CJEU saved the HADOPI: what implications for the future of data retention in the EU?

A European Commission data retention proposal is expected in 2026

On 30 April 2024, the Court of Justice of the European Union (CJEU), sitting as a full court (which only happens in rare cases, notably of exceptional importance), delivered its judgment on the HADOPI (short for: Haute Autorité pour la diffusion des œuvres et la protection des droits sur internet) case (C-470/21 or ‘La Quadrature du Net II’).

The case is of particular importance for the ongoing political debate on the mandatory retention of traffic and location data (metadata) by internet companies for access by law enforcement authorities. Metadata generated by internet use is the bedrock of modern state surveillance and therefore ‘data retention’ will remain a key digital rights issue in the next years in the EU.

Following European Commission President’s request for “adequate and up-to-date tools” for law enforcement access to data, Commissioner for Home Affairs Magnus Brunner is currently working to update “rules on data retention, while safeguarding fundamental rights”. A legislative proposal aiming to harmonise the existing patchwork of national laws is therefore expected in 2026.

With this article, we provide the key takeaways of the CJEU judgment and what they mean for the legislative instrument in the Commission’s pipeline.

Background of the case

The French “HADOPI” law aims to halt the unauthorised online exchange of copyrighted material. EDRi member La Quadrature du Net challenged the compliance of the HADOPI framework with EU law. Based on reports from rights holders, French authorities identify internet users involved in sharing copyrighted material, and then send two formal warnings to the users before resorting to legal action upon detecting a third violation – which is called “the graduated response”.

This system relies on two critical personal data processing operations: first, the Internet service providers (ISPs) can identify users because they are required by the French data retention law to indiscriminately retain all source IP addresses and to which users they are assigned. Second, HADOPI, as a government agency, accesses this information in an extensive manner as it sends automated requests to ISPs (several million per year). Given the CJEU extensive jurisprudence on data retention, the system seems contrary to EU law at first glance since the offences in the HADOPI system are not serious crime

After a first Advocate General (AG) Opinion in 2022 – which EDRi critically commented as risking to water down core privacy protections – the case was referred to the CJEU full court in 2023 and led to a second AG opinion. At the time, we warned that the interpretation proposed by the AG would severely weaken the CJEU’s jurisprudence, as well as its authority and legitimacy vis-à-vis Member States. Because Member States have stubbornly refused to apply the Court’s rulings for over a decade, the AG was ready to ‘adapt’ the jurisprudence to satisfy those EU countries that are most attached to mass surveillance. We called out this threat to the rule of law and to fundamental rights.

The CJEU jeopardises essential privacy protections to accommodate false law enforcement claims

Unfortunately, the Court is revising its past interpretation of EU law to save the HADOPI from its expected tragic fate.

The degree of interference of IP addresses retention

The Court re-assesses the seriousness of the interference with fundamental rights of the retention and access to IP addresses associated with a user’s civil identity (LQDN II, para. 79-84). In its La Quadrature du Net and Others judgment from October 2020, it held that the general and indiscriminate retention of source IP addresses is a serious interference with the rights to privacy, data protection and freedom of expression, and thus can only be justified by the objective of fighting serious crimes (LQDN I, para. 156). It was considered a serious interference because it allows to “track an internet user’s complete clickstream” and draw precise conclusions about their private life (LQDN I, para. 153).

In LQDN II, the Court clarifies that retention of source IP addresses is not a serious interference if the national legislation mandates technical retention arrangements which rule out that precise conclusions about the private life of the person can be drawn. This requires watertight separation between IP addresses, civil identity data and other traffic data and location data. The only exception to the complete separation of data categories is when IP addresses and civil identity data are linked, and this must be done through an effective technical process that does not undermine the watertight separation.

In essence, the Court envisages a closed retention system where personal data can only be extracted from the “black box” by querying the system for the civic identity data associated with a specific source IP address at a specific time. By conceptually precluding a serious interference through technical means, the Court paves the way for retaining IP addresses the purpose of fighting all offences, including relatively minor ones like copyright infringement. This elaborate reinterpretation of the extensive case law very conveniently saves the HADOPI system.

It is unlikely that current retention practices by internet service providers conform to the detailed requirements about watertight separation set out by the Court. The elephant in the room is whether Member States will actually amend their data retention laws and enforce the new security requirements. Data retention laws in many Member States already allow access to retained IP addresses for all criminal offences – which was in contradiction with the CJEU previous case law. It is not inconceivable that these Member States will simply see the HADOPI judgment as vindication for their current laws and tacitly ignore the watertight separation requirements that are critical in the judgment.

The degree of interference of IP addresses access

It is already established case law that access to retained data for the sole purpose of identifying a user does not constitute a serious interference when it is not possible to associate that data with information about the communications made (LQDN I, para. 158). However, in the context of identifying an internet user there is an inherent link to the communications made. Law enforcement may have additional information which can reveal intimate details about the person concerned and make the interference a serious one.

In 2018, in Benedik v. Slovenia, the European Court of Human Rights (ECtHR) rightly mentioned how data sought by the police (namely the name and address of a subscriber) combined with pre-existing content (the content shared online) is capable of revealing “a good deal about the online activity of an individual, including sensitive details of his or her interests, beliefs and intimate lifestyle” (Benedik v. Slovenia, para. 109).

Yet, the CJEU considers that such situations are “atypical” in the case of HADOPI because the information available to HADOPI, such as the type of copyrighted content and the file name, is limited and rarely reveals sensitive information (LQDN II, para. 111-112). It adds that only a limited number of public officials accesses the data (LQDN II, para. 113) and are bound by a confidentiality obligation (LQDN II, para.114) which prohibits any disclosure of information to other parties, except for referring the case to the public prosecutor in stage 3.

