Do you trust the police? CJEU Advocate General accepts access to phones for any type of crime

Smartphones often contain the most intimate details of our private life. They have apps to access all our communication services and social media accounts, sensors that may record very private details of our bodies, especially when connected to activity trackers or smartwatches, fine-grained location records, and cameras that we use to collect visual memories of our physical whereabouts, participation in public protest, and interactions with other individuals. The modern smartphone has almost become a digital extension of our body, mind and thoughts.

Law enforcement, being perfectly aware of this treasure trove of information, is increasingly seizing smartphones as evidence in investigations or to supposedly verify the veracity of asylum applications. Private companies such as Cellebrite, MSAB and Grayshift sell specialised equipment to law enforcement for extracting data from mobile devices, either by exploiting security vulnerabilities on the device for brute-force access, or by persuading or forcing the owner to unlock the device. These data-extraction tools are becoming widely used, also in local police stations to prosecute any and all crimes, even petty ones.

What legal rules govern access to personal data stored on our smartphones and protect our fundamental rights?

Technology will always move faster than the law, but in this case the discrepancy has become particularly problematic. In many countries, the ordinary rules for police gathering of evidence apply, and the smartphone is simply one of many objects that can be seized in the conduct of investigations. Legal protections that apply when e.g. telephone calls are intercepted, may not apply when private communications are extracted from the device storage.

A case (C-548/21) pending before the Court of Justice of the European Union (CJEU) may shed light on whether EU law can offer the protection of fundamental rights that’s often missing in the current legal framework and practices of Member States.

Advocate General (AG) Campos Sánchez-Bordona published his opinion on the case on 20 April 2023. AG opinions are non-binding but influential on the final judgment of the Court.

The dispute in the case stems from the seizure of and attempt by the Austrian police to access the data stored in a phone belonging to a person whose postal package containing 85g of cannabis was intercepted by the customs authorities. AG opinions are non-binding but influential on the final judgment of the Court.

The Austrian referring court submitted three questions to the CJEU, mainly focusing on the interpretation of the ePrivacy Directive. These questions are undoubtedly inspired by the landmark ruling of the CJEU on data retention and protection of the confidentiality of communications in electronic communications services. In his opinion, the AG first recommends to the CJEU to declare the reference for a preliminary ruling inadmissible because the ePrivacy Directive is not applicable in the present case and because the referring court failed to reformulate its questions when suggested to do so. In case the Court decides on an alternative outcome than inadmissibility, the AG Opinion also addresses the substantial issues raised by the case.

The AG concludes that access to information on a phone should not be limited to the investigation of serious crime, provided that access is justified in each case and limited to what is strictly necessary and proportionate. However, prior authorisation from a court is required before law enforcement can get full and uncontrolled access to all the data stored on a mobile phone.

Why does the ePrivacy Directive not apply?

Whereas the referring court sought mainly an interpretation of the ePrivacy Directive (2002/58), the AG rules out its application to the case entirely, following the majority opinion of the parties to the proceedings. Indeed, the AG states that the ePrivacy Directive only applies where Member States “impose processing obligations on providers of electronic communications services”. Where there is no involvement of an electronic communications service provider, such as in the present case where the seizure of and access to the phone was done directly and solely by law enforcement officers, only the protections afforded by national law, subject to the application of the Law Enforcement Directive (LED) 2016/680, applies.

On this basis, the AG states that the request is inadmissible since the EU law measure whose interpretation the Austrian court is seeking does not apply to the case.

It remains to be seen whether the CJEU will follow the AG’s conclusion or accept the request of inadmissibility regardless of these grounds. During the oral hearing on 16 January 2023, the judges of the Grand Chamber asked numerous questions to Member States and the Commission about the interference with fundamentals rights that law enforcement access to a mobile device entails.

Which guarantees does EU law offer when the police wants to access a phone?

