CJEU - C‑178/22 - Procura della Repubblica presso il Tribunale di Bolzano: Difference between revisions

Revision as of 11:53, 7 May 2024

CJEU - C‑178/22 Procura della Repubblica presso il Tribunale di Bolzano

Court:	CJEU
Jurisdiction:	European Union
Relevant Law:	Article 15(1) Directive 2002/58 Article 132(3) of decreto legislativo n. 196
Decided:	30.04.2024
Parties:
Case Number/Name:	C‑178/22 Procura della Repubblica presso il Tribunale di Bolzano
European Case Law Identifier:	ECLI:EU:C:2024:371
Reference from:	Giudice delle indagini preliminari presso il Tribunale di Bolzano
Language:	24 EU Languages
Original Source:	Judgement
Initial Contributor:	nzm

The CJEU held that a national provision which requires a national court to authorise access to traffic and location data to a competent national authority for the purpose of investigating an offence punishable by minimum 3 years imprisonment is not contrary to Article 15(1) ePrivacy Directive. However, the Court must be entitled to refuse such a request.

English Summary

Facts

Two complaints were lodged with the Italian Public Prosecutor's office concerning acts of mobile theft. In order to identify the perpetrators, the Public Prosecutor's office requested an authorisation to obtain the telephone records of the stolen telephones from all the telephone companies. These requests concerned all the data in the possession of the telephone companies, with tracking and localisation methods, in particular the users and International Mobile Equipment Identity (IMEI) codes of the devices called or making the calls, the sites visited and reached, the times and durations of the calls and connections, the details of the cells and/or towers concerned, and the users and IMEI code of senders and receivers of SMS and MMS. These requests were made to the judge responsible for preliminary investigations at the District Court, Bolzano (‘Giudice delle indagini preliminari presso il Tribunale di Bolzano’) on the basis of an Italian National law, Article 132(3) of Legislative Decree n°196/2003.

The referring court was uncertain whether Article 132(3) of Legislative Decree No 196/2003 is compatible with Article 15(1) of Directive 2002/58 (‘ePrivacy Directive’) as interpreted by CJEU, 2 March 2021, Prokuratuur, C-746/18. First, according to paragraph 45 of that judgement, national provisions that allow public authorities to access telephone records containing a set of traffic or location data are justifiable if those provisions are intended for the prosecution of serious offences such as threats to public security and other serious crimes. Second, Article 132(3) of Legislative Decree No 196/2003 establishes that if there is sufficient evidence of the commission of an offence for which the penalty is a maximum term of imprisonment of at least three years, the Public Prosecutor may acquire data relevant to the facts, with the prior authorization of the court.

According to the referring court, the Italian courts have a very limited margin of discretion to refuse authorisation to obtain telephone records as the authorization must be granted when there is ‘sufficient evidence of the commission of an offence’ and the data requested are ‘relevant to establishing the facts’.

The Giudice delle indagini preliminari presso il Tribunale di Bolzano decided to stay the proceedings and referred the following question to the CJEU:

Does Article 15(1) of the ePrivacy Directive preclude a national provision which requires a national court to authorise access to a set of traffic or location data for the purposes of investigating a criminal offence with a penalty of a maximum term of imprisonment of at least 3 years, provided that there is sufficient evidence and that those data are relevant to establishing the facts?

Holding

Firstly, the CJEU indicated that access to traffic and location data retained by providers of electronic communications services may be granted to public authorities for the purposes of the prevention, investigation, detection and prosecution of criminal offences pursuant to a national law adopted under Article 15(1) ePrivacy Directive. However, a legislative measure cannot allow the general and indiscriminate retention of traffic and location data as a preventative measure (§35 of the Judgement).

The CJEU also held that only the objectives of combating serious crime or preventing serious threats to public security are capable of justifying a serious interference with the fundamental rights of Articles 7 and 8 of the Charter (§36 of the Judgement).

