By Gionata Bouché and Etienne Valk
The data retention debate is becoming ever more complex, or so it is written. Since the second La Quadrature du Net (LQDN) installment by the Court of Justice of the European Union (CJEU) on 30 April 2024, it is at least becoming a bit clearer. The CJEU answers preliminary questions on the alignment of national legislation with Directive 2002/58 (the ePrivacy Directive), more specifically concerning the retention of and access to personal traffic data by public authorities for identifying (alleged) copyright infringers.
We begin this blog post by outlining the main facts of the case and the questions raised before the CJEU. Secondly, we proceed to unpack the ruling by guiding the reader through the proportionality assessment conducted by the CJEU in light of Art. 52 of the EU Charter of Fundamental Rights (CFR). Our aim is to contextualise the present judgment in the CJEU’s line of case law, while highlighting some of the CJEU’s innovations.
Facts and legal questions
The preliminary questions were prompted by a dispute between the French government and civil society organisations defending the rights and freedom of citizens on the Internet, including NGO La Quadrature du Net. In France, Hadopi is the independent public authority tasked with preventing copyright violations on the Internet. In order to combat online unlawful dissemination of copyrighted material, rightholder organisations can submit complaints to Hadopi reporting infringing conduct by users of electronic communication services associated with one or more IP addresses.
This is where the impugned administrative procedure kicks in. The procedure consists of a ‘graduated response’ building on several steps. Upon receiving a notification of infringement, Hadopi is authorised, under French legislation from 2010 and 2017, to request from electronic communication providers access to the identity of the holders of the IP addresses connected to the infringement. Once a match is made, Hadopi sends a first warning to the (alleged) infringers. When the violation does not cease within a year, Hadopi can notify infringers that their actions may be considered “gross negligence”. At this stage, Hadopi may also impose a minor fine, which can increase in the event of a repeat offence. As a last resort, in case of serious or persistent infringements, Hadopi can refer the case to the public prosecution service for possible criminal charges, such as counterfeiting.
La Quadrature du Net and other organisations filed a case against the French state, claiming the French legislation from 2010 and 2017 governing the procedure is in violation of EU law. They argued that data retention and access competencies for the purpose of preventing copyright violations disproportionately infringe on the fundamental rights of individual citizens. The case ended up before the Conseil d’Etat (French Supreme Court for administrative justice), which decided to refer preliminary questions to the CJEU.
The Conseil d’Etat asked whether Article 15(1) of Directive 2002/58, read in light of Articles 7, 8, and 11 and Article 52(1) of the CFR, should be interpreted as prohibiting national laws that allow a public authority responsible for protecting copyright and related rights to access data retained by providers of publicly available electronic communications services. These are the IP addresses and the corresponding civil identity data of the suspected infringers. Additionally, the referring court seeks to know whether such access can be granted without prior review by a court or independent administrative body.
While a considerable part of the judgment relates to the legal permissibility of accessing civil identity data of suspected infringers, our analysis focuses mostly on the retention of and access to IP addresses. The CJEU does reach some interesting conclusions about the permissibility of access to users’ identities, such as when (partly) dispensing enforcement authorities from requesting prior review by a court or an independent administrative body for the disclosure of those identities. Nevertheless, in our opinion, no substantial shifts in the CJEU’s dealing with civil identity data of communication services users take place. In previous case law, the CJEU consistently stressed the broader margin for state authorities to gain access to information purely revealing a user’s identity compared to other traffic data (Ministerio Fiscal, para. 60; LQDN I, para. 157). From a purely legalistic perspective, the lower sensitivity attributed to this category of information indeed allows the CJEU to less controversially reduce the burden on authorities seeking access to the identity of infringing users. The same cannot be said about its justification for the general retention of and access to IP addresses serving that end.
The CJEU’s proportionality assessment
Any interference with the confidentiality of citizens’ electronic communications under Art. 15 of Directive 2002/58 must fulfil the requirement of proportionality inscribed in Article 52(1) CFR. The CJEU’s assessment is therefore always explicitly guided by the objective of striking the appropriate balance between the competing needs of national authorities and the citizens’ rights to privacy and data protection, while safeguarding the latter’s essence (CJEU Digital Rights Ireland, para. 40). Legislative measures imposing general and indiscriminate data retention requirements on electronic communication providers, for example, did not pass the CJEU’s test (see Digital Rights Ireland and Tele2 Sverige).
