The Court of Justice of the European Union (CJEU) is soon to release its judgment on a range of cases regarding data retention and access to metadata, brought before the court by digital rights organisations from France, Belgium, and the UK. Its decision will unquestionably have significant consequences for surveillance and data retention regimes across Europe. For a better understanding of what is to be expected from the final ruling, a close look at the Advocate General’s opinion is warranted.

On January 15th, 2020, Advocate General (AG) Manuel Campos Sánchez-Bordona released his opinion in three cases pending before the Court of Justice of the European Union (CJEU) that question the regime of retention and access to metadata. The AG concluded with an upholding of the ban on bulk surveillance of metadata (or “traffic and location data”, i.e. data related to a communication, excluding the content of this communication), but admitted the possibility of a limited and discriminate retention obligation. Additionally, he disagreed with the plaintiffs that challenged the validity of real-time surveillance of metadata.



Background

For the purposes of fighting and preventing crime and terrorism, EU Member States require electronic communications services to retain metadata, usually on an indiscriminate basis. Upon request, police or intelligence services are able to access the retained metadata at a later point. The mandatory retention period varies between six months and two years in general, and the requirements for access to metadata are supposed to be strict.

In 2014, the CJEU pronounced the Digital Rights Ireland Ltd (DRI) judgment that declared Directive 2006/24/EC invalid as it would allow Member States to make retention of all metadata mandatory. In 2016, it reaffirmed this with the Tele2 Sverige AB and Watson (Tele2) judgment that confirmed the DRI ruling by extending it to a national legislation.

The cases pending at the CJEU started with questions referred for a preliminary ruling. Three referring courts raised concerns about the validity of their national legislation concerning the metadata retention regime and the European case-law. In France (case C‑511/18), the Conseil d’État asked whether the Court could reconsider its jurisprudence regarding the context of security threats and terrorism. In Belgium (case C‑512/18), the Constitutional Court questioned the possibility of a general retention of metadata for criminal cases and, in particular, sexual abuses of minors. In the UK (case C‑623/17), the Investigatory Powers Tribunal of London had doubts regarding the scope of European Union law and of the e-Privacy Directive.



Metadata: to retain or not to retain?

In both DRI and Tele2 judgments, the Court explicitly declared that a legislation that requires an indiscriminate retention obligation would not comply with the EU Charter of Fundamental Rights, as it would exceed limits imposed by the principle of proportionality in light of Articles 7 (respect for private and family life) and 8 (protection of personal data). Furthermore, judgments also mentioned Article 11 and a possible interference with the right to freedom of expression and information. The Charter is therefore now interpreted as precluding Member States from imposing a retention obligation of all metadata in their national law.

The DRI and Tele2 cases were challenges to legislations that required the retention of all metadata. The CJEU declared that the indiscriminate retention of metadata was illegal. Yet, it mentioned the possibility of a limited retention in Tele2: “Article 15(1) of Directive 2002/58, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter, does not prevent a Member State from adopting legislation permitting, as a preventive measure, the targeted retention of traffic and location data, for the purpose of fighting serious crime, provided that the retention of data is limited, with respect to the categories of data to be retained, the means of communication affected, the persons concerned and the retention period adopted, to what is strictly necessary”. (Tele2 judgment, paragraph 108). In other words, and a contrario, Member States can (but aren’t obliged to) adopt a framework legislation if providers of electronic communications services want to retain some of the metadata processed by them. It’s a slight but important precision: the Tele2 judgment does not empower Member States to institute an obligation in their national law to retain targeted metadata. It just refers to a scenario where electronic communications services need to retain some of them: only in that situation, Member States should adopt a framework to impose a targeted retention.



Moving from possibility to obligation

Metadata retention is often needed by electronic communications services, for instance to manage invoices or to respond to security threats. The Tele2 judgment embodies this reality by foreseeing the need for such a retention.

The AG’s opinion tends to confirm the principles of the DRI and Tele2 cases: Member States cannot introduce obligations of retention of all metadata. In September 2019, during the hearing, the judges asked the plaintiffs and Member States their thoughts on a limited and discriminate retention obligation. While the position of the plaintiffs was clear (no metadata retention obligation, even if it is a limited and discriminate one), the position of the Member States was not. Some of them, like Sweden — whose legislation was challenged in Tele2 — asked for an exhaustive list of metadata that could be subject to retention. Others, including France, rejected the very idea of a non-massive metadata retention obligation.

In this context, the AG’s opinion attempted to spare the Member States by ignoring the plaintiffs. During the hearing, however, he seemed to understand the plaintiffs’ opposition to a targeted (or limited and discriminate) retention obligation. But in his opinion, the AG dismissed the explanations of the plaintiffs: it should be acceptable to allow Member States to force electronic communications services to retain metadata if it is in a limited and discriminate way.

Surprisingly, the AG did not make a proportionality test. While the Tele2 and DRI judgments were strict on this point (see, for example, paragraphs 93 of Tele2 or 45 of DRI), the AG’s opinion did not explain at any time why or how a limited and discriminate retention could be a proportionate limitation to the rights of the Charter. This proportionality test, also found in the ECHR case-law, consists of verifying that the limitation of a fundamental right protected by the Treaties (in our case, Articles 7, 8 and 11 of the Charter) satisfies three conditions: adequacy (the limitation must achieve the pursued objective), necessity (it must be impossible to achieve the objective by any other less-prejudicial way) and proportionality stricto sensu. In both Tele2 and DRI judgments, the Court emphasized the lack of necessity.

