EU IP Address Retention #3: What Telcos MUST know after the Hadopi Ruling

PART 3.

The recent CJEU ruling in Case C-470/21, commonly referred to as the Hadopi judgment, introduces a narrow and conditional shift in how telecom operators may retain and provide access to source IP addresses in the EU. While the ruling may seem like a potential opening for more flexible retention policies, it comes with strict legal and technical requirements that telcos cannot ignore.

In this blog, we break down what changed, what didn’t, and what telcos must now consider in their compliance, architecture, and data governance strategies.

1. A narrow opening for broader EU IP retention

The CJEU has historically limited general and indiscriminate data retention to cases involving serious crime or threats to national security. With the Hadopi judgment, the Court allows a potential exception: the general retention of source EU IP addresses may be permissible for investigating any type of criminal offence, not just serious crime.

This is a significant shift from earlier jurisprudence but comes with a crucial caveat: the interference with fundamental rights caused by such retention must be considered “non-serious.”

This opens a conditional pathway for national lawmakers to expand IP address retention mandates. But telcos can only comply lawfully if very specific technical and procedural safeguards are in place.

2. The technical prerequisite – genuinely watertight separation

The most important requirement introduced by the Hadopi ruling is the concept of “genuinely watertight separation” of data. For source IP retention to be considered a “non-serious” interference with fundamental rights, IP addresses must be stored and managed entirely separately from other personal data, especially:

• Civil identity (name, address, subscriber details)

• Other metadata (e.g., browsing history, call records, location data)

The purpose of this separation is to ensure that retained IP data cannot be used to profile users or reconstruct their private lives. The separation must be both technical and organisational, and its effectiveness should be regularly reviewed by an independent authority.

This requirement is not just a legal formality. It has profound technical implications for how data is stored, accessed, and governed within telco environments.

3. Conditional access to identity data

The Hadopi ruling also refines the rules for accessing identity information linked to retained IP addresses. If a telco implements watertight separation correctly, access to a customer’s civil identity for a specific IP address and time may also be seen as a non-serious interference.

In such cases, access may be justified for any criminal offence, not just serious crime, and might not require prior judicial approval — but only if the access is strictly limited to identity and does not reveal private behaviours or allow profiling.

However, if the access involves linking IP data to online activity (such as the title of an illegally downloaded file), it crosses into “serious interference” territory, and prior, non-automated judicial or independent review remains mandatory.

Telcos will need to evaluate each request not only on its legal grounds but also on the level of intrusion it represents. This introduces a new operational challenge for compliance and legal teams.

4. What remains unchanged

Despite the nuance introduced by the Hadopi case, it does not represent a reversal of the CJEU’s overall stance on data retention. The following principles still apply:

• General and indiscriminate retention of traffic and location data (e.g., browsing history, email metadata, call records, precise geolocation) remains strictly limited to serious crime or national security.

• Even when allowed, such retention must be strictly necessary, time-limited, and safeguarded.

• National laws cannot ignore these requirements, even if framed as fighting minor or non-serious crimes.

  
  

Hadopi is a narrow, technical adjustment for one data category, source IP addresses, and only under very specific conditions.

5. What Telcos must do next

The ruling introduces a new layer of complexity to an already challenging data retention environment. Telcos operating across EU Member States must act decisively to understand and manage the implications.

Monitor national legislation

Some countries may attempt to introduce or update IP retention laws citing the Hadopi ruling. Telcos must closely analyse whether such laws meet the CJEU’s strict requirements, particularly around data separation and proportionality.

Assess technical feasibility

Implementing watertight separation is not trivial. It may require redesigning data storage and governance systems to isolate source IP data from all other datasets. Without clear standards from regulators, telcos must assess what level of separation is “genuine” and sustainable from a technical, financial, and operational viewpoint.

Update compliance frameworks

Compliance teams must distinguish between different levels of interference (serious vs. non-serious), build in checks for access requests, and ensure that authorisation levels are correctly applied. This requires tight coordination between legal, technical, and operational departments.

Implement verification procedures

Before complying with new mandates based on Hadopi, telcos should document internal verification steps to ensure national requirements align with CJEU jurisprudence. This protects against future legal risk and regulatory scrutiny.

Engage with regulators and lawmakers

Given the legal uncertainty, telcos should engage early with policymakers to ensure that any national implementation of Hadopi is technically realistic and legally compliant. Clear definitions and consistent guidance will be essential.

Conclusion – Not a loophole, but a legal tightrope

The Hadopi ruling opens a carefully defined exception for the retention of source IP addresses. It signals a recognition by the CJEU of the operational importance of IP data in criminal investigations, but it does so without compromising the EU’s strong commitment to fundamental rights.

For telcos, this is not an opportunity to expand surveillance. It is a compliance challenge, requiring advanced technical separation, precise legal interpretation, and constant vigilance.

Retaining IP addresses may become possible under broader conditions, but only for operators who are ready to walk the tightrope between national security needs and fundamental rights protection – with precision, transparency, and accountability.

Sources:

• Blog | Analysis of the Hadopi ruling and its context. https://www.europeanlawblog.eu/pub/fkjv9i49/release/1

• CJEU C-470/21 / Judgment | The official Hadopi ruling. Downloaded April 29, 2025. https://fra.europa.eu/en/caselaw-reference/cjeu-c-47021-judgment

• Expert analysis on the ruling's impact | What implications for the future of data retention in the EU. Downloaded April 29, 2025. https://edri.org/our-work/cjeu-saved-the-hadopi-what-implications-for-the-future-of-data-retention-in-the-eu/

• Data retention 2024 | Current developments and legal challenges. Downloaded April 29, 2025. https://externer-datenschutzbeauftragter-dresden.de/en/data-protection/data-retention-2024-current-developments-and-legal-challenges/

• Broader context on EU data retention | GDPR-focused analysis of the Hadopi ruling. Downloaded April 29, 2025. https://gdprhub.eu/index.php?title=CJEU_-C%E2%80%91470/21-La_Quadrature_du_Net_and_Others