Abstract
In Ministerio Fiscal the Court of Justice of the European Union has considered once again the criteria governing access by the authorities to data retained by electronic communications service providers permitted under Article 15(1) of Directive 2002/58 (the ‘ePrivacy Directive’), in particular the principle of proportionality and the concept of ‘serious crime’ as developed in the recent Digital Rights and Tele2 rulings.
1. Introduction
In Ministerio Fiscal, 1 the Court of Justice of the European Union (CJEU, the Court) has further developed its jurisprudence on the criteria governing access by the authorities to personal data retained by electronic communications service providers, as permitted under Article 15(1) of Directive 2002/58 (the ‘ePrivacy Directive’). 2 The Court has avoided defining the concept of ‘serious crime’ developed in the recent Digital Rights 3 and Tele2 4 rulings, and has maintained its broad approach to the personal and material scope of protection of the fundamental rights guaranteed under the Charter of Fundamental Rights of the EU (the Charter) and the ePrivacy Directive.
2. Facts and procedure
In 2015 a thief stole a wallet and mobile telephone. As part of the investigation into the theft, the Spanish police requested the Juzgado de Instrucción, the investigating magistrate responsible for the case, to grant them access to data identifying users of the stolen mobile phone. These were the telephone numbers activated with the International Mobile Equipment Identity code (‘the IMEI code’) of the stolen mobile phone for a period of 12 days as from the date of the theft, and the personal data relating to the identity of the owners or users of the telephone numbers corresponding to the SIM cards activated with the code, such as their surnames, forenames and, if need be, addresses.
The magistrate rejected the request on the ground, inter alia, that the acts giving rise to the criminal investigation did not constitute a ‘serious’ offence – that is, an offence punishable under Spanish law by a term of imprisonment of more than five years 5 – and that access to such identification data was only permissible under Spanish law in respect of such ‘serious’ offences. 6 Subsequently the Spanish legislature introduced new alternative criteria for determining the degree of seriousness of an offence, in respect of which the retention and communication of personal data are permitted. One related to terrorism and offences committed in the context of organised crime, specific and serious criminal offences that are particularly harmful to individual and collective legal interests. The other was based on a minimum threshold of three years’ imprisonment. 7
Article 15(1) of the ePrivacy Directive provides that Member States may restrict certain rights in the Directive when such a restriction constitutes a necessary, appropriate and proportionate measure within a democratic society in order to safeguard national security, defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system. Directive 2006/24 (the ‘Data Retention Directive’) 8 went further and required operators to retain certain categories of communications data, that is, traffic and location data (excluding the content of those communications) for a period between six months and two years and to make them available, on request, to law enforcement authorities for the purposes of investigating, detecting and prosecuting serious crime and terrorism.
The CJEU invalidated the Data Retention Directive in its Digital Rights ruling, where the Court ‘recognised that the retention and communication of traffic data constitute particularly serious interferences with the rights guaranteed in Articles 7 and 8 of the Charter and established criteria for the assessment of whether the principle of proportionality has been observed, including the seriousness of the offences warranting the retention of data and access thereto for the purposes of an investigation’. 9
In Spain, the Ministerio Fiscal (Public Prosecutor’s Office) appealed against the magistrate’s decision before the Audiencia Provincial de Tarragona (Provincial Court of Tarragona). The Provincial Court decided to ask the CJEU for guidance on the threshold of seriousness of offences above which an interference with fundamental rights may be justified when the competent national authorities seek access to personal data retained by electronic communications service providers.
In the meantime, the CJEU considered the applicability of Articles 7 and 8 of the Charter to national data retention legislation in Sweden and the UK, and affirmed and developed its approach in Digital Rights to justification for serious interference with those rights. In Tele2, the Court first laid down that where national legislation provides for the general and indiscriminate retention of traffic and location data for the purpose of fighting crime, only the objective of fighting serious crime is capable of justifying such a measure. Second, it applied that reasoning to access to such data, emphasising that ‘since the objective pursued must be proportionate to the seriousness of the interference, it followed that, in the area of prevention, investigation, detection and prosecution of criminal offences, only the objective of fighting serious crime is capable of justifying such access to the retained data’. 10
The reference from the Provincial Court was stayed by the CJEU pending judgment in Tele2. Following that ruling, the referring court maintained its request for a preliminary ruling, to define the seriousness of the offence that could justify a measure of interference.
