As an operator, we aggregate, process, and handle sensitive information. This information is that of the users of our services and their uses. This information is valuable for us from an operational point of view and is also very valuable for the state services that call upon the operators to deliver information on their users and their telecom uses within the framework of an investigation. However, the information we aggregate, as useful and sensitive as it may be, has a limited life span. It must be deleted after a certain period of time to comply with the right to privacy (notably the right to be forgotten) and the RGPD.
There are two major forces at work on this subject: the states on one hand, which seeks to have access to this information for as long as possible to ensure national security, and service users on the other hand, who demand their right to privacy and therefore the shortest possible retention of this data. While these forces take turns to assert their interests at the national and European levels, operators must comply with developments and adapt, particularly with regard to the length of time they retain usage information. So where do we stand in France? And how long should we keep this information?
The right to collect and transmit telecom data
Thus we, operators, collect, as required by the regulation, names, addresses, ID of the users of our phone numbers. We also keep in our databases CDRs (communications detail records) which are summaries of users’ telecom activities, the numbers called, for how long, at what time… Privacy issues are largely regulated by European law in the EU, which, being supranational, prevails over national law. Member States are then free to develop their national laws in accordance with the European framework.
So what does Europe say?
Well, Europe has defined a framework to protect the privacy of users through various texts:
- The famous GDPR, which is no longer to be presented, that deals with the management and protection of personal data on the territory of the European Union.
- The ePrivacy Directive 2002/58/EC, amended by Data Retention Directive 2006/24/EC and Directive 2009/136/EC.
- This text initially allowed EU member states to retain citizens’ telecommunications data for a minimum of six months and a maximum of 24 months.
However, the European Court of Justice declared the 8 April 2014 Data retention directive invalid on the basis of surveillance that is considered to be insufficiently supervised and generalized. Thus, the European Commission had to change this directive.
- Following this court decision, the new version of the ePrivacy directive is published and this new version allows the retention of users’ communication data as long as the operator needs this data for operational reasons. In particular for billing or commercial/marketing reasons if the user has given his consent.
- Consequently, European law currently allows operators to keep user data for as long as it takes to bill their customers and until the period for disputing the bill has passed. Thus, in most cases, the retention period of this data is between 1 and 3 months maximum.
- Other personal data, such as location data, if to be used for commercial or marketing purposes, must be anonymized before use and the operator must have received the end-user’s consent beforehand.
The court conclusions therefore considerably reduce the legal retention period for usage information and obviously change the national practices to such an extent that some countries do not comply with them.
The tug of war between the union and the member states
This noncompliance has been the case with France, Belgium, and the United Kingdom. To enforce European law, the European Court of Justice then launched the charge against these states for non-compliance with this European directive on the right to privacy. It renders its verdict in October 2020
In this decision the European justice:
- Recalls that member states do not have the right to mass surveillance, that the European directive prevails over national law, in particular with regard to the transfer of communications and location data by providers of electronic communications to state security services. It also states that providers must not indiscriminately and generally retain the communications data of their users.
- Recalls that states are therefore prohibited from enacting general laws that violate the confidentiality of private communications as provided for in Directive 2002/58/EC (in its amended version). Therefore, operators are prohibited from storing and transferring in a general and undifferentiated manner user data.
- It, therefore, provides a framework with which the member states must comply. Nevertheless, it recognizes the right of Member States to deviate from the Directive in certain specific cases when it is a matter of safeguarding national security and fighting crime.
So the devil is in the details, is it not? So “proportionate exceptions” can be applied, what are they?
- The first exception is the fact that a state can by decree, validated by an independent authority or a judge, ask operators to store and transfer user data in a general and undifferentiated way if it foresees a real and serious threat to its national security in the future. How far in advance and for how long can this situation last? Good question.
- The second one is that the member state may request targeted retention of traffic, location and IP address data, limited in time and to what is strictly necessary. This must be done in a non-discriminatory framework and on the basis of objective elements. On the other hand, the collected information may be retained if it is part of an investigation of a crime or a breach of national security already carried out during the period of that investigation.
- The third one is that the European Court of Justice has authorized the real-time collection of communication or location information in the context of a judicial request concerning a limited group of persons suspected of terrorist activity.
One aspect of the proportionality of these measures is that they must be time-limited and that a law imposing an exception without a time limit becomes de facto a general rule and goes against the directive.
So the European rule remains the default framework and unless otherwise ordered, personal usage data should be kept for a limited time necessary for billing purposes.
And speaking of counter-order, France retaliated.
Indeed, in April 2021, the Council of State approves the retention of connection data in a general indiscriminate manner and for one year. According to the Council of State, this decision does not contradict European law. Indeed, the Council of State considers that this decision is made within the framework of the exceptional cases authorized by the directive. Firstly it considers there is a threat to national security and secondly the state also fights against crime which makes two reasons for exceptions. In order to comply with the temporal aspect of this exceptional state, the Council provides that the government must re-evaluate the reality of the threat regularly. In order to end this “state of telecom emergency” and return to the standard European framework or possibly extend it. How many times can this exceptional state be extended? For how long? Will the fight against terrorism or crime have disappeared at the next review? This is a good question. In any case, rights defenders have denounced the vagueness of the decision of the Council of State, fearing that its interpretation will lead to generalized surveillance in the long term through the extension of this state of emergency, which is contrary to European law.
Okay, so what’s the current deal?
France has therefore decided to interpret the European directives in the sense of longer retention of communication data, in this case, 1 year. One can imagine that the decision of the Council of State will again be the subject of a procedure in front of the European Court of Justice and it is likely that France’s interpretation will be debated. Especially since this decision is not isolated. Germany (which asks to keep the data for 10 weeks) and Italy (also 1 year) are also in opposition with European law. Moreover, on May 25, 2021, the ECHR repeated in a court decision against the United Kingdom, which has become a precedent for member states, the “necessity and proportionality” in the context of massive data collection and that this practice must provide a “framework of end-to-end guarantees”, including those mentioned above.
Operationally this means that :
- Operators in France must comply with French law as long as it is not judged contrary to European law and must therefore apply the decision of the Council of State. It is, therefore, necessary to keep the communication information for a period of 1 year. This situation will undoubtedly evolve but this is the situation now.
- Nevertheless, the European framework applies, and therefore, except for French (and German and Italian) exceptions, for the European activities of operators, non-anonymized communication data can be kept during the billing period and the period necessary for the processing of disputes.
- On the other hand, this information must be kept for the duration of the investigation if it is part of the file.
- Anonymized information may be retained for marketing and sales purposes with the user’s consent.
That’s all for now in this still-evolving story and hopefully, we’ve brought some clarity to it. We will update this article as soon as there are further developments!