These arguments about potentially sensitive information being strictly contained can be seen as “tailor-made” to the HADOPI system. This also means that they will not necessarily apply to other types of investigations. In fact, even in the case of HADOPI, the Court recognises later in the judgment that the third stage may involve a serious interference because precise conclusions about the person could emerge from the linking of information from all three stages (LQDN II, para. 141).

Lastly, the Court states that fundamental rights protection cannot go as far as “making it impossible or excessively difficult” to prosecute online offences (LQDN II, para. 116). With that reasoning, the Court takes over the AG’s argument of a substantial risk of “systemic impunity” online. The fundamental rights to privacy and protection of personal data are not absolute, but the principle of proportionality must put limits on how much personal data can be processed, especially for minor offences. EDRi has repeatedly pointed out that given the surveillance-based advertising business model of most online services nowadays, more information is available for investigative purposes than ever before.

The CJEU also brushes away alternative means of investigation aimed at identifying the suspect, such as analysing the person’s digital footprint like we had suggested in our first commentary of the case, as they would supposedly entail a higher degree of intrusion into privacy. However, while making these arguments, the Court forgets that HADOPI’s data access is massive (millions of requests per year) and could well be understood as mass surveillance. The use of other investigative techniques require more resources and thus would constrain investigations to a targeted number of users only. This would force such targeted efforts to apply against the most infringing users (the big seeders on P2P networks) and therefore would in fact constitute a more proportionate approach.

The need for prior authorisation by a court

The HADOPI case is the first case where the Court explicitly considers whether prior authorisation is required for data access which does not entail a serious interference. All previous data retention cases, where the Court has ruled that prior authorisation by a court is needed, have involved serious interferences.

In paras. 130-133, the Court holds that prior authorisation by a court is only required when a serious interference with fundamental rights is entailed by the access to retained data. In previous cases, the distinction between serious and non-serious interferences has determined whether access to retained data is permitted for only serious crime or for all criminal offences. Now, the same distinction also determines whether prior authorisation by a court is required.

Based on the principle of proportionality, the Court notes that the degree of interference with fundamental rights must also influence what substantive and procedural safeguards are required (LQDN II, para. 130). Whilst this argument is uncontroversial, it is nonetheless surprising that the reasoning leads the Court to completely dispense with the need for prior court review. The risk of abuse, for example, cannot be ruled out simply because law enforcement only requests access to civic identity data.

As noted above, the context of identifying an internet user will determine whether the data access represents a serious interference or not. This assessment is not always immediately obvious, which makes the need for prior court review more critical to safeguard fundamental rights. If the data access involves a serious interference, the access must be refused for investigations of ordinary criminal offences. Only a court or independent administrative body can ensure this.

The Court seems to address this concern by stating that access to retained civic identity for the sole purpose of identifying the user concerned is not a serious interference when those data cannot be associated with information about the communications made (LQDN II, para. 133). The latter condition is critical here. When the civic identity data can be linked to the context of the internet behaviour under investigation (the communication), the access may entail a serious interference in which case prior authorisation by a court is required.

In the case of HADOPI, the first two stages can take place without prior review by a court. Here, warning letters are sent without any reference to the content of the protected works. However, for the third and final stage of the graduated response mechanism, the Court insists on prior authorisation by a court before the case is referred to the public prosecutor. Information about the protected works being infringed has accumulated through the three stages and is directly linked to the person under investigation, which means the procedure may be liable to draw precise conclusions about the person (LQDN II, para. 141).

What does it mean for the future?

It is doubtful whether this ruling actually clarifies the legal situation for IP address retention and access. The Court allows data retention of IP addresses for combatting minor offences and access to that data without prior authorisation by a court. This is done under conditions that seem tailor-made to the functioning of HADOPI system, and may not realistically exist outside the HADOPI system which has very specific rules for processing personal data.

In the broader context of law enforcement investigations seeking to identity internet users from their IP address, the judgment says that this access can be a serious or non-serious interference, and that prior authorisation by a court is sometimes needed. This leaves a lot of ambiguity, which the judgment only settles for the HADOPI system.

The conditions that make the third HADOPI stage special, notably the connection to the context of the internet behaviour under investigation, are really the typical case in almost all other investigation where law enforcement seeks to identify internet users. From a digital rights perspective, that would be a positive reading of the HADOPI judgment, emphasising the critical importance of context as in Benedik v. Slovenia.

However, due to the lack of clarity about the broader implications of the judgment, there will undoubtedly be other interpretations about when prior authorisation by a court is required. The Commission is preparing a new data retention proposal based on recommendations from the High-Level Group “Going Dark” which seeks to ensure that any user on the internet can be identified. In terms of scale, this sounds very much like the functioning of the HADOPI system.

As an unintended side effect, the judgment creates a risk of abuse because law enforcement is given an incentive to claim that a certain data access is not a serious interference to avoid prior review by a court.

In a context of relentless attacks against human rights defenders, journalists and NGOs, the ability to protect one’s privacy online through anonymity is of paramount importance. It would be wise for EU legislators to maintain high protection standards in any future legislation and to provide a clearly defined framework for data retention and access which leaves no discretion to law enforcement to define the level of interference with rights and what procedural safeguards should apply.

Contribution by: Chloé Berthélémy, Senior Policy Advisor, EDRi & Jesper Lund, Chairman of EDRi member IT-Pol