3. The ruling of the CJEU and the Opinion of Advocate General Saugmandsgaard Øe
In this case the reasoning of the Court and that of the Advocate General were very close, and the Court specifically followed the Advocate General on the key issues. It is therefore appropriate to consider the reasoning of the two together.
The Court first dealt with procedural objections raised by Spain.
With regard to jurisdiction, Spain argued that the case concerned an activity of the State in criminal matters, and thus fell outside the scope of the ePrivacy Directive under the exception in Article 1(3). The Court observed that the fact that national authorities’ request for access to personal data was made in connection with a criminal investigation does not bring this case outside the scope of the ePrivacy Directive. 11 To the contrary, the Court noted that ‘legislative measures requiring providers of electronic communications services to retain personal data or to grant competent national authorities access to those data necessarily involve the processing, by those providers, of the data’. It therefore concluded that such measures, ‘to the extent that they regulate the activities of such providers, cannot be regarded as activities characteristic of States, referred to in Article 1(3) of Directive 2002/58’. 12
It was also argued that the ePrivacy Directive only applied to traffic and location data relating to communications made. Following the Advocate General at point 54 of his Opinion, the Court ruled that the ePrivacy Directive governs all processing of personal data in connection with the provision of electronic communications services. It is not limited to traffic data relating to communications actually carried out and to the location data concerning the stolen mobile telephone. 13 In consequence, data relating solely to the identity of owners or users of SIM cards, known as ‘subscriber data’, fall within the scope of the Directive.
The Court then proceeded to address the substance. It considered the two questions referred together and reformulated them, as suggested by the Advocate General, into the question whether the limited access to data requested by the police entailed an interference with the fundamental rights of privacy and data protection in the Charter which was sufficiently serious to require such access to be limited to the objective of fighting serious crime. 14
The Court affirmed that access by national authorities to personal data retained by providers of electronic communications services constitutes an interference per se with the fundamental rights of respect for private life and protection of data enshrined in Articles 7 and 8 of the Charter, regardless of whether that interference is ‘serious’. 15
The Court noted that the ePrivacy Directive sets out an exhaustive list of legislative objectives capable of justifying such an interference, so that such access must correspond, genuinely and strictly, to one of those objectives. In this respect, the Court noted that, as regards the objective of preventing, investigating, detecting and prosecuting criminal offences, the wording of the Directive does not limit that objective to the fight against ‘serious crime’ alone, but refers to ‘criminal offences’ generally. 16
The Advocate General observed that the rulings of the CJEU in Digital Rights and Tele2 had established a link, in line with the principle of proportionality, between the ‘great breadth and the particularly serious nature of the interference’ in Digital Rights 17 and the seriousness of the reason required to justify that interference. Thus, the requirement that there should be a ‘serious offence’ to justify derogating from the principle that electronic communications are confidential means that the interference itself must be serious. This essential element was lacking in the present case, where the nature of the interference was quite different and related to a targeted and narrowly circumscribed measure operative over a very short period, with the result that the interference entailed was not particularly serious for the privacy of the persons concerned. 18
The Court agreed that such access could not be defined as a ‘serious’ interference with the fundamental rights of the persons concerned, as those data do not allow precise conclusions to be drawn concerning their private lives. 19 The Court concluded that the interference occasioned by access to such data may therefore be justified by the objective under Article 15(1) of the ePrivacy Directive of preventing, investigating, detecting and prosecuting ‘criminal offences’ generally, 20 without it being necessary to define those offences as ‘serious’.
