In the context of a preliminary investigation or a flagrante delicto investigation, the public prosecutor may ask a judicial police officer to obtain the telecommunications data of a person concerned by the investigation, including the suspect. This mechanism is provided for by the French Code of Criminal Procedure: Articles 60-1 and 77-1-1.
Telecommunications data can be crucial in an investigation and reveal a lot of information to investigators. Whether in terms of geolocation data or traffic data, the information helps to advance a judicial investigation.
However, this mechanism could be severely limited following a judgment delivered by the Court of Justice of the European Union on March 2, 2021. This follows a case in Estonia but could nevertheless impact the French procedure.
Do you want to know your rights and obligations with regard to the retention of data by a telephone operator? Pierre de Roquefeuil, a lawyer specializing in information technology law in Paris, can advise you and ensure that your interests are respected. The specialized lawyer will help you to identify the procedure adapted to your situation.
In which cases can the device for accessing data stored by telephone operators be used?
French law requires telephone operators to retain metadata for one year so that the intelligence services and the authorities can access it in the context of a judicial investigation.
Pierre de Roquefeuil, lawyer specializing in digital and communication law in Paris, provides you with some information on the management of access to data stored by telephone operators.
Files list all our telecommunications data: the date and time of telephone communications, the identity of the interlocutors, but also geolocation data. Private companies keep this data for one year in order to allow law enforcement and intelligence services to have the possibility of requesting this information in the context of an investigation.
Three decrees of October 20, 2021 determine the applicable framework for the retention of connection data by electronic communication operators, internet access providers and hosts. They specify the conditions for communicating authorization requests.
The request for authorization to communicate connection data and the prior authorization to access the data must be formulated in writing and transmitted in such a way as to ensure its confidentiality and to be able to certify that it has been received.
Thus, the legislation provides that the request for authorization to communicate connection data can specify for each investigation:
– The name of the suspected person or the name of any other person for whom access to the connection data is necessary for the investigation. If necessary, when the name is not known, the IP address or any other connection data may be requested.
– The connection data or types of connection data requested for each person or in each case.
– The periods during which access to connection data is requested.
– The factual and legal elements that justify the request.
These decrees demonstrate the importance of connection data in the context of legal cases. The public prosecutor may, in the context of an investigation, request all the connection data concerning him. This data can allow investigators to obtain key information in an investigation.
Indeed, in the context of the prevention of terrorism, the use of metadata is essential. Location data of suspected individuals as well as wiretaps can provide investigators with key information. This information can prevent individuals from taking action. For the purpose of protecting national security, the use of this information is authorized by the French Internal Security Code.
The Roquefeuil law firm sheds light on French legislation on access to metadata. The specialized lawyer explains the consequences of the judgment of the Court of Justice of the European Union.
What are the consequences following the judgment of the Court of Justice of the European Union?
The Court of Justice of the European Union (CJEU) has ruled practices of "widespread and undifferentiated" retention of connection data unlawful. Since these declarations, whether this mechanism will be kept in France remains uncertain.
In fact, in the CJEU C-793/19 SpaceNet preliminary ruling case, the Advocate General specified that European law "opposes national regulations which require providers of electronic communications services available to the public to retain, in a preventive, general and undifferentiated way, the traffic data and the location data of the end users of these services for purposes other than those of the protection of national security against an actual and present or foreseeable serious threat".
The Advocate General also indicated that legislation is unlawful when it "does not make access by the competent authorities to data relating to traffic and location data stored subject to a control carried out beforehand by a court or by an independent administrative entity".
Also, the Constitutional Council recalled that the generalized retention of all connection data is contrary to the Constitution.
For example, the Court of Justice of the European Union was seized of a question from a Spanish court in the context of the investigation of a case. The case concerns a robbery during which the victim's mobile phone was stolen. The judge in charge of investigating the case had refused to request the transmission of the telephone numbers activated by the stolen device, considering that the offense was not serious enough to justify access to personal data. Thus, the court of appeal questioned the Court of Justice of the European Union on this subject. The latter then replied that Article 15 of the directive, read in the light of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, "must be interpreted as meaning that access by public authorities to data aimed at identifying the holders of SIM cards activated with a stolen mobile telephone, such as the surname, first name and, where applicable, address of these holders involves an interference with the fundamental rights of the latter, enshrined in those articles of the Charter, which is not so serious that such access should be limited, in matters of prevention, investigation, detection and prosecution of criminal offences, to the fight against serious crime".
