Tribunal Constitucional - Ruling 464/2019

Court: Tribunal Constitucional (Portugal)
Jurisdiction: Portugal
Relevant Law:
Art. 1(3) and 15(1) of Directive 2002/58/CE
Art. 34(4) of the Constitution of the Portuguese Republic
Art. 3 and 4 of Organic Law 4/2017
Decided:
Published: 21.10.2019
Parties:
National Case Number/Name: Ruling 464/2019
European Case Law Identifier:
Appeal from:
Appeal to:
Original Language(s): Portuguese
Original Source: Diário da República 202/2019, Série I de 2019-10-21 (in Portuguese)
Initial Contributor: Jose Belo

The Constitutional Court was requested to assess and declare the unconstitutionality of the rules contained in articles 3 and 4 of Organic Law no. 4/2017, of 25 August, in the part in which it allows the access of the information officers of the Portuguese Security Information Service (SIS) and the Defense and Strategic Information Service (SIED), regarding basic data and equipment location, when they do not support concrete communication, for the purpose of producing information necessary to safeguard national defense and internal security.

English Summary

Facts

Thirty-five Deputies to the Assembly of the Republic requested the assessment and declaration of unconstitutionality of the rules contained in articles 3 and 4 of Organic Law no. 4/2017, of 25 August, which approves and regulates the special procedure for accessing telecommunications and Internet data by the Security Information Service (SIS) and the Defense Strategic Information Service (SIED).

Dispute

The grounds for the request were: "The relevant question to be considered is to know which types of data are under the protection established in paragraph 4 of article 34 of the Constitution, which expressly provides that "all interference by public authorities in correspondence, telecommunications and other means of communication is prohibited, except as provided for in the law on criminal prosecution"."

The answer given by the TC, in its Ruling 403/2015, to the question of whether traffic data, including location data, are within the scope of the protection of paragraph 4 of article 34 of the Constitution, couldn't be clearer.

In the ruling, it is stated, on paragraph 16, that "there is a broad consensus in doctrine and jurisprudence, otherwise there is no known opposite position, in the sense of including traffic data in the concept of communications constitutionally relevant to the prohibition of interference".

And after a wide doctrinal and jurisprudential explanation, the TC concludes that "the area of protection of the confidentiality of communications enshrined in paragraph 4 of article 34 of the CRP, comprises both the content of the communication and the traffic data related to the communication process".

Based on the question of data protected by the secrecy of communications, it is important to know whether the access to traffic data provided for in articles 3 and 4 of the LO by information officers conforms to the exception contained in the second part of paragraph 4 of article 34 of the CRP, which allows access to data of this nature in the cases provided for by the law in the area of criminal proceedings.

The TC also extensively analyzes this point to conclude that "by allowing public authorities to intervene in the media only in matters of criminal prosecution, and not for any other purposes, the Constitution wanted to ensure that access to these means, to safeguard values of justice and security, be carried out through a procedural instrument that also protects people's fundamental rights". And continues: "because interference in communications puts a fundamental right in conflict with other rights or community values, it was considered that the restriction of that right would only be authorized for the realization of the values of justice, the discovery of material truth and the restoration of peace. Community legal system, the values that the criminal process has to fulfill".

However, the aforementioned Judgment goes further, stating that paragraph 4 of article 34 of the CRP has consequences that are reflected in the constitutional status of the defendant (article 32 paragraph 8 of the CRP) and that lead to considering null the evidence obtained by tampering with communications.

On the other hand, the aforementioned Judgment also concludes that "in the case of interference by public authorities in communications, that Article 34, paragraph 4, first part, enshrines as a general principle, the exceptions referred to in the segment end of this precept are subject to the subject of criminal proceedings, and since the restriction is constitutionally authorized only in these terms, there is no point in making any other interpretation that allows the restriction to be extended to other effects, as if the restriction were not specified in the constitutional text itself if it were a purely implicit restriction that allowed to meet other constitutionally recognized values or assets".

There is, as mentioned, an abundant constitutional jurisprudence in this sense (Rulings 241/02, 195/85, 407/97, 70/2008, 486/2009 and 699/2013).

The TC therefore considers that, outside criminal proceedings, there is an absolute ban on interference by public authorities in communications, including in terms of traffic data.

Therefore, it is important to know whether the access of information officers to traffic data, including location data, can be considered as an activity "in matters of criminal prosecution".

Holding

The TC decided that the answer to whether the access of information officers to traffic data, including location data, can be considered an activity "in matters of criminal prosecution" is "certainly" negative, since "the purposes and interests that the law is entrusted to SIRP to pursue, the functional powers that it confers on its staff, and the performance and control procedures it establishes, place access to the traffic outside the scope of criminal investigation".

The provisions of Article 3 of the LO are that SIS and SIED intelligence officers can have access to basic and equipment location data for the purpose of producing information necessary to safeguard national defense, internal security and the prevention of acts of sabotage, espionage, terrorism, proliferation of weapons of mass destruction and highly organized crime within its exclusive scope.

And Article 4 provides that SIS and SIED information officers may have access to traffic data for the purpose of producing information necessary to prevent acts of espionage and terrorism.

The TC considered that this is the field of collecting information for the purpose of prevention, which in the understanding of the TC "is clearly and precisely dissociated from the criminal investigation activity" (Judgment cit., p. 23).

Under the terms of Law no. 49/2008, of 27 August, the criminal investigation "comprises the set of measures that, under the terms of the criminal procedural law, are intended to ascertain the existence of a crime, determine its agents and their responsibility and discover and collect the evidence, within the scope of the process".

In fact, the intelligence services do not have any police or criminal investigation powers, and such activities are legally forbidden.

There is, therefore, (it is the understanding of the TC) "a radical distinction between information and criminal investigation, which prevents information officers from intervening in criminal proceedings".

Although the collection of information can be used in criminal proceedings, the collection for that purpose must address a crime already committed. The collection of information by SIRP, because it is preventive, is not oriented towards an investigative activity of crimes already committed or in execution.

The TC concluded that the information activity produced by the SIRP, because it is not directed towards the discovery of the authorship of a crime, does not have the nature of a criminal investigation. (...) They are, therefore, administrative procedures that, having to respect the rights, freedoms and guarantees, do not obey the legal-constitutional principles that make up the criminal process (Judgment cited p. 24).

As such, the Constitutional Court decided to:

  • Declare unconstitutional, with general mandatory force, the rule contained in article 3 of Organic Law no. 4/2017, of 25 August, in the part in which it allows the access of the information officers of the Security Information Service (SIS) and the Defense and Strategic Information Service (SIED) to basic data and equipment location data, when they do not support concrete communication, for the purpose of producing information necessary to safeguard national defense and internal security, for violation of articles 26, paragraph 1, and 35, paragraphs 1 and 4, in conjunction with article 18, paragraph 2, of the Constitution of the Portuguese Republic;
  • Not declare unconstitutional the rule contained in article 3 of Organic Law no. 4/2017, of 25 August, insofar as it allows the access of the information officers of these services, within the scope of their respective duties, to basic and equipment location data, when they do not support concrete communication, for the purpose of producing information necessary to prevent acts of sabotage, espionage, terrorism, proliferation of weapons of mass destruction and highly organized crime;
  • Declare unconstitutional, with general mandatory force, the rule contained in article 4 of Organic Law no. 4/2017, of 25 August, for violation of the provisions of article 34, no. 4, of the Constitution, with regard to access to traffic data involving intersubjective communication, and for violation of the provisions of articles 26, paragraph 1, and 35, paragraphs 1 and 4, in conjunction with article 18, paragraph 2, all of the Constitution, with regard to access to traffic data that do not involve intersubjective communication.

Comment

In its Opinion of May 30th, 2017 on the Law at issue (Organic Law 4/2017), the Portuguese CNPD likewise considered that the Law infringes "the prohibition of intrusion in the electronic communications provided for in the Constitution of the Portuguese Republic, as well as the rules of the Constitution, the Charter of Fundamental Rights of the European Union and the European Convention on Human Rights regarding private and family life, personal data protection and privacy in the communications".

English Machine Translation of the Decision

The decision below is a machine translation of the Portuguese original. Please refer to the Portuguese original for more details.

SUMMARY

Declares unconstitutionality, with general mandatory force, of the rule contained in article 3 of Organic Law no. 4/2017, of 25 August, in the part in which it allows the access of the information officers of the Security Information Service (SIS) and the Defense and Strategic Information Service (SIED), regarding basic data and equipment location, when they do not support concrete communication, for the purpose of producing information necessary to safeguard national defense and internal security, for violation of articles 26, paragraph 1, and 35, paragraphs 1 and 4, in conjunction with article 18, paragraph 2, of the Constitution of the Portuguese Republic; does not declare the rule contained in Article 3 of Organic Law No. 4/2017, of 25 August, unconstitutional, in the part in which it allows the access of the information officers of these services within the scope of their respective duties, in relation to basic data and location of equipment, when they do not support a concrete communication, for the purposes of producing information necessary to prevent acts of sabotage, espionage, terrorism, proliferation of weapons of mass destruction and highly organized crime; declares unconstitutionality, with general mandatory force, of the rule contained in article 4 of Organic Law no. 4/2017, of August 25, for violation of the provisions of article 34, paragraph 4, of the Constitution, with regard to access to traffic data involving intersubjective communication, and for violation of the provisions of articles 26, no. 1, and 35, no. 1 and 4, in conjunction with article 18, no. 2, all of the Constitution, with regard to access to traffic data that do not involve intersubjective communication.

TEXT
Judgment of the Constitutional Court No. 464/2019

Summary: Declares the rule contained in article 3 of Organic Law no. 4/2017, of August 25, unconstitutional, with general mandatory force, in the part in which it allows access by the information officers of the Security Information Service (SIS) and the Defense and Strategic Information Service (SIED), in relation to basic data and equipment location, when they do not support concrete communication, for the purpose of producing information necessary to safeguard national defense and internal security, for violation of articles 26, paragraph 1, and 35, paragraphs 1 and 4, in conjunction with article 18, paragraph 2, of the Constitution of the Portuguese Republic; does not declare the rule contained in Article 3 of Organic Law No. 4/2017, of 25 August, unconstitutional, in the part in which it allows the access of the information officers of these services within the scope of their respective duties, in relation to basic data and location of equipment, when they do not support a concrete communication, for the purposes of producing information necessary to prevent acts of sabotage, espionage, terrorism, proliferation of weapons of mass destruction and highly organized crime; declares unconstitutionality, with general mandatory force, of the rule contained in article 4 of Organic Law no. 4/2017, of August 25, for violation of the provisions of article 34, paragraph 4, of the Constitution, with regard to access to traffic data involving intersubjective communication, and for violation of the provisions of articles 26, no. 1, and 35, no. 1 and 4, in conjunction with article 18, no. 2, all of the Constitution, with regard to access to traffic data that do not involve intersubjective communication.

Process No. 26 2018

Agree in the Plenary of the Constitutional Court

I - Report

1 - Thirty-five Deputies to the Assembly of the Republic, under the provisions of paragraph a) of paragraph 1 and in paragraph f) of paragraph 2 of article 281 of the Constitution of the Portuguese Republic, requested the assessment and declaration of unconstitutionality of the rules contained in articles 3 and 4 of Organic Law no. 4/2017, of 25 August, which approves and regulates the special procedure for accessing telecommunications and Internet data by the information officers of the Security Information Service (SIS) and the Defense Strategic Information Service (SIED) and proceeds to the second amendment to Law No. 62/2013, of 26 August (Law on the Organization of the Judiciary System).

2 - The standards questioned have the following content:

Article 3

Access to base and equipment location data

SIS and SIED information officers can access basic and equipment location data for the purpose of producing information necessary to safeguard national defense, internal security and prevent acts of sabotage, espionage, terrorism, proliferation of weapons of mass destruction and highly organized crime within its exclusive scope.

Article 4

Access to traffic data

SIS and SIED information officers may only have access to traffic data for the purpose of producing information necessary to prevent acts of espionage and terrorism.

3 - In order to challenge the constitutionality of the rules mentioned above, the claimants invoke the violation of paragraph 4 of article 34 of the Constitution.

The grounds for the request are, in summary, the following:

"The relevant question to be considered is to know which types of data are under the protection established in paragraph 4 of article 34 of the Constitution, which expressly provides that "all interference by public authorities in correspondence, telecommunications and other means of communication is prohibited, except as provided for in the law on criminal prosecution."

The answer given by the TC, in Decision No. 403/2015, to the question of whether traffic data, including location data, are within the scope of the protection of paragraph 4 of article 34 of the Constitution, couldn't be clearer.

There it is stated (p. 16) that "there is a broad consensus in doctrine and jurisprudence, otherwise there is no known opposite position, in the sense of including traffic data in the concept of communications constitutionally relevant to the prohibition of interference".

And after a wide doctrinal and jurisprudential explanation, the TC concludes that "the area of protection of the confidentiality of communications enshrined in paragraph 4 of article 34 of the CRP, comprises both the content of the communication and the traffic data related to the communication process".

Based on the question of data protected by the secrecy of communications, it is important to know whether the access to traffic data provided for in articles 3 and 4 of the LO by information officers conforms to the exception contained in the second part of n. 4 of article 34 of the CRP, which allows access to data of this nature in the cases provided for by the law in the area of criminal proceedings.

In Judgment No. 403/2015, the TC also extensively analyzes this point to conclude that "by allowing public authorities to intervene in the media only in matters of criminal prosecution, and not for any other purposes, the Constitution wanted to ensure that access to these means, to safeguard values of justice and security, be carried out through a procedural instrument that also protects people's fundamental rights". And it continues: "because interference in communications puts a fundamental right in conflict with other rights or community values, it was considered that the restriction of that right would only be authorized for the realization of the values of justice, the discovery of material truth and the restoration of peace. Community legal system, the values that the criminal process has to fulfill".

However, the aforementioned Judgment goes further, stating that paragraph 4 of article 34 of the CRP has consequences that are reflected in the constitutional status of the defendant (article 32 paragraph 8 of the CRP) and that lead to considering null the evidence obtained by tampering with communications.

On the other hand, the aforementioned Judgment also concludes that "in the case of interference by public authorities in communications, that Article 34, paragraph 4, first part, enshrines as a general principle, the exceptions referred to in the segment end of this precept are subject to the subject of criminal proceedings, and since the restriction is constitutionally authorized only in these terms, there is no point in making any other interpretation that allows the restriction to be extended to other effects, as if the restriction were not specified in the constitutional text itself if it were a purely implicit restriction that allowed to meet other constitutionally recognized values or assets".

There is, as mentioned, an abundant constitutional jurisprudence in this sense (Judgments Nos 241/02, 195/85, 407/97, 70/2008, 486/2009 and 699/2013).

The TC therefore considers that, outside the criminal proceedings, there is an absolute ban on interference by public authorities in the media, including in terms of traffic data.

Therefore, it is important to know whether the access of information officers to traffic data, including location data, can be considered as an activity "in matters of criminal prosecution".

The TC's answer is "certainly" negative, since "the purposes and interests that the law is entrusted to SIRP to pursue, the functional powers that it confers on its staff, and the performance and control procedures it establishes, place access to the traffic outside the scope of criminal investigation".

