Out-Law News | 03 May 2018 | 2:37 pm | 4 min. read
That non-binding view, expressed by advocate general to the Court of Justice of the EU (CJEU) Henrik Saugmandsgaard Øe, could have major implications for the scope of communications data laws in place across Europe, including the UK.
Communications data laws generally require electronic communication service providers to retain details pertinent to communications, excluding their contents, such as details of the routing and duration of phone calls, and the location of those making and receiving emails, to help the police detect and investigate certain crimes.
Just last week, the High Court in London gave the UK government until 1 November to update communications data laws after ruling that existing laws were unlawful. The High Court held that this was the case for two reasons: because those laws do not limit access to retained data "to the purpose of combating 'serious crime'", and because access to the data "is not subject to prior review by a court or an independent administrative body".
The High Court's ruling was shaped to a large extent by its interpretation of a 2016 ruling by the CJEU, which said that EU law precludes EU countries from passing a law that "provides for general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication" in order to help fight crime.
The CJEU also said that EU law does permit national law makers to, "as a preventive measure", require traffic and location data to be retained on a targeted basis, but only where the objective of the data retention rules is to fight "serious crime".
The CJEU's 2016 ruling concerned UK data retention laws applicable to communications data, which were fast-tracked into law after the CJEU, in a judgment issued in 2014, effectively invalidated the EU-wide data retention laws that previously applied.
However, advocate general Saugmandsgaard Øe said that the CJEU's 2014 ruling does not automatically mean that powers provided for under communications data laws can only be exercised for the purposes of combatting serious crime.
The legal adviser said that the CJEU's 2014 ruling established a link between "the seriousness of the interference [with privacy]" stemming from the use of communications data powers and "the seriousness of the reason that could justify the interference". It led the court to conclude that a serious interference with privacy can be justified for the purposes of fighting serious crime, he said.
However, Saugmandsgaard Øe said that, because of the link, it is also possible for communications data laws to be applied for combating non-serious crime where the exercise of powers under those laws would not seriously interfere with privacy rights.
He said: "It is not essential that the offences conferring legitimacy on the restrictive measure at issue … may be classified as ‘serious’... In my view, it is only where the interference is particularly serious … that the offences capable of justifying such an interference must themselves be particularly serious. On the other hand, in the case of a non-serious interference, it is necessary to go back to the basic principle that emerges from the wording of that provision, namely that any type of ‘criminal offence’ is capable of justifying such an interference."
The advocate general's opinion is non-binding on the CJEU, but the court often follows the recommendations the legal advisers make.
The case before the CJEU, which is likely to be ruled on formally later this year, stems from a dispute in Spain over the scope of Spanish communications data laws. A court in Spain previously held that the police cannot access communications data to help them investigate the robbery of a wallet because the crime is not classed as 'serious' under Spanish law. Only offences punishable by a term of imprisonment of more than five years are considered to be serious offences in Spain and therefore subject to the country's communications data laws.
Saugmandsgaard Øe said, though, that it is his view that Spanish authorities should be granted access to the communications data in the case. He explained his reasons in his opinion.
The advocate general said: "In the present case, the measure in question is not one that relates to a general and undifferentiated obligation to retain traffic and location data of every subscriber or registered user that would concern all means of electronic communication, but a targeted measure intended to allow access, by competent authorities and for the needs of a criminal investigation, to data held for commercial purposes by service providers and relating solely to the identity (surnames, forenames and possibly addresses) of a restricted category of subscribers or users of a specific means of communication, namely those whose telephone numbers were activated from the mobile telephone the theft of which forms the subject matter of the investigation, during a limited period, namely around 12 days."
"I would add that the potentially harmful effects for the persons concerned by the request for access in question are both slight and circumscribed. As they are intended to be used in the sole context of a measure of investigation, the requested data are not intended to be disclosed to the public at large. In addition, the right of access given to the police authorities is accompanied by procedural guarantees under Spanish law, since it is subject to review by a court, which, moreover, resulted in the rejection of the police request in the main proceedings," he said.
"The interference with the abovementioned fundamental rights entailed by the communication of those data relating to civil identity is not in my view particularly serious, since data of such a type and such a limited scope do not in themselves make it possible to obtain varied and/or specific information about the persons concerned and therefore do not directly and seriously affect their right to a private life in those particular circumstances," he said.