Following an investigation by the Autorité des marchés financiers (Financial Markets Authority (AMF)), criminal proceedings were brought in France against VD and SR in respect of insider dealing, concealment of insider dealing, aiding and abetting, corruption and money laundering. The proceedings relied on personal data from telephone calls made by VD and SR using electronic communications services. The data had been sent to the investigating judge by the AMF.

VD and SR appealed two judgments from the French Court of Appeal to the Court of Cassation, challenging AMF’s position that national law allowed it to collect the data in question. VD and SR claimed that national law did not comply with EU law insofar as it provided for the general and indiscriminate retention of connection data and did not contain any restrictions on AMF’s powers to require the retained data to be provided to them.

The Court of Cassation asked the CJEU how Article 15(1) of the E-Privacy Directive (2002/58/EC) read in the light of the Charter of Fundamental Rights of the EU can be reconciled with Articles 12(2)(a) and (d) of the Market Abuse Directive (2003/6/EC) and Articles 23(2)(g) and (h) of the Market Abuse Regulation (596/2014/EU) in the context of national law which, as a preventive measure, in order to combat market abuse offences including insider dealing, allows the general and indiscriminate retention of traffic data by providers of electronic communication services for a year from the date on which they were recorded. If the national law is found to be inconsistent with EU law, the Court of Cassation asked whether such legislation would retain its effects provisionally to avoid legal uncertainty and to allow the data retained on the basis of the legislation to be used for the purposes of detecting insider dealing and bringing prosecutions accordingly.

The CJEU found that neither the Market Abuse Directive nor the Market Abuse Regulation can constitute the legal basis for a general obligation to retain data traffic records held by providers of electronic communications services for the purposes of exercising the powers conferred on financial authorities under those measures.

Further, the CJEU noted that since the E-Privacy Directive governs the retention and, more generally, the processing of personal data in the electronic communications sector, it also governs traffic data records held by providers of electronic communications services, which financial authorities can request access to. Consequently, the assessment of the lawfulness of the processing of records held by providers must be carried out in the light of the conditions contained in the E-Privacy Directive.

The CJEU found that the Market Abuse Directive and the Market Abuse Regulation, read in conjunction with the E-Privacy Directive and in the light of the Charter, do not authorise the general and indiscriminate retention by providers of electronic communications services of traffic data for a year from the date on which they were recorded for the purpose of combating market abuse offences including insider dealing.

In addition, the CJEU upheld its own case law, according to which it found that under EU law a national court cannot restrict the temporal effects of a declaration of invalidity which it is bound to make in relation to national legislation that requires providers of electronic communications services to retain generally and indiscriminately traffic and location data due to that legislation being incompatible with the E-Privacy Directive.

That said, the CJEU pointed out that the admissibility of evidence obtained further to retention of data is a matter for national law, subject to compliance with the principles of equivalence and effectiveness. The latter principle requires the national criminal court to disregard information and evidence obtained by means of the generalised and indiscriminate retention of traffic and location data in breach of EU law if the persons concerned are not in a position to comment effectively on that information and evidence, they belong to a field of which the judges have no knowledge and they are likely to have a greater influence on the findings of fact. (Joined Cases C-339/20 and C-397/20 VD and SR v EU:C:2022:703 (20 September 2022) — to read the judgment in full, click here).