On 6 October 2020, the Court of Justice of the European Union (CJEU, the Court) delivered its judgments in Case C-623/17, Privacy International, and in Joined Cases C-511/18, La Quadrature du Net and Others, C-512/18, French Data Network and Others, and C-520/18, Ordre des barreaux francophones et germanophone and Others (referred to as La Quadrature du Net and Others). Both judgments continue the long line of case-law on the secondary use of personal data by intelligence services and law enforcement agencies, in particular traffic and location data initially collected by service providers for commercial purposes (see in particular Joined Cases C‑293/12 and C‑594/12 Digital Rights Ireland, Joined Cases C-203/15 and C-698/15 Tele 2, Opinion 1/15 of the Court on the draft EU-Canada PNR Agreement, Case C-207/16 Ministerio Fiscal).
While the Court in both judgments decides on landmark cases, which have a number of commonalities, and were heard in a joint hearing in 2019, their nature and outcome are quite different. On one hand, Privacy International is an easy victory for the right to privacy and data protection. The Court unequivocally confirms that the state authorities are not allowed to intercept personal data, originating from commercial operators, in bulk. La Quadrature du Net and Others on the other hand, is a complex victory for the law enforcement community and a major step back in the Court’s data retention jurisprudence.
The two-decades-long conflict between the law enforcement and the privacy communities is still ongoing. In what follows, I therefore decided to briefly present the facts of the case and then to divide the main outcomes of the two judgments in three victories for one or the other camp, without pretensions to be exhaustive on every single point of the judgments.