The Court of Justice of the European Union (CJEU) reaffirmed the prohibition of the general and undifferentiated retention of data generated by electronic communications for the purpose of combating serious criminal offences, in a judgment handed down on Tuesday 5 April (Case C-140/20).
Graham Dwyer, who was sentenced to life imprisonment for murder in 2015, is challenging the use of phone call data as evidence in Irish courts.
In a case brought by the Irish Supreme Court, the CJEU confirms its established case law (Case C-293/12 - see EUROPE 11056/24) that the ePrivacy Directive (2002/58) precludes national legislation which provides for the general and indiscriminate retention of data generated by electronic communications which could be used as evidence in criminal cases.
According to the Directive, the retention of traffic and location data constitutes a derogation from the general principle of prohibition of storage and an interference with fundamental rights (Articles 7 and 8 of the Charter).
And, while it is possible, for the purpose of combating serious criminal offences, to limit these rights, such a limitation must respect the principle of proportionality and reconcile public interest objectives with fundamental rights.
Thus, the Court considers that for the purposes of combating serious crime and serious threats to public security, EU law does not preclude:
(1) targeted retention of traffic and location data according to categories of persons concerned or by means of a geographical criterion (e.g. average crime rate in a geographical area);
(2) the general and indiscriminate retention of IP addresses assigned to the source of an Internet connection;
(3) the general and indiscriminate retention of data relating to the civil identity of users of electronic communications;
(4) the ‘quick freeze’ of traffic and location data held by service providers.
The Court noted in particular that the Directive on privacy and electronic communications does not preclude the competent national authorities from ordering, as soon as a criminal investigation is opened and within the limits of what is strictly necessary, the rapid preservation of data generated during electronic communications concerning persons other than those suspected of a serious offence, if those data, such as the data of the victim or those of his or her social or professional entourage, contribute to the elucidation of a case.
Furthermore, the Court confirms that under EU law, a police officer cannot be empowered to deal with requests from the police for access to electronic communications data. This is the case even if the police officer is assisted by a unit established within the police which has a certain degree of autonomy and whose decisions may subsequently be subject to judicial review. Requests for access to the data concerned must be controlled by the judiciary or an independent administrative body.
See the judgment: https://aeur.eu/f/15E (Original version in French by Mathieu Bion)