Can European states demand from operators a massive collection of connection data for legal and intelligence purposes? EU justice makes a decision on Tuesday that is awaited with concern by magistrates and police.
Asked by the courts in France, Belgium and the United Kingdom, the Court of Justice of the EU (CJEU), based in Luxembourg, will rule at 9 a.m. on the legality of these practices.
The whole question is whether it will confirm a 2016 judgment called “Tele2”: the Court then ruled that the member states could not impose on suppliers a “generalized and undifferentiated obligation” to collect and store traffic data. and location data.
Concretely, the metadata of internet connections and telephone conversations – which do not relate to the content of the messages but the conditions under which they were exchanged (identity, location, date, duration, etc.) – could not be kept by the operators.
But several EU states continue to require such a collection so that police, magistrates or intelligence services can access this data.
The Court’s Advocate General, Manuel Campos Sanchez-Bordona, estimated in mid-January that the French, Belgian and British rules requiring operators to keep or transmit user data in an “undifferentiated” manner, in particular for the purposes of fight against terrorism, were contrary to European law.
While “recognizing the usefulness of a data retention obligation to safeguard national security and fight crime”, the Advocate General “pleaded in favor of limited and differentiated retention (…) as well as for limited access to this data ”. His opinion is not binding on the Court.
For their defense, the states concerned rely on the Treaty on the EU, according to which national security “remains the sole responsibility of each member state”.
The Court examined several decrees of application of the French code of internal security, of 2015 and 2016, attacked by the organizations La Quadrature du Net, the access provider French Data Network and the Federation of associative internet access providers. .
For the Advocate General, the French regulations are certainly “in a context marked by serious and persistent threats to national security” but they “do not establish the obligation to inform the persons concerned of the processing of their data. personal data ”and contradicts the 2002 Privacy and Electronic Communications Directive.
“Whether there can be targeted surveillance of people who are dangerous or suspected of being dangerous is one thing”, conceded at the beginning of 2020 Alexis Fitzjean, lawyer for La Quadrature du Net, an association for the defense of the rights of Internet users.
“But keeping all traces of connection in an undifferentiated way for such long periods is mass surveillance, contrary to the rule of law,” he insisted.
Belgian and British regulations which impose on operators the same type of massive collection are also incompatible with European law, according to the Advocate General.
The human rights NGO, Privacy International, had taken legal action in the United Kingdom. Organizations representing lawyers, accountants and legal professions in Belgium, for their part, considered that professional secrecy was no longer guaranteed.
A possible confirmation by the CJEU of its “Tele2” judgment is giving the French intelligence services a cold sweat, which evokes “a disaster” likely to “seriously hamper” their investigations.
In many cases, such as that of the 2015 attacks, these data “constitute an essential + raw material for judges and investigators”, observed François Molins, Attorney General at the Court of Cassation last year. “Many ongoing criminal investigations” could be stopped short or their acts nullified, he warned.
Access to data is obtained in France at the request of a magistrate, and in matters of information subject to authorization by the services of the Prime Minister.