Consequently, minor offenses cannot justify access to personal data stored by telephone operators where that access seriously infringes the right to privacy.
Nevertheless, the Court of Justice of the European Union specifies that it is up to each nation to apply its national law, specifying that it is up to the criminal court to discard data collected in a way that does not comply with Union law in the event that the persons being prosecuted are unable to comment effectively on that information and evidence, which come from a field beyond the knowledge of the judges and are likely to influence in a preponderant manner the assessment of the facts.
Indeed, the Court of Justice of the European Union recognizes that the retention of metadata can be useful for the purpose of preventing a serious threat to national security. However, it insists on the respect of three conditions: the mechanism must be limited in time; recourse to it must be justified by a serious, real, current or foreseeable threat to national security; and the use of metadata must be carried out under the effective control of a court or an independent administrative authority.
As a result, the automated processing of location data for the prevention of terrorism provided for by the Internal Security Code is authorized. This must make it possible to filter all the data to bring out only the data making it possible to search for and identify the person.
On the other hand, when there is no serious threat to national security, data retention for prevention must be targeted. For example, telephone tapping is only authorized for organized crime or terrorism investigations. Such taps are possible for crimes and misdemeanors punishable by more than two years of imprisonment. As for geolocation data, the intelligence services or the police can only use them for offenses punishable by more than five years of imprisonment, or three years in the event of harm to the person.
Your connection data has been used as part of an investigation and you would like advice? Pierre de Roquefeuil, lawyer specializing in digital and communication law in Paris, can advise you and ensure that your interests are respected. The specialized lawyer will help you to identify the procedure adapted to your situation.
Who keeps what? Operators keep the metadata, and transfer it to the authorities, under what conditions? What metadata?
Between national and community case law, the rules still seem to be floating, but to the advantage of GAFAM who try to uphold the confidentiality due to their subscribers and at the same time an American conception of freedom of expression which consists in admitting all slander, anonymous or not.
For a public opinion still fond of stoning, in defiance of the most basic objectives of social reintegration.
August 6, 2022 Update
Court of Cassation
Cass. crim., July 12, 2022, no. 21-83.710
Cass. crim., July 12, 2022, no. 21-83.820
Cass. crim., July 12, 2022, no. 20-86.652
Cass. crim., July 12, 2022, no. 21-84.096
EU law | Traffic and location data | IP addresses | Civil identity
Serious threats to national security | Retention by order of the authorities with the possibility of judicial recourse for verification | Retention by order of the authorities with the possibility of judicial recourse for verification | Retention by order of the authorities with the possibility of judicial recourse for verification
Serious crime | Retention of certain data on limited injunction. Rapid, more extensive retention of certain data on limited injunction, on prior control (case law = in any case contestable before an independent judge in the event of a grievance) | Retention on limited injunction | Retention
Others | No retention | No retention | Retention
CJEU
CJEU, 20 September 2022, C-793/19, C-794/19
CJEU, March 2, 2021, aff. C-746/18, HK/Prokuratuur
Oct. 6, 2020, La Quadrature du net [Assoc.], aff. C-511/18, C-512/18 and C-520/18
Apr. 5, 2022, Commissioner of An Garda Síochána, aff. C-140/20
Oct. 2, 2018, aff. C-207/16
Relevant texts:
Article L. 34-1, III, and III bis of the Postal and Electronic Communications Code
The Law of July 30, 2021 – 2021-998 (art. 17) amending the LCEN, art. 6 II (law no. 2004-575 of June 21, 2004) and L34-1 of the Postal and Electronic Communications Code
Articles 60-1, 60-1-1, 77-1-1 and 77-1-2, articles 99-3 and 99-4, of the Code of Criminal Procedure
Three decrees of October 20, 2021
Decree No. 2021-1362 of October 20, 2021 relating to the retention of data enabling the identification of any person having contributed to the creation of content put online, taken pursuant to II of Article 6 of Law No. 2004-575 of June 21, 2004 for confidence in the digital economy, replacing (repealed) Decree No. 2011-219 of February 25, 2011 relating to the retention and communication of data allowing the identification of any person who contributed to the creation of online content
"e-Privacy" Directive 2002/58/EC of the European Parliament and of the Council, of July 12, 2002, concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)
Cons. const.
