Finding the balance between fighting crime and privacy: an Update to the use of Metadata in Criminal Prosecution

I.    Introduction

15 years after Law No. 32/2008 of July 17 (also called “the Metadata Law”) was enacted, discussion spurt in the Portuguese legal community regarding its compliance with current understandings of privacy-related constitutional values. While the statute had originally been enacted to transpose Directive (EU) No. 2006/24/EC, of March 15, into domestic Portuguese law, that European Directive was later found invalid by the Court of Justice of the European Union . At the time, Portuguese authorities declined adapting the law accordingly, arguing the implementing law granted sufficient safeguards to appease the concerns expressed by the CJEU.

In April 2022, however, the Portuguese Constitutional Court came to agree with the CJEU, and declared articles 4, 6 and 9 of the implementing statute unconstitutional for breach of the constitutional principles of proportionality and necessity, materialized in an interference in fundamental rights . Specifically, these articles required telecommunications and electronic communications service providers to retain and store all traffic and location data relating to all communications or attempts thereof, for a period of one year, with view to their potential use for the prevention, investigation, and prosecution of serious crimes.

On October 13, 2023, the Portuguese Parliament approved an updated version of Law No. 32/2008, which was expected to correct the flaws identified by the Constitutional Court already a year and a half ago. Not convinced of the legislator’s success in that matter, however, after receiving the Proposal for promulgation, the President of the Portuguese Republic directed the statute to the Constitutional Court seeking a preventive review on the use of traffic and location data in criminal investigation. The community is now waiting for that judgment.

II.    Background: why was it unconstitutional and what was the government expected to improve?

Three lines of criticism were developed by the Constitutional Court in April 2022 :

1. the right of the data subject to control and audit the processing of his/her data would be compromised by the fact that it was not foreseen that data retention had to take place in an EU Member State;
   
   
2. the undifferentiated and generalized obligation to retain all traffic and location data concerning all individuals disproportionately restricts the rights to privacy and information self-determination;
   
   
3. By not providing for notification to the data subject that the retained data has been accessed by criminal investigation authorities, it could deprive data subjects of any effective control over the lawfulness and regularity of access to their data, in violation of the rights to informative self-determination and to effective judicial protection.

In short, the Constitutional Court deemed the mandatory generalized retention of all available communications data concerning all individuals for criminal prosecution purposes as sanctioning legal presumptions of guilt, in arguable violation of constitutional principles.

III.    The new Law: What’s New on the Menu?

In light of the Constitutional Court's decision, it was now for Government and Parliament to find a balance between fighting crime and respecting citizens’ privacy.

In that context, the Portuguese legislator could have chosen to follow the criteria issued by the CJEU providing general and discriminatory retention of traffic data may occur only if there are concrete and specifically determined grounds to suspect the commission of a serious crime. We can anticipate that this was not how the Portuguese Government saw fit to legislate.

Instead, the Proposal provides:

1. Traffic data, date and location data, as well as metadata that enables the identification of the communication service users (both sender and receiver) and their devices are still subject to mandatory retention;
   
   
2. This retention obligation, however, no longer falls on law enforcement agencies, but rather in operators of publicly available electronic communications networks and public communications networks (“Network operators”);
   
   
3. The intervention of a judge is no longer necessary – operators must transfer the retained data to law enforcement authorities when requested by the District Attorney’s Office, or one of its Prosecutors;
   
   
4. Data that enables the identification of the individuals engaging in communication, as well as their IP addresses and connections must be retained for at least a year, by the operators, for the purpose of their potential use in criminal prosecution;
   
   
5. While the remainder of the data collected (regarding, e.g., traffic and location) must first be retained for three months, upon which the retention will be automatically extended to six months, unless the data subject opposes (although no reference is made to how this prerogative should be exercised), and after which the retention may again be extended for six more months by decision of the Supreme Court of Justice, upon request by the General District Attorney (having as effect that this data can also be retained for up to a year);
   
   
6. Whenever applicable, terms in the statute shall have the same construction as homonymous terms in the GDPR;
   
   
7. Network operators may not access the data they retain other than to fulfil legal or contractual obligations;
   
   
8. The judicial authorization to extend the retention of communications data should be notified to the data subject within 10 days, but it may not be whenever the Court and the DA’s office agree such notice could harm an undergoing investigation.

IV. Going Forward: Predictions on a Constitutional Judgment

It is never a good idea to attempt to predict how judges (let alone a collective of judges) will decide on a specific matter. Legal analysis, however, provides tools that enable, at least, the putting forward of predictive considerations.

The unconstitutionality judgment of April 2022 was not entirely uncontroversial – some dissident voices still claimed the legitimacy and lawfulness of Law No. 32/2008. The majority decided, however, otherwise and it does not appear that the new government Proposal will be considered to have addressed the issues as raised by that majority.

On the one hand, switching the subjective scope of the retention obligation  from public law enforcement to operators of publicly available electronic communications networks (who are, it should be noted, forced to transfer that data to law enforcement upon request by a DA) does not represent a lesser intrusion into individuals privacy – their data is still being retained, for under-determinate purposes, and easily accessible to law enforcement for broad “criminal prosecution.” On the other hand, the “selection” of data that should be retained is not less broad than before, nor is its retention significantly reduced in time (since it can still all be retained for up to a year). Finally, the concern with the applicability of the GDPR appears to be exhausted through reference to the use of its definitions when interpreting the new law.

Overall, it appears the Portuguese legislator is still unconvinced of the merits of the decision declaring invalid the previous regulation, and is attempting to enact a similar statute. Will they be able to?

Article provided by INPLP member: Ricardo Henriques (Abreu Advogados, Portugal)

 Co authors: José Maria Alves Pereira and Matilde Ortins de Bettencourt

Discover more about the INPLP and the INPLP-Members

Dr. Tobias Höllwarth (Managing Director INPLP)