France, Council of State, 26 July 2018 394922

Identification of the case

• Right to liberty and security (art. 6 CFREU)
• Respect for private and family life (art. 7 CFREU)
• Protection of personal data (art. 8 CFREU)
• Freedom of expression and information (art. 11 CFREU)

• Decree No. 2015-1185 of 28 September 2015 designating specialized intelligence services
• Decree No. 2015-1211 of 1 October 2015 relating to disputes over the use of intelligence techniques subject to authorisation and files relating to State security
• Decree No. 2015-1639 of 11 December 2015 on the designation of services other than specialized intelligence services authorized to use the techniques mentioned in Title V of Book VIII of the Internal Security Code, adopted pursuant to Article L. 811-4
• Decree No. 2016-67 of 29 January 2016 on intelligence-gathering techniques
• Decision of the Constitutional Council No. 2016-590 QPC of 21 October 2016
• Internal Security Code
• Administrative Justice Code

• Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000
• Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002
• Charter of the Fundamental Rights of European Union

Summary of the case

By three applications, some associations are seeking the annulment of French decrees implementing the Internal Security Code for excess of power. The Council of State ruled on those actions brought for the defence of freedoms on the Internet against provisions relating to techniques for the collection of personal data by the State. The purpose of the decrees is based on the collection of data, which are implemented solely for the purposes of preventing terrorism. Article L. 851-1 of the Internal Security Code, under the terms of which the disputed decrees are based, comes under Book VIII of the Internal Security Code relating to "Intelligence" and provides with article L. 801-1 for restrictions on the collection of data from electronic communication operators.

The applicants challenged the conformity of the decrees with article L. 851-1 and highlighted the problem of proportionality between the data collected and the freedom and protection of privacy.

The Council of State rejected the application directed against the decrees in so far as they implement the provisions of Articles L. 851-5 and L. 851-6, as well as those of Chapters II, III and IV of Title V of Book VIII of the Internal Security Code. The Council of State rejected the request on the basis of the restrictions laid down in the decrees, which exclude from the data thus collected the content of the correspondence exchanged or the information consulted. It stated that only data relating to connections likely to reveal a terrorist threat are collected. Those specific connexions must be collected and recorded by electronic communication service providers.

The Council of State dismissed several preliminary legal means:

- including the unconstitutionality of article L. 811-5 of the Internal Security Code contrary with the right to privacy and secrecy of correspondence resulting from Article 2 of the Declaration of 1789, which was nonetheless found by the Constitutional Council (Constitutional Council, 21 October 2016, No. 2016-590 QPC). The applicants cannot benefit from this priority question of constitutionality (which they nevertheless initiated) since the Constitutional Court did not intend to call into question the effects produced by the article prior to its repeal.

- As for the provisions governing disputes over the use of intelligence techniques, they do not affect the right to appeal (although a person cannot appeal directly to the court but can only lodge a complaint with a supervisory committee), the principle of contradictory proceedings (although certain information protected by defence secrecy are not transmitted to the applicant) or the right to privacy (although the persons under surveillance are not informed a posteriori of the measures concerning them) enshrined in the European Convention on Human Rights.

The main objection concerned the conformity of the contested decrees with Directive 2002/58/EC of 12 July 2002 as interpreted by the Court of Justice in the Tele2Sverige AB judgment (21 Dec. 2016, Case C-203/15). According to its terms, this Directive, read in the light of the European Charter, precludes national regulations imposing on operators a generalised and undifferentiated retention of Internet users' data.

The Court of Justice has clarified that "the protection of the confidentiality of electronic communications and related traffic data, guaranteed in Article 5(1) of Directive 2002/58, applies to measures taken by all persons other than users, whether private persons or entities or State entities" (CJEU, Grand Chamber, 21 December 2016, Tele2 Sverige, Watson and others, C-2013/15, C-698/153, § 77). Article 5 of the directive establishes the prohibition in principle of "listening, intercepting, storing communications and related traffic data or subjecting them to any other means of interception or surveillance" and of obtaining "access to information already stored in the terminal equipment of a subscriber or user".

The Council of State testified his opposition to this European case law by excluding techniques directly implemented by the State from the scope of the directive, thus restricting it to measures involving private operators. In so doing, it distances itself from the Court, for whom the directive applies to any manipulation of personal data by a third party.

Indeed, Article 15 of Directive 2002/58 allows Member States to take certain measures derogating from this Article 5, in particular "to safeguard national security" or "public security, or to prevent, investigate, detect and prosecute criminal offences", but only if such measures "are taken in accordance with the general principles of Union European law".

In France, almost all the measures authorised by the Internal Security Code are derogations from Article 5 of Directive 2002/58 including Articles L 851-1 et L 852-1 of the Internal Security Code.

The general principles of Union European law that a State must respect in order to derogate from Article 5 of Directive 2002/58 pursuant to Article 15 are defined both by the Charter (Articles 7 and 8) and by the GDPR.

The Council of State merely states that the intelligence resources are aimed solely at the prevention of terrorism and that this fact alone justifies their legality, without really considering the proportionality of the measures with private life.

The second objection related to the measures remaining within the scope of the directive after that restriction. Although "the disciplined application of the case-law of the Court of Justice" should have led to their repeal, the Council of State refer them to the Court of Justice, by way of a preliminary question, to encourage it to "reconsider its position". The Council of State has identified, in view of the "serious and persistent threats to national security", three difficulties of interpretation.

