necessarily reproached as an undue overreach into the realm of other powers, but rather regarded as an attempt to weigh up interests at stake.

Arianna Vedaschi is Full Professor of Public Comparative Law at Bocconi University.

The views expressed in this article reflect only the position of the author and not necessarily the one of the BRIDGE Network Blog.

Latest Posts