The Court of Justice of the European Union ruled Oct. 2, 2018, that national authorities may access certain types of personal data from electronic communication providers in the course of a criminal investigation because it does not amount to a “sufficiently serious” interference with fundamental rights.
The personal data at issue included surnames, forenames, and addresses. Collecting this personal information amounted to interference with fundamental rights enshrined in the Charter of Fundamental Rights of the EU, but the CJEU held such access was justified even if not fighting a serious crime. The CJEU explained that “when the interference that such access entails is not serious, that access is capable of being justified by the objective of preventing, investigating, detecting and prosecuting ‘criminal offences’ generally.”
The court contrasted this “non-serious” data with data that allows "precise conclusions to be drawn concerning the private lives of persons whose data is concerned.” The latter types of data, according to the CJEU, might include communication content; location data; date, time, duration, and identity of communication recipients; and frequency of communications between people.
The case arose when a Spanish man reported to police in February 2015 that his mobile phone had been stolen. The police promptly requested that a magistrate issue an order to various providers of electronic communications services seeking the numbers activated with the stolen phone’s mobile equipment identity code during the relevant time and “the personal data relating to the identity of the owners or users of the telephone numbers corresponding to the SIM cards activated with the code, such as their surnames, forenames and, if need be, addresses.”
The magistrate refused the request on the grounds that such data could not be revealed to police unless they were investigating a “serious offence,” defined as one punishable by more than five years’ imprisonment under Spain’s Criminal Code. Upon appeal, the Spanish provincial court referred two questions to the Court of Justice for a preliminary ruling.
In deciding whether the court had jurisdiction to reply to the request for a preliminary ruling, at issue was whether the case fell within the scope of EU law, namely, the ePrivacy Directive (Directive 2002/58/EC, as amended by Directive 2009/136/EC), as influenced by the Data Protection Directive (Directive 95/46/EC). Both laws limit access to and use of personal data, and the ePrivacy Directive specifically addresses processing of personal data in the context of publicly available electronic communication services. Also at issue was the Charter of Fundamental Rights of the European Union, which enshrines respect for private life and protection of personal data. Because the case involved a request for personal data access by a public authority to personal data retained by electronic communications providers, which invoke Article 15(1) and Article 3 of Directive 2002/58, the CJEU found that it had jurisdiction over the matter.
Under Article 15(1) of the ePrivacy Directive, member states have authority to adopt legislation that restricts the scope of rights and obligations with regard to electronic communications privacy “when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security …, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorized use of the electronic communications system.”
The CJEU was ultimately asked whether public authorities’ access to data for the purpose of identifying the owners of SIM cards activated with a stolen mobile telephone (such as their surnames, forenames and addresses) constituted interference with the SIM card owners’ fundamental rights under the Charter in a way that is sufficiently serious to require police access be limited to fighting only serious crimes.
The CJEU concluded that police access to names and addresses interferes with the fundamental right to respect for private life and to the protection of personal data under Articles 7 and 8 of the Charter. However, Article 15(1) of the ePrivacy Directive allows such interferences when “preventing, investigating, detecting and prosecuting criminal offences.” This is not limited to “serious” crimes on its face, but the CJEU has held that “only the objective of fighting serious crimes is capable of justifying public authorities’ access to personal data” held by electronic communications providers that allows "precise conclusions to be drawn concerning the private lives of the persons whose data is concerned.”
The CJEU clarified that serious interferences with fundamental rights can be justified only by fighting serious crime. When access to personal data is not serious, however, it can be justified when fighting crime generally. Here, the court held that access to names and addresses is not serious.
By contrast, only investigation of a serious crime would justify police access to data that allows "precise conclusions to be drawn concerning the private lives of the” targets, such as: “the date, time, duration and recipients of communications made,” or the “locations where those communications took place or the frequency of those communications with specific people during a given period.” This is consistent with, for example, the holding by the United States Supreme Court in U.S. v. Carpenter, which restricted public authorities’ ability to track a suspected criminal’s mobile phone location over several days because it provides “an intimate window into a person’s life.”
For privacy professionals, the operational relevance of this case lies in knowing where to place personal data on the scale of risk to a data subject’s fundamental rights. One may argue, for example, that breach of a data subject’s first name, last name, and address does not constitute a “serious” interference with the right to a private life or the protection of personal data, and therefore does not create a high risk to the data subject’s rights and freedoms.
This ruling also has implications for several requirements under the EU’s General Data Protection Regulation, which adopts a risk continuum for data processing and management requirements. Article 24 requires controllers to take into account the “risks of varying likelihood and severity for the rights and freedoms of natural persons” and to implement commensurate technical and organizational measures to protect personal data. Risk assessments also affect, among other privacy operations, whether or not a controller must perform a data protection impact assessment, the level of security required to protect data, privacy by design decisions, and when and whether to notify data subjects of a data breach.
The CJEU’s Oct. 2 decision is also consistent with IAPP’s recent risk study on data collected by mobile apps. According to the study, privacy professionals rate any application that collects messaging content as a high risk, and apps that collect phone or text logs, location information, and other personal information as a moderately high risk. They rated only as a moderate risk, however, the remote number reached by a caller and the frequency of communication, each of which the CJEU found to be a higher risk to privacy, at least when collected by public authorities in a criminal investigation.
The CJEU’s opinion may provide privacy professionals in the private sector some guidance on how to evaluate the risks of personal data processing under the GDPR. Data that merely identifies individuals by name and address does not qualify as high risk, while data that may allow one to draw precise conclusions with respect to private life clearly fall into the high-risk category. Although personal data processing in the private sector often falls somewhere on a spectrum from merely identifying to allowing intimate knowledge of one’s private life, this opinion may at least provide the bookends for this risk spectrum.
If you want to comment on this post, you need to login.