The Belgian Constitutional Court’s data retention judgment: a revolution that wasn’t
1.Background to the preliminary question
The digitalisation of society resulted in an unparalleled ‘datafication’ of our communication. We increasingly use digital technology to communicate, seek information and express ourselves. Every time we connect, click or browse on the internet intermediary internet service providers and operators (ISP’s) collect data on the account we use, from which device we connect, with whom, how long and how we connect, and where we are. These metadata of our online presence are of particular interest to law enforcement and intelligence services in order to fight crime and keep our society safe.
Therefore, most EU member states introduced legislation obliging ISP’s to retain the subscriber, traffic and location data of all users on the state’s territory. However, experts questioned whether these compulsory general data retention schemes were compatible with the right to privacy and protection of personal data. Already in 2014 the Court of Justice of the European Union (CJEU) decided in the Digital Rights Ireland – case that the EU data retention directive violates articles 7 (protection of privacy) and 8 (protection of personal data) of the EU Charter as well as the E-privacy directive because it provided of a compulsory retention of all EU-citizens’ communication data including those that did not pose any security risk or were not involved in criminal investigations. The Belgian constitutional court in consequence annulled the Belgian legislation that implemented the data retention directive (CC 11 June 2015, n° 84/2015).
In 2018, the CJEU argued that the principles of Digital Rights Ireland also applied to national data retention schemes. In the cases Tele2 and Watson, the Luxembourg court found that a compulsory untargeted retention of communication data to fight crime was only justified for subscriber data, i.e. the data necessary to trace and identify the source of a communication, and this only under strict conditions of access, use and storage of these data. Location data and traffic data that identify the destination, the date, time and duration of a communication could not be covered by an indiscriminate retention scheme. National legislation could only oblige ISP’s to collect traffic and location data to fight crime if targeted on objective grounds, e.g. because the person is suspected to have committed or to commit a crime, or within certain geographical zones.
In consequence of these judgments national constitutional courts were asked to rule on the national data retention legislation in view of the CJEU’s case law. The Belgian data retention legislation had been drafted in follow-up of the annulment of the previous law by the constitutional court applying the Digital Rights Ireland – reasoning. The Belgian legislator reinstated a general retention of all subscriber, location and traffic data, but limited the access to these data for law enforcement. When this new legislation was attacked before the constitutional court, it appeared prima facie problematic because it obliged ISP’s to retain subscriber, traffic and location data of all users on the Belgian territory contrary to the Tele2/Watson-reasoning of the CJEU. Instead of ruling on the constitutionality of the legislation, the Constitutional Court send new preliminary questions to the CJEU asking whether the Belgian legislation violated EU law, in particular the right to privacy and data protection (BCC 19 July 2018, n° 96/2018). The CJEU joined the Belgian preliminary question with the question sent by the French Conseil constitutionnel because of the similar issues raised.
2.La Quadrature du Net: Luxembourg speaks, Brussels listens
In the case La Quadrature du Net (LQDN), the CJEU reiterated its previous reasoning. It held that subscriber data could be retained indiscriminately for fighting crime under strict conditions, but that this was not the case for location and traffic data. These could only be retained for fighting crime when targeted, e.g. on the basis of geographical zones. The CJEU concluded therefore that national legislation is incompatible with EU law in so far as it provides of indiscriminate retention obligations for location and traffic data to fight crime. In reply to the critique that the CJEU’s data retention case law undermined the security of the state, the Court made two concessions to its previous jurisprudence. First, it accepted that such data could be retained indiscriminately for the state’s security in so far the state showed that there is a present, genuine and foreseeable serious threat to the national security. Second, the CJEU specified that IP-addresses are considered subscriber data in so far that these data are used for identifying the source of communication. IP-addresses are unique addresses that identify a device on the internet. They are vital to identify who and which device is behind certain online communication or action. This implies that states can impose an indiscriminate data retention for these data. The CJUE further added that it was not up to the national courts to limit the temporal effects of the declaration of illegality. Because of the principle of primacy and the effectiveness of EU law, only the CJEU could decide on such temporal measures. The Court declined to provide temporal measures for national data retention schemes, which must not surprise given that it had already clearly stated the principles in its previous Tele2/Watson – case, which many countries decided to ignore. As such, little manoeuvring room was left to the French and Belgian constitutional courts to salvage the national legislation.
When the case returned to Brussels, the Belgian constitutional court loyally applied the CJEU’s findings. In the judgment of 22 April 2021 (BCC n° 57/2021), the Court quoted many paragraphs of the LQDN-judgment to find that EU law precluded an indiscriminate retention of traffic and location data, which was provided in the Belgian legislation. It emphasised that the data retention provision in national legislation did not distinguish between subscriber data on the one hand and traffic and location data on the other hand and could, therefore, not decide differently than finding the legislation in its whole unconstitutional. The Court held that in line with the CJEU’s reasoning in this sense, it could not provide a temporal effect to the legislation. The legislation became null and void at the moment of the publication of the constitutional court’s judgment on 28th June 2021. The minister of justice communicated that a new law on data retention would be drafted, but this is yet to be introduced in parliament.