As the EU legislator explicitly intended the requirement of proportionality as ‘strict’ under the Directive (see Directive 2002/58, Recital 11), the CJEU has demanded that derogations from the right to data protection remain ‘strictly necessary’ (Digital Rights Ireland, para. 52; Tele2 Sverige, para. 96). Throughout the last decade, however, the CJEU has tended to adapt its approach in light of evolving political priorities and technological circumstances. The reasoning followed in the present case is an illustration of this trend.
Overview of the CJEU proportionality analysis in LQDN 2024
As mentioned above, the CJEU had to evaluate whether the French legal framework secures a proportionate outcome in providing Hadopi with the power to retain and access civil identity data associated with individual IP addresses of (potential) copyright infringers. The judicial reasoning essentially builds on three main factors: (1) the seriousness of the interference, (2) its legitimate aim, and (3) the safeguards implemented against abuse.
The seriousness of the interference
First, the CJEU assesses the seriousness of the interference with the rights of the users entailed by the powers granted by the legislator to the enforcement authorities. For the CJEU, this has usually boiled down to determining to what extent the latter are put in the position of “drawing precise conclusions about the private life of the person” when retaining and/or accessing their personal data (Digital Rights Ireland, para. 27; Prokuratuur v H.K., para. 45; LQDN II, para. 96).
An important novelty here is the CJEU’s removal of the “serious interference” label from the general and indiscriminate retention of IP addresses where these are merely instrumental in revealing the identity of a potential infringer (para. 79). This is a clear departure from its previous finding in LQDN I that both retention and access to IP addresses by default make for a serious interference (para. 153). As of the present judgment, the relevant factor is instead whether there is a “genuine” belief that such retention and access could not lead to the commission of a serious interference with the private life of the person concerned. Such genuine belief would be dispelled, for instance, by the suspicion that state authorities could possibly link those IP addresses with other traffic or location data retained about the same individuals (para. 82).
Secondly, in substantiating how this risk could be “genuinely ruled out”, the CJEU also delineates specific technical and organisational measures to be implemented by administrative and law enforcement authorities (see Safeguards against abuse, below). To critical observers, the CJEU’s standards applied in previous rulings to state authorities’ access to the identity of internet users should have raised concerns in the absence of explicit safeguards against online profiling. This is even more evident considering the CJEU’s insistence on the need to take into account all available datasets “as a whole” when assessing profiling risks (Ministerio Fiscal, para. 54; LQDN I, para. 184). One could indeed criticise the CJEU’s prior lack of engagement with the technical and procedural safeguards which should prevent, or at least deter, any unlawful profiling and cross-referencing of Internet users’ identity with their traffic data, and in particular their IP addresses. In LQDN I, the CJEU did recognise the possibility of tracking the clickstream of Internet users through IP addresses – liable to reveal highly sensitive information (para. 153) – as well as the “risks of abuse and unlawful access” inherent to the mass retention of traffic data (para. 119). However, it refrained from elaborating on how the function-creep temptation of state authorities – let alone the impact of a potential data leak – should be concretely mitigated if access to Internet users’ identities is to be eased. A new framework, discussed below, is elaborated in the present judgment and arguably attempts to fill in these shortcomings.
Not so serious crimes
The second point the CJEU touches upon in its assessment is the legitimacy of the interference based on the aim pursued by the state authorities. These may range from the prevention of national security threats or serious crimes to ordinary crimefighting.
In the present case, the CJEU again takes an interesting detour from its previous stances on the retention of IP addresses. The CJEU now sanctions the objective of combating “criminal offences in general”, including copyright violations, as a legitimate aim for retaining IP addresses in a general and indiscriminate manner (para. 85). This is only subject to the condition that no serious interferences with the private life of the affected individuals take place (para. 82).
