There is a recent French decision, the “French Data Network” decision from 2021, in connection with the primacy of EU law from the Council of State (Conseil d’État). The aim of this post is to study this decision and to review its main statements regarding the French practice of the EU law application. French constitutional identity is strong and builds on a solid historical background, however, it must be pointed out that France is one of the most dedicated supporters of the European Union toward an ever-closer Union and further integration. Nevertheless, the Data Network case has far-reaching implications on the interpretation of EU law, as well as how France, the engine of integration, tries to reconcile EU law with its own national (constitutional) law when adjudicating EU law related cases.

Background of the case

People generate metadata through their online activities. Previous searches, IP addresses, location, or communication on social media are part of the private lives of people using the internet. However, the law in recent years more or less reacted to the changes in online data processing and privacy, rather than taking actions against platforms gathering data from people and initiating a protective legal environment rather than giving a chance for malpractice to occur. Regarding the privacy of personal data, there is always a crucial aspect to who can access these data and to what extent. (More on the (mis)usage of our personal data here, and on the “regulation revolution” here.)

The French telecommunications law (available here) is favorable toward the retention of data when it comes to purposes of national security. The French regulatory provisions in the case at hand (Post and Electronic Communications Code Article R10-13) allow the authorities for a maximum period of one year to retain in a general and indiscriminate manner data from the electronic communications operators for the purposes of investigating, establishing and prosecuting criminal offenses. According to Article R10-13 of the Code, this data allows for the identification of the user, the location of the communication, and the technical characteristics (date, time, and duration) of any communication. Moreover, the Internal Security Code (precisely Book VIII)  also allows certain techniques to prevent acts of terrorism by surveilling the electronic communication of persons.

Enabling state organs to retain data of individuals in general is highly debatable, even in the legal community. This does not however change the fact that France has had a lengthy list of terrorist attacks committed against its citizens from the recent years. In 2021, the same year the French Data Network decision came out, there were 140 terrorism-related arrests in France. The country also experienced the highest number of attacks (there were five) in Europe. This is an important sidebar before delving into the facts of the case, and before making any conclusions about the decision of France regarding the retention of metadata.

Constitutional and European law aspects

The primacy of European law establishes that EU law always prevails when a conflict arises between an aspect of EU law and an aspect of national law. This legal principle was questioned several times throughout the history of the European Union, in earlier posts I have mentioned a few of these and presented them. France is famous for its creative solutions “mingling” compliance with both its Constitution and the relevant EU law.

The Constitution of the Fifth Republic emphasizes in Article 88(1) that the French national law must comply with EU law. Under the primacy principle of the EU law, this also means the necessary adaptation of national law to European regulations. However, if under EU law there are no effective guarantees for constitutional requirements, the administrative court must set aside EU law to the extent required to guarantee compliance with the Constitution. In this case, constitutional requirements such as protecting France from criminal activity and terrorism. To this end, in modern crime prevention techniques, the use of metadata is highly effective, therefore France protects its laws concerning the allowance of such retention of data.

Lost and Found? The Conclusions of the French Data Network Case

The most important finding regarding the case was that France preserves its capacity to store the above-mentioned data of individuals for intelligence purposes (it is not lost). However, the way it establishes its capacity for retention is a clever legal maneuver from the Council of State. In the words of Thibaut Larrouturou, rather than deciding between the superiority of the national law over the EU law (or the other way around with the Constitution having the highest authority), the Council of State chose a conciliatory perspective for resolving the legal conflict. This legal conflict being the French government asking the Council of State not to apply relevant CJEU precedent stating that the storage of personal data interferes with the privacy of individuals. (By stating the above, Tele2 Sverige, limits national laws for the general retention of data to the most serious threats to public security and prohibits its usage for the discovery of ordinary crimes. In this regard, however, the French Code on data retention established a wider competence than the case law of the CJEU permitted. Article 15 of the Directive on Privacy and Electronic Communications also deals with this question, however, it gives the Member States the possibility to take the necessary measures for the protection of public security, defense, State security, and the enforcement of criminal law.

The reconciliation between EU law and constitutional law 

To quote Brunessen Bertrand, the Council of State found a very pragmatic approach to the case at hand, rather than setting aside the EU law. The Council of State in its judgment drew attention to an inconsistency in the solution of the CJEU regarding the retention of data: any targeted retention proves impossible to apply since it is obviously not possible to anticipate the commission of a crime in advance. Therefore, indiscriminate retention, prohibited by the CJEU in “ordinary crimes”, is necessary for the effectiveness of criminal investigations.

So what exactly happened? Did the Council of State disregard the primacy of EU law by overruling the jurisprudence of the CJEU? Technically, the Council of State overruled the CJEU without formally overruling the CJEU. This was possible because the Council did not overlook the CJEU jurisprudence, as it only clarified a legal error. In reality, there is no way to anticipate the degree of a crime that will be committed in the future. Crimes can only be evaluated after they have been committed, therefore member states could not store data which could lead to catching the offenders.

The Council of State in the French Data Network case also implicitly referred to the importance of the French Constitution, or even to the supremacy of the Constitution by essentially neutralizing the case law of the CJEU to be utilized. To quote Professor Bertrand once more, the Council neutralized EU law through its interpretation in a way that the decision’s finding complies with the constitutional requirement of the necessity to protect the public order.

Márton Balogh is a law student in his fourth undergraduate year at the University of Pécs, Hungary, and a student at the MCC Law School. As of this year, he is a holder of the graduate scholarship of the Aurum Foundation. He is mostly interested in European law. His current study and research interests include the practice of the European Court of Justice in the Common Foreign and Security Policy, the primacy of European law, and migration and asylum law in the European Union. He envisions his future working in the European Union, where he currently interns at the European Parliament.