• Administrative judicial enforcement

Annulment of Decrees for excess of power;

In the alternative, refer a number of questions to the Court of Justice of the European Union for a preliminary ruling.

1° Is the obligation of general and undifferentiated retention, imposed on suppliers on the basis of the permissive provisions of Article 15(1) of the Directive 2002/58/EC of 12 July 2002, not to be viewed in a context marked by serious and persistent threats to national security and in particular by the risk of terrorism, as interference justified by the right to security guaranteed in Article 6 of the Charter of Fundamental Rights of the European Union and the requirements of national security, for which the Member States alone are responsible under Article 4 of the Treaty on European Union?

2° Must the Directive 2002/58/EC of 12 July 2002, read in the light of the Charter of Fundamental Rights of the European Union, be interpreted as authorizing legislative measures, such as measures for the real-time collection of traffic and location data relating to specific individuals, which, while affecting the rights and obligations of providers of an electronic communications service, do not impose on them a specific obligation to retain their data?

3° Must the Directive 2002/58/EC of 12 July 2002, read in the light of the Charter of Fundamental Rights of the European Union, be interpreted as meaning that it makes the regularity of the procedures for collecting connection data subject in all cases to a requirement to inform the data subjects where such information is no longer likely to jeopardise the investigations carried out by the competent authorities, or can such procedures be regarded as regular in the light of all the other existing procedural guarantees, provided that the latter ensure the effectiveness of the right to a remedy?

In substance, the Council of State asks the Court to define the conditions under which Directive 2002/58 and the Charter allow States to collect directly data covered by the obligation of secrecy of correspondence, in particular by intercepting connection or location data.

The State Council puts forward a valid argument for each of the questions.

The State Council argues that its rejection is based on the fact that the applications put forward a contradiction between the content of the decrees and the requirements of the Directive 2002/58/EC of 12 July 2002 which governs the activities of providers of electronic communications services by imposing specific obligations on them. National provisions which relate to intelligence-gathering techniques directly implemented by the State without governing the activities of electronic communications service providers by imposing specific obligations on them do not fall within the scope of this Directive.

The State Council seems to indicate that these decrees do not fall within the competence of the European legislator but rather within the one of the national legislator because of the context “marked by serious and persistent threats to national security, and in particular by the risk of terrorism”, and that the provisions in question thus fall within the requirement of national security "for which the responsibility lies solely with the Member States by virtue of Article 4 of the Treaty on European Union".

Then, on the third question the State Council states that the intelligence techniques used, which do not provide for notification to the persons concerned of the surveillance measures taken against them once they have been lifted, do not constitute an excessive infringement of the right to privacy in so far as a right to an effective remedy is guaranteed under Article L. 773-2 of the Administrative Justice Code.

Role of the Charter and role of the general principles on enforcement

Article 15(1) of the Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter of Fundamental Rights of the European Union, must be interpreted as precluding national legislation providing, for the purposes of combating crime, for the general and indiscriminate retention of all traffic and location data of all subscribers and registered users concerning all means of electronic communication.

Article 6: Right to liberty and security. Everyone has the right to liberty and security. Is the administrative access to and use of login data is an interference justified by the right to security guaranteed in Article 6 of the Charter?

L. 773-1 and L 773-2 Administrative Justice Code: provide that intelligence techniques carried out pursuant to Book VIII of the CSI may only be challenged in a specific procedure. Article 773-3 of the same Code provides that, in such proceedings, 'the requirements of adversarial proceedings ... shall be adapted to those of national defence secrecy', which implies in particular that the trial panel 'shall hear the parties separately where national defence secrecy is at issue' and that the documents then produced are not debated by the person who lodged the appeal.

Article 47 CFREU:

The Court of Justice has stated that "legislation which does not provide for any possibility for individuals to exercise legal remedies in order to gain access to personal data concerning them [...] does not respect the essential content of the fundamental right to effective judicial protection as enshrined in Article 47 of the Charter" (CJEU, Schrems, § 95). Pursuant to that Article 47, it decided that, as a matter of principle, 'it would be a breach of the fundamental right to an effective judicial remedy to base a judicial decision on facts and documents of which the parties themselves, or one of them, were not able to take cognisance and on which they were therefore unable to take a position' (CJEU, 4 June 2013, ZZ v Secretary of State for the Home Department,C-300/11, § 56).

Article 54 Directive 2016/680 et Article 79 §1 GDPR;

Article 13 ECHR:

The derogation made by the contested provisions of the Administrative Justice Code from the contradictory nature of the judicial procedure, the sole purpose of which is to bring to the attention of the judges elements covered by national defense secrecy and which cannot, therefore, be communicated to the applicant, allows the specialized panel, which hears the parties, to rule in full knowledge of the facts. The powers vested in it to examine applications, to note of its own motion any unlawfulness which it finds and to order the administration to take all appropriate measures to remedy the unlawfulness found guarantee the effectiveness of the judicial review which it exercises.

• Proportionality

Proportionality between intelligence measures and protection of freedom and private life. The public authority can’t jeopardize the protection for private life only in cases of public interest necessity provided for by law, within the limits set by the law and in accordance with the principle of proportionality.

Elements of judicial dialogue

• Direct dialogue between CJEU and National court (preliminary reference)

• Court of Justice of the European Union of 21 December 2016, Tele2 Sverige AB v. Post-och telestyrelsen and Secretary of State for the Home Department v. Tom Watson and others (C-203/15 and C-698/15)

Preliminary reference