The CJEU also found that EU law precludes national legislation that gives a public prosecutor’s office the power to authorise access by a public authority to such data for the purpose of conducting a criminal investigation.

Criminal proceedings were brought in Estonia against ‘HK’ on counts of theft, use of another person’s bank card and violence against persons. At first instance, HK was convicted and received a custodial sentence of two years. That judgment was then upheld on appeal. HK appealed to the Estonian Supreme Court.

The evidence in HK’s trial was made up of, inter alia, personal data generated in the context of the provision of electronic communications services. The Estonian Supreme Court referred various questions as to whether the conditions under which the investigating authority had access to the data were compatible with EU law. It asked the CJEU:

1. whether the length of time during which the investigating authority had access to the data was a criterion for assessing the seriousness of its interference with the fundamental rights of the persons concerned, and whether, where that time period is very short or the quantity of data gathered is very limited, the objective of combating crime in general (not just serious crime) is capable of justifying such an interference;
2. whether the Estonian public prosecutor’s office, in the light of its statutory duties, was an “independent” administrative authority, as set out in Case C-203/15 and C-698/15 Tele2 Sverige and Watson, which is capable of authorising access to the investigating authority to the data concerned.

The CJEU held that the E-Privacy Directive (2002/58/EC), read in the light of the Charter, precludes national legislation that allows public authorities to have access to traffic or location data that could provide information on a user’s electronic communications or on the location of his/her terminal equipment such that precise conclusions can be drawn concerning his or her private life for the purposes of prevention, investigation, detection and prosecution of criminal offences, without such access being restricted to procedures and proceedings to combat serious crime or prevent serious threats to public security.

According to the CJEU, the length of time in respect of which access to those data is sought and the quantity or nature of the data available are irrelevant. Further, the E-Privacy Directive precludes national legislation that gives a public prosecutor’s office the power to authorise access to a public authority to traffic and location data for the purpose of conducting a criminal investigation.

As for the circumstances in which access to such data may be granted to public authorities, the CJEU referred to Cases C-511/18, C-512/18 and C-520/18 La Quadrature du Net and Others, in which it found that Member States can, in order to prevent, investigate, detect and prosecute criminal offences, adopt legislative measures to restrict rights and obligations under the Directive, including, inter alia, the obligation to ensure the confidentiality of communications and traffic data, only if the general principles of EU law, which include the principle of proportionality and the fundamental rights guaranteed by the Charter, are observed. Within that framework, the Directive precludes legislative measures which oblige providers of electronic communications services, as a preventative measure, to generally and indiscriminately retain traffic and location data.

As for preventing, investigating, detecting and prosecuting criminal offences, in accordance with the principle of proportionality, the CJEU held that only the objectives of combating serious crime or preventing serious threats to public security were capable of justifying allowing public authorities to have access to traffic or location data, which reveal precise details about the persons’ private lives. Further, other factors relating to the proportionality of a request for access, such as the length of time, should not be used as a way of justifying access in relation to criminal offences in general.

As for the power granted to the public prosecutor’s office to authorise access by a public authority to traffic and location data for the purpose of conducting a criminal investigation, the CJEU pointed out that it is for national law to determine the conditions under which providers of electronic communications services can grant national authorities access to the data in their possession. However, in order to satisfy the requirement of proportionality, such legislation must lay down clear and precise rules governing the scope and application of the measure and impose minimum safeguards, so that the persons whose personal data are affected have sufficient guarantees that their data will be protected against the risk of abuse. That legislation must be legally binding under domestic law and must indicate in what circumstances and under which substantive and procedural conditions a measure providing for the processing of such data can be adopted, thereby ensuring that the interference is limited to what is strictly necessary.

According to the CJEU, in order to ensure that those conditions are fully observed in practice, it is essential that access by national authorities to retained data should be subject to a prior review carried out either by a court or by an independent administrative body, and that the decision of that court or body be made following a reasoned request by those authorities that is submitted within the framework of procedures for preventing, detecting or prosecuting a crime. In cases of justified urgency, the review must take place within a short time.

One of the requirements for the prior review is that the court or administrative body must have all the powers and provide all guarantees necessary to reconcile the various interests and rights in play. As for criminal investigations in particular, such a review must require that the court or body be able to strike a fair balance between the interests of the investigation in the context of combating crime and the fundamental rights to privacy and protection of personal data of the persons concerned. Where that review is carried out not by a court, but by an independent administrative body, that body must be able to act objectively and impartially and must be free from any external influence.

It followed, the CJEU said, that the requirement of independence of the administrative authority means that it must be a third party vis-à-vis the authority requesting access to the data, so that the former is able to carry out the review objectively and impartially and free from any external influence. In particular, in criminal proceedings the authority must not be involved in the conduct of the criminal investigation and must be neutral vis-à-vis the parties to the criminal proceedings. That is not the case where the public prosecutor’s office is, as with the Estonian public prosecutor’s office in this case, the office directing the investigation and bringing the public prosecution. In that situation, the public prosecutor’s office is not in a position to carry out the prior review. (Case C-746/18 HK v Prokuratuur EU:C:2021:152 (2 March 2021) — to read the judgment in full, click here).