The provisions of Article 3 of the LO are that SIS and SIED intelligence officers can have access to basic and equipment location data for the purpose of producing information necessary to safeguard national defense, internal security and the prevention of acts of sabotage, espionage, terrorism, proliferation of weapons of mass destruction and highly organized crime within its exclusive scope.

And Article 4 provides that SIS and SIED information officers may have access to traffic data for the purpose of producing information necessary to prevent acts of espionage and terrorism.

We are thus in the field of collecting information for the purpose of prevention, which in the understanding of the TC "is clearly and precisely dissociated from the criminal investigation activity" (Judgment cit., p. 23).

Under the terms of Law no. 49/2008, of 27 August, the criminal investigation "comprises the set of measures that, under the terms of the criminal procedural law, are intended to ascertain the existence of a crime, determine its agents and their responsibility and discover and collect the evidence, within the scope of the process".

In fact, the intelligence services do not have any police or criminal investigation powers, and such activities are legally forbidden.

There is, therefore, (it is the understanding of the TC) "a radical distinction between information and criminal investigation, which prevents information officers from intervening in criminal proceedings".

Although the collection of information can be used in criminal proceedings, the collection for that purpose must address a crime already committed. Now, the collection of information by SIRP, because it is preventive, is not oriented towards an investigative activity of crimes already committed or in execution.

The perpetual conclusion of the TC is that the information activity produced by the SIRP, because it is not directed towards the discovery of the authorship of a crime, does not have the nature of a criminal investigation. (...) They are, therefore, administrative procedures that, having to respect the rights, freedoms and guarantees, do not obey the legal-constitutional principles that make up the criminal process (Judgment cited p. 24).

The relevance of the nature of the supervisory body

Unlike what happened with the Decree of the AR under which the process of preventive inspection of the constitutionality that culminated in Judgment No. 403/2015 focused, the LO in question does not provide for the control of access to traffic data via a "prior control commission" of an administrative nature, and as such qualified in the aforementioned judgment, despite being made up of judicial magistrates.

In the present case, pursuant to Article 8 of the LO, judicial control and prior authorization for SIS and SIED information officers to access telecommunications and Internet data is carried out by training the criminal sections of the Supreme Court of Justice, constituted by the presidents of the sections and by a judge appointed by the Superior Council of the Judiciary, among the oldest of these sections.

The intensity of the control of access to traffic data by information officers is also considerably higher than that provided for in the decree deemed unconstitutional in 2015, in order to provide guarantees of necessity, adequacy and proportionality to the request made.

However, the applicants understand that the alterations thus made do not rule out the decisive reasons that led to the declaration of unconstitutionality of Decree No. 426/XII.

If it is true that the criminal sections of the Supreme Court of Justice cannot be qualified as administrative bodies, since this Court is unequivocally a body of a judicial nature, it is no less certain that the functions that the LO assigns to them - at all alien to the functions that until now this Court has been legally called upon to perform - they are not a matter for criminal prosecution.

As in Judgment No. 241/02, the TC considered it unconstitutional that, in a labor proceeding, telecommunications operators could be asked for information regarding traffic data and detailed telephone line billing, as "it does not constitute a matter for criminal process", this understanding being confirmed in subsequent judgments (cited in Judgment No. 403/2015, p. 22), particularly in the context of civil proceedings, it is now also necessary to conclude that the provisions of the LO are unconstitutional.

It is that what is at issue is not so much the administrative or judicial nature of the supervisory body (although such a nature is not irrelevant) but the question of whether the judicial control carried out falls within the scope of criminal proceedings or not.

And for the reasons explained above in the light of constitutional jurisprudence, about the radical distinction between information and criminal investigation, which prevents information officers from intervening in criminal proceedings, it appears to proponents that the answer can only be negative ».

4 - Notified to respond, the President of the Assembly of the Republic came to offer the merits of the case file, taking advantage, however, to explain, in summary, the following:

«1 - Brief legal framework

Organic Law No. 4/2017, of 25 August, came to approve and regulate the special procedure for access to telecommunications and Internet data, previously stored by electronic communications service providers, by intelligence officers of the Security Information Service and the Defense Strategic Intelligence Service.

The Law subjects to judicial control the possibility of access to the data that are necessary for the pursuit of the activity of producing information by the Information System of the Portuguese Republic (SIRP) related to internal security, defense, State security and the prevention of espionage and terrorism.

The matter of access by the Information Services of the Portuguese Republic to telecommunications and Internet data had already been subject to parliamentary approval, with the decree then approved - Decree No. 426/XII of the Assembly of the Republic (originating in Law Proposal no. 345 / XIV4.ª - Approves the regime of the Information System of the Portuguese Republic) - having been subject to preventive inspection of constitutionality, which culminated in the Constitutional Court's pronouncement for the unconstitutionality of the rule of paragraph 2 of article 78 thereof, for breach of the provisions of paragraph 4 of article 34 of the CRP, through Decision No. 403/2015, of 27 August. This decree was subject to a veto following the aforementioned pronouncement by the Constitutional Court.

2 - Preparatory work for Organic Law No. 4/2017

Organic Law No. 4/2017, of 25 August, which approves and regulates the special procedure for access to telecommunications and Internet data by information officers of the Security Intelligence Service and the Defense Strategic Intelligence Service and proceeds to the second amendment to Law No. 62/2013, of 26 August (Law of the Organization of the Judiciary System), originated in Law Proposal No. 79/XIII/2nd, of the Government's initiative - "Approves the special regime of access to basic data and data traffic of electronic communications by the SIRP" - and in Bill no. 480/XIII/2nd, of the initiative of the eighteen Members of the Parliamentary Group of the CDS/PP - "Access to traffic data, location or other related data of the communications by officials and agents of the intelligence services of the Portuguese Republic".

The norms object of the request for declaration of unconstitutionality with general mandatory force - articles 3 (Access to basic data and location of equipment) and 4 (Access to traffic data) of the aforementioned Organic Law - correspond, in their wording, respectively to articles 2 and 3 of Law Proposal no. 79/XIII. These rules were not subject to any proposals for changes during the legislative process that gave rise to the Law, except with regard to their numbering (as a result of the improvement made in the final wording, approved by the 1st Commission on July 27, 2017, which consisted of the splitting of article 1 into two articles - 1 and 2 - with consequent renumbering of the following).

From the preparatory work for the Organic Law (all elements of the processing of Law Proposal no. 79/XIII and Bill no. 480/XIII available in the database "Parliamentary activity" on Parliament's website, at the link http://www.parlamento.pt/ActividadeParlarl/Paginas/DetalheIniciativa.aspx?BID= 41364), it is possible to remove, with relevance to the issue that is the subject of this inspection request, that:

1 - In the explanatory memorandum to Law Proposal No. 79/XIII, the proponent explained that the special data access regime recommended was adequate and proportional "to the challenges posed to the national and international security of the State, considering the procedures and methodologies foreseen in similar legal regimes, particularly in the European space (...)", and also taking into account the regime established in the National Strategy to Combat Terrorism, approved by the Resolution of the Council of Ministers no. 7-A/2015, February 20».

The initiative foresaw that the activity of gathering information by SIRP officials for the purposes of prevention would be preceded by a mandatory authorization procedure for the responsibility of training the criminal sections of the Supreme Court of Justice, communicated to the Attorney General of the Republic. telecommunications and Internet data obtained - basic, location and traffic data - subject to supervision by the SIRP Data Supervision Commission and the SIRP Supervisory Board, «thus becoming ...» - in the words of the proposer - « ... safeguarding the limits and cumulative levels of internal and external inspection of the system, as well as constitutional restrictions on privacy and fundamental guarantees ».

2 - Since the Government proposer requested the scheduling of the discussion in general of the initiative - which had been admitted to the Bureau of the Assembly of the Republic on May 11, 2017 and was admitted on the subsequent May 16 - for the Plenary session of 17 May, by dragging on a set of initiatives on the same matter (namely Bill no. 480/XIII), the Bill did not, in general, refer to the competent committee, so the Constitutional Affairs Committee, Rights, Freedoms and Guarantees on it did not issue an opinion, although it was subsequently the subject of a technical note.

Thus, in addition to this technical document (with possible pertinence in the part relating to the international legal framework and the treatment of the matter in terms of European Union law), there is no other element of appreciation - opinion or minutes of the meeting in which it had been discussed - likely to be relevant for the analysis of the application.

3 - Subject to the opinion of the Committee on Constitutional Affairs, Rights, Freedoms and Guarantees, outside, at the meeting of May 10, 2017, Bill No. 480/XIII, which aimed to amend Law No. 30/84, of September 5 (Framework Law of the Information System of the Portuguese Republic) and Law No. 62/2013, of August 26 (Law of Organization of the Judiciary System), establishing the competence and the access procedure by the information service officials and agents of the Portuguese Republic, with prior judicial authorization in charge of a special section to authorize access to information and data (traffic, location or other related communications data), which he proposed to create at the Supreme Court of Justice.

In the explanatory memorandum, the proponents considered it "essential to provide the country with all the mechanisms at its disposal to" prevent terrorism, and its "prevention and repression" should be worked on.

This initiative proposed subjecting access to data to judicial authorization "with prior hearing from the National Data Protection Commission, within the framework of its own powers" (cf. Article 5 (1)). The same initiative provided for the creation of a “special section for authorization of access to information and data”, “made up of three judges of the penal section of the Supreme Court of Justice, each year and successively appointed, with the responsibility of a judge as rapporteur and to the other judges the functions of deputies”, as well as the attribution to the Attorney General of the Republic of the annual appointment of “an assistant attorney general to the special section to authorize access to information and data”.

The opinion (and the accompanying technical note) states that the initiative called for the adoption of «rules on the form of data transmission, establishing encrypted or encrypted electronic transfer as a rule, similar to what happens in Law no. 32/2008, of 17 July, for the transmission of traffic data and location data, as well as the related data necessary to identify the subscriber or user». It should be remembered that Law No. 32/2008 transposed into the internal legal order Directive No. 2006/24/EC, of the European Parliament and of the Council, of 15 March, on the conservation of data generated or processed in the context of the provision of publicly available electronic communications services or public communications networks.

The justification for the legislative impetus was still, according to the proponent, in the National Strategy to Combat Terrorism, approved by the Resolution of the Council of Ministers no. 7-A / 2015 , of February 20, as well as in the "prevention of security threats. national and European policy on terrorism ”, a need highlighted, according to the initiative's authors, by the Information System Supervisory Board of the Portuguese Republic, both in the opinion for the year 2015 and in the first half of 2016.

The technical note pointed out that with Law No. 30/84, of September 5 (Framework Law of the Information System of the Portuguese Republic), amended by Laws No. 4/95, of February 21, No. 15/96, of April 30, No. 75-A/97, of July 22, and by Organic Law No. 4/2004, of November 6, which republished it (including Statement of Rectification No. 44-A/2014, of October 10), the general bases of information in Portugal had been established and the definition of the rules of operation, direction and control of the respective bodies, defining inspection structures. The Law also specified the missions, duties and responsibilities of the services and inspection entities. The fundamental mission of SIRP was "the production of information necessary to safeguard national independence and guarantee internal security" (Article 2 (2)), for which it had three information services: the Information Service Defense Strategies (SIED), the Military Intelligence Service (SIM) and the Intelligence and Security Service (SIS).

Organic Law 4/2004, of November 6, introduced material changes to the information system regime, putting the two information services under the direct authority of the Prime Minister and creating the Secretary General of the office of SIRP, which was tasked with coordinating and conducting superior information service activity. SIEDM lost its military component and was renamed SIED (Defense Strategic Information Service).

The same document recalls that the activity of the SIRP is "specifically limited by some principles inscribed in paragraphs 1 and 3 of article 3 and paragraph 1 of article 4 of the SIRP Framework Law: (i) the principle of constitutionality and legality: the activity of intelligence services is subject to scrupulous respect for the Constitution and the law, namely in terms of the protection of people's fundamental rights, especially in the face of the use of computerized data; (ii) the principle of exclusivity: the activity of the services is strictly limited to its attributions, and it cannot carry out an activity of producing information in a domain that has not been granted to it; (iii) the principle of specialty: the activity of the information services is reduced to its strict scope, and its activity must not be confused with the activity of other bodies, such as in the field of court activity or police activity."

) »(In Annotated Constitution of the Portuguese Republic, Volume I, 4th revised edition, page 555)». In this regard, paragraph 4 of article 34 of the CRP may also be mentioned, which prohibits all “interference by public authorities in correspondence, telecommunications and other means of communication, except in the cases provided for by law in criminal prosecution”.

The note finally appeals to the ruling of the Constitutional Court no. 403/2015, of 27 August, which underlines the need to "characterize the type of data in question and to know whether access to it is worthy of constitutional protection". It recalls that the legal system provides a legal definition of "traffic data" (designation used in the bill) - contained in paragraph d) of no. 1 of article 2 of Law no. 41/2004, of August 18, on Telecommunications Security -, which corresponds to "any data processed for the purpose of sending a communication through an electronic communications network or for the purpose of billing it". In this regard, the judgment in question calls for the jurisprudence of the same Constitutional Court, which accepted a tripartite classification of data resulting from the telecommunications service: «(...) the data relating to the connection to the network, said basic data; the functional data necessary to establish a connection or communication; and the data generated by the use of the network (for example, location of the user, location of the recipient, duration of use, date and time, frequency), traffic data; data relating to the content of the communication or message, content data». Mindful of this distinction, the same judgment considers that the "traffic data", "location data" or other "related data" of communications, necessary to identify the subscriber or user or to find and identify the source, destination, date, time, duration and the type of communication, as well as to identify the telecommunications equipment or its location, must be considered as traffic data, «for respecting the functional elements of the communication, reporting to the direction, destination, route and route of a given message.
They are data, therefore, that identify or allow to identify the communication and, once conserved, they allow the identification of the communications between issuer and recipient, the date, the time and the frequency of the calls made». Alluding to the existing legal regulation on access to data related to communications, Law 67/98, of 26 October, which, transposing Directive 95/46/EC, of the European Parliament and of the Council, of 24 October 1995, on the protection of natural persons with regard to the processing of personal data and the free movement of such data, approved the Personal Data Protection Act.

From the framework of the matter in terms of European Union law, mention is made, in that note, of the Framework Decision 2008/977/JHA of the Council, of November 2008, on the protection of personal data processed under judicial and criminal justice cooperation, which covers only police and judicial data exchanged between Member States, authorities and associated systems of the European Union and does not cover national data, and which will be repealed (in May 2018) by Directive (EU) 2016/680, of 27 April 2016, on the protection of individuals with regard to the processing of personal data by the competent authorities for the purposes of preventing, investigating, detecting or prosecuting criminal offenses or carrying out criminal penalties, and on the free movement of such data. The directive aims to protect the personal data of natural persons processed by police and judicial authorities, while also aiming to improve cooperation in combating terrorism and cross-border crime in the EU by allowing police and judicial authorities in EU countries to exchange the information necessary for investigations to be more effective and more efficient.