3.A revolution that wasn’t: the constitutional courts’ preference for coherence
The Belgian constitutional court uncritically aligning its case law with the CJEU’s comes as no surprise in view of the Belgian constitutional tradition. Already in 1971 the Court of Cassation, Belgian’s supreme court, accepted the primacy of directly applicable international law (Court of Cassation 27 May 1971, Franco-Suisse Le Ski judgment). Also the Belgian constitutional court is considered a ‘Europhile’ court given that it regularly sends preliminary questions to Luxembourg, in contrast to most other European constitutional courts. Nevertheless, the constitutional court does not accept the unconditional primacy of EU law. In its 2016 TSCG-judgment, the constitutional court highlighted that the transfer of powers to international organisations could not result in a derogation from the national identity inherent in the fundamental political and constitutional structures or the basic values of the protection provided by the Constitution (BCC 28 April 2016, n° 62/2016, and repeated in BCC 30 September 2021, n° 127/2021). Whereas this ‘solange’-rationale might suggest a critical stance to the CJEU’s case law, in practice the constitutional court loyally implements the Luxembourg case law and frequently asks its guidance via preliminary references. As such, it was expected that when the constitutional court was asked in 2018 to rule on the constitutionality of the Belgian data retention legislation, it would annul the legislation given that it clearly violated EU law by providing for untargeted location and traffic retention, which the CJEU had already found to violate the EU Charter.
Therefore, it came as a surprise when the Belgian constitutional court sent preliminary questions to the CJEU. All the more unexpected was the framing of the questions. First, the constitutional court asked the CJEU to address the compatibility of untargeted retention of location and traffic data to fight crime with EU law, which was a matter that Luxembourg had already clearly decided two years earlier in the Tele2/Watson-cases. Second, the constitutional court questioned whether the CJEU’s answer would be different if it took into account the positive obligations on the authority to conduct effective criminal investigations of sexual abuse of minors. Thereby, the constitutional court incorporated in preliminary question the critique voiced by the Belgian government that it would be impossible to investigate serious crime, and in particular cybercrimes such as online child sexual abuse material, without a general retention of traffic and location data. In its judgment of referral the Constitutional Court highlighted that the majority of the member states appeared to have great difficulties in enforcing their legislation on data retention in line with the requirements set by the Court of Justice. Given this remark as well as the fact that the CJEU had already explicitly ruled against a general retention of these data, the constitutional court’s reasoning could not but be interpreted as an open invitation to the CJEU to reconsider its case law.
AG Campos Sanchez-Bordona forcefully rejected this invitation and highlighted in his Opinion in LQDN that he had “already” clearly indicated that a general retention of traffic and location data violated articles 7 and 8 of the Charter in the Tele2/Watson-cases and that Belgium and France were basically asking the same question again. Notwithstanding the open critique by member states on the CJEU’s case law, the reluctance to put themselves in line with this jurisprudence and the suggestion of the Belgian constitutional court, the CJEU stuck to its principled stance outlawing indiscriminate retention of traffic and location data. Yet, it did made some concessions in view of the critique, in particular by indicating that IP-addresses are subscriber data and can therefore be retained. The CJEU held in line with the Belgian constitutional court’s judgment of referral that a balance was to be struck between rights and interests, including positive obligations on the state. According to Luxembourg, this necessitated the retention of IP-addresses, because in case of online crime IP address might be the only means of investigation. The CJEU explicitly referred to battling online child abuse and exploitation. Likewise, the CJEU took the criticism of the referring Belgian, French and British courts on board that indiscriminate data retention was necessary for national security, allowing for such retention in case of an imminent threat. It was argued that the CJEU thereby was willing to sacrifice the coherence of its reasoning in the data retention case law to appease the national courts.
Some national opponents of the CJEU’s case law hoped for a critical reception of the LQDN-judgment by the Belgian constitutional court. However, in line with its tradition the Belgian constitutional court loyally and uncritically applied Luxembourg’s reasoning by simply copy-pasting the paragraphs from the judgment and applying it to the Belgian legislation. Rather than witnessing open rebellion, the interaction between the Belgian constitutional court and the CJEU exemplifies a mature constitutional dialogue whereby preliminary references are used to inform the Luxembourg court of the national struggle to implement its case law and where the CJEU is willing to rethink its case law, even to the detriment of the coherence of its own case law.