National legislation providing for the general and indiscriminate retention of traffic data for the purpose of combating market abuse offences is incompatible with EU law. In addition, a national court cannot restrict the temporal effects of a declaration that national legislation providing for such retention is invalid. These are the main conclusions in the CJEU’s Grand Chamber judgment in the Joined Cases C-339/20 and C-397/20 (VD and SR). The judgment was delivered on 20 September 2020 – on the same day as the CJEU’s judgment concerning the (in)compatibility of the German rules on data retention (→ separate news item).

Facts of the case

The case at issue concerned investigations against VD and SR in respect of insider dealing, concealment of insider dealing, corruption and money laundering. They were initiated by the Autorité des marchés financiers (Financial Markets Authority, France; “AMF”), which collected certain information from operators providing electronic communications services. Under French law, investigators are allowed to request such operators to transmit traffic data in connection with telephone calls for the purposes of investigating market abuse, including insider dealing, as defined by Regulation (EU) No 596/2014. Operators had to retain such data for one year from the date on which they were recorded.

VD and SD challenged the use of the information obtained by the AMF. They first argued that the legal basis for the collection of the data did not comply with EU law as interpreted by the numerous CJEU’s judgments on data retention. Second, French law did not lay down any restrictions on the powers of the AMF’s investigators to require the retained data to be provided to them.

The reference for a preliminary ruling

The referring Cour de Cassation (Court of Cassation, France) was unsure whether the French legislation can be maintained. It pointed out on the one hand that EU law on market abuse (i.e. Directive 2003/6 and Regulation 596/2014) oblige that competent national authorities should have the investigatory powers to require existing telephone and existing data traffic records. In addition, such data are the crucial, and sometimes the only, evidence to detect and prove the existence of market abuse offences, such as insider dealing or market manipulation. On the other hand, Art. 15(1) of Directive 2002/58/EC on privacy and electronic communications, read in the light of Arts. 7, 8, 11, and 52 CFR and as interpreted by the CJEU restricts the possibilities of national legislators to provide for a general and indiscriminate retention of data (→ eucrim 3/2020, 184-186 and eucrim 2/2022, 115). In essence, the referring court asked how the obligations to combat market abuse and to safeguard privacy can be reconciled. Against the background of case law by the Conseil constitutionnel (Constitutional Council, France), the Cour de Cassation additionally asked as to whether the French legislation – if proved to be inconsistent with EU law – retains provisional effects, in order to avoid legal uncertainty.

The CJEU’s decision

First, the CJEU ruled that neither the wording nor the context nor the objectives of the Market Abuse Directive/Regulation allowed the conclusion that the EU legislature intended to give Member States the power to impose on operators providing electronic communications services a general obligation to retain data. Thus, this EU law cannot constitute the legal basis for a general obligation to retain the data traffic records held by operators providing electronic communications services for the purposes of exercising the powers conferred on the competent financial authority under those measures.

The only measure of reference on the retention is the Directive on privacy and electronic communications (Directive 2002/58/EC). It solely governs the question on the retention of traffic data to be used to investigate crimes in the context of market abuses. It follows, however, from this Directive as interpreted by previous CJEU case law (see above) that the general and indiscriminate retention by operators providing electronic communications services of traffic data for a year from the date on which they were recorded for the purpose of combating market abuse offences including insider dealing, is not authorised.

Second, the CJEU upheld its established case law according to which EU law precludes a national court from restricting the temporal effects of a declaration of invalidity which it is required to make, under national law, with respect to provisions of national law. The CJEU argued that maintaining the effects of national legislation such as that at issue in the main proceedings would mean that the legislation would continue to impose on operators providing electronic communications services obligations which are contrary to EU law and which seriously interfere with the fundamental rights of the persons whose data have been retained.

Lastly, the CJEU pointed out that the question of the admissibility of evidence obtained as part of the (unlawful) data retention is a matter of national law. This follows from the principle of procedural autonomy. However, the national law must respect the principles of equivalence and effectiveness. As a consequence, a national criminal court would be obliged to disregard information and evidence obtained by means of the general and indiscriminate retention of data in breach of EU law if:

• The persons concerned are not in a position to comment effectively on that information/evidence;
• Information/evidence pertain to a field of which the judges have no knowledge and
• Information/evidence are likely to have a preponderant influence on the findings of fact.

Put in focus

The present judgment in VD and SR fits into the series of CJEU rulings on the legality of data retention. The judges in Luxembourg stick to their line that national laws providing for the general and indiscriminate retention of electronic communications data for the purpose of combating criminal offences are not in line with EU law and thus unlawful. In the present case, the CJEU ultimately saw no conflict between the Directive on privacy and electronic communications and the EU regulations on market abuse. First it makes clear that clauses in secondary EU law harmonising the fight against certain forms of crime (here: market abuse offences) do not give green light for the national legislature to implement data retention rules. Second, it is clarified that the sole yardstick to assess the legality of data retention is Directive 2002/58/EC. The French legislator must now take action and bring its national law in line with the CJEU’s case law.