The international framework of the topic presents elements of analysis related to Germany, Spain, France and the United Kingdom, giving note of the possibility and conditions of interception of communications by the Information Services of some of those States - alluding, in Germany, to the G10 Commission, composed of four members (not necessarily members of the Bundestag), chaired by a judge and whose mission is "to implement restrictive inspection measures in the field of correspondence, messages and telecommunications secrecy (GG article 10), being responsible for authorizing orders for the interception of communications. Its control power also extends to the entire process of collecting, processing and using personal information obtained from that action"; in Spain, "access to information by information services (..) article 15 of Ley 5/2014, of 4 April, of Private Security, which admits this possibility, namely as regards those services being able to request private security companies to grant them access to electronic signal surveillance systems when necessary. This must be done to avoid a real danger to public security or for the purpose of criminal investigation, always respecting the provisions of the data protection law"; referring, in relation to France, "to the techniques of interception of information in security matters", for whose regulation it lists "the recent Loi nº 2015-912 du 24 juillet 2015 (..) approved with the purpose of increasing the detention rates in the scope of the terrorist threat, intended to update the regime for the secrecy of correspondence transmitted by means of telecommunications, regulated by Loi nº 91-646 du 10 juillet 1991 relative au secret des correspondances émises par la voie des télécommunications.
That law repeats the existing provisions on security interceptions and access to connection data, and transposes to the field of prevention techniques for collecting information already permitted in a judicial context (such as capturing images in private places and collecting computer data).

According to Law no. 91-646, interceptions of communications issued by electronic means (eg telephone tapping) are authorized with the aim of seeking information related to national security, safeguarding the essential elements of the scientific and economic potential of the France, or the prevention of terrorism, crime and organized crime.

In terms of procedure, it is up to the Prime Minister, on the basis of a written and reasoned request from one of the ministries responsible for the six intelligence services, to grant authorization to perform, for example, a wiretapping, after consulting the Commission nationale de contrôle des interceptions de sécurité (CNCIS).

Law No. 2015-912 of July 24, 2015 alters this regime, providing that the authorization is extended to persons in the entourage of the target person (article 852-1 of the internal security code), and replacing the CNCIS by the Commission nationale de contrôle des techniques de renseignement (CNCTR).

It is also important to refer to Loi nº 2006-64 du 23 janvier 2006 relative à la lutte contre le terrorisme et portant dispositions diverses relatives à la sécurité et aux contrôles frontaliers, which instituted a regime of administrative requisition of connection data. This diploma was reformulated by the military programming law of 2013. However, the validity of several of its provisions has been successively extended in the scope of the anti-terrorism policy, and is still in force at the end of 2015. The provisions in question concern identity control on board cross-border trains, the administrative device for requesting data relating to electronic communications and access by services combating terrorism to certain administrative archives. The aforementioned military programming law of 2013 also extended the ability to access connection data to all information services - and not just the relevant Ministry of Interior services - for any reason connected with defending the nation's fundamental interests. In reality, more than an innovation, it was a legal simplification, given that this was already possible. In the Code of interior security, special techniques for collecting information subject to authorization are provided for, covering the following matters: Administrative access to connection data (articles L851-1 to L851-7); Security interceptions (article L852-1); Sound of certain installations and vehicles and capture of computer images and data (articles L853-1 to L853-3); Surveillance measures for international electronic communications (articles L854-1 to L854-9)." And, as for the United Kingdom, pointing out that the Regulation of Investigatory Powers Act 2000 (RIPA) is the law that regulates the powers of public entities in the scope of surveillance and investigation, as well as the interception of communications. It was introduced for the purpose of accommodating technological changes in the field of communication, such as the Internet and encryption.
More recently, the UK Investigatory Powers Act 2016 introduced changes in the scope of interception of communications, interference of equipment (hacking to obtain information) and acquisition of mass communication data. This law came into force at the end of 2016.

The United Kingdom's information system is composed, at the level of strategic direction, by the Joint Intelligence Committee (JIC) (Lords and Commons), instituted by the Intelligence Services Act 1994.

The United Kingdom also has the Intelligence and Security Committee, created by government initiative, whose members are appointed by the Prime Minister, under the appointment of Parliament and in consultation with the opposition leader, the Commission responding directly to the Prime Minister. The UK Investigatory Powers Act 2016 also created the Investigatory Powers Commission (IPC), in order to supervise, together with the Intelligence and Security Committee, the use of all investigative powers.

Another of the measures contained in the new law of 2016 relates to the requirement of confirmation by a judge (at the service of the IPC) of the authorization to access the content of communications (or equipment interference) authorized by a secretary of state (equivalent to a minister in the Portuguese system).

A detailed description of the new regulations of the UK Investigatory Powers Act 2016 can be consulted in the various information documents of the proposal that gave rise to it, highlighting those related to Information Data, Equipment Interference and Interception of communications - and appealing to the instruments of international law and applicable supranational jurisprudence - Article 12 of the Universal Declaration of Human Rights, in the wording taken up by Article 17 of the International Covenant on Civil and Political Rights; Article 8 of the European Convention on Human Rights (ECHR), according to paragraph 2 of which “there can be no interference by public authority in the exercise of this right unless this interference is provided for by law and constitutes a measure that, in a democratic society, is necessary for national security,

The President of the Assembly of the Republic also draws attention to the written statements about the legislative initiatives from the National Commission for Data Protection, the Commission for the Supervision of Data of the Information Services of the Portuguese Republic, the Secretary-General of the Information System of the Portuguese Republic, the Supervisory Board of the Information System of the Portuguese Republic and the Attorney General's Office.

Finally, a part of the parliamentary debate that preceded the approval of Organic Law No. 4/2017 is transcribed in the response of the author of the rule.

5 - The memorandum prepared by the President of the Constitutional Court, under the terms of article 63, paragraph 1 of the LTC, was discussed in plenary and the Court's orientation was fixed; after the case was distributed to the rapporteur designated by lot, the draft judgment was presented and discussed; in view of the Rapporteur's position, the President of the Court, after hearing the same, appointed a new rapporteur to prepare the judgment in accordance with the project discussed.

It is now necessary to decide in harmony with what was then established.

II - Fundamentals

6 - Background

a) The standards questioned in the framework of the new metadata access system

The standards questioned are contained, as already stated, in Organic Law No. 4/2017, which came to institute a special procedure for accessing telecommunications and Internet data, previously stored by providers of electronic communications services, by the information officers of SIS and SIED. The diploma was regulated by Ordinance No. 237-A/2018, of 28 August, which defines the technical and security conditions for electronic communication, for the purpose of deferred transmission of telecommunications and Internet data obtained in accordance with the regime established in the said Organic Law.

In the explanatory memorandum to Law Proposal No. 79 / XIII, one of the legislative initiatives that led to the approval of the Organic Law now in question, the Government explains the following:

"The Information System of the Portuguese Republic (SIRP), through the Strategic Defense Information Service (SIED) and the Security Information Service (SIS), in strict compliance with the Constitution and the Law and in an exclusive regime, ensures the production of information necessary to safeguard national interests, national independence and internal security.

The Information Services, SIED and SIS, in the exercise of their missions and competences, continue the activities of producing information regarding the maintenance of the citizens' security conditions, as well as the full functioning of democratic institutions, respecting the legality and principles democratic rule of law.

In this context, the results of the activities of the Information Services, SIS and SIED, constitute an exclusive and permanent assessment of the main threats to the democratic rule of law, some of which are particularly corrosive to the pillars of the democratic rule of law, such as the terrorist phenomenon, due to its scope and impact.

Seeking to match the procedures and methodologies of the activity of the Information Services of the Portuguese Republic to the challenges posed to national and international security of the State, considering the procedures and methodologies provided for in legal regimes applicable to similar services, particularly in the European space, a space where these services are naturally registered and, taking into account, also, the regime established in the National Strategy to Combat Terrorism, approved by the Resolution of the Council of Ministers no. 7-A/2015, of February 20, the consecration of a special regime for access to basic data and electronic communications traffic data under the Constitution and the law by the SIRP is appropriate and proportional".

The legislator's intention was, therefore, to enshrine in ordinary legislation the possibility of access to a wide set of data on data, or metadata, related to communications, by the SIRP information officers, purging the legal regime of the unconstitutionalities pointed out by the Constitutional Court, in its Decision No. 403/2015, regarding the preventive assessment of the constitutionality of Article 78 of Decree No. 426/XII of the Assembly of the Republic.

In order to fully understand the meaning and scope of the rules under analysis and to be able to carry out the consideration that should preside over the judgment on their constitutional validity, it is necessary to bear in mind the prescriptive sense of the normative precepts that bear on them, whether those enshrined in Organic Law no. 4/2017 itself, or those contained in Ordinance no. 237-A/2018.

In this way, and highlighting only the most relevant ones, it is important to note the rules of Organic Law no. 4/2017 which establish the following:

Article 5

Communication to the Public Ministry and judicial authorization

1 - The access of information officers of the SIS and SIED to telecommunications and Internet data in the scope of the research activity depends on prior and mandatory judicial authorization, by a formation of the criminal sections of the Supreme Court of Justice, constituted under the terms of article 8, which guarantees the weighting of the relevance of the grounds of the request and the safeguarding of the constitutionally provided rights, freedoms and guarantees.

2 - The process of authorizing access to data is always communicated to the Attorney General.

Article 6

Admissibility of the application

1 - The request can only be authorized when there are reasons to believe that the due diligence is necessary, adequate and proportional, under the following terms:

a) To obtain information about a specific target or intermediary; or

b) To obtain information that would be very difficult or impossible to obtain in another way or in a timely manner to respond to the urgent situation.

2 - Interconnection in real time with the databases of telecommunications and Internet operators is prohibited for direct online access to the required data.

Article 8

Judicial control and prior authorization

Judicial control and prior authorization for SIS and SIED information officers to access telecommunications and Internet data are carried out by a formation of the criminal sections of the Supreme Court of Justice, consisting of the presidents of the sections and a judge appointed by the Superior Council of the Judiciary, among the oldest of these sections.

As for Ordinance No. 237-A/2018, reading it gives a clearer perception of how the system of access to information by SIS and SIED officers effectively works, with emphasis on the rules that are transcribed below, because they make it possible to understand the set of procedural steps to be taken:

Article 1

1 - The procedural acts related to the electronic communication of telecommunications and Internet data to information services by electronic communications service providers, under the terms set forth in Organic Law No. 4/2017, of 25 August, are practiced via a computer service, based on the Internet, specifically made available for the purpose in the so-called "System of Access or Request for Data to Electronic Communications Service Providers", referred to for short as SAPDOC.

2 - SAPDOC is developed and managed by the Institute of Financial Management and Justice Equipment, IP (IGFEJ, IP), who will also be responsible for the management of the system and the respective access accreditation.

3 - SAPDOC is endowed with technical functionalities that allow it to practice, at least, the following procedural acts, in execution of the procedures foreseen in the Organic Law no .

a) Presentation of the request, prepared by the directors of the Security Information Service (SIS) or the Defense Strategic Information Service (SIED) and sent by the Secretary-General of the Information System of the Portuguese Republic (SIRP) to the President of the Supreme Court of Justice (paragraph 1 of article 9 of Organic Law No. 4/2017);

b) Communication of the request to the Attorney-General of the Republic (paragraph 1 of article 9 of Organic Law No. 4/2017);

c) Eventual pronouncement by the Attorney-General of the Republic on the request made by the directors of SIS or SIED;

d) Submission of the request, by the President of the Supreme Court of Justice, to the special formation of judges (paragraph 1 of article 5 and article 8 of Organic Law no. 4/2017);

e) Elaboration or annexation of the deliberation of the special formation of judges (no. 3 of article 10 and no. 1 of article 12 of Organic Law no. 4/2017);

f) Communication of the decision to the information service, to the electronic communications service provider, depositary of the data, and to the Attorney-General of the Republic (no. 2 of article 5 of Organic Law no. 4/2017);

g) Communication of the resolution to the SIRP Data Supervision Committee, with nominative reference;

h) Eventual reaction of the SIS or SIED, the provider of electronic communications services, depositary of the data, or the Attorney-General of the Republic to the deliberation of the special formation of judges;

i) Remittance of the response file with the data, by the provider of electronic communications services, with knowledge of the special formation of judges of the Supreme Court of Justice that deliberated and of the Attorney-General of the Republic (no. 1 of Article 11 of Organic Law No. 4/2017);

j) Eventual pronouncement of the Attorney General;

k) Validation of data processing (paragraph 2 of article 12 of Organic Law no. 4/2017) and respective sending, by the special formation of judges of the Supreme Court of Justice that decided, to the Director of the SIS Data Center or the Director of the SIED Data Center, with knowledge of the Attorney General;

l) Communication, by the Director of the SIS Data Center or by the Director of the SIED Data Center, of the successful receipt and storage of the response file;

m) Cancellation of ongoing data access procedures, by the special formation of judges of the Supreme Court of Justice (paragraph 3 of article 12 of Organic Law no. 4/2017);

n) Communication of the decision to cancel access and immediate destruction of data to the Director of the SIS Data Center or to the Director of the SIED Data Center, to the electronic communications service provider, data depositary, to the Attorney-General of the Republic and the SIRP Data Supervision Commission, for the purposes of exercising their legal powers (paragraphs 3, 4 and 5 of article 12 of Organic Law no. 4/2017);

o) Communication, by the Director of the SIS Data Center or by the Director of the SIED Data Center, to the Attorney General of the Republic, of the data obtained that indicate the practice of espionage and terrorism crimes (article 13 of Organic Law No. 4/2017), whenever possible and under the terms of the applicable legislation.

b) The European framework

It follows from the precepts above that the access of SIS and SIED to data previously stored by providers of electronic communications services implies that the latter proceed with the registration and organization of personal data for the purposes of storage and its unauthorized transmission to third parties. It is, therefore, the treatment of communications data without the prior consent of its holders, which naturally interferes with the protection of privacy in the electronic communications sector.

Such matter is subject to the discipline contained in Law no. 41/2004, of 18 August ("Electronic Communications Privacy Law"), which transposed Directive no. 2002/58/EC, of the European Parliament and of the Council, of 12 July, on the processing of personal data and the protection of privacy in the electronic communications sector (in the version resulting from Directive 2009/136/EC of the European Parliament and of the Council, of 25 November 2009) - hereinafter referred to only as "Directive No. 2002/58".

The provisions of Directive No. 2002/58 were intended to specify and complement Directive No. 95/46/EC of the European Parliament and of the Council, of October 24, 1995 - transposed into Portuguese law by the "Law for the Protection of Personal Data" (Law No. 67/98, of 26 October) - which was revoked by the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016), whose execution was ensured, in the domestic legal order, by Law No. 58/2019, of 8 August, which revoked that Law No. 67/98, of October 26th. Article 1 (1) states that the objective of the Directive is to provide for "the harmonization of the Member States' provisions necessary to guarantee an equivalent level of protection of fundamental rights and freedoms, including the right to privacy and confidentiality, with regard to the processing of personal data in the electronic communications sector and to guarantee the free movement of such data and electronic communications equipment and services in the Community".

