Joined Cases C‑339/20 and C‑397/20

VD
and
SR

v

Procureur général at the Cour de cassation

(Request for a preliminary ruling from the Cour de cassation (France))

 Judgment of the Court (Grand Chamber), 20 September 2022

(References for a preliminary ruling – Single market for financial services – Market abuse – Insider dealing – Directive 2003/6/EC – Article 12(2)(a) and (d) – Regulation (EU) No 596/2014 – Article 23(2)(g) and (h) – Supervisory and investigatory powers of the Autorité des marchés financiers (AMF) – General interest objective seeking to protect the integrity of financial markets in the European Union and public confidence in financial instruments – Option open to the AMF to require the traffic data records held by an operator providing electronic communications services – Processing of personal data in the electronic communications sector – Directive 2002/58/EC – Article 15(1) – Charter of Fundamental Rights of the European Union – Articles 7, 8 and 11 and Article 52(1) – Confidentiality of the communications – Restrictions – Legislation providing for the general and indiscriminate retention of traffic data by operators providing electronic communications services – Option for a national court to restrict the temporal effects of a declaration of invalidity in respect of provisions of national law that are incompatible with EU law – Precluded)

1.        Approximation of laws – Insider dealing and market manipulation (market abuse) – Supervisory and investigatory powers of the Autorité des marchés financiers (AMF) – Option open to the AMF to require the traffic data records held by an operator providing electronic communications services – Processing of personal data and the protection of privacy in the electronic communications sector – Power of Member States to restrict the scope of certain rights and obligations – National measures requiring operators providing electronic communications services temporarily to retain traffic data generally and indiscriminately – Objective of combating market abuse offences including insider dealing – Unlawful

(Charter of Fundamental Rights of the European Union, Arts 7, 8, 11 and 52(1); European Parliament and Council Regulation No 596/2014, recitals 2, 24 and 62 and Arts 1, 8(1), 22 and 23(2)(g) and (h) and (3); European Parliament and Council Directives 2002/58, as amended by Directive 2009/136, Art. 15(1), and 2003/6, recitals 2 and 12 and Arts 2(1), 11 and 12(1) and (2)(a) and (d))

(see paragraphs 66, 68-70, 72, 73, 76-79, 82, 85-95, operative part 1)

2.        Approximation of laws – Insider dealing and market manipulation (market abuse) – Supervisory and investigatory powers of the Autorité des marchés financiers (AMF) – Option open to the AMF to require the traffic data records held by an operator providing electronic communications services – Processing of personal data and the protection of privacy in the electronic communications sector – Power of Member States to restrict the scope of certain rights and obligations – National measures incompatible with EU law – Option open to a national court to restrict the temporal effects of a declaration of invalidity in respect of those measures – Precluded

(Charter of Fundamental Rights of the European Union, Arts 7, 8, 11 and 52(1); European Parliament and Council Regulation No 596/2014, recitals 2, 24 and 62 and Arts 1, 8(1), 22 and 23(2)(g) and (h) and (3); European Parliament and Council Directives 2002/58, as amended by Directive 2009/136, Art. 15(1), and 2003/6, recitals 2 and 12, Arts 2(1), 11 and 12(1) and (2)(a) and (d))

(see paragraphs 97-107, operative part 2)

Résumé

Following an investigation by the Autorité des marchés financiers (Financial Markets Authority, France; ‘AMF’), (1) criminal proceedings were brought against VD and SR, two natural persons charged with insider dealing, concealment of insider dealing, aiding and abetting, corruption and money laundering. In the course of that investigation, the AMF had used personal data from telephone calls made by VD and SR, generated on the basis of the code des postes et des communications électroniques (Post and Electronic Communications Code), (2) in connection with the provision of electronic communications services.

In so far as the respective investigations into them was based on the traffic data provided by the AMF, VD and SR each brought an action before the cour d’appel de Paris (Court of Appeal, Paris, France), relying, inter alia, on a plea alleging infringement of Article 15(1) of the Directive on privacy and electronic communications, (3) read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter of Fundamental Rights of the European Union (‘the Charter’). Specifically, VD and SR, relying on the case-law arising from the judgment in Tele2 Sverige and Watson and Others, (4) challenged the fact that the AMF took the national provisions at issue as its legal basis for the collection of those data, whereas, according to them, those provisions, first, did not comply with EU law in so far as they provided for general and indiscriminate retention of connection data and, second, laid down no restrictions on the powers of the AMF’s investigators to require the retained data to be provided to them.

