On 22 April 2021, the Belgian Constitutional Court annulled the Act of 29 May 2016 on the collection and storage of data in the electronic communications sector (the Data Retention Act). This judgment, which follows a decision of the Court of Justice of the European Union (CJEU) pursuant to the Constitutional Court’s request for a preliminary ruling in respect of article 15(1) of the Directive 2002/58/EG of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (the e-Privacy Directive), may have significant implications for the Belgian investigation and prosecution authorities in their fight against serious crime and threats to national security.
Pursuant to the Data Retention Act, telecom and internet companies are required to retain electronic and telephony data of its users for 12 months for criminal investigation and prosecution purposes. The Data Retention Act was created to address the annulment of article 126 of the Act of 13 June 2005 concerning electronic communication by the judgment of 11 June 2015 of the Constitutional Court. According to the preparatory documents of the Data Retention Act, the legislator deemed a specific, differentiated retention obligation impossible and, hence, opted for a general, non-differentiated retention obligation with strict safeguards in respect of security and access.
An action for annulment in respect of the Data Retention Act was brought before the Constitutional Court on 11 January 2017 by, among others, the French and German-speaking Bar (Ordre des barreaux francophones et Germanophone) and the League for Human Rights (Liga voor Mensenrechten). By interim judgment of 19 July 2018, the Constitutional Court referred a request for preliminary ruling to the CJEU. In essence, the Constitutional Court asked the CJEU whether article 15(1) of the e-Privacy Directive prohibits national legislation which provides for a general obligation for providers of electronic communications services to retain traffic or location data for purposes of investigating and prosecuting (serious) crime and safeguarding national security.
Pursuant to Article 15(1) of the e-Privacy Directive “Member States may adopt legislative measures to restrict the scope of the rights and obligations provided for in Article 5, Article 6, Article 8(1), (2), (3) and (4), and Article 9 of this Directive when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (ie State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system, as referred to in Article 13(1) of Directive 95/46/EC. To this end, Member States may, inter alia, adopt legislative measures providing for the retention of data for a limited period justified on the grounds laid down in this paragraph. All the measures referred to in this paragraph shall be in accordance with the general principles of Community law, including those referred to in Article 6(1) and (2) of the Treaty on European Union.”
On 6 October 2020, the CJEU issued its ruling in joined cases C-511/18, C-512/18 and C-520/18 and concluded that article 15(1) e-Privacy Directive does not allow national legislative measures which, for the purposes laid down in article 15(1), provide, as a preventive measure, for the general and indiscriminate retention of traffic and location data. In other words, the CJEU decided that mass storage of personal data, as a general and preventive measure, is not in line with EU law. However, the CJEU also ruled that certain measures can be allowed insofar that they meet objective criteria that establish a connection between the data retained and the objective pursued. For example, the CJEU expressly allows the targeted retention of traffic and location data which is limited, on the basis of objective and non-discriminatory factors, according to the categories of persons concerned or using a geographical criterion, for a period limited to what is strictly necessary for purposes of safeguarding national security, combating serious crime and preventing serious threats to public security. Also legislative measures that provide, for the aforementioned purposes, for the general and indiscriminate retention of IP addresses for a period that is limited in time to what is strictly necessary, are allowed according to the CJEU.
In its decision of 22 April 2021, the Constitutional Court follows the CJEU’s reasoning and further emphasises that the CJEU also ruled that certain legislative measures can be allowed if they meet objective criteria and are limited to what is strictly necessary. In that respect, the Constitutional Court finds that the Data Retention Act aims at broader objectives than safeguarding national security, combating serious crime and preventing serious threats to public security and that the interference is thus not limited to what is strictly necessary. In addition, the Constitutional Court points out that such requirement to retain traffic and location data should be the exception, not the rule, must set out clear and precise rules regarding the scope and application of such measure, whereby certain minimum requirements should be implemented, and should ensure that the interference is limited to what is strictly necessary.
As regards the consequences of the annulment, the Constitutional Court concludes, in reference to the CJEU’s ruling in case C-520/18, that it does not have substantiated reasons to limit the consequences of the annulment. As a result, the competent criminal court must decide on the admissibility of the evidence collected on the basis of the application of the Data Retention Act.
Due to the annulment of the Data Retention Act, the Belgian authorities lose an important (but unlawful) instrument in the context of criminal investigations and prosecutions. As a result, the federal government has already started to prepare an amending act in order to address the concerns expressed by the CJEU and the Constitutional Court in respect of proportionality and privacy.
Following the CJEU’s judgment of 6 October 2020, the French Constitutional Court (Conseil d’Etat) issued a judgment on 21 April 2021 in relation to similar legislative measure on access to and retention of connection data (such as identity data, traffic data and location data). Unlike the Belgian Constitutional Court, the French Conseil d’Etat ruled that the French legal framework’s requirement that telecommunications operators must retain all user connection data for one year for the purposes of intelligence and criminal investigations is justified by a threat to national security, as required by the CJEU. Nevertheless, the Conseil d’Etat found that the general obligation to retain data for purposes other than national security is unlawful.