Law No. 41/2004, in paragraph 4 of Article 1, refers to special legislation the definition of the exceptions and the appropriate legal regime that are strictly necessary to protect activities related to public security, defense, state security and the prevention, investigation and prosecution of criminal offenses. Such a provision is justified and understood in the light of the provisions of Articles 1 (3) and 15 (1) of the said Directive No. 2002/58, which provide for the following:

Article 1

3 - This Directive does not apply to activities outside the scope of the Treaty establishing the European Community, such as those covered by Titles V and VI of the Treaty on European Union, and in no case is it applicable to activities related to public security, defense, State security (including the economic well-being of the State when activities relate to matters of State security) and State activities in matters of criminal law.

Article 15

1 - Member States may adopt legislative measures to restrict the scope of the rights and obligations provided for in articles 5 and 6, in paragraphs 1 to 4 of article 8 and in article 9 of this directive whenever these restrictions constitute a necessary, adequate and proportionate measure in a democratic society to safeguard national security (ie State security), defense, public security and the prevention, investigation, detection and prosecution of criminal violations or of unauthorized use of the electronic communications system, as referred to in Article 13 (1) of Directive 95/46/EC. To that end, Member States may, in particular, adopt legislative measures providing that data will be kept for a limited period, for the reasons set out in this paragraph. All measures referred to in this paragraph must comply with the general principles of Community law, including those mentioned in Article 6 (1) and (2) of the Treaty on European Union.

Through such provisions, Directive 2002/58 intends to make an effort to reconcile the community requirements for the prevention of serious crime and the principles of confidentiality, anonymity and non-retention of data. In order to achieve this objective, the Directive provides for the possibility for Member States to adopt legislative measures restricting the scope of the rights and obligations provided for in the following precepts: (i) in Article 5, which establishes the principle of confidentiality of communications and respective traffic data, including the prohibition on storing traffic data without users' consent, without prejudice to the legal exceptions provided for in article 15, paragraph 1; (ii) in article 6, laying down the obligation for traffic data relating to subscribers and users treated and stored by the provider of a public communications network or a publicly available electronic communications service to be deleted or made anonymous "when they are no longer needed for the purpose of transmitting the communication", but without prejudice to the aforementioned article 15, paragraph 1; (iii) in paragraphs 1 to 4 of article 8, which concern the presentation and restriction of the identification of the calling line and the connected line; (iv) and, finally, in article 9, which deals with the treatment of location data in addition to traffic data, namely in the case of the provision of a value added service.

Now, Organic Law No. 4/2017, by regulating the special procedure for accessing data previously stored by the providers of electronic communications services necessary for the pursuit of the activity of producing information by the SIRP related to national security, defense, the security of the State and the prevention of espionage and terrorism, amounts precisely to an implementation of the optional exception to the default regime of privacy in matters of electronic communications allowed in article 15, paragraph 1, of Directive 2002/58, with reference to Member States' activities, in principle excluded from the scope of the same Directive, according to the respective Article 1 (3). In other words, it is a legislative measure adopted by a Member State to restrict the scope of the rights and obligations provided for in certain provisions of that Directive, designed to safeguard national security (that is, State security), defense, public security and the prevention of criminal offenses.

Such a measure, as a result of the exercise of the legislative power of a Member State, is naturally subject to the respective Constitution and, due to the matter in question, must also respect the limits set out in Article 15 (1) of Directive 2002/58. European Union law does not impose, rather it allows the adoption of that type of derogating measures, in well-identified circumstances and defined in clear and precise laws, in order to protect the fundamental rights of the affected citizens.

In these exact terms, and despite the fact that it is an exclusive initiative of the Member State - which may or may not decide to use the option of derogating from certain rights and obligations enshrined in Directive 2002/58 -, the adoption of derogations under the aforementioned Article 15 (1) also represents an application of "Union law" for the purposes of Article 51 (1) of the Charter of Fundamental Rights of the European Union ("CDFUE"), with the consequence of immediately binding the Portuguese Republic, in accordance with its respective competences, with respect for the rights and with the observance of the principles provided for therein.

In this regard, see the judgment of 21 December 2016, Tele2 Sverige and Watson, C-203/15 and C-698/15, EU:C:2016:970 (hereinafter "Tele2 judgment"), paragraphs 73 and 74:

«73. [Article 15 (1) of Directive 2002/58] necessarily presupposes that the national measures mentioned therein, such as those relating to data retention for the purpose of combating crime, fall within the scope of that directive, since the latter only expressly authorizes Member States to adopt them as long as the conditions they provide for are respected.

74 - In addition, the legislative measures referred to in Article 15 (1) of Directive 2002/58 regulate, for the purposes mentioned in this provision, the activity of providers of electronic communications services. Therefore, this Article 15 (1), read in conjunction with Article 3 of that Directive, must be interpreted as meaning that such legislative measures fall within the scope of that Directive.»

On the other hand, although Article 15 (1) of Directive No. 52/2008 refers only - but by way of example only - to legislative measures that require data to be kept for a limited period, there is no doubt that national measures granting access to previously preserved data also fall within the scope of that provision, as understood by the Court of Justice in the aforementioned Tele2 judgment:

«76 - A legislative measure which has as its object [...] the access of national authorities to data held by providers of electronic communications services also falls within that scope.

77 - Indeed, the protection of the confidentiality of electronic communications and related traffic data, guaranteed in Article 5 (1) of Directive 2002/58, applies to measures taken by all persons other than users, regardless of whether they are natural persons or private or public entities. As recital 21 of this directive confirms, it aims to prevent unauthorized "access" to communications, including "any data related to them", to protect the confidentiality of electronic communications.

78 - In these circumstances, a legislative measure whereby a Member State imposes, on the basis of Article 15 (1) of Directive 2002/58, on providers of electronic communications services, for the purposes mentioned in that provision, the obligation to grant national authorities, under the conditions provided for in that measure, access to the data held by the said providers has as its object the processing of personal data by the latter, a treatment that falls within the scope of this directive.»

Still in this regard, it is important to indicate the decision pronounced by the CJEU on that occasion in response to the specific questions that are the subject of the reference in which that Judgment was given:

"1) Article 15 (1) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 on the processing of personal data and the protection of privacy in the communications sector (Directive on privacy and electronic communications), as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009, read in the light of Articles 7, 8 and 11, as well as Article 52 (1) of the Charter of Fundamental Rights of the European Union, must be interpreted as opposing national regulations that provide, for the purposes of combating crime, the generalized and undifferentiated preservation of all traffic data and location data of all subscribers and registered users in all electronic means of communication.

2) Article 15 (1) of Directive 2002/58, as amended by Directive 2009/136, read in the light of Articles 7, 8 and 11 as well as Article 52 (1) of the Charter of Fundamental Rights, must be interpreted as precluding national regulations governing the protection and security of traffic data and location data, in particular access by the competent national authorities to kept data, without limiting, in the context of the fight against crime, that access only for the purpose of fighting serious crime, without subjecting that access to prior control by a court or an independent administrative authority, and without requiring that the data concerned be kept on Union territory."

This framework in the light of European Union law is directly and indirectly relevant: on the one hand, it determines, by virtue of the principle of the primacy of that order (in relation to matters that fall within the powers and competences of the European Union) and, as well, of the statute in Article 8 (4) of the Constitution, that national legislative measures adopted on the basis of the power enshrined in Article 15 (1) of Directive 2002/58 respect that provision, as well as the other rules and principles of Union law, including the rights and principles enshrined in the Charter (cf. the respective Article 51 (1)); on the other hand, it justifies the interpretation and application of such measures in accordance with the same right.

Without prejudice to the competence of the national legislator to adopt the access measures provided for in Organic Law No. 4/2017 on the basis of Article 15 (1) of Directive 2002/58, it is reiterated that this is a faculty granted and not an obligation imposed by European Union law. In other words, Member States are allowed, within certain limits, to act in this area, according to the forms and with the restrictions that their legal orders determine. Now, since the acts of public authorities in the domestic legal order are subordinate to the principle of constitutionality (Article 3, paragraph 3, of the Constitution), the question arises whether national legislation respects the Constitution. To the exact extent that this is not the case, it is incumbent upon the Constitutional Court to eliminate the corresponding rules of the domestic legal order, through a declaration of unconstitutionality with general mandatory force (article 282, paragraph 1, of the Constitution).

It does not follow, however, that European Union law, as well as the European Convention on Human Rights (to which, moreover, Article 15 (1) of Directive No. 2002/58 also refers - cf. the reference to paragraph 2 of article 6 of the Treaty on European Union in the last sentence of such a precept), must be disregarded here, when assessing the constitutionality of articles 3 and 4 of Organic Law No. 4/2017. In effect, by virtue of the rules of article 8 of the Constitution which establish the relevance of international law and Union law in the domestic legal order and, also, of the open clause in the field of fundamental rights enshrined in article 16 of the Constitution, this Court cannot fail to consider the fundamental rights enshrined in the CDFUE and in that Convention, and must also take into account, in a perspective of inter-jurisdictional dialogue, the interpretation that has been made by the competent bodies for its application, namely the Court of Justice of the European Union ("ECJ") and the European Court of Human Rights ("ECHR").

c) European case law on the protection of the privacy of electronic communications

As mentioned, the issue of the processing of data relating to communications is subject to regulation by European Union and ECHR law, so it is justified to take into account the protection that the right to privacy and the protection of personal data has known in the jurisprudence of the ECJ and in the jurisprudence of the ECHR.

i. The EU Charter of Fundamental Rights

Respecting the constitutional traditions of the EU member states, the CDFUE reaffirms in its preamble "the rights that stem, in particular, from the constitutional traditions and international obligations common to the Member States, the Treaty on European Union and the Community Treaties, the European Convention for the protection of human rights and fundamental freedoms, the Social Charters approved by the Community and the Council of Europe, as well as the case law of the Court of Justice of the European Communities and the European Court of Human Rights".

In this proclamation document of fundamental rights, of a binding nature for the Member States (article 6, paragraph 1, TEU), two norms of fundamental relevance in this matter stand out, namely, the norms contained in Articles 7 and 8.

The norm of article 7 enshrines the right to respect for private and family life, the home and communications, and is tributary to the entire process of densification of these rights undertaken at European level up to its approval. In fact, under the terms of paragraph 3 of article 52, this right has the same meaning and scope as the corresponding article of the ECHR. Consequently, the restrictions that could be legitimately imposed on it are identical to those tolerated under Article 8 of the Convention.

In turn, the rule in Article 8 enshrines the right to the protection of personal data, access to that data and its fair treatment and with a legitimate basis. The concept of data, of interest in the present case, includes "any information relating to an identified or identifiable natural person, being considered identifiable any person who can be identified, directly or indirectly, namely by reference to an identification number or to one or more specific elements of their physical, physiological, psychological, economic, cultural or social identity" (cf. Catarina Sarmento e Castro, "Commentary on Article 8", in Commented Charter of Fundamental Rights of the European Union, Alessandra Silveira and Mariana Canotilho (ed.), Almedina, Coimbra, 2013; see also the legal notion of "Directive 2002/58 ). As for the densification of the concept of data processing, which is also relevant for the present analysis, "personal data are subject to protection when subjected to any operation or set of operations (that is, a "treatment"), carried out (examples of such personal data processing are data collection, registration, organization, conservation, adaptation or alteration, recovery, consultation, use, communication by transmission, dissemination or any other form of provision, with comparison or interconnection, as well as blocking, erasing or destroying data)" (cf. also the legal definition of "processing" provided for in article 4, 2), of the aforementioned Regulation).

The Court of Justice has intensified the meaning of the rules contained in Articles 7 and 8 of the CDFUE in line with the case law of the ECHR, maintaining that "with regard to the level of protection of fundamental freedoms and rights guaranteed within the Union, regulation of such protection which implies interference with the fundamental rights guaranteed by Articles 7 and 8 of the Charter must, according to the settled case law of the Court of Justice, establish clear and precise rules governing the scope and application of a measure and impose minimum requirements, so that the persons whose personal data are at stake have sufficient guarantees to effectively protect their data against the risks of abuse and against any access and any unlawful use of that data" (Judgment of October 6, 2015, Schrems, C-362/14, EU:C:2015:650, paragraph 91).

As mentioned, Directive 2002/58/EC on privacy and electronic communications, according to Article 1 (1), aims to harmonize the Member States' provisions necessary to ensure an equivalent level of protection of fundamental rights and freedoms, namely the right to privacy, with regard to the processing of personal data in the electronic communications sector. This Directive seeks to make an effort to reconcile the Community requirements for the prevention of serious crime and the principles of confidentiality, anonymity and non-retention of data (cf. Articles 1, 5, 6 (1), 8 and 9).

The Directive admitted the possibility of derogating from those principles, in well-identified circumstances and defined in clear and precise laws. Article 15 (1) aims at addressing Union law to this issue as a conflict between the public interest in the investigation and prevention of serious crime and the fundamental rights of citizens to freedom and privacy, referring to regulation of the conflict, through restrictive measures, to the margin of determination of the Member States, but without lowering the level of protection of rights as guaranteed in the jurisprudence of the CJEU and the ECHR.

In recital 11 of the said Directive, it was also stated that "Therefore, this Directive does not affect the ability of Member States to legally intercept electronic communications or to take other measures, if necessary, for any of those objectives and in accordance with the European Convention for the Protection of Human Rights and Fundamental Freedoms, as interpreted in the case law of the European Court of Human Rights. These measures must be adequate, strictly proportional to the objective to be achieved and necessary in a democratic society and must, in addition, be subject to adequate safeguards, in accordance with the European Convention for the Protection of Human Rights and Fundamental Freedoms".

The CJEU, in its case law on the matter of access to personal data, decided in the Tele2 judgment, among other issues, that Article 15 (1) of Directive 2002/58, read in the light of Articles 7, 8 and 11, as well as Article 52 (1) of the CDFUE, must be interpreted in the sense that a national regulation that deals with the access of the competent national authorities to the preserved data must meet the following requirements: 1) access, by the competent national authorities, to personal data should be limited to cases of serious crime; 2) that access must be subject to prior control by a court or an independent administrative authority; 3) the data in question must be kept on Union territory.

The CJEU, in this Tele2 decision, despite listing only the three requirements mentioned in the statement, still requires, in the statement of reasons, that citizens be informed, a posteriori, of this access, and have at their disposal means of reaction or remedies that allow them to control and challenge access to their data, when unlawful (No. 121).

Finally, a word for Directive 2006/24/EC of the European Parliament and of the Council, on the conservation of data generated or processed in the context of the provision of publicly available electronic communications services or public communications networks with a view to ensuring the availability of such data for the purpose of investigating, detecting and prosecuting serious crimes, thereby subtracting such data from the scope of application of Article 15 of Directive No. 2002/58. Such a Directive was declared invalid by the CJEU in the judgment of 8 April 2014, Digital Rights Ireland and Others, C-293/12 and C-594/12, EU:C:2014:238 (hereinafter, "Judgment Digital Rights"). The CJEU considered, in the mentioned process, that "Directive 2006/24 does not establish clear and precise rules governing the extent of interference with fundamental rights enshrined in Articles 7 and 8 of the Charter" (paragraph 65). Consequently, it understood that it was inevitable "to conclude that this Directive involves interference in these fundamental rights, of great breadth and particular gravity in the Union's legal order, without this interference being precisely framed by provisions that allow to guarantee that it is effectively limited to what is strictly necessary" (ibidem).