By two judgments of 20 December 2018 and 7 March 2019, the cour d’appel de Paris (Court of Appeal, Paris) rejected the action brought by VD and SR. When it rejected the plea referred to above, the court adjudicating on the substance of the case relied, inter alia, on the fact that the Market Abuse Regulation (5) allows the competent authorities to require, in so far as permitted by national law, existing data traffic records held by operators providing electronic communications services, where there is a reasonable suspicion of an infringement of the prohibition on insider dealing and where such records may be relevant to the investigation of that infringement.

VD and SR then brought an appeal before the Cour de cassation (Court of Cassation, France), the referring court in the present cases.

In that context, that court is uncertain how to reconcile Article 15(1) of the Directive on privacy and electronic communications, read in the light of the Charter, with the requirements under Article 12(2)(a) and (d) of the Market Abuse Directive (6) and Article 23(2)(g) and (h) of the Market Abuse Regulation. That uncertainty arises from the legislative measures at issue in the main proceedings, which provide, as a preventive measure, that operators providing electronic communications services are to retain traffic data generally and indiscriminately for one year from the day of recording for the purposes of combating market abuse offences including insider dealing. Should the Court of Justice find that the legislation on the retention of the connection data at issue in the main proceedings does not comply with EU law, the referring court is uncertain as to whether that legislation retains its effects provisionally, in order to avoid legal uncertainty and to allow the data previously collected and retained to be used for the purpose of detecting insider dealing and bringing criminal proceedings in respect of it.

By its judgment, the Court, sitting as the Grand Chamber, holds that the general and indiscriminate retention of traffic data for a year from the date on which they were recorded by operators providing electronic communications services is not authorised, as a preventive measure, in order to combat market abuse offences. Furthermore, it confirms its case-law to the effect that EU law precludes a national court from restricting the temporal effects of a declaration of invalidity which it is required to make with respect to provisions of national law that are incompatible with EU law.

Findings of the Court

The Court notes, first of all, that, in interpreting a provision of EU law, it is necessary not only to refer to its wording but also to consider its context and the objectives of the legislation of which it forms part.

As regards the wording of the provisions that are the subject of the reference for a preliminary ruling, the Court states that, while Article 12(2)(d) of the Market Abuse Directive refers to the AMF’s power to ‘require existing telephone and existing data traffic records’, Article 23(2)(g) and (h) of the Market Abuse Regulation refers to the power of that authority to require, first, ‘data traffic records held by investment firms, credit institutions or financial institutions’ and, second, to require, ‘in so far as permitted by national law, existing data traffic records held by a telecommunications operator’. According to the Court, it is clear from the wording of those provisions that they merely provide a framework for the AMF’s power to ‘require’ the data available to those operators, which corresponds to access to those data. Furthermore, the reference made to ‘existing’ records, such as those ‘held’ by those operators, suggests that the EU legislature did not intend to lay down rules governing the option open to the national legislature to impose an obligation to retain such records. According to the Court, that interpretation is, moreover, supported both by the context of those provisions and by the objectives pursued by the rules of which those same provisions form part.

As regards the context of the provisions that are the subject of the questions referred, the Court observes that, although, under the relevant provisions of the Market Abuse Directive (7) and the Market Abuse Regulation, (8) the EU legislature intended to require the Member States to take the necessary measures to ensure that the competent financial authorities have a set of effective tools, powers and resources as well as the necessary supervisory and investigatory powers to ensure the effectiveness of their duties, those provisions make no mention of any option open to Member States of imposing, for that purpose, an obligation on operators providing electronic communications services to retain generally and indiscriminately traffic data, nor do they set out the conditions in which those data must be retained by those operators so that they can be submitted to the competent authorities where appropriate.

