CJEU upholds strict requirements for law enforcement access to electronic communications metadata

Designed by: stories/Freepik

On 2 March 2021, the Court of Justice of the European Union (CJEU) delivered its judgment in the case C-746/18 – Prokuratuur from Estonia. The ruling expands and clarifies the extensive, and increasing complex, CJEU case law on data retention for electronic communications services.

Traffic and location data (electronic communications metadata) may allow precise conclusions to be drawn about the persons involved, e.g. their social relationships or the social environments frequented by them. In most cases, the CJEU has only allowed access to such data for serious crimes. However, in C-207/16 – Ministerio Fiscal, the CJEU ruled that access to retained data could be authorised for all criminal offences when the interference that such access entails is not serious. In essence, access to retained data is only allowed in cases of serious crime when the access implies a serious interference, and in all criminal cases when the access does not imply a serious interference.

The Ministerio Fiscal case was concerned with access to data about user identity, without any connection to the destination or location of the user’s electronic communications. While access to data strictly limited to user identity (e.g. name and address) is not a serious interference, it was not clear from the judgment whether access to a small subset of retained traffic and location data could also be regarded as a non-serious interference. Even though the retained data as a whole allows precise conclusions to be drawn about the users’ private lives, it could perhaps be argued that this is not the case for a sufficiently small subset of the retained data.

In the new judgment, the CJEU provides the much needed clarity on this issue. For traffic and location data that allows precise conclusions to be drawn, law enforcement access must always be confined to cases of serious crime, even for access to small subsets of the data (by para. 45 of the judgment: “this is so regardless of the length of the period in respect of which access to those data is sought and the quantity or nature of the data available in respect of such a period.”)

In paras. 39-40, the CJEU elaborates that even access for a short period may provide precise information about a person’s private life, and this assessment can only be made after the data as a whole has been consulted. Restricting access to cases of a serious crime is also critical for upholding the purpose limitation principle reiterated by the CJEU in para. 31: ”[A]ccess may be justified only by the public interest objective for which those service providers were ordered to retain the data.” A purpose limitation to serious crime at the retention stage would be effectively undermined if the data, or a subset thereof, could subsequently be assessed in ordinary criminal cases.

While the new judgment is very positive from the viewpoint of EU data protection law, it also highlights the increasing tension between CJEU case law and Member States’ national data retention laws. The case was referred to the CJEU in part because the accused person disputed that the data could be admissible as evidence in the criminal case when it was retained and accessed illegally. From the CJEU judgment, it is apparent that the Estonian data retention law does not comply with Article 15(1) of the ePrivacy Directive. The data retention obligation is general and indiscriminate, and access to retained data is not limited to serious crime. However, since there is currently no EU law on admissibility of evidence, the CJEU must leave this question entirely to national law and national courts.

(Contribution by: Jesper Lund, Chairman IT-Political Association of Denmark)