The directive invalidated by the CJEU was transposed into the domestic legal order by Law No. 32/2008, of 17 July, which, however, was not immediately affected by the declaration of invalidity of Directive No. 2006/24/EC (this without prejudice to considering it "imperative to assess its conformity with European Union law, in particular with the Charter of Fundamental Rights of the EU"; in this sense, see C. Guerra and F. Calvão, "Note to the Court's Judgment of Justice of the European Union (Grand Chamber)", in Data Protection Forum, no. 1, July 2015 and also the Ombudsman's Recommendation no. 1/B/2019 on Law no. 32/2008, of July 17).

Law No. 32/2008 refers to the processing of data (collection, registration or conservation) that will, at a later time, be transmitted to the information and security services, and its provisions therefore stand in a relationship of complementarity with the standards now under consideration, which relate to access to previously preserved data - although, as is clear from the provisions of Directive 2002/58 previously mentioned, the providers of electronic communications services can or should also store data for technical reasons or reasons related to billing. In the present case, however, no pronouncement will be made in this regard.

In fact, such a question has not been integrated into the object of the case, as defined by the principle of the request, nor can it be said that there is a relationship of functional dependence or unreliability between standards, capable of justifying an extension of the request. Any constitutionality problems, due to violation of constitutional norms and principles, will have to be placed in a successive abstract inspection process by the entities legitimized for that purpose, or in concrete inspection processes, checking their specific admissibility assumptions.

ii. The European Convention on Human Rights

The minimum standard for the protection of fundamental rights is that enshrined in the rules of the European Convention on Human Rights, interpreted in accordance with the case law of the ECHR. The jurisprudence of the ECHR should be considered by the Constitutional Court in its decisions as a supporting criterion in the interpretation of constitutional rules, taking into account, in particular, the weighting judgments in the context of the application of the principle of proportionality and the densification of the content of fundamental rights, especially where new rights or new dimensions of pre-existing rights are concerned. Under the open clause in the field of fundamental rights enshrined in Article 16 of the Constitution, this Court cannot, in fact, fail to consider the fundamental rights enshrined in the said Convention,

The cornerstone of this European standard of protection and guarantee of the fundamental rights to the reserve of privacy, the secrecy of communications and the protection of data, at issue here, is of course Article 8 of the ECHR. The rules of this article provide that: 1) any person has the right to respect for his or her private and family life, home and correspondence and 2) there can be no interference by public authority in the exercise of this right unless this interference is provided for in the law and constitutes a measure that, in a democratic society, is necessary for national security, for public security, for the country's economic well-being, the defense of order and the prevention of criminal offenses, the protection of health or morals, or the protection of the rights and freedoms of others.

The ECHR has well-known jurisprudence on the matter, and it is customary for it to subject national legal regimes that allow state interventions in this field to a very strict proportionality test. Thus, although the ECHR recognizes the importance of the state's duty to protect society against all forms of terrorism and threats to democratic values, and admits restrictions on the rights enshrined in Article 8 of the ECHR for that reason, it nevertheless requires intense scrutiny, attentive to the circumstances of each specific case. In several decisions, already cited in Judgment No. 403/2015 of this Court, a series of assumptions about the validity of restrictive interventions in the scope of communications and the collection of personal data were clarified.

As the Constitutional Court already noted in that Judgment, the ECHR stated:

"... that a process of accessing data, because it is not subject to scrutiny by the individuals concerned, must be compensated by a law that sufficiently protects fundamental rights (Judgment of 06/06/2006, Segerstedt-Wiberg and others v. Sweden, complaint No. 62332/2000); that this law must employ terms that are sufficiently clear to enable all citizens to be aware of the circumstances and requirements that allow the public authorities to make use of a secret measure that undermines the right to private and family life and correspondence (Judgment of 02/08/1984, Malone v. United Kingdom, complaint no. 8691/79); that it would be contrary to the requirements of Article 8 (2) of the ECHR if interference in telecommunications were conferred on public authorities through a broad and discretionary power, and that clear and detailed rules are needed, especially due to the fact that the available technology becomes increasingly sophisticated, in order to guarantee adequate protection against arbitrary interference (Judgment of 16/02/2000, Amann v. Switzerland, complaint no. 27798/95); and in Valenzuela v. Spain (Judgment of July 30, 1998, complaint No. 27671/95) and Prado Bugallo v. Spain (Judgment of 02/18/2003, complaint no. 58496/00), reached the same conclusion, stating that the law that allowed interference in communications was not sufficiently clear and precise, not mentioning the nature of the infractions that may give rise to them, the fixing of a limit of the duration of the measure, the conditions of access to the data and the elimination of the same".

The ECHR has understood, in this regard, that interference with these rights must be in accordance with the law, and that, for reasons of legal certainty, the law must be sufficiently clear in its terms to provide individuals with an adequate indication of the circumstances and conditions that enable the authorities to use these measures.

The most recent ECHR decision of 13 September 2018 (Big Brother Watch and Others v. The United Kingdom, complaints 58170/13, 62322/14 and 24960/15) on the protection of the right to privacy in the face of interference in communications and traffic data focused on complaints from journalists and human rights organizations in relation to three different surveillance regimes: (1) the mass interception of communications; (2) sharing information with foreign governments; and (3) the acquisition of communication data previously stored by companies providing communications services.

Although the ECtHR has already ruled in other cases (e.g. Centrum För Rättvisa v. Sweden, Weber and Saravia v. Germany; Liberty v. The United Kingdom), the Big Brother Watch case is the first in which the ECHR specifically considers interception and access to traffic data (as opposed to content data) as interfering with people's private lives.

Regarding the acquisition of previously stored data, the ECHR, in the case of Big Brother Watch, establishes the following criteria for the compliance of these measures with Article 8 of the ECHR (§§464 to 467): (1) the regime must be in accordance with the law, in the sense that it is clear, accessible and has predictable effects for citizens; (2) it must pursue a legitimate objective, (3) and be necessary in a democratic society, restricting itself to combating serious crime; (4) access must be subject to prior authorization decided by a court or an independent administrative body; (5) the law must provide adequate safeguards against arbitrariness.

Although referring to the mass collection of data and the interception of communications, issues not at issue in the present case, the ECHR says that the law must provide for means of notification of the surveillance measures to the target parties, which enable them to use the resources provided to question the legality of the measures retrospectively, or, alternatively, that anyone who suspects having been monitored may question the information services and go to the courts in case of illegality in the collection of their personal data (Big Brother Watch, § 310, following the guidance of the Roman Zakharov v. Russia Judgment, decision of 4 December 2015, complaint no. 47143/06), which required the United Kingdom to foresee, under national law, provisions for the supervision of covert surveillance measures, mechanisms for notifying the persons concerned and redress procedures.

7 - The personal data to be transmitted to the SIRP under the terms of articles 3 and 4 of the Organic Law no. 4/2017

Organic Law No. 4/2017 grants SIRP information officers functional powers of access to communication data in order to identify, among other data, the subscriber or user of the means of communication, the source, destination, date, time, duration and type of communication, as well as to identify the telecommunications equipment used or its location.

Now, the activity of these information officers has already been broadly characterized by this Court, in the mentioned Judgment No. 403/2015, where it was understood that the collection of "information" for the purposes of "prevention" - which is the legal definition of the scope of the activity of the information services - dissociates it, of course, from the activity of criminal investigation. In fact, under Law no. 30/84 (Framework Law of the Information System of the Portuguese Republic), "the information services are responsible for ensuring, in compliance with the Constitution and the law, the production of information necessary for the preservation of internal and external security, as well as national independence and interests and the unity and integrity of the State" (Article 2 (2)).

Also under the terms of no. 2 of article 3 of Law no. 9/2007 (which establishes the structure of the Secretary-General of the Information System of the Portuguese Republic, the Defense Strategic Information Service and the Security Information Service), "SIED is the only body charged with producing information that contributes to safeguarding national independence, national interests and the external security of the Portuguese State"; and under the terms of paragraph 3 of the same article "the SIS is the only body responsible for producing information aimed at guaranteeing internal security and necessary to prevent sabotage, terrorism, espionage and the practice of acts which, due to their nature, may alter or destroy the constitutionally established rule of law".

It is true that the existence of information services appears to be one of the instruments at the disposal of the State to guarantee national security, an objective embodied in several constitutional precepts, demonstrating both its importance and its place within the framework of the Constitution. The guarantee of security as a fundamental task of the State is established, from the outset, in paragraphs a) and b) of article 9, pursuant to which it is responsible for: a) Guaranteeing national independence and creating the political, economic, social conditions and cultural factors that promote it; and b) Guarantee fundamental rights and freedoms and respect for the principles of the democratic rule of law; it is also echoed, in the form of a fundamental right, in paragraph 1 of article 27, and in the organizational plan, in articles 272 and 273 of the constitutional text.

The wording of article 9 of the Constitution thus invests the State with a set of obligations in the field of security and has an implicit duty to make the necessary efforts to pursue it. This duty results, throughout the Constitution, from the definition of the attributes for the different institutions created for that purpose, and constitutionally enshrined, such as the police, the armed forces or the Republic's information system (provided for in paragraph q) of article 164 of the Constitution, which includes in the matters of absolute reserve of parliamentary competence the approval of its legal regime).

However, the legal framework of SIRP's activity imposes clear limits on its performance, namely, establishing (i) the principle of constitutionality and legality, under which the activity of intelligence services is subject to scrupulous respect for the Constitution and the law, namely in terms of the protection of people's fundamental rights, especially in the face of the use of computerized data; (ii) the principle of exclusivity, under which the services' activity is strictly limited to their attributions, and the production of information in a domain that has not been granted to them is prohibited; (iii) and the principle of specialty, according to which the activity of information services is reduced to its strict scope, and cannot be confused with the activity of other organizations (Judgment No. 403/2015 - point 7).

The question of constitutionality now under analysis is really reduced to the investigation of the constitutional conformity of the possibility of access, by the information officers of SIS and SIED, to basic data and location of equipment (article 3) and to traffic data (Article 4). In the first case, the legislator restricts this access to cases where it is essential to produce the information necessary to safeguard national defense, internal security and prevent acts of sabotage, espionage, terrorism, proliferation of weapons of mass destruction and highly organized criminality, and in its exclusive scope; in the second, and even more restrictively, it is provided that access to traffic data should be limited to the production of information necessary to prevent acts of espionage and terrorism.

Organic Law no. 4/2017 adopts, in article 2, no. 1, a distinction between two groups of data - "telecommunications data" and "Internet data" - defined, respectively, in paragraphs a) and b) of paragraph 1:

"a) 'Telecommunications data' means the records or information contained in databases previously stored by providers of electronic communications services relating to the provision of publicly available telephone services and to the network supporting the transfer, between network end points, of voice communications, messaging and multimedia services and other forms of communication;

b) «Internet data», the records or information contained in databases previously stored by providers of electronic communications services, relating to transmission systems and switching or routing equipment that allow the sending of signals or data, when they do not support a concrete communication".

Within this generic designation of "Telecommunications and Internet data", paragraph 2 of the same article 2 adheres to a tripartite classification - basic data, equipment location data and traffic data - which it defines in its paragraphs a), b) and c), in the following terms:

"a) 'Basic data' means data for users to access the network, including their identification and address, and the network connection contract;

b) «Equipment location data», data processed in an electronic communications network or within the scope of a telecommunications service that indicate the geographical position of the terminal equipment of a publicly available telecommunications service, when they do not support a specific communication;

c) «Traffic data» means data processed for the purpose of sending a communication through an electronic communications network or within the scope of a telecommunications service, or for the purpose of billing the same ".

These concepts are distinct from those commonly used by constitutional jurisprudence. In effect, this is what results from Judgment No. 241/2002, in which the Court accepted the tripartite classification that distinguishes basic data, traffic data and content data, a classification that was reiterated by Judgments No. 486/2009 and No. 420/2017 (this, following the case law of the aforementioned Decision No. 403/2015).

It is recognized, however, that the categories of data and their name change according to technological developments and according to the normative source used: for example, while Law No. 32/2008, in Article 2, paragraph 1, al. a), uses a broad concept of "data", which includes traffic data, location data and related data to identify the subscriber or user, Law no. 41/2004, of 18 August, uses a bipartite category of location data and traffic data, defining them, respectively, in points e) and d) of article 2.

On the other hand, some of the location data can be brought back to a broader concept of traffic data, as is expressly assumed in Judgment No. 403/15 and supported by the doctrine (cf. Catarina Sarmento e Castro, Informatics Law, Privacy and Personal Data, Almedina, 2005, p. 181), while other location data appear dissociated from any act of communication. This last category is, however, merely residual, because, according to the opinion of CNPD nº 38/2017, nowadays there are communications even when the user of the communication equipment does not directly and intentionally activate it. This is, for example, the case for updates made by email applications or other types of messages, which means that data generation and exchange are practically constant,

Finally, mere user identification data (referred to as basic data), considered in isolation, according to the jurisprudence of the Constitutional Court (Judgments no. 241/02, 486/2009, 403/2015 and 421/2017), are not covered by the secrecy of communications, but by the right to private life (Article 26 (1) of the CRP) and informational self-determination (Article 35 (1) of the CRP).

In any case, the relevant aspect for assessing the question of constitutionality now posed is not the categorical or conceptual plane, but the material and teleological plane, and therefore normative, for the purpose of determining the parameter that can serve as a reference for the assessment of the constitutionality.

Therefore, although the letter of the law makes a distinction between basic data, equipment location data (article 3 of Organic Law no. 4/2017) and traffic data (article 4 of Organic Law no. 4/2017), in assessing the constitutionality of the rules questioned, account will be taken in particular of the subdivision between two major categories with which this tripartite legal classification is crossed: (i) data associated with an act of communication (consummated or attempted) between two people, which are the telecommunications data and internet traffic data linked to the circumstances of interpersonal communication; (ii) and data that are not associated with an effective or attempted communication between two subjects, but that consist of the subject's identification data (name, address, mobile phone number), equipment location data, when they do not support a concrete communication, and traffic data that only involve communication between a subject and a machine, such as, for example, consulting websites.

Therefore, both basic data and equipment location data, referred to in article 3 of Organic Law no. 4/2017, should not be considered as data pertaining to a communication, since in neither case is there the subjective dimension inherent to communication. The first are, under the terms of paragraph a) of paragraph 2 of article 2 of the same Law, written data related to a contractual relationship between a person and a telecommunications operator, referring to the identification and address of the holder and the network connection contract itself; the second covers the detection of location data from a connected telephone, but in standby mode, and/or via the GPS satellite system or other (see, in this sense, Manuel da Costa Andrade, "Comment on article 194 of the Penal Code", in J. Figueiredo Dias (direction), Conimbricense Commentary on the Penal Code - Tomo I, 2nd Edition, Coimbra Editora, 2012, p. 1104). However, even if they include, as provided for in paragraph b) of paragraph 2 of article 2 of the same Law, "the data processed in an electronic communications network or in the scope of a telecommunications service that indicate the geographical position of the terminal equipment of a publicly available telecommunications service", they may not include data that "support a concrete communication".

