On March 2, 2021, the Court of Justice of the European Union (“CJEU”) ruled on (i) the criteria for establishing the lawfulness of public authorities accessing external communication records (“ECR”) stored by electronic service providers to carry out criminal investigations; and (ii) the possibility of using such data as evidence during a criminal proceeding (decision No. C‑746/18 H.K./Prokuratuur).
By accessing ECR, public authorities can learn the source, destination, date, time, duration, and type of communication, as well as the terminal used (i.e., phone or mobile phone) and its location.
Notwithstanding the functional inability of ECR to reveal the content of the communication in question, they can offer information about individuals’ private lives; hence, the CJEU established specific safeguards and limits to the power of public authorities to acquire such data and use it in criminal proceedings.
In particular, the CJEU established that the ECR of individuals under investigation may be accessed only for the purpose of fighting serious crimes or for preventing serious threats to public security. Moreover, it stated that if the public prosecutor is directing the criminal investigation and conducting public prosecution, the public prosecutor cannot be considered an independent party and, therefore, may not be granted the power to authorize access to the records.
The EU landscape
Section 15(1) of the EU Directive on privacy and electronic communications[1] (“E-privacy Directive”) provides the possibility to derogate from the normal confidentiality regime for ECR only for the following purposes: to “[…] safeguard national security defense, public security, and the prevention, investigation, detection, and prosecution of criminal offences […].” Even then, such derogation must constitute a necessary, appropriate, and proportionate measure for the above purposes. In any case, all relevant measures shall be taken in accordance with EU general principles, laws, and regulations.
The abovementioned regulation must be interpreted in the light of the fundamental privacy rights set forth in the EU Charter of Fundamental Rights (the “Charter”),[2] as well as the following principles established by the CJEU:
- public authorities’ access to ECR shall be proportionate to the seriousness of the interference with the fundamental rights entailed by that access. This means that serious interference can be justified only by fighting serious crimes. Conversely, when the interference that such access entails is not serious, that access may be justified for the general purpose of preventing, investigating, detecting, and prosecuting criminal offenses;[3]
- the access of competent national authorities to ECR shall be subject to prior authorization of a court or of an independent administrative authority; the relevant data shall be retained within the EU; and such access is precluded in places where, for the purpose of fighting crimes, national legislation provides for general and indiscriminate retention of such data.[4]
The case at hand
In 2017, the Estonian Court of First Instance convicted a party of having committed several thefts of goods and cash. To find him guilty, the court relied on several reports drafted on the basis of external electronic communication data obtained by the investigating authority during the pre-trial procedure from a provider of electronic telecommunications services, after it had been granted the relevant authorization by the public prosecutor’s office, in accordance with the Estonian Code of Criminal Procedure. The Estonian Court of Appeals confirmed the decision of the Court of First Instance.
The convicted party then brought an action before the Estonian Supreme Court asking that those reports be deemed inadmissible and alleging that the applicable provisions of Estonian laws violated Section 15 of the E-privacy Directive when interpreted in light of the fundamental privacy rights indicated in the Charter.
The Estonian Supreme Court decided to stay the proceeding and to refer the case to the CJEU for a preliminary ruling on the following three main points, all concerning the interpretation of Section 15 of the E-privacy Directive:
- whether public authorities in a criminal proceeding may be allowed to access the ECR of a person under investigation only in case of very serious crimes;
- whether public authorities’ access to ECR should be proportionate to the seriousness of the resulting interference in fundamental privacy rights; and
- whether the public prosecutor’s office that directs the pre-trial procedure, ascertains the circumstances both incriminating and exonerating the accused, and represents the public prosecution in the judicial proceedings may be considered an independent authority, and therefore may validly authorize access to such data.
The CJEU conclusions
The CJEU stated that interference with the fundamental privacy rights determined by access to a set of traffic or location data may always be considered serious, regardless of the length of time or the quantity or nature of the data available. The CJEU also stressed the fact that a limited quantity of ECR for a short period may be capable of providing precise information on the private life of the user. Therefore, the CJEU held that only the objectives of combating serious crimes and preventing serious threats to public security were justification for public authorities to have access to traffic or location data.
Moreover, the CJEU also confirmed the fact that it is essential that the access of the appropriate national authorities be subject to prior review carried out by a court or by an independent administrative body. One of the requirements for the prior review is that the court or body entrusted with carrying it out must provide all guarantees necessary to reconcile the various interests and rights at issue. This independent role cannot be played by the public prosecutor’s office that directs the investigations and brings the public prosecution before the court, as in the Estonian case. It follows that the public prosecutor’s office is not in a position to authorize access to ECR.
Hence, ECR retrieved in violation of the abovementioned principles may not be used to support a search for evidence and, therefore, cannot be validly acquired in a criminal proceeding and used to ascertain the guilt of the person under investigation.
Possible consequences of the CJEU decision in criminal investigations in Italy
The decision of the CJEU sets an important precedent for supporting the need to adopt specific regulations on the limits and modalities by which Italian public authorities acquire ECR. The interpretation given by the CJEU for Section 15 of the E-privacy Directive is, in fact, relevant in evaluating the compatibility of Italian legislation with EU law.
Pursuant to Section 132 of Legislative Decree No. 196/2003, access to ECR must be authorized by a decree of the public prosecutor, regardless of the seriousness of the crime. However, as in Estonia, in Italy the public prosecutor is in charge of heading the investigation and representing the public prosecution in the trial.
In 2019, the Italian Supreme Court[5] held that this is compatible with EU regulations and rulings on privacy protection, which only established the principle of proportionality between the seriousness of interference with the fundamental privacy right and the seriousness of the investigated crime, to be assessed on a case by case basis by the judicial authority.
Now, the CJEU decision of March 2, 2021 may dismantle the beliefs Italian courts have traditionally held and lead to establishing new specific limits on access and use of ECR in criminal proceedings.
The discussion is open and the CJEU decision could lead the Italian legislature to align ECR access regulations with those on phone tapping, which is permitted (i) only for investigating specific crimes and (ii) only after the judge for the preliminary investigations has provided authorization to the public prosecutor.
[1] Directive 2002/58/EC of the European Parliament and of the Council of July 12, 2002, as amended by Directive 2009/136/EC of the European Parliament and of the Council of November 25, 2009.
[2] The fundamental privacy rights provided in the Charter are, by means of example, the respect for private and family life communications and the protection of personal data.
[3] This principle was most recently confirmed by CJEU decision No. C‑207/16 of October 2, 2018.
[4] CJEU decisions Nos. C‑203/15 and C‑698/15 of December 21, 2016.
[5] Decision of the Italian Supreme Court No. 48737 of December 2, 2019.