4. Comments
For a narrowly defined case, the ruling is remarkable for the number of important questions that it addresses.
a. The CJEU applied the principle of proportionality as the criterion for justification of limited interference with fundamental rights
The national court asked for guidance on whether the seriousness of an offence may be assessed on the basis of the sentence which may be imposed or whether it is necessary to go further and identify particular levels of harm to the individual or collective interests involved. In particular, it asked whether a minimum sentence of three years’ imprisonment would be sufficient to this effect.
The Advocate General advised against laying down a definition of a ‘serious offence’ within the meaning of Digital Rights and Tele2. He argued that the concept of ‘serious crime’ is ‘not an autonomous concept of EU law the content of which must be defined by the Court’, but rather depends on the legal order of each Member State, 21 subject to the need to interpret the derogation in Article 15(1) of the ePrivacy Directive in accordance with the fundamental rights guaranteed by the Charter. 22 Following this advice, instead of providing the requested guidance on the threshold for ‘serious crime’, the Court focused on the interference with individual rights and the proportionality of that interference. It reformulated the questions referred, specifying that the question in issue did not relate to the compliance of the communications service providers with the law but rather to ‘whether, and to what extent, the objective pursued by the legislation at issue in the main proceedings is capable of justifying the access of public authorities, such as the police, to such data (…)’. 23
In its ruling in Tele2, the Court ruled that access to the retained traffic and location data, taken as a whole, allowed precise conclusions to be drawn regarding the private lives of the persons concerned. Such access therefore constituted a serious interference with fundamental rights and could be justified only by the objective of fighting serious crime. In order to reconcile Tele2 with the present case, the CJEU referred to paragraph 115 of the Tele2 ruling as laying down that the objective pursued by the access must be proportionate to the seriousness of the interference with the fundamental rights that the access entails. 24
In this respect, the Court’s analysis of proportionality in the present case was based on two main issues. First, the access request was limited in type, 25 to the forename, surname and address, and limited in time. Therefore it could not be deemed a serious interference with the fundamental rights of the data subject.
Second, the limited data concerned could not be cross-referenced with other data. As a result, those data did not ‘allow precise conclusions to be drawn concerning the private lives of the persons whose data is concerned’. 26 This absence of profiling appears to be a ‘key factor’ for the Court’s assessment of the interference as ‘not serious’. 27
In such cases, access can be justified by the broader objective of fighting criminal offences generally. 28
The Provincial Court will have to apply the ruling to its national legislation laying down a specific threshold of three years’ imprisonment. It has been argued that the Spanish court may take the view that applying the proportionality argument will require it to grant access for less serious crimes, notwithstanding national law, an interpretation which could overstep the bounds of the CJEU’s competence just as much as defining ‘serious crime’ would have done. 29 However, this is not actually required by the wording of the Court’s response, which leaves it open to the national court to decide how to implement the preliminary ruling. 30
Finally, whilst the CJEU has recognised that access to identification data per se is not intrusive, the question has been left open how that information may be based on other information retained by telecoms operators. If the underlying national legislation requires the retention of wider categories of data that permit profiling, such retention can only be justified by the objective of fighting serious crime and must respect the criteria laid down in Tele2. If national legislation does not satisfy these retention criteria, the question arises whether access to a part of the data retained may be lawful. The Advocate General noted that the conformity with EU law of the retention of the data had not been called into question in the main proceedings, nor was there any information on this point. He concluded that it was appropriate to assume that the data at issue in the main proceedings were retained in accordance with the national legislation, ‘in compliance with the conditions laid down in Article 15(1) of Directive 2002/58, which it is for the referring court alone to verify’. 31
b. The CJEU maintained its position on the application of EU law to national law enforcement activities involving access to personal data retained by private operators 32
Spain, supported by the UK, submitted that the Court did not have jurisdiction because the case in question fell outside the scope of Directives 95/46 and 2002/58. Spain argued that the request for access was part of national authorities’ exercise of jus puniendi and thus an activity of the State in the area of criminal law falling under the exception from the scope of the ePrivacy Directive in Article 1(3) thereof (the same as the exception clause in the first indent of Article 3(2) of Directive 95/46).