Secondly, the CJEU assessed the question of whether access to the traffic and location data in the present case may be classified as a serious interference with the fundamental rights guaranteed by Articles 7 and 8 of the Charter. Access to the set of traffic or location data requested in the present case may allow precise conclusions to be drawn concerning the private lives of the persons whose data have been retained, for example the habits of their everyday life, their permanent or temporary places of residence, their daily movements, the activities they carried out, their social relationships and social environments frequented by them. The CJEU found that in such a case, the interference with the fundamental rights guaranteed in Articles 7 and 8 of the Charter would likely to be classified as serious (§39 of the Judgement).

The Court considered that for the purposes of assessing the existence of a serious interference with the fundamental rights, it was irrelevant that the access may not concern the data of the owners of the phones, but the data of the persons who communicated with each other after the theft. Indeed, Article 5(1) Directive 2002/58 establishes that the obligation to ensure confidentiality of the traffic data covers communications made by the ‘users’ of that network. The ‘users’ are defined as any natural person using a publicly available electronic communications service, without necessarily having subscribed to that service (§41 of the Judgement).

Thirdly, the CJEU added that national law determines the conditions under which providers of electronic communications services grant access to the data in the provider's possession. However, the legislation must lay down clear and precise rules governing the scope and conditions for the application of such access. As a general rule, the CJEU noted that access can be granted in relation to the objective of fighting crime, only for the data of individuals suspected of being implicated in a serious crime. The Court also pointed out that in order to ensure that the interference is limited to what is strictly necessary, the access must be subject to a prior review carried out by a court or an independent administrative body. This does not apply in cases of duly justified emergency (§43 of the Judgement).

Regarding the definition of the concept of 'serious offence', the EU has not legislated in that field. This concept reflects social realities and legal traditions, which vary between the Member States and over time. Therefore, it is up to the Member States to define 'serious offences’ for the purposes of applying Article 15(1) ePrivacy Directive (§46 of the Judgement). The CJEU recalled that Article 15(1) ePrivacy Directive is an exception to the obligation to ensure the confidentiality of electronic communications and data and must not become the rule (§48 of the Judgement). Furthermore, the national measures taken by Member States under this provision must comply with the general principles of EU law, in particular the principle of proportionality and ensuring respect for the fundamental rights enshrined in Articles 7, 8 and 11 of the Charter (§49 of the Judgement).

Therefore, the Court considered that Member States must not distort the concept of ‘serious offence’ and ‘serious crime’ by including within it, offences which are manifestly not serious offences. In the present case, the CJEU pointed out that Article 132(3) Legislative Decree n°196/2003 defines the offences for which access to data retained by providers of electronic communications services may be granted, by reference to a maximum term of imprisonment of at least three years. Additionally, there must be sufficient evidence to the commission of an offence and the data must be relevant to establishing the facts (§52 of the Judgement).

The CJEU held that the definition of ‘serious offence’ cannot cover the vast majority of criminal offences, which would be the case if the maximum term of imprisonment was sent at an excessively low level. The Court considered that a maximum term of imprisonment of three years does not appear excessively low (CJEU, 21 June 2022, Ligue des droits humains, C-817/19, §150).

Lastly, the CJEU found that setting a maximum term of imprisonment may create a situation in which the access would be requested for the purposes of prosecuting offences which do not constitute a serious crime. However, the Court held that setting a minimum period above which the maximum term of imprisonment for an offence justifies the classification of that offence as a serious offence is not necessarily contrary to the principle of proportionality (§58 of the Judgement).

Thus, the CJEU concluded that Article 15(1) Directive 2002/58 does not preclude a national provision which requires a national court, acting in the context of a prior review, to authorise access to traffic or location data for the purposes of investigating criminal offences punishable under national law by minimum 3 years imprisonment. However, the court must be entitled to refuse such access in the context of investigating an offence which is manifestly not a serious offence in the light of the societal conditions prevailing in the Member State concerned.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