Clearly, the AG was trying to address a fear repeated by Member States throughout the hearing: that the CJEU case-law, specifically the Tele2 judgment, would limit their ability to protect national security and fight terrorism. But their defense as to why they needed to retain all metadata in order to do that was quite unclear, resting mainly on particularly egregious singular criminal cases where metadata access had supposedly helped in the investigation. However, as judges highlighted in their questions, they failed to demonstrate how metadata access was a decisive factor in solving even these cases. Member States have repeatedly stated that they cannot, and will not, comply with the Tele2 case-law. Almost all Member States — not only those concerned by the cases — have defended during the hearing and in their opinions the possibility of mass surveillance, invoking national security and the fight against terrorism. Such an inflection is not new in this area. In the Tele2 case, the AG already considered that the challenged Swedish legislation was not incompatible with the Charter. However, in its final judgment, the Court did not follow him.



The justification for a retention obligation

In his conclusions in the Belgian case, the AG noted that Member States were already criticising the DRI judgment at the time of the Tele2 case. However, according to him, the Tele2 judgment merely confirmed the DRI rules without taking into account the criticisms made.

In support of the shift of the Tele2 case-law suggested, the AG reiterated the distinction between access and retention of metadata. However, he came to a different conclusion: strict rules on access to metadata make it possible to “compensate” for the infringement created with a mandatory retention. Hence, the AG endorsed the position of some of the Member States without, however, accepting the idea of indiscriminate retention obligation.

Unfortunately, the AG thereby ignored concerns about the reality of controlling access to metadata. While calling for effective oversight, he did not question the reality of such control, even though the French plaintiffs underlined the lack of effectiveness of the intelligence oversight body in practice. Moreover, by making it possible to bypass the oversight body in case of emergency, the AG approved a common practice in many Member States: by abusing the use of emergency situations or the lack of adequate human resources, intelligence services can and do bypass ex-ante control when accessing metadata.

Sadly, a question posed by the Court at the hearing was ignored by the AG. At the very end, the U.S. system of metadata retention was discussed and, in particular, the lack of a obligation of metadata retention. In short, the U.S. system is close to what the CJEU stated in paragraph 108 of the Tele2 judgment. In other words, it supports the idea that it is not necessary to have a retention obligation – no matter if it is limited and differentiated or indiscriminate — as long as such a retention, on a voluntary basis, is regulated. And it would not be serious to argue that U.S. national security is undermined by this.

Moreover, on top of admitting a limited and differentiated retention obligation, the AG also conceded that, in “truly exceptional situations”, Member States could fall back to an obligation of retention of all metadata. The complexity therefore consists in the definition of what constitutes a “truly exceptional situation”. The AG did not offer such a definition but precluded national security threats and terrorism — possible exceptional contexts suggested by the Conseil d’État — albeit without explaining why. Yet, in France, the state of emergency following the attacks of November 2015 lasted several years and many of the measures resulting from the emergency legislation are now in the Penal Procedure Code.



Real-time access to metadata

The French case raised a particular question regarding algorithmic surveillance. French intelligence law allows the use of “black boxes”, a tool that helps real-time analysis of metadata of a particular network (which can scale from one building to, potentially, the entire network of a national ISP) in order to detect threats that are undetectable by a human analysis. When such a threat is detected, an alert is raised and intelligence services can deploy additional surveillance measures concerning the detected suspect. The tool monitors all network traffic and focuses its analysis on the metadata: the content of the communications is ignored (although processed). French law does not create an obligation for electronic communications services to retain all metadata, but simply allows intelligence services to use their algorithm to access metadata.

Discussions at the hearing focused on the nature of the access of these black boxes to metadata. If the challenged legislation so far created a retention obligation for a potential future access, then the idea of retention no longer makes sense since access is real-time. The French plaintiffs argued, however, that this type of surveillance not only targets the content of the communications (when it processes URLs for example), but is also disproportionate since it involves access to all metadata. The disproportionality argument is interesting because it pinpoints an interference with the Charter despite no conservation.

Once again, the AG rejected any interference with the Charter. He remained rather unclear — the question is addressed in four paragraphs — and seemed to discard the possibility of any access to metadata by an algorithm. Actually, the AG did not deduce any consequence of the presence of real-time processing of metadata in terms of access: more precisely, he did not even mention a possible access to metadata when discussing the algorithms in charge of surveillance. Paragraph 146 of his opinion in the French case seems to reflect a lack of understanding of the technical reality of algorithmic surveillance. During the hearing, the French plaintiffs tried to bring attention to the consequences of an algorithmic analysis of traffic which, even if it is limited to metadata, will necessarily mean dealing with the content of communications. By assuming that there is no possible access to metadata via an algorithm, the AG concluded a potential decisive discussion with a misunderstanding.



The CJEU could rule against its AG

Here is an AG pleading for a softening of the Tele2 and DRI case-law. In 2016, such a move had already been called for in the Tele2 case, in which AG Henrik Saugmandsgaard Øe validated the principle of metadata retention by diverging from the DRI judgment. However, this was not the approach adopted in the final Tele2 judgment and the Court could do the same here by upholding its strict jurisprudence and its rigorous proportionality test. The Court will necessarily have to rule on the compatibility of a limited and discriminate retention obligation with EU law, since the Member States and its AG have invited it to declare such an obligation compatible. But a proportionality test as strict as in Tele2 would most likely lead to the decision that such an obligation — even a limited and discriminate retention obligation — exceeds the limits imposed by compliance with the Charter, in particular because the Court has already stated that a retention obligation is not necessary for the objectives pursued (national security and the fight against terrorism).

The final judgments are expected before the summer. They will have implications all across Europe. If the CJEU follows its AG, it will also recognise that Member States may, with no consequences for them, ignore a court decision (the Commission has not initiated any infringement actions). On the contrary, if it upholds its case-law and rules that a retention obligation is still incompatible with EU law, it will give a clear message that the European Union is uncompromising, both legally and in terms of its values.