Lorna Woods, Professor of Internet Law, University of Essex

Introduction

A recent judgment from the Court of Justice of the European Union (CJEU) in the case of Ministerio Fiscal contributes to the understanding of the ePrivacy Directive, specifically Article 15, which allows Member States to make exceptions to the confidentiality of communications for certain purposes. This article played a role in the legal framework surrounding the mass retention of communications data from the Digital Rights Ireland case, where the CJEU established that data retention is justified only in cases of “serious crime,” as per the Tele2/Watson case. This decision raised questions about the definition of “serious crime” and the potential existence of EU law standards defining it. This reference aimed to address these questions within a different factual context.

Facts

The case originated from a police investigation into a stolen wallet and mobile phone. Spanish police, aiming to identify the new number linked to the stolen phone and the individuals associated with it, encountered a legal hurdle. Spanish law mandated that accessing such information required the investigation of a serious crime, which the domestic courts determined was not applicable in this instance. The “serious crime” threshold, stemming from the CJEU’s decision in Digital Rights Ireland and considering Articles 7 and 8 of the EU Charter of Fundamental Rights, serves as the minimum justification for the bulk retention of communications data by telecommunications providers.

Considering this jurisprudence, the national court submitted a question regarding the interpretation of Article 15(1) of the ePrivacy Directive (Directive 2002/58/EC, as amended). This article allows Member States to restrict certain rights granted by the Directive, including for purposes such as the prevention, investigation, detection, and prosecution of criminal offenses. The national court sought clarification on whether the potential sentence length for a crime can determine if specific harm levels to individual and/or legally protected interests are necessary. If sentence length alone is sufficient, is there a minimum requirement to align with the Digital Rights Ireland judgment?

Judgment

The CJEU first addressed the question of its jurisdiction to hear the case. Both the Spanish and UK governments argued that criminal law falls outside the scope of the Data Protection Directive (Art 3(2)) and the ePrivacy Directive (Art 1(3)). However, the Court referred to its previous judgments, affirming that legislative measures deviating from the ePrivacy Directive based on Article 15 remain within its purview even if they significantly overlap with areas outside the Directive’s scope, as per Article 1(3). Citing Tele 2/Watson, the CJEU concluded that the ePrivacy Directive’s scope:

encompasses not only laws requiring electronic communications providers to retain traffic and location data but also laws concerning national authorities’ access to data held by these providers.

The CJEU rejected additional admissibility arguments presented by the Spanish government, reaffirming its established stance that it is generally obligated to rule when national courts raise questions regarding the interpretation of EU law.

The CJEU considered the two questions referred by the Spanish court together, clarifying that the issue was not about service providers’ compliance with the law. Instead, it focused on whether, and to what extent, the legislation’s objective justifies access to the data by public authorities like the police. The Court reiterated the Advocate-General’s approach, recognizing that such access constitutes an interference, even if not serious or involving sensitive data.

The Court emphasized that Article 15 ePrivacy Directive’s list of objectives is exhaustive and that authorities must demonstrate a genuine need for access aligning with one of those objectives. However, Article 15 doesn’t restrict access solely to combating serious crime; it refers to criminal offenses in general. The “serious” qualification originates from the Court’s case law concerning situations involving substantial interference with the right to privacy.

Conversely, when access doesn’t lead to serious interference, it can be justified by the objective of preventing, investigating, detecting, and prosecuting ‘criminal offences’ broadly.

The CJEU then shifted its focus to determining whether the interference in this case was “serious.” The requested data, limited to a short timeframe and lacking cross-referencing possibilities, wouldn’t allow drawing precise conclusions about the individuals’ private lives. Therefore, it didn’t constitute a severe interference with their right to privacy.

Comment

This judgment can be seen as a strategic one. The CJEU reaffirmed its jurisdiction in areas covered by Article 15. While earlier case law on the ePrivacy Directive distinguished between data retention obligations of commercial operators (falling under the internal market) and access to that data by law enforcement, the CJEU, following its approach in Tele2/Watson, did not limit its power of review in this case. Notably, access to data by state authorities necessitates processing by telecommunications operators.

Simultaneously, the CJEU avoided directly addressing the complex question of defining “serious crime” and whether it constitutes an autonomous EU concept by reframing the referring court’s question. In doing so, the CJEU followed its Advocate General’s stance that “criminal law” should not be an independent concept in EU law. Although the Court indirectly addressed whether accessing communications data for less than serious crime is permissible under EU law, it did not offer clear guidance to the Spanish court dealing with national law requiring a seriousness threshold. Furthermore, the emphasis on proportionality, suggesting that access for less serious crimes could be acceptable, risks implying that national laws should allow such access, potentially overstepping the CJEU’s competence.

The judgment reinforces that Articles 7 and 8 of the Charter apply regardless of the severity of interference, acknowledging varying intrusion levels requiring different justifications. This case involved limited data in type and timeframe. However, the question of what constitutes an intrusion, particularly with predictive analytics, remains unanswered.

The CJEU’s emphasis on past case law, especially Tele2/Watson and DRI, suggests an attempt to establish a consistent approach and reaffirm those cases’ principles. Therefore, this judgment might signal the CJEU’s commitment to its position in Tele2/Watson, which holds relevance given pending references challenging that stance. These include questions referred by the Investigatory Powers Tribunal in the Privacy International litigation, addressing the scope of Member States’ exclusive competence concerning national security.

Finally, the ruling has implications for recent English case law, particularly the Court of Appeal’s decision in Watson and the Divisional Court’s decision in Liberty. In Liberty, the UK government successfully argued that “entity data,” a category of communications data in the Investigatory Powers Act, was outside the ePrivacy Directive’s scope because it didn’t constitute “traffic data” or “location data” as per Article 2. Therefore, the Tele2/Watson ruling wouldn’t apply. The Court considered the matter acte clair and declined to refer it to the CJEU. However, the data sought by Spanish authorities in the CJEU case aligns with what would identify phone users, not the content of their communications. Despite the Spanish government presenting a similar argument, the CJEU deemed it irrelevant, stating that the ePrivacy Directive governs all personal data processing related to electronic communications services. This contradicts the Divisional Court’s view on the Directive’s scope and its acte clair interpretation.

Barnard & Peers: chapter 9

JHA4: chapter II:7

Photo credit: PixelVulture