May 20, 2022, No. 2022-993 QPC
Council of State
CE, 21 Apr. 2021, n° 394922, 397844, 397851, 393099, 424717 and 424718 (French Data Network)
CA Paris
18 Feb. 2022, n°20/13824, would limit the communication of identification data to criminal matters, confirming interim order on article 145 of the code of civil procedure and article 6 LCEN
April 27, 2022
TJ – TGI Paris
January 30, 2013
April 5, 2022
Comment:
In a judgment of March 2, 2021 (CJEU, March 2, 2021, aff. C-746/18, HK/Prokuratuur), the CJEU stated that access to connection data can only be authorized:
– if this data has been kept in accordance with the requirements of European law;
– if it took place for the purpose that justified the storage or a more serious purpose, except for rapid storage;
– if it is limited to what is strictly necessary;
– with regard to traffic and location data, if it is limited to procedures aimed at combating serious crime, and;
– if it is subject to prior control by a court or an independent administrative body.
The Court of Cassation rules that Articles 60-1, 60-1-1, 77-1-1 and 77-1-2 are contrary to EU law in that they do not provide for prior control by a jurisdiction or an independent administrative entity.
Article L. 34-1, III bis, of the Postal and Electronic Communications Code:
"The data retained by the operators pursuant to this article may be the subject of a rapid retention order by the authorities having, in application of the law, access to data relating to electronic communications for the purposes of the prevention and repression of crime, serious delinquency and other serious breaches of the rules for which they are responsible for ensuring compliance, in order to access this data."
Update September 22, 2022
On pain of nullity, requisitions relating to the technical data making it possible to identify the source of the connection or those relating to the terminal equipment used mentioned in 3° of II bis of Article L. 34-1 of the Postal and Electronic Communications Code or relating to the traffic and location data mentioned in III of the same Article L. 34-1 are only possible, if the necessities of the procedure so require, in the following cases:
1° The proceedings relate to a felony or misdemeanor punishable by at least three years' imprisonment;
2° The proceedings relate to an offense punishable by at least one year's imprisonment committed through the use of an electronic communications network and these requisitions have the sole purpose of identifying the perpetrator of the offence;
3° These requisitions relate to the terminal equipment of the victim and intervene at the latter's request in the event of an offense punishable by imprisonment;
4° These requisitions tend to find a missing person within the framework of the procedures provided for in articles 74-1 or 80-4 of this code or are carried out within the framework of the procedure provided for in article 706-106-4.
=> Waivers of anonymity are in principle prohibited, in particular with regard to civil offenses without criminal qualification or minor offenses (typically defamation and insults that do not discriminate against individuals), which goes against the requirements of the right to a fair trial provided for by the ECHR. Advances in case law are therefore still to be awaited.
The texts (articles L34-1 and R10-13 of the postal and electronic communications code, L34-1 resulting from the reform Law of July 30, 2022) only allow a waiver of civil identity and data provided when signing the contract (by the prosecution only?) “for the purposes of criminal proceedings”.
The provision of civil identity and contract data (initially provided by the user) by an operator or a host may be insufficient to flush out the perpetrator of an infringement; the so-called technical data for the location and identification of the machines and software used are most of the time essential for the precise identification of the author and the circumstances of the offence.
