The Court of Justice of the European Union (CJEU) evaluated the use of personal data in criminal proceedings with its decision numbered C-746/18 dated 2 April 2021 ("Decision"). In the Decision, the CJEU concluded that traffic and location data could only be used by the national courts to combat serious crimes and prevent serious public security threats. The Decision is available here.
Background information
The Estonian Court of First Instance ("Court of First Instance") sentenced H.K. ("Applicant") to two years' imprisonment for using someone else's bank card and committing theft. In the proceedings, the Court of First Instance relied on the reports prepared using electronic communication data records containing the traffic and location information of the Applicant. This data was obtained by the Estonian Public Prosecutor's Office from the electronic communications service provider. According to Estonian law, service providers must store traffic and location data for one year and, if needed, such data can be accessed in criminal proceedings. The stored data includes information about the identity of the parties of the phone call, the start and end time of the call, its duration, the device used, the location of the parties, etc.
The Applicant appealed the decision of the Court of First Instance on the grounds that it was based on unlawful evidence, but the Applicant's objection was rejected by the higher courts. Subsequently, the Applicant brought the issue before the Estonian Supreme Court (Riigikohus). Within the scope of the proceedings, the Estonian Supreme Court addressed two questions to the CJEU regarding the storage of traffic and location data and access to them in the proceedings:
- whether the duration of the investigating authority's access to the data constituted a criterion for determining the seriousness of the interference with the person's fundamental rights, irrespective of the nature of the crime subject to the investigation. In other words, whether or not the investigative authority's short-term and limited access to data justifies interfering with personal rights to fight both serious crimes and all crimes in general.
- whether the Estonian Prosecutor's Office was an independent authority competent to authorize access to the relevant data.
The CJEU examined and evaluated the questions in light of Directive 2002/58/EC on Privacy and Electronic Communications ("Directive") and the European Union Charter of Fundamental Rights. Pursuant to the Directive, member states are obliged to ensure the confidentiality of communication data. Electronic service providers are required to delete or anonymize traffic data when no longer needed; location data other than traffic data can only be processed by anonymization or with the explicit consent of the person concerned. Article 15 of the Directive allows for an exception to these obligations. Accordingly, member states are allowed to adopt legislation that restricts these rights, as long as such restriction is necessary, appropriate and proportionate.
Evaluation of the CJEU
In its evaluation of the first question, the CJEU, referring to its previous decisions, stated that traffic and location data can only be stored in accordance with Article 15 of the Directive, and that general and indiscriminate storage activities are not in accordance with the law. The CJEU stated that access to traffic and location data constitutes severe interference with the personal rights of the persons concerned. Accordingly, such interference would only be considered lawful if it is proportionate to the aim to be achieved.
The CJEU underlined that traffic and location data contains important and precise information about the private lives of individuals. With traffic and location data, people's habits, where they live, places they visit, their daily activities and social relations can be learned. The CJEU further stated that detailed and important information about the private lives of individuals might be revealed even through access to data covering a short period or to a limited amount of data. Because the precise information in the data and the seriousness of the interference can only be known after accessing the data, allowing access to traffic and location data poses a serious threat of intrusion into the private lives of individuals.
In light of this, the CJEU stated that access to traffic and location data would constitute a severe interference, and held that such interference with personal rights may be proportionate where its aim is to combat serious crimes and to prevent serious threats to public security. Accordingly, only access within such limits would constitute lawful interference.
In its evaluation of the second question, the CJEU underlined that member states should establish a procedure based on objective criteria for accessing traffic and location data. In this context, access to the relevant data would be subject to the prior control of a competent court or an administrative body. This supervisory authority would decide whether access to the data could be provided, keeping a fair balance between respect for private life and the protection of personal data and the conduct of the investigation. Therefore, the relevant authority would be able to make its assessments independently of third parties. To ensure such independence, the competent authority should not be involved in the investigation process. Based on this, the CJEU did not consider the Estonian Prosecutor's Office an independent authority for prior control, as it carried out the preliminary investigations.
Recent developments in Turkish jurisdiction
The Constitutional Court of the Republic of Turkey ("Constitutional Court") published a decision with respect to a similar matter. With its decision numbered 2018/14040 published in the Official Gazette dated 24 August 2021, the Constitutional Court evaluated the right to request the protection of personal data within the scope of respect for private life. You may access our publication here.
In the criminal proceedings against the applicant in that case, the applicant's internet traffic data was disclosed to the court. The applicant argued that the data was disclosed after the legal retention period of two years had expired. The Constitutional Court evaluated whether the transfer of data three years after its collection violated the right to request the protection of personal data within the scope of respect for private life. In its evaluation, the Constitutional Court underlined that the unlawful sharing of personal data constituted a crime under the Turkish Criminal Code, and stated that such violations may be considered an act against personal rights within the scope of the facts of the case. Nevertheless, the Constitutional Court stated that the injured parties had the right to appeal for compensatory damages. Accordingly, the Constitutional Court rejected the applicant's application on the grounds that the ordinary legal remedies were not exhausted.