Having excluded the ePrivacy Directive, the only applicable EU law instrument for the AG Opinion is the Law Enforcement Directive (LED) 2016/680. Whereas the physical seizure of the mobile device by the police is governed by national law on evidence gathering (generally outside the scope of EU law), any processing of personal data by law enforcement authorities for criminal investigations falls under the LED interpreted in light of the Charter. Access to information on a mobile device, and, as the AG points out, even failed attempts to gain access, clearly involve processing of personal data.

The AG first concludes that access to information stored on a mobile device should not be limited to investigations of serious crime. This question was asked by the Austrian court under the assumption that the ePrivacy Directive and the associated CJEU case law applies. It is also a very natural question in light of the sensitivity of the information stored on a mobile device. However, the AG dismisses this analogue reasoning from the case law interpreting the ePrivacy Directive since the latter is concerned with the systemic general and indiscriminate data retention for an undefined generic group, whereas access to a mobile device only concerns the individual who is subject to the criminal investigation (points 65-66). However, this argument by the AG seems to ignore that parts of the ePrivacy case law actually deals with access to retained data in individual cases, e.g. the Prokuratuur and Ministerio Fiscal cases.

Recalling that the LED applies to processing of personal data for investigation of all criminal offences, not just serious crime, the AG instead proposes that access to data on a mobile device “must be justified in each case and must be limited to what is strictly necessary and proportionate according to the nature of the criminal offences under investigation and of the personal data to which access is sought.” This approach leaves a lot of discretion to Member States’ police authorities who will be naturally inclined to believe that their evidence collection is done in a proportionate way.

Data extraction from a mobile device is particularly problematic because there is no technical way to limit police access to a particular piece of information on the device. After unlocking the device, the police gets physical access to everything on the device, just like the owner would, except for the rare situation where certain apps are protected with separate passwords. This raises the question whether we should simply trust the police to limit its own access to what is strictly necessary and proportionate in the specific case, or whether specific procedural rules are required to ensure this.

On this point, the AG says that the national legislature must define the procedural rules for access to a mobile. The AG even accepts that this can be general rules laid down in domestic law for obtaining evidence. It is very hard to see how general rules with broad discretion to the police can afford adequate protection of fundamental rights in connection with full access to a mobile device.

Court authorisation required

The Austrian court specifically asks whether prior court authorisation is required for access to data stored on a mobile device. In the data retention and PNR case law, the CJEU has insisted on this to effectively protect against the risk of abuse. The AG agrees that the case law can be transposed to the present case: “Law enforcement authorities cannot, without prior authorisation by a court, grant themselves full and uncontrolled access to all the data stored on a mobile telephone in the course of a criminal investigation where those data make it possible to obtain a detailed picture of a person’s private life.” (paragraph 105)

There must be a general presumption that data stored on a mobile device makes it possible to obtain a detailed profile of the owner, which means that a court order will, in practice, always be required before the police can begin extracting data from a mobile device. As argued by the European Data Protection Supervisor, “Our smartphones know everything about us: they know our data, they can hear us, they can see us, and they know where we are and who we talk with.”

However, the proposition from the AG does not address how a court authorisation can effectively ensure that the extracted information is actually limited to what is strictly necessary and proportionate. A clear risk of abuse would be cases where the police uses the pretext of prosecuting minor offences (e.g. use of drugs) to seize and search a phone and in reality look for evidence of guilt of more serious crime but for which no reasonable grounds can be presented to justify a request. Ideally, the data extraction should be performed by an independent body whose sole role in the investigation is to ensure that only information from the mobile device expressly allowed by the court authorisation is turned over to the police, and that anything else is immediately deleted.

Lastly, the AG concludes that the owner of the mobile device must be informed of the data extraction when this can no longer jeopardise the investigation. This conclusion is based on an interpretation of Article 13 of the LED, but otherwise identical to the data retention and PNR case law, where the CJEU has held that notification is necessary for the person concerned to be able to exercise his or her data subject rights, e.g. rights of access and rectification, and to have access to effective remedies enshrined in Article 47 of the Charter.

Contribution by: Chloé Berthélémy, Senior Policy Advisor, EDRi, Jesper Lund, Chairman, IT-Pol Denmark