Several avenues are mentioned to challenge this current approach of the legislator:
- by contesting the applicability of the "e-Privacy" Directive 2002/58/EC of the European Parliament and of the Council, of 12 July 2002, concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), a directive which underlies the reform, but which would not be intended to govern public expression, only private communications;
- by challenging the constitutionality of the law of July 30, 2022 for infringement of the right to a fair trial;
Update of January 6, 2023:
A remarkable summary order of the Paris judicial court of 21 December 2022 (Tribunal judiciaire de Paris (ref.), 21 December 2022, n° 22/55886, Noctis Event and M. X. c/ Wikimedia Foundation Inc.) issued against Wikimedia recognises the right of access to the civil identity of the author of the malicious content, to his contact details, to his name and address, and to his phone number, but excluding, however, his connection data, in a context of invasion of privacy, denigration and cyberbullying (press offenses are not invoked), violations likely to justify civil and criminal actions.
The judge recalls the conditions of the summary procedure:
Article 145 of the Code of Civil Procedure provides that if there is a legitimate reason to preserve or establish before any trial the proof of facts on which the solution of a dispute could depend, the legally admissible investigative measures may be ordered at the request of any interested party, on request or in summary proceedings.
The summary court, seized in application of Article 145, has sovereign power to assess whether the plaintiff has a legitimate reason and does not have to determine whether there is urgency. It must verify whether the potential trial alleged by the plaintiff is not manifestly doomed to failure.
Investigative measures that are limited in time and in their purpose and proportionate to the objective pursued are legally admissible. It is the judge's responsibility to verify whether the measure ordered is necessary for the exercise of the right to evidence and proportionate to the conflicting interests involved.
The judge opportunely specifies, as in response to articles L34-1 and R10-13 of the postal and electronic communications code, L34-1 resulting from the reform Law of July 30, 2022:
The mere fact that the prosecutor has the opportunity to prosecute, as the company Wikimedia Foundation Inc. maintains, cannot suffice to render unlawful the measure of investigation requested, which aims to identify the perpetrator of these acts.
> The "legitimate reason" required to justify a request for interim relief prior to a trial, in particular for the purposes of establishing evidence, cannot be annihilated by a prognosis on the prosecutor's decisions regarding future prosecutions, as the judge pointed out.
Update of 15 March 2023:
Transmission to the Court of cassation of a QPC relating to Article 60-1-2 of the Code of Criminal Procedure
Court of Appeal of Versailles / 14 Dec. 2022, appeal no. 22-90.019 / 6 Dec. 2022, appeal no. 22-90.018
(Defamation of an individual - criminal prosecution)
The examining magistrate recalls that the new provisions of Articles 60-1 and 60-1-2 of the Code of Criminal Procedure, in the case of these proceedings, do not allow requisitions to be made for the technical connection data of anonymous authors of defamatory content, taking into account the nature of the facts denounced and the penalty (a simple criminal fine).
The Investigating Chamber referred the priority question of constitutionality raised by the civil party to the Court of Cassation, stating that these new provisions make it impossible for victims of defamation to seek the truth about the identity of those responsible for the offences committed, and to access a judge to obtain compensation for damage that may be significant in terms of harm to the honour and morality of the persons concerned, with repercussions on their life and personal situation, since only obtaining the technical connection data allows an indisputable identification of those responsible.
In its decisions of 14 March 2023, Appeal No. 22-90.018 and Appeal No. 22-90.019, the Court of Cassation did not refer the question to the Constitutional Council, stating that
when the sole purpose of the requisitions is to identify the perpetrator of the offence, Article 60-1-2 of the Code of Criminal Procedure limits the possibility of requesting the technical data enabling the source of the connection to be identified or those relating to the terminal equipment used, mentioned in 3° of II bis of Article L. 34-1 of the Post and Electronic Communications Code, to proceedings relating to an offence punishable by at least one year's imprisonment committed using an electronic communications network. These provisions were introduced by the legislator in order to strengthen the guarantees that meet constitutional requirements, given the privacy-invasive nature of such measures, taking into account the seriousness of the offence being investigated and the circumstances in which it was committed (Cons. const., 3 December 2021, decision no. 2021-952 QPC)
> The legislator considers that their communication constitutes a serious intrusion into private life ("interference with the right to privacy") and must therefore be limited. Access to civil identity data collected by operators remains available (such as name, address, e-mail address).