CJEU introduces new criteria for law enforcement to access data

On 2 October 2018, the Court of Justice of the European Union (CJEU) delivered a new ruling in the “Ministerio Fiscal” case on access to data retained by electronic communications service providers under the scope the ePrivacy Directive.

While investigating the robbery and theft of a mobile phone, the Spanish police asked an investigating magistrate to order various providers of electronic communications services to disclose the telephone numbers that had been activated during a twelve-day period with the International Mobile Equipment Identity (IMEI) code of the stolen mobile device, as well as the names and addresses of the subscribers for the SIM cards used for this activation. The request was denied by the magistrate on grounds that the criminal offence did not fulfill the requirements for serious offences in the Spanish Law 25/2007 on the retention of data relating to electronic communications and to public communication networks. On appeal by the prosecutor, a Spanish court referred the case to the CJEU.

The CJEU ruled that access to retained data for the purpose of determining the owners of the SIM cards used for activation of a mobile device entails an interference with the owners’ fundamental rights to privacy and personal data protection. However, the CJEU clarified that if the purpose for accessing the retained data is solely to obtain the subscriber identity, Article 15(1) of ePrivacy Directive allows restrictions of the rights provided for by the Directive for the prevention, investigation, detection, and prosecution of criminal offences – not just serious criminal offences.

What is interesting about this ruling is that in its previous Tele2/Watson judgment, the CJEU had ruled that access to the retained data is limited to cases involving serious crime. To reconcile the two rulings, the CJEU explains that this is because the objective pursued by the access must be proportionate to the seriousness of the interference with the fundamental rights that the access entails. The Tele2 case is concerned with access to retained data which, taken as a whole, allows precise conclusions to be drawn regarding the private lives of the persons concerned. Such access constitutes a serious interference with fundamental rights and can be justified only by the objective of fighting serious crime. If, however, the access to retained data is a non-serious interference, as in the present case involving access to the subscriber’s identity, access can be justified by the objective of fighting criminal offences generally.

The question that immediately comes to mind is whether this new case in any way departs from the strict conditions for access to retained data set forth in the Tele2/Watson judgment, and, in particular, whether the Ministerio Fiscal case waters down some of these conditions, thus allowing for access to retained data by law enforcement authorities in a greater number of scenarios.

First and foremost, it is important to note that the overlap between the two judgments is fairly small since they are concerned with very different questions:

The object of the Tele2/Watson case is the retention of data which, taken as a whole, is liable to allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained (first part of the judgment) and access to such data retained by electronic communications service providers (second part).

In contrast, the Ministerio Fiscal case is concerned with the presumably very narrow situation where accessing data does not constitute a serious interference. This includes obtaining a subscriber identity. However, the CJEU confirms that access to retained data which reveals the date, time, duration and recipients of the communications, or the locations where the communications took place, must be regarded as a serious interference since that data allows precise conclusions to be drawn about the private lives of the persons concerned (cf. paragraph 60 of the ruling). In these situations, access to the retained data must be limited to cases involving serious crimes, as in the Tele2 case.

There is, however, one scenario where the new judgment may add some confusion to the interpretation of the Tele2 judgment. According to paragraphs 108-111 of the Tele2 judgment, targeted data retention requirements for the purpose of fighting serious crime are compatible with EU law (unlike general and undifferentiated data retention which is illegal under EU law). Moreover, it would be natural to read paragraph 115 of the Tele2 judgment as always limiting the access to such retained data to cases involving serious crime because the targeted data retention requirement in itself constitutes a serious interference with fundamental rights that can only be justified by the objective of fighting serious crime. Allowing access to the retained data in cases not involving serious crime would arguably undermine the purpose limitation at the retention stage.

The CJEU did not define what can constitute a serious crime. Similarly, the Ministerio Fiscal ruling does not clearly refer to why the data was retained in the first place or whether that should affect the conditions for access to the retained data.

Because there is no apparent connection to why the data is retained, the CJEU now seems to say in paragraphs 54-61 of the Ministerio Fiscal ruling that if access is only sought to minor parts of the retained data, for example only for the purpose of obtaining the subscriber identity, accessing that data does not constitute a serious interference, even if the data is only available in the first place because of a (targeted) data retention order that can only be justified by the objective of fighting serious crime. This situation could arise in practice if the data retention order includes all data items in the (annulled) Data Retention Directive for a targeted group of persons, but access to the retained data is only requested for the purpose of determining the identity of a subscriber who has been assigned a specific dynamic IP address.

Leaving aside this potential weakening of the strict Tele2 conditions for access to retained data, there are three main positive aspects of the new judgment from a digital rights perspective:

1. The judgment clarifies that traffic data under the ePrivacy Directive includes the subscriber name and the IMEI address of the mobile device (cf. paragraphs 40-42). This implies that access to such data falls within the scope and safeguards of the ePrivacy Directive, and that the ePrivacy Directive cannot be circumvented by attempts to expand to definition of subscriber data.
2. The judgment notes in paragraph 51 with reference to the Court’s Opinion on the EU-Canada Passenger Name Records (PNR) agreement that access to any retained data, including subscriber identity, constitutes an interference with the fundamental right to the protection of personal data. Therefore, the CJEU requires substantive and procedural conditions based on objective criteria for the access to the retained PNR data, and the access must be subject to prior review by a court or an independent administrative body. In the Ministerio Fiscal case, the CJEU was not asked to consider substantive and procedural conditions for access. Nonetheless, paragraph 51 of the judgment has potential implications for other parts of EU law, most notably the proposed e-Evidence Regulation, which allows for access to not just subscriber data, but also so-called access data (data necessary to identify the user of a service) for all criminal offences and without any requirements of prior review by a court (a prosecutor’s approval can be sufficient) or an independent administrative body.
3. In paragraphs 34-37 of the Ministerio Fiscal judgment, the CJEU reiterates what it said in the Tele2/Watson judgment – that national legislation permitting access by competent authorities to personal data retained by electronic communications service providers cannot be regarded as activities of the state that fall outside the scope of Article 15(1) of the ePrivacy Regulation, since the access by competent authorities necessarily presupposes processing of personal data by the electronic communications service providers.

CJEU judgment in case C-207/16 Ministerio Fiscal (02.10.2018)
http://curia.europa.eu/juris/document/document.jsf?docid=206332&mode=req&pageIndex=1&dir=&occ=first&part=1&text=&doclang=EN&cid=252986

CJEU judgment in joined Cases C‑203/15 and C‑698/15 (Tele2/Watson)
http://curia.europa.eu/juris/document/document.jsf?text=&docid=186492&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=2525180

(Contribution by Jesper Lund, IT-Pol, Denmark, and Maryant Fernández Pérez, EDRi)