The disclosure of metadata may be justified in the investigation of offences that do not constitute serious offences, in the opinion of an Advocate General to the Court of Justice. But the special circumstances required to be present to justify an interference with the right to privacy are likely to be rare and did not apply in the instant case.
Advocate General Saugmandsgaard Øe has given an Opinion to the CJEU which proposes that the Court should find that even criminal offences that are not particularly serious may justify disclosure of basic electronic communications metadata provided such disclosure does not seriously undermine the right to privacy.
Case C-207/16 Ministerio Fiscal involves an investigation concerning the robbery of a wallet and a mobile telephone. Spanish police asked the examining magistrate to grant access to identification data of users of telephone numbers activated from the stolen telephone for a period of 12 days from the date of the theft. The examining magistrate refused that request on the ground, inter alia, that the facts on which the criminal investigation was based did not constitute a ‘serious’ offence (ie, under Spanish law, an offence punishable by a term of imprisonment of more than five years) because disclosure of identification data is possible in Spain only for that type of offence. The Ministerio Fiscal (Spanish Public Prosecutor’s Office) appealed against that decision before the Audiencia Provincial de Tarragona (Provincial Court, Tarragona, Spain).
The Directive on privacy and electronic communications provides that Member States may restrict citizens’ rights where such a restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security, defence, public security and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communications system.
In its judgments in Case C-293/12 and C-594/12 Digital Rights and Case C-203/15 and C-698/15 Tele2 Sverige, the Court of Justice used the concept of ‘serious offences’ to assess the lawfulness and proportionality of interference with the right to respect for private and family life and the right to protection of personal data, both those rights being enshrined in the Charter of Fundamental Rights of the European Union.
The Audiencia Provincial de Tarragona indicates that, after the adoption of the decision of the examining magistrate, the Spanish legislature introduced two alternative criteria for determining the degree of seriousness of an offence in respect of which the retention and disclosure of personal data are permitted. The first is a substantive criterion, relating to terrorism and offences committed in the context of organised crime. The second is a formal normative criterion which lays down a minimum threshold of three years’ imprisonment. The Spanish court observes that that threshold may encompass the vast majority of criminal categories. The Audiencia Provincial de Tarragona has therefore referred questions to the Court concerning the setting of the seriousness threshold for offences beyond which an infringement of fundamental rights may be justified, in the light of the judgments cited above, when the competent national authorities seek access to personal data retained by electronic communications service providers.
In his formal Opinion, Advocate General Henrik Saugmandsgaard Øe states, first of all, that a measure such as that requested by the police in the present case constitutes an interference with the right to respect for private and family life and with the right to protection of personal data. Nevertheless, the Advocate General considers that, in the judgments in Digital Rights and Tele2, the Court established a link between the seriousness of the interference and the seriousness of the reason justifying the interference. Thus, to require, at the stage of providing justification for such interference, that there should be a ‘serious offence’ that will justify derogating from the principle that electronic communications are confidential, means that the interference itself must be serious. According to the Advocate General, that essential element is lacking in the present case.
The Advocate General adds that the nature of the interference in the present case is distinct from that considered by the Court in the two judgments cited above. It relates to a targeted measure intended to allow access, by the competent authorities and for the purposes of a criminal investigation, to data held for commercial purposes by service providers which relate solely to the identity (surname, forename and possibly address) of a restricted category of subscribers or users of a specific means of communication, namely those whose telephone number was activated from the mobile telephone the theft of which is being investigated, for a limited period, that is, approximately 12 days. The Advocate General is of the view that the potentially harmful effects for the persons concerned by the request for access in question are both slight and limited, given that the data sought are not intended to be disclosed to the public at large and the right of access enjoyed by the police authorities is accompanied by procedural safeguards as it is subject to review by a court. As a consequence, the interference entailed by the communication of such civil identity data is not particularly serious, as, in those particular circumstances, such data do not have a direct or great effect on the privacy of the persons concerned.
The Advocate General states that, according to the Directive, a derogation from the principle that electronic communications are confidential may be justified by the general-interest objective of preventing and prosecuting criminal offences, but no further details are provided as to the nature of those offences. It is not therefore essential that the offences justifying the restrictive measure in question may be classified as ‘serious’ within the meaning of the judgments in Digital Rights and Tele2. According to the Advocate General, it is only where the interference suffered is particularly serious that the offences capable of justifying such interference must themselves be particularly serious. On the other hand, where the interference is not serious (that is, when the data the disclosure of which is sought do not entail a serious infringement of privacy), even criminal offences which are not particularly serious may justify such interference (that is, disclosure of the data requested).
In particular, the Advocate General considers that EU law does not preclude the competent authorities having access to identification data held by electronic communications service providers where such data make it possible to find the presumed perpetrators of a criminal offence that is not of a serious nature. The Advocate General concludes that, in the light of the Directive, the measure requested by the police in the present case entails interference with fundamental rights guaranteed by the Directive and the Charter which does not attain a sufficient level of seriousness for such access to be confined to cases in which the offence concerned is serious.