The Court of Justice of the European Union (“Court”) recently published a decision regarding article 15 of Directive 2002/58/EC on privacy and electronic communications (“Directive”). The decision states that access to data constitutes a serious interference with fundamental rights, which implies that the amount of data accessed is irrelevant and that Member States must set safeguards where such access must nevertheless be granted to state authorities.
It must be said that the Grand Chamber substantially confirms its own case law, making express reference to the judgments Tele2 Sverige (C‑203/15 and C‑698/15) and La Quadrature du Net (C‑511/18, C‑512/18 and C‑520/18), but it also gives some clarifications.
The case at issue is based on a criminal conviction relying, among other things, on data generated in the context of the provision of electronic communications services. The Riigikohus (Supreme Court, Estonia) expressed doubts as to whether the conditions under which the investigating authority had access to those data were compatible with EU law, in particular article 15 of the Directive, and referred three different questions to the Court.
The first regards the relevance, in the proportionality test, of the period to which the retained data accessed by the authorities relate. The second regards the need to assess the proportionality between the amount of data to which the authorities may have access, the seriousness of the criminal offence and the tolerated interference with fundamental rights. The third regards the independence required of the authority that can be competent for the prior review of the data access request.
Regarding the first two questions, the Court holds that the Directive, read in the light of the Charter, precludes national legislation that allows public authorities to have access to traffic or location data without restrictions as to the substance of the procedures, which should instead be limited to serious crimes or threats to public security. What is more, the length of the period in respect of which access to data is sought and the quantity or nature of the data available are irrelevant circumstances in the assessment of the legality of the data access, since the interference with fundamental rights is in any event serious per se.
With reference to the independence principle, the Court holds that the Directive also precludes national legislation that grants the public prosecutor’s office the power to authorise access to data for the purpose of conducting a criminal investigation.
Indeed, even if it is for national law to determine the conditions under which access to data must be granted, the legislation must set minimum safeguards in order to avoid the risk of abuse and to reconcile the various interests and rights at issue. It follows that the requirement of independence of the authority entrusted with carrying out the prior review of the legitimacy of data access requests implies that this authority must be a third party in relation to the one filing the request. This is not the case for the public prosecutor’s office when it directs the investigation and also performs the subsequent public prosecution.
Andrea Giulia Monteleone