Previously, the CJEU had affirmed the incompatibility between the aim of combating ordinary crime and the imposition of general and indiscriminate retention measures for traffic and location data of subscribers of an electronic communications service provider (Tele2 Sverige, para. 112). Later, in LQDN I, it eased this stance by conceding the legitimacy of broad retention measures targeted at traffic data, including IP addresses, subject to time limitations (LQDN I, para. 168). However, such interferences would only be permitted for the purpose of safeguarding national security, combating serious crime or preventing serious threats to public security (LQDN I, para. 168). Not even an expansive interpretation of the ruling could extend this finding to the objective of fighting crime in general – until the present judgment, at least.
The reasoning applied by the CJEU to navigate the barriers raised in LQDN I in relation to minor crimes is an interesting one. As also pointed out in AG Szpunar’s Opinion on the case, the CJEU could not in fact squeeze this kind of violation under the heading of “serious crime” (AG Opinion, LQDN II, para. 74). The key for the CJEU to justify an expansion of state powers even when dealing with ordinary offences is the risk of “systemic impunity” that could arise for copyright and related rights infringement, as well as analogous forms of cybercrimes (LQDN II, para. 119). This would be the undesirable consequence of restraining the general and indiscriminate retention of IP addresses to exceptional circumstances, despite this being, in the eyes of the CJEU, the only means for the state to proportionately investigate the perpetrators. The applicant organisations did advance more privacy-friendly alternatives to that end, including the possibility of identifying suspects through social media username and activity. However, the CJEU (and the AG) dismiss this, claiming that it would entail an even more serious interference with the data subjects’ private sphere (para. 121).
Safeguards against abuse
After having balanced the seriousness of the interference with the pursued legitimate aim, the last step of the assessment in the CJEU’s proportionality analysis is to look at existing safeguards against state abuse under the impugned laws which may impact the proportionality of the interference in either direction.
In sanctioning general and indiscriminate measures to retain IP addresses and collecting related civil identity data, the CJEU delineates mandatory safeguards, as already mentioned above, which should be incorporated in national legislative frameworks regulating data retention and access for the aim of combating ordinary crime. Specifically, the law must oblige state authorities to internally silo civil identity data from corresponding traffic data (para. 86) and to implement technical measures ensuring a “genuinely watertight” separation between these categories, by means of secure and reliable computer systems (para. 87). Any lawful linking between different datasets needs to be enabled through an “effective technical process” that does not de facto undermine their separation (para. 88). Here, the CJEU seems to hint at data management strategies such as federated data systems or other privacy-enhancing technologies (e.g. data masking). The reliability of this process must ultimately be subject to periodic review by a competent public body which is independent of the authorities seeking access to the data (para. 89). While it is true that previous judgments already stressed the decisive role of additional safeguards in proportionality assessments, we find this is the first time that the CJEU mandates the implementation of an explicit technical requirement in the context of Art. 15 Directive 2002/58.
According to the CJEU, these technical and organisational measures, coupled with the imposition of strict confidentiality duties and a prohibition of profiling citizens via their IP addresses and clickstreams, would enable a regulatory framework such as the one applicable to Hadopi’s activities to pass the proportionality test (para. 122). Moreover, the CJEU reiterates (see LQDN I, para. 168) the importance of promoting an organisational culture of data minimisation and storage limitation by means of additional legal guarantees (LQDN II, para. 93).
Conclusion
With LQDN II, the CJEU rules in favour of effective online enforcement by national authorities. The judgment does elaborate more concretely on the technical and organisational measures expected of state authorities in the processing of traffic data of users of electronic communication services. On the other hand, it further lowers what constitutes, in our opinion, an (already light) burden for national authorities to access civil identity data of online users.
What is striking about this judgment, however, is the outcome-based reasoning followed by the Court in justifying the undermined protection for users’ IP addresses. Compared to previous case law, the retention of and access to IP addresses for law enforcement purposes no longer entail a serious interference and are justified for combating any kind of online criminal activity, whether serious or not. The only requirement is that national law subjects enforcement authorities to technical and organisational safeguards dispelling the risks of individual profiling.
In general, this is an interesting case of how the CJEU invests in data protection accountability to provide more slack for governments’ extension of legitimate online enforcement powers. For La Quadrature du Net, instead, the judgment dodges the fundamental rights-nature of the questions asked and does not achieve anything more than digging online anonymity a ‘little further’ into its grave.