In view of the ruling in Tele2, the Advocate General drew a clear distinction between ‘personal data processed directly in the context of the activities – of a sovereign nature – of the State in a field governed by criminal law’ and ‘data processed in the context of the activities – of a commercial nature – of an electronic communications service provider which are then used by the competent State authorities’. 33 The Court concluded that legislative measures permitted under Article 15(1) of the ePrivacy Directive (herein ‘derogations’) come within its scope, even if they pursue objectives which ‘overlap substantially’ with the activities excluded from the scope of the ePrivacy Directive under Article 1(3) thereof (herein ‘exceptions’). In particular it noted that national legislation requiring providers of electronic communications services to retain personal data or to grant competent national authorities access to those data necessarily involves the processing of the data by those providers and thus cannot be regarded as the activities characteristic of States referred to in Article 1(3) of the ePrivacy Directive.
The Advocate General underlined the significance of this approach with reference to the pending Privacy International case. 34 This case concerns national security, which, like law enforcement, is mentioned both in the exceptions under Article 1(3) and the derogations under Article 15(1) of the ePrivacy Directive. The British Investigatory Powers Tribunal has asked the CJEU whether, having regard to Article 4 TEU and Article 1(3) of the ePrivacy Directive, a requirement by a government minister to an electronic communications operator to provide bulk communications data to national security and intelligence authorities falls within the scope of Union law and the ePrivacy Directive. The case law relied on in Privacy International refers, in particular, to early judgments of the Court in the first decade of this century. 35 This was before the entry into force of the Lisbon Treaty, which inter alia removed the distinction between the First and the Third Pillars which played such an important role in the earlier case law. 36 Since then the case law has substantially changed, 37 as evidenced by the Court’s rulings in Digital Rights, Tele2 and EU-Canada PNR, and now Ministerio Fiscal.
c. The Court adopted a broad approach to the protection of subscriber data 38
Subscriber data is not defined in the ePrivacy Directive, 39 unlike traffic and location data, and its status was uncertain before the ruling in Ministerio Fiscal, as will be seen below. Spain argued with regard to admissibility that mere subscriber data are not covered by the concept of confidentiality of communications enshrined in Article 7 of the Charter, which only extends to the electronic communications themselves. The police request for access to these data was not an interception of communications made by means of the SIM cards in the stolen mobile telephone; it was solely the ‘establishment of a link between the cards and their owners, in such a way that the confidentiality of the communications is not affected’. 40
The Court agreed that ‘the sole purpose of the request’ was indeed to obtain the ‘data relating to the identity of the owners of those cards’, and that ‘those data do not concern (…) the communications carried out with the stolen mobile telephone or its location’, but it ruled that this distinction was ‘irrelevant’. 41 Following the Advocate General, the Court maintained its broad approach to the scope of protection and ruled that the ePrivacy Directive is intended to govern ‘all processing of personal data in connection with the provision of electronic communications services’. Going further, the Court did not follow submissions by the Ministerio Fiscal, Denmark, Ireland, Latvia, Spain, the UK and the Commission to the effect that such identification information, where it is not connected to communications made, is not covered by the concept of ‘traffic data’. In view of the fact that the processing of subscriber information associated with the SIM cards and their owners is necessary for the provision of the electronic communications services, at least for purposes of charging for the service provided, irrespective of any calls actually made, 42 the Court recalled that Article 2(b) of the Directive defines such traffic data as ‘any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof’.
This is an important aspect of the judgment, because it requires subscriber data (the name and the IMEI address of the mobile device) to be protected in the same way as traffic data, even though they do not form part of an electronic communication. In consequence, access to such data falls within the safeguards of the ePrivacy Directive, and these safeguards cannot be circumvented by creating a separate category of subscriber data. This has important consequences for pending legislation.
