Public authorities’ access to electronic communications data has always been and continues to be a hot topic, even (or especially) after the EU Court of Justice (CJEU, Court) declared the so-called Data Retention Directive invalid in 2014 on the ground that the interference with the rights to respect for private life and to the protection of personal data recognised by the EU Charter of Fundamental Rights, which resulted from the general obligation to retain traffic and location data, was not limited to what was strictly necessary. Under the Directive, Member States had to transpose into their national law obligations for electronic communications service providers to retain certain data for a minimum of 6 months and maximum of 2 years.
After that, the Court has ruled on several occasions on the retention of and access to electronic communications data, the latest just a few days ago at the beginning of March (C‑746/18), where an Estonian court asked the CJEU (a) whether access to traffic and location data relating to a short period could justify access for fighting crimes that are not “serious” and (b) whether the Estonian public prosecutor’s office qualifies as an “independent” administrative authority that is able to carry out the prior review for access to the data that is required by EU law. The answer to both questions was a hard NO.
The underlying case in Estonia concerned convicting a person on a number of thefts of goods (of a value ranging from EUR 3 to EUR 40) and cash (in amounts between EUR 5.20 and EUR 2 100), using another person’s bank card, causing that person a loss of EUR 3 941.82, and performing acts of violence against persons party to court proceedings concerning her, on the basis of, among other things, personal data generated during the provision of electronic communications services. The offences listed are most likely generally not considered serious crimes or serious threats to public security (in earlier case law, the Court has considered access to electronic communications data only possible for fighting “serious” crime). The referring court therefore raised the question whether, where the period where the investigating authority has had access to the data is very short or the quantity of data gathered is very limited, the objective of combating crime in general, and not only combating serious crime, can justify such interference. Additionally, the referring court had doubts as to whether it is possible to regard the Estonian public prosecutor’s office as an “independent” administrative authority within the meaning of the judgment of the Court in Tele2 Sverige and Watson and Others considering the various duties which are assigned to it by national legislation.
The Court concluded:
- Access, for purposes in the criminal field, to a set of traffic or location data in respect of electronic communications, allowing precise conclusions to be drawn concerning a person’s private life, is permitted only in order to combat serious crime or prevent serious threats to public security. The length of the period in respect of which access to those data is sought and the quantity or nature of the data available in respect of such a period are irrelevant in that regard.
- EU law precludes national legislation that confers upon the public prosecutor’s office, whose task is to direct the criminal pretrial procedure and to bring, where appropriate, the public prosecution in subsequent proceedings, the power to authorise access of a public authority to traffic and location data for the purposes of a criminal investigation. According to the Court, the requirement of independence that has to be satisfied by the authority entrusted with carrying out the prior review means that that authority must be a third party in relation to the authority which requests access to the data, in order that the former is able to carry out the review objectively and impartially and free from any external influence.
It should be noted that Estonia did not change its electronic communications data retention laws after the Data Retention Directive was declared invalid. Under Estonian law, electronic communications service providers are required to retain certain data for 1 year and make it available, upon request, to a list of authorities, including outside of criminal proceedings (e.g., in civil proceedings and to supervisory authorities). It remains to be seen whether the recent CJEU judgement will finally provoke a change in Estonian law to comply with the EU standards. It also remains to be seen what questions the CJEU will have to tackle next in the world of electronic communications data as it will most likely not be able to escape it
Article provided by: Mari-Liis Orav (TGS Baltic, Estonia)
Dr. Tobias Höllwarth (Managing Director INPLP)