April 25, 2022
In March 2015 in Ireland, GD was sentenced to life imprisonment for the murder of a woman. In the appeal against his conviction, GD criticised the first instance court for having incorrectly admitted as evidence traffic and location data relating to telephone calls. GD also issued civil proceedings in the High Court (Ireland) contesting the validity of certain provisions of Irish law governing the retention of and access to such data, on the ground that his rights under EU law had been infringed. In December 2018, the High Court upheld GD’s case. Ireland appealed to the Supreme Court (Ireland), which sought clarification from the CJEU as to the requirements of EU law in respect of the retention of data for the purposes of combating serious crime and as to the necessary safeguards in respect of access to that data.
The CJEU noted that, pursuant to EU case law, national legislative measures which provide, as a preventative measure, for the general and indiscriminate retention of electronic traffic and location data for the purposes of combating serious crime are precluded. The E-Privacy Directive (2002/58/EC) does not merely create a framework for access to such data via safeguards to prevent abuse, but enshrines the principle that the storage of traffic and location data is prohibited. The retention of traffic and location data is therefore a derogation from the prohibition on the storage of such data and constitutes interference with the fundamental rights of respect for private life and the protection of personal data.
While the E-Privacy Directive allows Member States to place limitations on the exercise of those rights and obligations for the purposes, inter alia, of combating crime, those limitations must comply with the principle of proportionality. That principle requires compliance not only with the requirements of fitness for purpose and necessity but also with the requirement that the measures are proportionate to the objective pursued. Therefore, the CJEU has already held that the objective of combating serious crime, as fundamental as it may be, does not, in itself, justify the general and indiscriminate retention of all traffic and location data as necessary, given that it could interfere with the fundamental rights of an entire population.
Public authorities must therefore strike a balance between the various interests and rights in question. An objective of general interest may not be pursued without considering its reconciliation with the fundamental rights affected and ensuring that the significance of the public interest objective is proportionate to the significance of the interference that the measure entails.
The CJEU therefore rejected the argument that particularly serious crime could be treated in the same way as a genuine and current or foreseeable threat to national security and could, for a limited period, justify a measure for the general and indiscriminate retention of traffic and location data. Such a threat is distinguishable, the CJEU said, by its nature, seriousness, and specific circumstances from the general and permanent risk of tensions or disturbances, even of a serious nature, that affect public security or from that of serious criminal offences being committed.
However, the CJEU also held that EU law does not preclude legislative measures that, for the purposes of combating serious crime and preventing serious threats to public security, provide, subject to certain conditions, for:
- the targeted retention of traffic and location data, limited to certain categories of people or to geography;
- the general and indiscriminate retention of IP addresses;
- the general and indiscriminate retention of data relating to the civil identity of users of electronic communications systems; and
- the expedited retention (“quick freeze”) of traffic and location data.
Therefore, national authorities may adopt a targeted measure of retention of data using geographic criteria, such as the average crime rate in a particular area, without necessarily having specific indications as to the preparation or commission of an act of serious crime. Such a retention measure covering places that regularly receive a high volume of visitors, such as airports, stations, maritime ports or tollbooth areas, allows the authorities to collect information as to the presence of people using electronic communication services in that place and to draw conclusions about their activity for the purposes of combating serious crime.
The CJEU also said that neither the E-Privacy Directive nor any other measure of EU law precludes national legislation, for the purpose of combating serious crime, from providing that the purchase of a means of electronic communication, such as a pre-paid SIM card, is subject to checks as to the purchaser’s identity and registration by the seller of that information, with the seller being required, should the case arise, to give access to that information to national authorities.
The CJEU also noted that the E-Privacy Directive does not preclude national authorities from making a “quick freeze” order at the first stage of an investigation into a serious threat to public security or a possible serious crime. Further, such a measure may be extended to traffic and location data relating to people other than those suspected of having planned or committed a serious criminal offence or acts against national security, provided that that data can, on the basis of objective and non-discriminatory factors, shed light on the crime, such as data concerning the victim and their social or professional circle.
Further, the CJEU said, these various measures can, subject to the limits of what is strictly necessary, be applied concurrently.
The CJEU therefore again rejected the argument that national authorities should be able to access, for the purposes of combating serious crime, traffic and location data which have been retained in a general and indiscriminate way, in order to address a serious, genuine and current or foreseeable threat to national security.
The CJEU also confirmed that EU law precludes national legislation from making the centralised processing of police requests for access to data from electronic communications providers the responsibility of a police officer, even where that officer is assisted by a unit within the police service that has a degree of autonomy in the exercise of its duties and that officer’s decisions may subsequently be subject to judicial review. The CJEU confirmed its case law according to which, in order to ensure full compliance with the strict conditions of access to personal data, such as traffic and location data, access by national authorities to retained data must be subject to a prior review carried out either by a court or by an independent administrative body. Further, the request for such a decision must be submitted within the framework of procedures for the prevention, detection or prosecution of crime. A police officer does not constitute a court and does not have all the guarantees of independence and impartiality required to qualify as an independent administrative body, the CJEU said.
Finally, the CJEU confirmed that EU law precludes a national court from placing a time limit on any declaration of invalidity of national laws requiring electronic communications providers to retain, generally and indiscriminately, traffic and location data, that it might be required to make as a result of the incompatibility of that legislation with the E-Privacy Directive further to the judgment in Case C-293/12 Digital Rights Ireland.
In this case, the CJEU held that the admissibility of evidence obtained by means of such retention is, in accordance with the principle of procedural autonomy of Member States, a matter for national law, subject to compliance with the principles of equivalence and effectiveness. (Case C-140/20 GD v Commissioner of An Garda Síochána EU:C:2022:258 (5 April 2022) — to read the judgment in full, click here).