In a welcome further push back against the tide of personal protections for criminals at the expense of victims, the European Court has decided on 2 October 2018 to extend the decision previously set out in Tel2 Sverige which allowed national authorities access to personal data held by electronic communications providers, in cases of serious crime, despite it being a breach of personal and fundamental freedoms enshrined in the Directive (*).
This case, from Spain (Case C-207/16 Ministerio Fiscal), was in some eyes regarding a small crime, though a prevalent one, of mobile phone theft.
Spanish police sought access to data identifying the users of telephone numbers activated with the stolen telephone during a period of 12 days as from the date of the robbery but were refused by the Magistrate as access to such data was only permitted for serious crimes. The appellate court sought guidance from the ECJ which in considering the directive on privacy and electronic communications noted that it provides that Member States may restrict citizens’ rights when such a restriction constitutes a necessary, appropriate and proportionate measure within a democratic society in order to safeguard national security, defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system.
Whilst it recognised that for broader information the protection was necessary the ECJ determined that given the data sought was limited, it was a proportionate interference with the subjects’ personal data rights because it didn’t give any information about their private lives but it did meet the objective of preventing, investigating, detecting and prosecuting ‘criminal offences’ generally, without it being necessary that those offences be defined as ‘serious’.
* Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ 2002 L 201, p. 37), as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 (OJ 2009 L 337, p. 11).