At EU level, the Commission has adopted the Proposal for a Regulation on ‘eEvidence,’ providing for the issue of European Production and Preservation Orders for electronic evidence in criminal matters. 43 The Proposal allows the competent authorities in one Member State engaged in criminal proceedings to require access by private operators in another Member State to data held by them for use in those criminal proceedings.
The eEvidence Proposal has already been criticised for lowering the threshold of fundamental rights protection within the EU by dispensing with the safeguard of judicial control in the executing Member State. 44 In the present context, it may be observed that it dispenses with two further safeguards with regard to identification data, known as ‘subscriber data’. First, a European Production Order may be issued by a prosecutor in the requesting Member State and there is no need to obtain prior judicial approval; second, such an Order may be issued for all criminal offences, as opposed to more ‘sensitive’ data, known as ‘transactional or content data’, for which an Order may only be issued for investigations into offences that carry at least a three-year maximum sentence. 45 After Ministerio Fiscal, the second element may not be problematic with regard to basic identification data, so long as they do not reveal any communication data. However, the absence of any requirement of prior judicial scrutiny at all, whether in the requesting or the executing Member State, may be an issue. 46
Furthermore, the eEvidence Proposal groups two categories of data into the less-protected category described above, namely ‘subscriber data’, defined in Article 2(7) of the Proposal, and ‘access data’, defined in Article 2(8) of the Proposal. Whilst ‘access data’ are defined as data which are ‘strictly necessary for the sole purpose of identifying the user of the service’, the definition also encompasses various forms of metadata, including ‘electronic communications metadata’ as defined under the ePrivacy Proposal, 47 which includes data used to trace and identify the source and destination of a communication, location data, and the date, time, duration and the type of communication. Such metadata were characterised by the CJEU in Tele2 48 as providing the means of establishing a profile of the individuals concerned, ‘information that is no less sensitive, having regard to the right to privacy, than the actual content of communications’. 49 As a result, the CJEU considered such data to be particularly serious. Following the Tele2 ruling, the EDPB has underlined the need to ensure that the appropriate safeguards and conditions for access to eEvidence cover both ‘non-content’ and ‘content data’, and has criticised the definition of ‘access data’ as ‘vague’. 50 The ruling in Ministerio Fiscal confirms that the legislator will have to be clear on the definition of ‘access data’ if it wishes to continue to assimilate access and subscription data in this way.
At international level, Article 18(3) of the Budapest Convention 51 defines the term ‘subscriber information’ as ‘any information contained in the form of computer data or any other form that is held by a service provider, relating to subscribers of its services other than traffic or content data’ and refers in principle to ‘any information held by the administration of a service provider relating to a subscriber to its services’, 52 that is, to data which are not limited to simple identification data. A Second Additional Protocol is being negotiated to strengthen international cooperation under the Convention, including obtaining access to electronic evidence and enhancing mutual legal assistance. In February 2019 the Commission sought a mandate to participate in these negotiations, which were due to be finalised by December 2019. It has committed itself to work on behalf of the European Union to ensure that individuals are protected in line with the Charter, general principles of EU law and the case law of the CJEU, to ensure that all EU citizens will receive protection under the Second Additional Protocol that is fully in line with EU legislation, including in particular the ePrivacy Directive. 53 The clarifications in Ministerio Fiscal will now have to be taken into account in these negotiations.
5. Conclusions
The CJEU has maintained and developed its broad approach to the scope of protection of the fundamental rights guaranteed under the Charter and the ePrivacy Directive in two important respects: the broad scope of the types of personal data protected, and the material scope of the EU data protection framework, where it has clarified the difference between the exceptions to the scope of the ePrivacy Directive under Article 1(3) and the derogations permitted to certain specific articles under Article 15(1).
The Court has also avoided defining the concept of ‘serious crime’, whether on the basis of a specific threshold or on a more general effects-based approach. Instead it has provided a pragmatic solution based on the principle of proportionality, so that a greater or lesser level of justification will be required depending on the extent of the interference with fundamental rights in a particular case.
In this particular case, the facts may have been limited, but the judgment, seen in context, is quite significant.