As regards the objectives pursued by the legislation at issue, the Court finds that it is apparent, first, from the Market Abuse Directive (9) and, second, from the Market Abuse Regulation (10) that the purpose of those instruments is to protect the integrity of EU financial markets and to enhance investor confidence in those markets, a confidence which depends, inter alia, on investors being placed on an equal footing and being protected against the improper use of inside information. The purpose of the prohibition on insider dealing laid down in those instruments (11) is to ensure equality between the contracting parties in stock-market transactions by preventing one of them that possesses inside information and that is, therefore, in an advantageous position vis-à-vis other investors, from profiting from that information, to the detriment of those that are unaware of it. Although, according to the Market Abuse Regulation, (12) connection data records constitute crucial, and sometimes the only, evidence to detect and prove the existence of insider dealing and market manipulation, the fact remains that that regulation makes reference only to records ‘held’ by operators providing electronic communications services and to the power of that competent financial authority to ‘require’ those operators to send ‘existing’ data. Thus, it is in no way apparent from the wording of that regulation that the EU legislature intended, by that regulation, to give Member States the power to impose on operators providing electronic communications services a general obligation to retain data. It follows that neither the Market Abuse Directive nor the Market Abuse Regulation can constitute the legal basis for a general obligation to retain the data traffic records held by operators providing electronic communications services for the purposes of exercising the powers conferred on the competent financial authority under those measures.

The Court then notes that the Directive on privacy and electronic communications is the measure of reference on the retention and, more generally, the processing of personal data in the electronic communications sector, which means that the Court’s interpretation, given in respect of that directive, also governs the traffic data records held by operators providing electronic communications services, which the competent financial authorities, within the meaning of the Market Abuse Directive (13) and the Market Abuse Regulation, (14) may require from those operators. The assessment of the lawfulness of the processing of records held by operators providing electronic communications services (15) must, therefore, be carried out in the light of the conditions laid down by the Directive on privacy and electronic communications and of the interpretation of that directive in the Court’s case-law.

The Court finds that the Market Abuse Directive and the Market Abuse Regulation, read in conjunction with the Directive on privacy and electronic communications and in the light of the Charter, preclude legislative measures which, as a preventive measure, in order to combat market abuse offences including insider dealing, provide for the temporary, albeit general and indiscriminate, retention of traffic data, namely for a year from the date on which they were recorded, by operators providing electronic communications services.

Lastly, the Court confirms its case-law according to which EU law precludes a national court from restricting the temporal effects of a declaration of invalidity which it is required to make, under national law, with respect to provisions of national law which, first, require operators providing electronic communications services to retain generally and indiscriminately traffic data and, second, allow such data to be submitted to the competent financial authority, without prior authorisation from a court or independent administrative authority, owing to the incompatibility of those provisions with the Directive on privacy and electronic communications read in the light of the Charter. However, the Court recalls that the admissibility of evidence obtained by means of such retention is, in accordance with the principle of procedural autonomy of the Member States, a matter for national law, subject to compliance, inter alia, with the principles of equivalence and effectiveness. The latter principle requires national criminal courts to disregard information and evidence obtained by means of the general and indiscriminate retention of data in breach of EU law if the persons concerned are not in a position to comment effectively on that information and that evidence and they pertain to a field of which the judges have no knowledge and are likely to have a preponderant influence on the findings of fact.

1      Investigation carried out under Article L.621-10 of the code monétaire et financier (Monetary and Financial Code), in the version applicable to the disputes in the main proceedings.

2      Specifically, on the basis of Article L.34-1 of the Post and Electronic Communications Code, in the version applicable to the disputes in the main proceedings.

3      Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ 2002 L 201, p. 37), as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 (OJ 2009 L 337, p. 11).

4      Judgment of 21 December 2016, Tele2 Sverige and Watson and Others (C‑203/15 and C‑698/15, EU:C:2016:970).

5      Regulation (EU) No 596/2014 of the European Parliament and of the Council of 16 April 2014 on market abuse (market abuse regulation) and repealing Directive 2003/6/EC and Commission Directives 2003/124/EC, 2003/125/EC and 2004/72/EC (OJ 2014 L 173, p. 1).

6      Directive 2003/6/EC of the European Parliament and of the Council of 28 January 2003 on insider dealing and market manipulation (market abuse) (OJ 2003 L 96, p. 16).

7      Article 12(1) of Directive 2003/6.

8      Article 23(3) of Regulation No 596/2014, read in the light of recital 62 of that regulation.

9      Recitals 2 and 12 to Directive 2003/6.

10      Article 1 of Regulation No 596/2014, read in the light of recitals 2 and 24 of that regulation.

11      Article 2(1) of Directive 2003/6 and Article 8(1) of Regulation No 596/2014.

12      Recital 62 of Regulation No 596/2014.

13      Article 11 of Directive 2003/6.

14      Article 22 of Regulation No 596/2014.

15      As provided for in Article 12(2)(d) of Directive 2003/6 and Article 23(2)(g) and (h) of Regulation No 596/2014.