I will be switching to a new platform soon. In the near future, I will be using The Wavelength as my primary means of sharing my output on technology, politics, and policy. So, please sign up if you would like to receive my newsletter.
The Court of Justice of the European Union (CJEU) ruled that European Union (EU) nations may not collect and use data about criminal suspects except in investigating the most serious crimes. This ruling clarified the current ePrivacy Directive with respect to police surveillance and arose from a case in Estonia where a person stole about €4000 and committed acts of violence. Estonia’s highest court asked the CJEU for a ruling on the issues before it in light of previous CJEU rulings. The CJEU rejected the Estonian prosecutors’ arguments that limited surveillance is legal and that a prosecutor who will prosecute the case may sign off on surveillance.
This ruling comes at a time when the EU is considering the long-awaited replacement to the ePrivacy Directive. The Council of the European Union (Council) has released a compromise draft of the ePrivacy Regulation, a rewrite of the EU’s existing rules on the privacy of electronic communications. This new law is intended to complement the General Data Protection Regulation (GDPR). This is an important but preliminary development, and now the Council will begin negotiations with the European Parliament to arrive at final ePrivacy Regulation language. The European Commission (EC) presented its ePrivacy Regulation proposal in January 2017, but lobbying in Brussels has been fierce. The last four years have been spent haggling over the final Regulation. However, as a regulation, the ePrivacy Regulation, like the GDPR, would become EU law throughout all the nations without needing member states to enact implementing legislation, as they must for directives, even though there is leeway for nations to legislate further in accordance with the draft. (See here for more detail and analysis.)
The Riigikohus (Supreme Court of Estonia) wanted the CJEU to rule on the following: 1) whether the ePrivacy Directive and Charter of Human Rights limit electronic surveillance in criminal investigations only to “serious crime” regardless of how limited data collection and retention may be; 2) whether the principle of proportionality under the ePrivacy Directive found in a previous case applies to criminal investigations, with more serious offenses justifying collecting and holding larger amounts of data; and 3) whether an agency of a government that may investigate independently in accord with the law and prosecute is an “independent administrative authority” under the ePrivacy Directive. The Riigikohus articulated these questions thusly:
(1) Is Article 15(1) of Directive [2002/58], in conjunction with Articles 7, 8, 11 and 52(1) of the [Charter], to be interpreted as meaning that in criminal proceedings the access of State authorities to data making it possible to establish the source and destination, the date, the time, the duration and the type of the communication, the terminal used and the location of the mobile terminal used, in relation to a telephone or mobile telephone communication of a suspect, constitutes so serious an interference with the fundamental rights enshrined in those articles of the Charter that that access in the area of prevention, investigation, detection and prosecution of criminal offences must be restricted to the fighting of serious crime, regardless of the period to which the retained data to which the State authorities have access relate?
(2) Is Article 15(1) of Directive [2002/58], on the basis of the principle of proportionality expressed in the judgment of [2 October 2018, Ministerio Fiscal (C‑207/16, EU:C:2018:788)], paragraphs 55 to 57, to be interpreted as meaning that, if the amount of data mentioned in the first question, to which the State authorities have access, is not large (both in terms of the type of data and in terms of its temporal extent), the associated interference with fundamental rights is justified by the objective of prevention, investigation, detection and prosecution of criminal offences generally, and that the greater the amount of data to which the State authorities have access, the more serious the criminal offences which are intended to be fought by the interference must be?
(3) Does the requirement mentioned in the judgment of [21 December 2016, Tele2 (C‑203/15 and C‑698/15, EU:C:2016:970)], second point of the operative part, that the data access of the competent State authorities must be subject to prior review by a court or an independent administrative authority mean that Article 15(1) of Directive [2002/58] must be interpreted as meaning that the public prosecutor’s office which directs the pre-trial procedure, with it being obliged by law to act independently and only being bound by the law, and ascertains the circumstances both incriminating and exonerating the accused in the pre-trial procedure, but later represents the public prosecution in the judicial proceedings, may be regarded as an independent administrative authority?
The CJEU rejected the Estonian prosecutors’ claims about their ability under EU law to surveil people for limited times:
only the objectives of combating serious crime or preventing serious threats to public security are capable of justifying public authorities having access to a set of traffic or location data, that are liable to provide information regarding the communications made by a user of a means of electronic communication or regarding the location of the terminal equipment which he or she uses and that allow precise conclusions to be drawn concerning the private lives of the persons concerned (see, to that effect, judgment of 2 October 2018, Ministerio Fiscal, C‑207/16, EU:C:2018:788, paragraph 54), and other factors relating to the proportionality of a request for access, such as the length of the period in respect of which access to such data is sought, cannot have the effect that the objective of preventing, investigating, detecting and prosecuting criminal offences in general is capable of justifying such access.
The CJEU also rejected the argument that a prosecutor (at least in these circumstances) may serve as an independent body for ensuring that surveillance meets the legal review standards:
It follows from the foregoing considerations that the requirement of independence that has to be satisfied by the authority entrusted with carrying out the prior review referred to in paragraph 51 of the present judgment means that that authority must be a third party in relation to the authority which requests access to the data, in order that the former is able to carry out the review objectively and impartially and free from any external influence. In particular, in the criminal field, as the Advocate General has observed, in essence, in point 126 of his Opinion, the requirement of independence entails that the authority entrusted with the prior review, first, must not be involved in the conduct of the criminal investigation in question and, second, has a neutral stance vis-à-vis the parties to the criminal proceedings.
The CJEU ruled that nations may not implement legislation to surveil EU residents’ traffic or location data for any period of time unless it is “to combat serious crime or prevent serious threats to public security.” The CJEU also ruled that it is not permissible for a nation to enact legislation allowing a prosecutor that can bring charges against a person the power to authorize surveillance. The CJEU’s ruling is:
- Article 15(1) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter of Fundamental Rights of the European Union, must be interpreted as precluding national legislation that permits public authorities to have access to a set of traffic or location data, that are liable to provide information regarding the communications made by a user of a means of electronic communication or regarding the location of the terminal equipment which he or she uses and to allow precise conclusions to be drawn concerning his or her private life, for the purposes of the prevention, investigation, detection and prosecution of criminal offences, without such access being confined to procedures and proceedings to combat serious crime or prevent serious threats to public security, and that is so regardless of the length of the period in respect of which access to those data is sought and the quantity or nature of the data available in respect of such a period.
- Article 15(1) of Directive 2002/58, as amended by Directive 2009/136, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter of Fundamental Rights, must be interpreted as precluding national legislation that confers upon the public prosecutor’s office, whose task is to direct the criminal pre-trial procedure and to bring, where appropriate, the public prosecution in subsequent proceedings, the power to authorise access of a public authority to traffic and location data for the purposes of a criminal investigation.
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.