Even criminal offences that are not particularly serious may justify the disclosure of basic electronic communications metadata provided that such disclosure does not seriously undermine the right to privacy, Advocate General of the European Court of Justice (AG) Saugmandsgaard Øe has recently proposed.

The EU’s directive on privacy and electronic communications obliges electronic communications service providers to put in place safeguards in order to ensure the privacy and confidentiality of any data exchanged through electronic services such as the internet and mobile and landline telephony and via their accompanying networks.

It sets out rules to ensure security in the processing of personal data, the notification of personal data breaches and confidentiality of communications. Nonetheless, the directive provides that such rights may be restricted by national rules which are necessary and proportionate to safeguard specific public interests, such as to allow criminal investigations or to safeguard national security, defence or public security.

In an investigation concerning the robbery of a wallet and a mobile telephone, the Spanish police asked the examining magistrate to grant it access to the identification data of users of telephone numbers activated from the stolen telephone for a period of 12 days from the date of the theft. The request was refused on the basis that the facts on which the criminal investigation was based did not constitute a serious offence.

The decision was appealed.

The appellate court filed a preliminary reference before the Court of Justice of the European Union requesting guidance as to how serious an offence must be in order to justify an infringement of fundamental rights when national authorities seek access to personal data retained by electronic communications service providers.

In his opinion, the AG noted that a measure such as that requested by the police in the present case constituted an interference with the right to respect for private and family life and with the right to protection of personal data. He alluded to previous CJEU jurisprudence where the court had established a link between the seriousness of the interference and the seriousness of the reason justifying the interference.

The AG highlighted the fact that the nature of the interference in the present case related to a measure intended to allow access, by the competent authorities and for the purposes of a criminal investigation, to data held for commercial purposes by service providers. This data related solely to the identity – surname, forename and possibly address – of a restricted category of subscribers or users of a specific means of communication, namely those whose telephone number was activated from the mobile telephone the theft of which was being investigated, for a limited period, that is, approximately 12 days.

Hence, the potentially harmful effects for the persons concerned by the request for access to the data in question were both slight and limited. The data sought was not intended to be disclosed to the public at large and the right of access enjoyed by the police authorities was accompanied by procedural safeguards as it was subject to review by a court, the AG observed. This meant that the interference entailed by the communication of such data was not particularly serious since such data did not have a direct or great effect on the privacy of the persons concerned.

The AG noted that in terms of the EU’s directive, a derogation from the principle that electronic communications were confidential might be justified by the objective of preventing and prosecuting criminal offences. No further guidance was provided by the directive as to the nature of such offences.

It was, therefore, not essential that the offences justifying the restrictive measure in question were classified as ‘serious’. It was only where the interference suffered by the data subject was particularly serious that the offences capable of justifying such interference had to themselves be particularly serious, the AG asserted.

On the other hand, where disclosure of the data sought did not entail a serious infringement of privacy, even criminal offences which were not particularly serious might justify the disclosure of the data requested. The AG asserted that EU law did not preclude the competent authorities from having access to identification data held by electronic communications service providers where such data made it possible to find the presumed perpetrators of a criminal offence even though it was not serious in nature.

The AG concluded that, in the light of the directive, the measure requested by the police in the present case did not interfere seriously with an individual’s fundamental rights and hence the offence for which access to data by the police was being sought did not necessarily have to be a serious one.

In this day and age, when buzzwords such as data protection, privacy and the right to be forgotten have become the talk of the town, it is a sine qua non that a balance be maintained at all times between an individual’s fundamental rights to privacy and confidentiality and the rights of the public at large. The imminent ruling by the CJEU on the matter discussed above will, by endorsing the AG’s opinion or otherwise, undoubtedly shed more light on such a sensitive and topical issue.

Mariosa Vella Cardona M.Jur is a freelance legal consultant specialising in European law, competition law, consumer law and intellectual property law.

mariosa@vellacardona.com