As regards internet data, the proviso made in the last segment of paragraph b) of paragraph 1 of article 2 of Organic Law no. 4/2017 - «when they do not support a concrete communication» - requires a distinction between internet data that reflect intersubjective communications, involving a finite number of interlocutors, as a rule determined by the sender of the communication, by means of email or another type of message (e.g. whatsapp, skype, etc.), and internet data that express mass communications, addressed to a potentially infinite number of users, such as simple "browsing" on the network, jumping "link to link", visiting and reading information on websites. Either of these types of interactivity - interpersonal and bidirectional or mass and unidirectional - generates data that allow the communication to be identified, such as the source, direction, route, recipient, time, duration, intensity/frequency and equipment used. They correspond to functional elements of the communication, insofar as they are elements necessary for establishing the communication and, when retained and processed, allow the users of the network to be identified.

These personal data are of various types: identification codes assigned to the user and the recipient, telephone number of the telephone communication via the internet, name and address of the subscriber and registered user, IP address - Internet Protocol -, date and time of the start (log in) and the end (log off) of the connection to the internet access service or e-mail service, internet service used, number requesting access by telephone line, digital subscriber line or any other terminal identifier of the author of the communication.

Any of these data falls within the concept of traffic data contained in paragraph 2 c) of the referred article 2: data that allow connection to the network and that are automatically generated by the use or transmission in the network, which identify or allow the identification of internet access, e-mail or other exchange of messages over the internet and telephone communications over IP. Internet data thus comprises traffic data that supports intersubjective communications and traffic data that supports and produces mass electronic communications.

For this reason, the content of the normative provision of article 4 of the same Organic Law No. 4/2017 - one of the rules questioned in the present case - includes all categories of traffic data: those that respect telephone communications through fixed, mobile or internet networks, and those relating to the network's own access as well as electronic mail and other forms of online communication.

8 - The parameters of constitutionality control

The constitutional parameter invoked by the claimants, which corresponds, as we shall see, to that mobilized by the Constitutional Court in similar cases, is that of the fundamental right to the inviolability of the home and of correspondence, made concrete, under the terms of paragraph 4 of article 34 of the CRP, in a prohibition of "interference by public authorities in correspondence, telecommunications and other means of communication, save the cases provided for by law in matters of criminal procedure".

However, the plaintiffs' claim does not preclude that, under the terms of article 51, paragraph 5 of the LTC, the Constitutional Court can and must know the question of constitutionality based on "the violation of constitutional norms or principles other than those whose violation has been invoked".

This is the case with the norm of article 3 of Organic Law no. 4/2017, which is outside the scope of no. 4 of article 34 of the Constitution, insofar as the "basic data and equipment location" do not relate, according to the definitions of these concepts given in paragraph 2 of article 2 of Law no. 4/2017, to a «concrete communication». This is what was understood in Judgment No. 403/2015: the prohibition of interference by public authorities in telecommunications, contained in article 34 of the CRP, covers the so-called "metadata", but presupposes a "concrete communication" between people (point 15). Therefore, basic data (e.g. telephone number, e-mail address, network connection contract) and equipment location data, when they do not support concrete communication, even though protected by the privacy reserve, are not covered by the protection of communications secrecy.

And it is also what happens with the ideal segment of article 4 of Organic Law no. 4/2017 which has as its object traffic data that do not involve intersubjective communications. In fact, the distinction made in article 2 of that Law, having as reference the set of "data previously stored" by the providers of electronic communications services, between "telecommunications data" and "Internet data", and within this category, between data that support a communication and data that do not support a communication, ends up being reflected in the determination of the constitutional parameter that protects access to such data. Although carried out exclusively for the purposes of this Law, whose precepts do not provide for a differentiated legal regime for each of the aforementioned categories, the distinction may imply that the constitutional legitimacy of access rules is assessed by different constitutional parameters, having as reference the protection scope defined for article 34 of the Constitution, restricted to intersubjective communication and its circumstances or functional elements (through telecommunications or internet). The inclusion of internet data, which does not support concrete intersubjective communication, in the concept of traffic data may call for a constitutional parameter distinct from that against which the constitutional compliance of access to traffic data of interpersonal communications carried out through telecommunications or other means of communication is assessed, if one considers the case law of Judgment No. 403/2015 as to the meaning and scope of the aforementioned constitutional provision.

As mentioned, the object of protection of the confidentiality of communications, enshrined in paragraph 4 of article 34 of the Constitution, refers exclusively to interactivity between users, made possible by means such as electronic mail, chat or videoconference (user-user). Internet data treated for other types of interactivity, namely that of the user with the computer and the respective programs (for organizing, searching and selecting information) and the intra and inter documents navigation published on the web pages, are outside the scope of protection of that constitutional precept.

However, as the computerized treatment of this category of data allows the identification of the user's name, address and other identification data, they are considered "personal data" protected by Article 35 of the Constitution. Paragraph 2 of this article assigns to the law the definition of the concept of personal data, which was done in paragraph a) of article 3 of Law no. 67/98, of 26 October: «any information, of any nature and regardless of its support, including sound and image relating to an identified or identifiable natural person ("data subject"); a person is considered identifiable if he can be identified directly or indirectly, namely by reference to an identification number or to one or more specific elements of his physical, physiological, psychological, economic, cultural or social identity». Therefore, the information contained in the traffic data, even if separated from an inter-subjective communication process, is considered to be of a personal nature, as it allows the identification of the respective holder.

Thus, in relation to this specific category of traffic data, it remains relevant to verify the constitutional conformity of the rule in the light of the fundamental right to informational self-determination, enshrined in article 35, paragraphs 1 and 4, of the Constitution.

As a consequence of the above, the constitutionality of the norms of article 3 and an ideal segment of article 4 - which regulate access to personal data that do not involve intersubjective communication (basic data, location data and traffic data, dissociated from an act of communication, consummated or attempted, between two people) - will have to be assessed in the light of the fundamental rights enshrined in articles 26, paragraph 1, and 35, paragraphs 1, 3 and 4, of the Constitution; while access to that traffic data that involves communication between people (e-mail messages, cell phone calls, VoIP conversations, namely, Skype or Whatsapp) will, in this perspective, be covered, right from the start (and without prejudice to also being personal data protected under the terms of the aforementioned articles 26, paragraph 1, and 35, paragraphs 1, 3 and 4),

Given the specialty of the protection provided by this last provision, it is necessary to start by setting the respective meaning and scope, bearing in mind what was decided in Judgment No. 403/2015.

9 - Constitutional protection of intersubjective communications

In their request for successive abstract inspection of the rules in Articles 3 and 4 of Organic Law No. 4/2017, the applicants invoke a violation of Article 34, paragraph 4, of the Constitution:

"All interference by public authorities in correspondence, telecommunications and other means of communication is prohibited, except in cases provided for by law in matters of criminal prosecution".

It is recalled that it was on the basis of such a parameter that this Court, in Judgment No. 403/2015, ruled for the unconstitutionality of paragraph 2 of article 78 of Decree No. 426/XII of the Assembly of the Republic, which dealt precisely with access to data and information by SIS and SIED officers, namely "traffic data, location or other related data of communications, necessary to identify the subscriber or user or to find and identify the source, the destination, the date, the time, the duration and the type of communication, as well as to identify the telecommunications equipment or its location".

At the time, the Court, considering the terms of the request, limited its assessment to traffic data, as defined in Directive No. 2002/58 and Law No. 41/2004 (cf. the respective points 6 and 9 and supra point 7): data "that identify or allow the identification of the communication and, once preserved, make it possible to identify the communications between the issuer and the recipient, the date, the time and the frequency of the calls made". And it was precisely the non-consented access to these data - data from the communications actually made or attempted - outside the scope of the criminal process that the Court considered harmful to the fundamental rights of the people involved in the communication act.

338) "and paragraph 12 of Judgment No. 403/2015). It is, therefore, clear “that the illegal or illegitimate manipulation of the content and circumstances of the communication can violate the privacy of the intervening interlocutors, jeopardizing or endangering the nuclear spheres of people, their lives, or dimensions of their way of being and be. So that the possibility of accessing communications data collides with a set of values associated with private life that underlie and legitimize legal and constitutional protection »(see ibidem).

9.1 - It is in this context that the Court analyzes freedom of action and a series of rights related to the intimate sphere and the private sphere (right to loneliness, right to anonymity and right to informational self-determination) as a reserve of the privacy of the private sphere and, more broadly, the right to personality development enshrined in Article 26 of the Constitution.

Now, one of the dimensions of the freedom of action inherent in the development of personality is the freedom to communicate, which protects interpersonal communication: "the communication that is intended for an individual recipient or a group of recipients previously determined" (Judgment No. 403/2015, point 13). Such freedom thus encompasses "the faculty of communicating with confidence and confidence and mastery and self-control over communication, as an expression and expression of one's own person" (see ibidem). And it is this same freedom, as a refraction of the right to personality development and the protection of privacy, that deserved a specific material cut in the constitutional text, through the autonomy, in article 34, of the secrecy of the means of private communication (see ibidem).

It is with reference to the latter that the right to communicative self-determination can be made autonomous, which is simultaneously a negative right (or defense, namely the reserve of the privacy of private life) and a right to positive actions (see ibidem, points 13 and 14):

«In terms of defending the reserve of the privacy of private life, the right to communicative self-determination protects the personal sphere in the face of public or private interference, that is, the interest of the people who communicate in preventing or controlling the taking of knowledge, the disclosure and circulation of the content and circumstances of the communication. In this sense, intervening interlocutors are entitled to a negative act: the non-intervention of third parties in the communication and in the circumstances that accompany it. It is a guarantee that all private communications should benefit, prima facie, regardless of whether or not they concern the privacy of the stakeholders [...].

However, the right to communicative self-determination still encompasses spheres of protection broader than that of the simple reserve of private life. Technological progress, by facilitating the accumulation, conservation, circulation and interconnection of data related to communications, has increased the possibilities of wantonness. Now it is the individual's own domain of action that is called into question, as he no longer has the means to ensure the confidentiality of communication. The freedom to exchange information, news, thoughts and opinions with the recipients freely chosen by each one is compromised with the unimaginable possibilities of their affront for technological advances. Therefore, it is necessary to ensure that distance communication between private individuals is carried out as if they were present, ie, that the communications between sender and receiver, as well as their circumstantialism, have as a closed communication, in which the subjects self-determine as to the realization of it and legitimately expect the community to protect the circumstantialism of that intended communication. Now, as the interaction between people who are at a distance has to be done through the necessary mediation of a third party, a communication service provider, it is required that this operator and the regulatory State also guarantee the integrity and confidentiality of the systems of communication.

In this context, the right to communicative self-determination is assumed as a right of freedom, freedom to communicate, without fear or constraints that the communication or the circumstances in which it is carried out can be investigated or disclosed. Without that trust, the individual will feel coerced in the freedom to be able to communicate with whomever he wants, whenever he wants, for as long as he wants and as many times as he wants. It is, therefore, a matter of allowing a free development of interpersonal relationships and, at the same time, of protecting the trust that individuals place in their private communications and in their service provider. As Costa Andrade says, «the protection of the inviolability of telecommunications is thus rooted in the "specific situation of danger" due to the domain that the third party has - and while it does - over communication (content and data). Domain that ensures the factual possibility of arbitrary interference removed from the control of the communicator(s). As such, the legal system of secrecy in the security and reservation of systems only aims to protect confidence in the security and reservation of telecommunications systems (companies)» (cf. Costa Andrade, ob. cit., p. 339). In this sense, communicators are entitled to positive actions by operators and the State that not only ensure the confidentiality of communications and the circumstances in which they take place, but also allow them to control the data produced, saved and transmitted that respect communications already made.

[...]

14 - Communicative self-determination is protected in article 34 of the CRP through the inviolability of communications. The "inviolability of principle" is justified, as Gomes Canotilho and Vital Moreira refer, in order to "limit the possibility of restrictions to the greatest extent possible, subjecting them to closely linked assumptions" (cf. ob. cit., Vol. I, page 540). This inviolability includes, in paragraph 4 of that constitutional precept, the prohibition of interference by public authorities in the media, not only those that are vested with public authority powers, but, most of all, the other public entities and private entities (Article 18 (1) of the CRP).

The guarantee of non-interference, however, has a broader meaning than the confidentiality of communications, and may assume a double relevance.

From the outset, it appears as a guarantee of a negative meaning, of inviolability, which protects the individual from interference by the State or third parties. In this context, it is assumed as a right that guarantees the respective holder legal positions before the State to defend abuses related to the use of the data in question. In correspondence with this guarantee, the State has a duty of non-interference, of non-aggression. This right derives, as already mentioned, not only from the principle obligation of not disclosing the content of private communications, but also from accessing the circumstances in which they were made.

On the other hand, the guarantee of non-interference can also claim a corresponding duty to positive actions on the part of the State. From the outset, the obligation of the State to adopt the legal instruments necessary to maintain communication and its circumstantialism as "closed" (namely, through the approval of laws designed to protect communication data). In this sense, paragraph 2 of article 26 of the CRP establishes, precisely, a lawful obligation, forcing the legislator to establish guarantees against obtaining and using abusive, or contrary to human dignity, information. Then, through the implementation of the aforementioned "right to erase" or "block" traffic data, which is inherent in the right to communicative self-determination, and in the corresponding "right to be forgotten".

In short, article 34 of the Constitution aims to enshrine and protect the fundamental right to inviolability of the home and correspondence, that is, and prima facie, the freedom to maintain a sphere of privacy and secrecy, free from interference and intrusion by the State, either with respect to the home, or - this being the relevant dimension for the case below - regarding communication. It is, moreover, a settled doctrinal understanding that the scope of protection of the constitutional rule covers all means of individual and private communication, and all kinds of correspondence between people, in physical or electronic support, including not only the content of the correspondence, but the traffic as such (type, time, duration, intensity of use), excluding only the residual category of personal data,

Based on this understanding, the scope of the rule enshrined in paragraph 4 of article 34 of the Constitution must be delimited, in order to exclude from the protection afforded by the rule all data and all actions that cannot truly qualify as telecommunication or personal means of communication. For this reason, the secrecy of telecommunications «only applies to authentic communication data, that is, those that refer to telecommunication actions and are, as such, protected against arbitrary interference» (Manuel da Costa Andrade, "Commentary on the article 194 of the Penal Code", ob. cit. 2012, p. 1103). In these terms, the area of constitutional protection of telecommunications includes, alongside an objective dimension, an indispensable subjective dimension,

Thus, it is important to consider that paragraph 4 of article 34 of the Constitution protects both the communicative process and the content of the communication, whenever - but only when - an effective communicative process is at stake. In other words, there must have been, at least by one of the parties, the awareness and the will to "participate in the remote transmission of data or news", even if the communication has not been completed, due to the absence or rejection of an answer by the other part.