@@ Line 41: / Line 41: @@
 }}
-The CJEU held that a national provision which requires a national court to authorise access to traffic and location data to a competent national authority for the purpose of investigating an offence punishable by minimum
+The CJEU held that a national provision which requires a national court to authorise access to traffic and location data to a competent national authority for the purpose of investigating an offence punishable by minimum 3 years imprisonment is not contrary to Article 15(1) ePrivacy Directive. However, the Court must be entitled to refuse such a request.
 ==English Summary==
@@ Line 48: / Line 48: @@
 Two complaints were lodged with the Italian Public Prosecutor's office concerning acts of mobile theft. In order to identify the perpetrators, the Public Prosecutor's office requested an authorisation to obtain the telephone records of the stolen telephones from all the telephone companies. These requests concerned all the data in the possession of the telephone companies, with tracking and localisation methods, in particular the users and International Mobile Equipment Identity (IMEI) codes of the devices called or making the calls, the sites visited and reached, the times and durations of the calls and connections, the details of the cells and/or towers concerned, and the users and IMEI code of senders and receivers of SMS and MMS. These requests were made to the judge responsible for preliminary investigations at the District Court, Bolzano (‘Giudice delle indagini preliminari presso il Tribunale di Bolzano’) on the basis of an Italian National law, Article 132(3) of Legislative Decree n°196/2003.
-The referring court was uncertain whether Article 132(3) of Legislative Decree No 196/2003 is compatible with Article 15(1) of Directive 2002/58 (‘ePrivacy Directive’) as interpreted by CJEU, 2 March 2021, Prokuratuur, C-746/18. First, according to paragraph 45 of that judgement, national provisions that allow public authorities to access telephone records containing a set of traffic or location data are justifiable if those provisions are intended for the prosecution of serious offences such as threats to public security and other serious crimes. Second, Article 132(3) of Legislative Decree No 196/2003 establishes that if there is sufficient evidence of the commission of an offence for which the penalty is a maximum term of imprisonment of at least three years, the Public Prosecutor may acquire data relevant to the facts, with the prior authorization of the court.
+The referring court was uncertain whether Article 132(3) of Legislative Decree No 196/2003 is compatible with [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:02002L0058-20091219 Article 15(1) of Directive 2002/58] (‘ePrivacy Directive’) as interpreted by CJEU, 2 March 2021, Prokuratuur, C-746/18. First, according to paragraph 45 of that judgement, national provisions that allow public authorities to access telephone records containing a set of traffic or location data are justifiable if those provisions are intended for the prosecution of serious offences such as threats to public security and other serious crimes. Second, Article 132(3) of Legislative Decree No 196/2003 establishes that if there is sufficient evidence of the commission of an offence for which the penalty is a maximum term of imprisonment of at least three years, the Public Prosecutor may acquire data relevant to the facts, with the prior authorization of the court.
 According to the referring court, the Italian courts have a very limited margin of discretion to refuse authorisation to obtain telephone records as the authorization must be granted when there is ‘sufficient evidence of the commission of an offence’ and the data requested are ‘relevant to establishing the facts’.
 The Giudice delle indagini preliminari presso il Tribunale di Bolzano decided to stay the proceedings and referred the following question to the CJEU:
-- Does Article 15(1) of the ePrivacy Directive preclude a national provision which requires a national court to authorise access to a set of traffic or location data for the purposes of investigating a criminal offence with a penalty of a maximum term of imprisonment of at least 3 years, provided that there is sufficient evidence and that those data are relevant to establishing the facts?
+* Does Article 15(1) of the ePrivacy Directive preclude a national provision which requires a national court to authorise access to a set of traffic or location data for the purposes of investigating a criminal offence with a penalty of a maximum term of imprisonment of at least 3 years, provided that there is sufficient evidence and that those data are relevant to establishing the facts?
 === Holding ===
@@ Line 69: / Line 70: @@
 Therefore, the Court considered that Member States must not distort the concept of ‘serious offence’ and ‘serious crime’ by including within it, offences which are manifestly not serious offences. In the present case, the CJEU pointed out that Article 132(3) Legislative Decree n°196/2003 defines the offences for which access to data retained by providers of electronic communications services may be granted, by reference to a maximum term of imprisonment of at least three years. Additionally, there must be sufficient evidence to the commission of an offence and the data must be relevant to establishing the facts (§52 of the Judgement).
 The CJEU held that the definition of ‘serious offence’ cannot cover the vast majority of criminal offences, which would be the case if the maximum term of imprisonment was sent at an excessively low level. The Court considered that a maximum term of imprisonment of three years does not appear excessively low (CJEU, 21 June 2022, Ligue des droits humains, C-817/19, §150).