French administrative court walks data retention tightrope

The Council of State backed France's data retention practices, while partially annulling them.

French administrative court walks data retention tightrope

PARIS — France’s highest administrative authority on Wednesday avoided a direct clash with the EU’s top court while offering partial support for the country’s data retention practices.

In a mixed assessment, the Council of State rejected the French government’s argument that the EU top court is not competent to rule on national security issues, but put forward a solution that would still allow France to hold on to citizens’ data with some limits. 

The ruling shows the Council trying to balance competing imperatives: allowing intelligence services and judicial authorities to continue accessing data to fight crime while somehow staying on the right side of European law.

Under the French rules, telecom operators and hosting providers are required to keep a range of connection data including numbers called, the dates and duration of calls, IP addresses and location data for up to a year.

In October 2020, the Court of Justice of the European Union said the French regime was illegal, but the government asked the Council of State not to abide by the ruling.

Digital rights nonprofit La Quadrature du Net, activist internet service provider French Data Network and the Federation of Associative Internet Service Providers have been battling the state on its data retention rules since 2015.

The government argues that data retention is essential to solving crime and fighting terrorism, but privacy campaigners say its practices are illegal and amount to mass surveillance.

At Wednesday’s press briefing, a Council of State official said “context, the current climate and principles” compel the authority to abide by the CJEU’s ruling. 

He argued that “rebelling” against the Luxembourg court would “encourage resistance” when “Eastern capitals” — an apparent reference to Poland and Hungary — are currently in a dispute with the CJEU over the rule of law.

The Council of State ordered the government to repeal the rules forcing telecom operators to keep connection data for a year, and rewrite them in a way that is more compliant with the EU ruling. The administrative body said the rules requiring internet hosting providers to retain IP addresses were legal.

Overall, the administrative authority said holding data for a year was not unreasonable, but that it was up to the government to decide when it redrafts the regime.

The Council of State did not challenge the legality of intelligence services accessing the data per se, but said the current law was “incomplete” and should include a binding opinion from an independent authority — not the Prime Minister’s office, which currently approves data access authorization requests.

The government has six months to comply.

National security and serious crime

The Council of State cited the CJEU’s ruling, which says indiscriminate and bulk data retention is legal if used to fight against a national security threat. It said that since France is currently under a national security threat, holding on to data is justified.

Still, the French administrative authority said the government should rewrite its data retention rules to make it clear that information is maintained for national security purposes. The government should also add to the new scheme a regular reassessment of national threats — subject to review by administrative courts.

While large-scale data retention is legal for national security, it isn’t for battling serious crime, the CJEU ruled. Instead, it allows narrow, targeted data retention “according to the categories of persons concerned or using a geographical criterion.”

The Council of State said sticking to those strictures is not technically feasible nor operationally efficient, and backed the government’s argument that connection data such as localization — knowledge of where people are — is indispensable to conduct successful investigations. 

To fight criminal activity, the authority recommended the Budapest convention, an international treaty signed by France that allows authorities to require companies to “freeze” data for up to 90 days — a process called “expedited preservation” — and to renew such orders.

In practice, the ruling does not change much for telecom operators, who will still have to keep people’s data, a Council of State official said during the press conference. What will change is how data will be accessed for criminal investigations, he said.

The official added that Wednesday’s decision also does not provide guidance on what rules apply to other public authorities that also have access to the vast troves of data — including the Financial Markets Regulator and the piracy watchdog Hadopi — adding that he expected new cases on this specific issue in the future.

The CJEU is currently deliberating on a case concerning the French Financial Markets Regulator, and whether it can use the pool of connection data retained by telecom operators to track down insider trading.

La Quadrature du Net criticized the Council of State’s decision, arguing it “validates mass surveillance in the long run.” The prime minister’s office did not immediately reply to a request for comment.

UPDATED: This article has been updated to include more details about the ruling.

Source : Politico EU More