A similar position is found in German doctrine and jurisprudence, with regard to the scope of protection of Article 10 of the Basic Law: “A different level of protection is designed here, within the scope of Article 10. The narrowest circle is made up of the essential core of privacy, which is guaranteed not only within the home, but also in remote communication. Less intensively, but also with a high level of protection, the content of the communication is protected against eavesdropping, reading or other forms of interference. With regard to data on the circumstances of the communicative process, namely connection data, the Federal Constitutional Court emphasizes the importance of effective protection of fundamental rights” (Mangoldt/Klein/Starck, GG - Grundgesetz Kommentar, Band 1, 7. Auflage, CH Beck, 2018, art.

Finally, it should be noted that the communicational relevance of traffic data does not mischaracterize them as personal data linked to the privacy of individuals and the free development of their personality - legal assets protected by Article 26, paragraph 1, of the Constitution - all the more so since its computer processing and access by third parties affects the right of each person to control the information that concerns him, that is, his right to informational self-determination, enshrined in Article 35 of the Constitution (cf. point 10 below).

9.2 - Paragraph 4 of article 34, although it prohibits interference with correspondence, telecommunications and other means of communication, admits them in "cases provided for in the law in matters of criminal procedure", that is, "the express constitutional authorization for the restriction of the right to inviolability of communications is complemented by the discrimination of the purposes and interests to be pursued with the restrictive law or with the criterion that should guide the intervention of the ordinary legislator" (see Judgment No. 403/2015, point 16). This constitutes, at the same time, the "guarantee that such restrictions are not authorized in other matters and for other purposes" (see ibidem).

Thus, paragraph 4 of article 34 of the CRP leads to the inevitable conclusion that the constitutional legislator explicitly resolved, in the text of the Constitution, the sense in which eventual collisions between the constitutionally protected values must be resolved, and the corresponding fundamental rights, to individual freedom, and to its specific dimension of the right to the inviolability of telecommunications, on the one hand, and, on the other, to security and preservation of the constitutional order, which translates into the need to prevent the occurrence of acts liable to put it in danger. By expressly resolving such axiological and justifiable tension, the constituent legislator removed the space for the constitutional interpreter to find, by way of interpretation, a different solution for the practical agreement operation in question.

In this sense, it was understood in Judgment No. 403/2015:

«17 - In defining the scope of the law restricting the right to inviolability of communications by the "matter of criminal process", the Constitution considered and took a position (in part) on the conflict between the legal assets protected by that fundamental right and the community values, especially security, to which criminal proceedings are directed. Notwithstanding that the legal restrictions on the right to inviolability of communications that the legislator is authorized to establish must obey the weighting of the principle of proportionality, the abstract preference for the value of security to the detriment of the privacy of communications can only apply in matters of criminal proceedings. The fact is that the non-inclusion of other matters within the scope of the restriction of the right to inviolability of communications is not contrary to the ordering plan of the legal-constitutional system. Although it could be considered, in the abstract, that there are other matters in which the value of security overrides the values proper to the right to the inviolability of communications, the lack of normative coverage of the restriction in extra-procedural matters does not frustrate the ordering intentions of the current system, because there are political and legal reasons that are the basis for the abstention of the constitutional legislator.

That we are not facing an "incompleteness contrary to the normative plan" of the Constitution is confirmed, implicitly, but clearly, by the valuation options taken during the 4th and 5th constitutional revisions. In these reviews, increased security imperatives and the need to increase measures against crime referred to in paragraph c) of paragraph 2 of article 4 of Decree No. 426/XII were openly taken into account. This objective led to changes that translated into restrictions on fundamental rights in this area, with the consecration of new normative balances between the values at stake here.

Thus, by the 4th revision, article 33, paragraph 3, started to provide for the extradition of Portuguese citizens, under conditions of reciprocity established in an international convention, in the cases of terrorism and organized international crime, and provided that the legal order of the requesting State enshrines guarantees of a fair and equitable process. Paragraph 4 of the same article also started to admit extradition for crimes punishable by life imprisonment (even if only through the guarantee of non-application to the case).

Article 34 itself was re-weighted, in the 5th constitutional revision, and paragraph 3 now admits entry, at night, into people's homes, with judicial authorization, "in cases of criminality, especially violent or highly organized, including terrorism and trafficking in persons".

The rethinking of this matter, in the aforementioned constitutional reviews, left the terms of the permissive norm of interference in telecommunications, established in the 2nd part of paragraph 4 of article 34, unchanged, and its scope restricted to "criminal prosecution matter". The scope of the ban was only extended to "other media" in the 1997 review.

Nothing authorizes, therefore, admitting a possible extension of the scope of the final caveat of paragraph 4 of article 34 - for which, moreover, the interpreter, in this specific context, does not have adequate methodological instruments.»

Therefore, it is possible to speak of an absolute reserve of criminal process:

“In fact, the reference to criminal prosecution is not just a teleological indication, but also the location of the restriction on the prohibition of interference in a normatively structured area in terms of offering sufficient guarantees against abusive intrusions. By allowing public authorities to intervene in the media only in matters of criminal prosecution, and not for any other purposes, the Constitution wanted to ensure that access to these means, to safeguard the values of "justice" and "security", be carried out through a procedural instrument that also protects people's fundamental rights. Because interference in communications puts a fundamental right in conflict with other community rights or values, it was considered that the restriction of that right would only be authorized for the realization of the values of justice, the discovery of material truth and the restoration of community legal peace, the values that it is incumbent upon the criminal process to carry out. Thus, it referred to the criminal procedural legislator the task of "practical agreement" of the conflicting values in the interference in private communications: on the one hand, the protection of the right to the inviolability of communications; on the other, the feasibility of criminal justice. In fact, as Figueiredo Dias writes, “the criminal process is one of the places par excellence where the solution of the conflict between community requirements and the freedom to fulfill the individual personality must be found” (cf. Criminal Procedural Law, Coimbra Publisher, 1974, page 59).

Thus, the reference to criminal proceedings, being closely associated with the Constitution, where rules directly related to that matter are detected and which condense the respective structuring principles (article 32) - to the point of talking about a criminal procedural constitution -, it has an unmistakable hermeneutic meaning, and cannot fail to be understood as the "sequence of legally foreordained acts practiced by legitimately authorized persons in order to decide on the commission of a crime and its legal consequences".»

This constitutionally established criminal process reserve has, moreover, extremely relevant consequences in the legal sphere of the person, particularly when constituted defendant, such as the determination of the nullity regime of evidence obtained through inadmissible methods and the mandatory intervention of a judge when the practice of acts potentially harmful to fundamental rights is at stake:

"[A]rticle 34, paragraph 4, by delimiting the restriction on the matter of criminal procedure, also has other consequences, reflected in the constitutional status of the accused.

Right from the start, the realization of justice, not being a single end of the criminal process, can only be achieved in a procedurally valid and admissible way and, therefore, with respect for the fundamental rights of the people who are involved in the process. Respect for those rights leads, for example, to consider certain methods of evidence inadmissible and to nullify "all the evidence obtained through torture, coercion, offense against the person's physical or moral integrity, abusive intrusion into private life, at home, correspondence or telecommunications" (cf. article 32, paragraph 8, CRP). The nullity of the evidence, with the consequent impossibility of its valuation in the process, when they are obtained by abusive interference in the communications,

On the other hand, the reference to criminal proceedings implies that restrictive intervention requires prior judicial authorization. As the criminal process is a heterocompositive form through which the functions of the jurisdiction referring to the performance of claims based on public rules of criminal law are performed, the intervention of a body qualified for these functions is required (cf. article 202 of the CRP). Although this is not a case in which the judge's reserve or the first decision reserve is especially individualized in the Constitution, [...] it cannot be overlooked that the judge's absolute reserve tends to assert itself when there is no reason or material basis for opting for a non-judicial dispute resolution procedure (Gomes Canotilho, ob. cit., p. 663). This is particularly evident when dealing with issues that relate to the hard core of the judicial function, as is the case with the exclusive powers of the investigating judge (Articles 268 and 269 of the Code of Criminal Procedure), in which it relates the practice of acts that affect people's rights, freedoms and guarantees (cf. Vieira de Andrade, "Reserve of the judge and ministerial intervention in the matter of setting compensation for nationalizations", Scientia ivridica, Tomo XLVII, nos. 274-276, July/December, 1998, page 225). This is certainly the case when interception, recording or recording of communications is at stake (article 269, paragraph 1, point c) of the CPP)."

Hence the conclusion, which is now repeated:

«Being excluded the possibility, in all this context, to make an interpretation of the constitutional norm that consents the access to data of traffic, location or other related data of the communications within the scope of the assignments of the information services, in spite of any criminal process or judicial authorization, even if it has in view the criminal prevention of very relevant legal assets (articles 4, paragraph 1, point c), and 78, paragraph 2, of the Decree), it will be difficult to face the idea of an extension of the scope of the restriction contained in article 34, paragraph 4, 2nd part, from the end of the regulation or the connection of the norm's meaning. First of all, because the purpose of the precept, as pointed out in the Constitutional Court Judgment No. 241/2002, is to delimit the scope of the restrictions to guarantee the inviolability of communications. And, as stated above, this delimitation is expressly assumed by the Constitution to be only applicable to situations covered by criminal proceedings. There is, therefore, no hidden gap that justifies, against its literal meaning, an interpretation that conforms to the normative teleology of the norm, since it itself aims to define the precise scope of the restriction, without it becoming possible to establish a valuable identity between the criminal process and the investigation carried out by the intelligence services. In addition to the extension of the scope of the constitutional rule, to be admitted, it would have a double meaning, implying not only an extension of the application scope of the restriction to the principle of non-interference in communications, but also a reduction of the guarantee of the judge's reserve,

It can then be concluded that, in the case of the prohibition of interference by public authorities in communications, that Article 34 (4), first part, enshrines as a general principle, the exceptions referred to in the final segment of this precept are subject to the subject of criminal proceedings, and since the restriction is constitutionally authorized only in these terms, there is no point in making any other interpretation that would allow the restriction to be extended to other effects, as if the restriction was not specified in the constitutional text itself or as if it were a purely implicit restriction that would allow it to serve other constitutionally recognized values or assets."

It is thus clear that, in the understanding established in Judgment 403/2015, the limitation of the restriction of the right to confidentiality of communications to the subject of criminal proceedings is not exclusively based on the literal or grammatical element of interpretation (the letter of the law), but in a combination of several elements - the systematic, the historical and the teleological - that give special meaning to the constitutional requirement of an absolute reserve of criminal proceedings, according to our socio-political tradition based on the importance of criminal proceedings for the defense of rights, freedoms and guarantees for citizens suspected of committing a crime. Even considering the particular legal hermeneutics of constitutional interpretation, which gives the interpreter greater freedom, in the face of the literal argument,

10 - Constitutional protection of informational self-determination

Communicative self-determination, being correlated with informational self-determination and partially overlapping it, however, does not fail to be distinguished from it.

As was made clear in Judgment No. 403/2015:

«The object of protection of the right to communicative self-determination refers to individual communications actually carried out or attempted and only these are covered by the confidentiality of communications. In that other right, personal information collected and processed by public and private entities is protected, whose form of treatment and disclosure can cause offenses to the privacy of the people concerned» (cf. the respective point 13).

10.1 - In effect, article 35 of the Constitution establishes "a fundamental right to informative self-determination, translated into a set of rights related to the automatic processing of citizens' personal information, which aim, simultaneously, to protect them against threats of collection and dissemination, as well as other uses made possible by the new technologies, and also to assure the respective holders of a set of powers of choice in this context" (Catarina Sarmento e Castro, "40 Years of 'Use of Informatics' - Article 35 of the Constitution of the Portuguese Republic", in e-Pública vol. 3, no. 3, December 2016, pages 42-66).

According to Gomes Canotilho and Vital Moreira, «The treatment formula covers not only individualization, fixation and data collection, but also its connection, transmission, use and publication. The linguistic statement data is the plural of the Latin expression datum and is used in the Constitution in the sense that computer science today lends it: conventional representation of information, in analogue or digital form, enabling its automatic treatment (introduction, organization, management and data processing)» (Constitution of the Annotated Portuguese Republic, Volume I, ob. cit., page 550).

In the scope of the use of information technology, the rules contained in article 35 of the CRP recognize “the right to know the information that is treated about each one of us, and that translates, essentially, into the right to know what personal data are collected, used, preserved, communicated and for what purpose, and by whom they are being treated - what, by whom, for what? - in order to allow citizens to retain or regain control over their data. To this set of legal-subjective claims, reflected in paragraph 1 of article 35, the Portuguese doctrine, under Germanic inspiration, called the right to informative self-determination, which, to a certain extent, also includes the right to rectification or updating data, even though this is already a subjective dimension that presupposes the realization of those dimensions” (cf. Filipa Urbano Calvão, «The fundamental right to the protection of personal data and privacy 40 years later», Days in the forty years of the Constitution of the Portuguese Republic, Impact and Evolution, Universidade Católica Editora, Porto, 2017, p. 89).

The right to informative self-determination thus gives each person the right to control the information available about him, unfolding into several rights: «a) the right of access, that is, the right to know the data contained in computer records, whatever they are (public or private); b) the right to know the identity of those responsible, as well as the right to clarify the purpose of the data; c) the right to contest, that is, the right to rectify the data and the identity and address of the person responsible; d) the right to update (the fundamental scope of which is to correct the content of the data in the event of outdated information); e) finally, the right to delete data whose registration is prohibited»; and the right to know the purpose for which the data is intended is "a right to self-determination of information relating to personal data that requires clear protection as to the "diversion of purposes" for which that information is intended. Hence the legal and constitutional requirements related to the purposes of the information: (1) legitimacy; (2) determinability; (3) explanation; (4) adequacy and proportionality; (5) accuracy and timeliness; (6) time limitation (cf. ob. cit., Vol. I, pages 552 and 553).

In addition, people not only have the right to know what is recorded about them in computer records, but also the right to have these data safeguarded against intrusion or dissemination. This last right, in turn, encompasses several specific rights: (a) the prohibition of third parties' access to personal data (article 35, paragraph 4, of the Constitution); (b) prohibition on the interconnection of files of databases and personal databases (Article 35 (2) of the Constitution).

This clearly shows that the constitutional consecration of the protection of personal data is an instrument for the free development of the human person in a democratic society and a condition for the enjoyment of freedom and the affirmation of personal identity. As Gomes Canotilho and Vital Moreira refer, “the set of fundamental rights related to the computer processing of personal data starts from some "parent rights" in terms of rights, freedoms and guarantees. This is the case with the right to the dignity of the human person, the development of personality, personal integrity and informational self-determination. The statement "personal data" expresses the close connection between these rights and the respective computer processing; being able to affirm that the more the data relate the dignity, the personality and self-determination of people, the more restrictions are imposed on their use and collection (database). It is in this context that there are two fundamental problems related to the processing of computer data: (1) determining the categories of data; (2) grading of the interferences necessary for the protection of other constitutional assets” (ob. cit., Volume I, p. 550).

It can, in fact, be said that the secrecy of personal data and the subject's power of control over them constitute a guarantee of the right to the free development of the personality as a possibility of "autonomous interiorization" of the person or the right to "self-affirmation" in relation to itself, against any heterogeneous impositions (of third parties or public authorities). This right to "self-assertion" shelters several "nameless personality rights", even if not specifically stated in the Constitution, such as, for example, the right to personal documents and the right to informational self-determination regarding personal data contained in manual or computer files, the right to confidentiality of personal data contained in public acts or decisions regarding marital status,

On the other hand, as Filipa Urbano Calvão says: «As a way of guaranteeing privacy, it also asserts itself as an instrument for guaranteeing freedom (freedom of action, expression, thought) and the development of the personality of each one and free participation in society. To that extent, it is still essential to ensure democracy itself, in the sense that a space of thought and choice is recognized, free of external public and private influences and pressures» (cf. ob. cit., p. 88).

In the specific form of prohibition of access by third parties, the right to data protection is presented as a right to guarantee a set of individual fundamental values - freedom and privacy - legal assets encompassed in individual self-determination, covering two dimensions: negative dimension or abstention from the State of interference in the legal sphere of citizens and the positive dimension as an active function of the State to prevent such interference on the part of third parties. In terms of the prohibition on the processing of personal data liable to generate discrimination, this fundamental right is still directly linked to the guarantee of equality between citizens, "[...] demonstrating that the protection of personal data is not in itself just an objective protection of privacy,

Thus, it appears that there is a strong interaction between the rules contained in Article 35 and the fundamental rights enshrined in Article 26 of the Constitution. The norms of article 35 are enriched in their content by the fundamental rights enshrined in article 26, which refer to the development of personality and the reserve of privacy and private and family life of citizens. In turn, the right to reserve private life is a vulnerable right to technological advances, also protected by Article 35 of the Constitution, which enshrines, as we have seen, the protection of citizens against the processing of computerized personal data.

Therefore, it can be said that the fundamental rights enshrined in Articles 34 (inviolability of home and correspondence) and 35 (4) (prohibition of access to third parties' personal data) function as guarantees of the right to private life, which is analyzed in two minor rights: (a) the right to prevent strangers from accessing information about private and family life, and (b) the right to have nobody divulge the information they have about someone else's private and family life. The personality rights enshrined in article 26 mean, in the words of Gomes Canotilho and Vital Moreira (Vol. I, ob. cit., p. 468), a “right to the secret of being” (right to the image, right to voice, right to privacy in private life, right to practice activities in the intimate sphere without video surveillance). Due to the valuation dimension of these rights,

Finally, it is important to underline that the protection of privacy is inherently linked to individual freedom. To be free is to have the right to express yourself, but also to have the right to reserve your private life and to build a free existential space for others - "the right to be alone" or, as Paulo Mota Pinto says, "the interest of the individual in his privacy, that is, in withdrawing himself from the attention of others, in preventing access to himself or in hindering the taking of knowledge or the disclosure of personal information" (cf. «The Right to Reserve on the Intimacy of Private Life», BFD, University of Coimbra, LXIX (1993), pp. 508-509).

10.2 - It happens that, for these rights, the constituent legislator explicitly authorizes the intervention of the ordinary legislator in the sphere of the fundamental rights to the reserve of the intimacy of private life and the protection of personal data. This is the case, namely, in paragraphs 1, 3 and 4 of article 35 of the Basic Law, where exceptions to the right to protection of personal data are allowed, in the various dimensions in which it is expressed, namely in relation to the absolute prohibition on the processing of certain types of data relating to "private life" and the prohibition of access by third parties. In these precepts, the Constitution authorizes the ordinary law to restrict the content of the law, assigning regulatory powers that are subject to the regime of restriction of rights, freedoms and guarantees enshrined in article 18.

It is known that paragraph 2 of article 18 imposes the observance of the principle of proportionality in matters of restrictive fundamental rights interventions, establishing that the law must be limited to what is necessary to safeguard other constitutionally protected rights or interests. Therefore, in the matter to which the present case relates, one cannot fail to take into account the need for practical agreement between the fundamental rights of the people about whom the SIRP intends to gather information and the interests of public security and the fight against organized crime, such as espionage and terrorism. It is evident that meddling in communications data directly conflicts with constitutional rights and values: on the one hand, it affects a spectrum of legal goods or fundamental rights as eminent as human dignity, the development of personality, personal integrity, privacy/intimacy, informational self-determination and the confidentiality and integrity of technical and computer systems; and on the other, it ensures community constitutional values, such as internal security and national defense.

It follows that, in the weighting judgment, in the light of the principle of prohibition of excess, it has to be analyzed whether the intervention of public entities in the privacy and freedom of citizens constitutes or represents an unreasonable cost for citizens' rights, excessive or disproportionate, in relation to the aims pursued by the measure in question.

However, it should be borne in mind that the weighting, in accordance with the principle of proportionality, in the light of Article 18 (2) of the Constitution, takes place in methodological molds similar to those provided for in the jurisprudence of the CJEU (Article 52 (1) of the CDFUE), and in the ECHR jurisprudence regarding article 8 of the ECHR. Accordingly, Article 52 (1) of the CDFUE, like Article 18 (2) of the Constitution, requires that the limitation of a fundamental right, namely, the rights to private life and the protection of personal data, enshrined in Articles 7 and 8 of the Charter, is provided for by law, respects the essential content of fundamental rights and is justified and necessary for the achievement of the objectives of general interest recognized by the EU or to satisfy a need to protect the rights and freedoms of others.

Once the scope of protection of the constitutional rules that establish the right to informative self-determination has been defined, now is the time to assess the constitutionality of the rules under review, starting with the questions raised by the traffic data, taking into account the greater degree of damage from the intrusion in this domain.

11 - The question of the constitutionality of Article 4 of Organic Law No. 4/2017

Traffic data, whose access is regulated in article 4, will, following the above, have to be subdivided into two categories: (i) traffic data associated with intersubjective communication acts and their circumstances; (ii) and traffic data disconnected from a subjective intercommunication, such as the consultation of websites and the acts of communication between a person and a machine, or between machines.

This second category of internet traffic data, although it does not involve intersubjective communication, expresses several aspects of the users' personality and behavior, with each person having the right to choose whether or not to share this information with third parties, as well as the power to prohibit third party access to this data and to control who has access to it and at what time. For this reason, these traffic data are included in the objective scope of protection of the constitutional rules concerning the reserve of privacy and informational self-determination, protected by articles 26, paragraph 1, and 35 of the CRP.

As stated above, the rules contained in paragraphs 1 and 4 of article 35 of the Constitution admit exceptions to the right to the protection of personal data, in the various dimensions in which it is expressed, assigning regulatory powers that are subject to the regime of restriction of rights, freedoms and guarantees (article 18 of the CRP).

However, unlike the type of restriction allowed by paragraph 4 of article 34 of the Constitution, which only authorizes the restriction of the right to inviolability of communications in a specific area - "in matters of criminal procedure" -, the restriction allowed by Article 35 to the right to the protection of personal data and informational self-determination - through the expression "under the terms of the law" - takes on distinct, less demanding outlines, which give the legislature a greater margin of determination. That is to say: in the normative domain of article 34, the express constitutional authorization for the restriction is completed with the discrimination of the purposes and interests to proceed with the restrictive law or with the criterion that must guide the intervention of the ordinary legislator; as to the fundamental rights enshrined in article 35,

11.1 - Access to traffic data that involve intersubjective communication

As for traffic data covered by the confidentiality of communications, as noted, the constituent legislator carried out its own weighting, under the terms established in paragraph 4 of article 34. This rule limits, as is known, the possibility of state interference in communications within the scope of criminal proceedings. Therefore, it is important to ask whether there is any relevant difference regarding the system of access to traffic data now under analysis that justifies an assessment different from that made by the Constitutional Court in Judgment No. 403/2015.

Basically, it is a question of whether the changes introduced in the access system by Organic Law No. 4/2017 present such significant differences in relation to the rules previously analyzed by this Court, which bring it, in a decisive way, to criminal proceedings, justifying a change in the constitutionality judgment.

11.1.1 - The access of SIS and SIED information officers to metadata, including traffic data, in the light of Organic Law No. 4/2017, is subject to several admissibility assumptions:

a) First and foremost, respect for the principle of proportionality, in a broad sense, including the dimensions of necessity, adequacy and proportionality in the strict sense. This requirement is reflected in the obligation to provide adequate grounds for the request for access to data (Articles 5 and 6 of Organic Law No. 4/2017);

b) Secondly, under the terms of paragraph 2 of article 6 of the aforementioned Organic Law, the prohibition on interconnection of data in real time;

c) Thirdly, the existence of a prior authorization for access, for which the formation of the criminal sections of the Supreme Court of Justice is competent, consisting of the presidents of the sections and a judge appointed by the Superior Council of the Judiciary, of these sections (Article 8). The decision to grant or deny authorization must also be substantiated on the basis of clear and complete information, namely regarding the purposes of processing (Article 10 (3)).

d) Finally, the implementation of a permanent control system, both internal and external, namely, to ensure both the timeliness of the data, as well as the cancellation of the access procedures and the destruction of the data obtained illegally, outside the scope of the authorization previously granted, or that do not matter for the process. In this authorization and control system, judges of the Supreme Court of Justice, the Attorney General of the Republic, the SIRP Data Supervisory Commission and the SIRP Supervisory Board intervene, respectively, under the terms of articles 4 to 11, 14, 15 and 15 of Organic Law no. 4/2017.

Thus, basically, and as already explained, the rules in question seem to seek to respond to the objections of a legal and constitutional nature previously raised, promoting the mandatory intervention of an authority composed of judicial magistrates and a control system that allows the activity of intelligence services in this area to be framed and limited.

Thus, and keeping in mind everything that has been stated so far, the question is whether, in this case, the intervention of judges and the existence of mechanisms to control access to traffic data can be considered materially equivalent to those that characterize a criminal procedural structure in a democratic rule of law, under the terms unequivocally required by the Constitution.

Now, it can be said in advance that the answer to that question can only be in the negative, for different reasons.

11.1.2 - In the first place, it is worth recalling, in this context, what this Court stated, in Judgment No. 403/2015, about the characterization of the SIRP: "the purposes and interests that the law is incumbent upon the SIRP to pursue, the functional powers it confers on its staff and the action and control procedures it establishes, place access to traffic data outside the scope of criminal investigation", so "the characterization of this specific activity as the collection of 'information' for the purposes of 'prevention' dissociates it, clearly and precisely, from the criminal investigation activity" (cf. the respective point 19).

In this way, and despite the changes made in the system of access to traffic data, in relation to what was foreseen in the rules inspected in Judgment No. 403/2015, we cannot fail to consider that, also in the rules in question, the access to the data is only intended, and without any doubt, for the continuation of the attributions of the SIRP, under the legally defined terms; that is, the collection of traffic data is not intended for investigation or evidence in the context of an ongoing criminal proceeding. It is intended, as can be read in Article 1 of Organic Law No. 4/2017, to allow, whenever necessary "the pursuit of the activity of producing information by the Information System of the Portuguese Republic (SIRP) related to internal security, defense, State security and the prevention of espionage and terrorism".

However, the Information Services play, within the framework of the legal-constitutional system, a specific function, clearly distinct from the police or the Public Prosecutor's Office, which operate in the context of criminal proceedings. Between the criminal process and the intelligence service mediates an insurmountable difference. In criminal proceedings, the State reacts to a past event, which can be renewed to an injury or to a danger to legal assets. The State's activity is based on the well-founded suspicion of the practice of the fact, so it is a question of confirming (or invalidating) its occurrence, identifying and punishing its agents. In contrast, intelligence services move on the margins of any indication or suspicion of the practice of an unlawful fact: they act in the "advanced field" (Vorfeld) of data collection to anticipate hazards, in order to clarify the areas or situations of danger and eventually accompany supposedly dangerous people. In addition, they are not assisted in the practice of any acts of interference or invasion in the sphere of freedom of the target persons.

In addition, the instances of criminal proceedings (prosecutors and criminal police bodies) act, in principle, in a public manner, obeying a principle of transparency and a set of significant and detailed legal rules. On the other hand, those services operate, by the very nature of their mission, in secret, and must limit themselves to observing, collecting and processing information on facts that may imply a significant risk to the constitutionally protected rights and values. Thus, intelligence services operate only in obedience to the fundamental principles of the legal order, and not to criminal procedural rules (see the distinction drawn, in this same sense, in the Judgment of the German Constitutional Court of April 24, 2013, 1 BvR 1215/07).

There is, as concluded in Judgment 403/2015:

«(...) a radical distinction between information and criminal investigation, which prevents information officers from intervening in criminal proceedings. The information, in the sense of «elements of knowledge systematized in interpretative tables, through criteria that overlap the structure of meaning to the causal relationship (...) produced through its own method and preserved from the attention and knowledge of third parties», translating into this the «two essential distinguishing features: - its own method; - a regime of secrecy» (cf. Arménio Marques Ferreira, "The Information System of the Portuguese Republic", in Law and Security Studies, Almedina, 2007, pg. 69), aim at obtaining the specific knowledge necessary to make decisions and not the collection of evidence leading to the prosecution.»

Not wishing to deny the connections and similarities between the activity of gathering information, under the responsibility of SIRP, and the exercise of criminal action, in the context of criminal proceedings, the truth is that, in the absence of criminal proceedings, an essential element is missing, in the current constitutional framework, for the balance between, on the one hand, the need for State access to private communications, to guarantee constitutional rights and values such as freedom and security, and on the other, the obligation to respect rights, freedoms and guarantees, such as the inviolability of the home and correspondence, as set out in article 34 of the CRP. This element is embodied in the existence of constitutional guarantees of the accused. It is true that it is possible that, in the initial phase, there is no defendant even in the context of criminal proceedings. Yet, if there is a well-founded suspicion of a crime in relation to a person, the natural consequence of the criminal process will be that person's constitution as an accused, under the terms of articles 57 and 58 of the Code of Criminal Procedure. This procedural position assures the accused, in the light of articles 60 and 61 of the said Code, an important range of procedural rights and duties, namely, the right to intervene in the inquiry and the investigation and the right to appeal against unfavorable decisions.

However, outside the criminal proceedings there is never an accused, thus, the set of guarantees for the exercise of fundamental rights associated with this statute is not ensured.

Therefore, and bearing in mind the intrinsic link between criminal proceedings and the defendant's constitutional guarantees, it is easy to understand that the simple intervention, or intermediation, of a group of judges - even though they are experienced magistrates, coming from the Supreme Court of Justice - in the access to communication and internet data by the SIRP information officers is not enough to give this process a criminal nature, not even a materially analogous nature. In fact, that intervention does not guarantee the possibility of defending those affected by the restriction of fundamental rights that access to communications data necessarily entails. Those affected will, moreover, completely ignore, in most situations, the existence of restrictive intervention in their individual legal sphere, since the executive's power is, in this field, exercised in secret. Such a circumstance, although it can be easily justified, inevitably also increases the risk of arbitrariness and serious injury to those rights.

Second, and if the above considerations were not enough, a closer analysis of the process of access to communications traffic data by the information services allows us to conclude that, although the new standards clearly intend to tighten the mechanisms of control in relation to what was foreseen in the previous legislation, the claimed greater demand for such mechanisms seems, after all, in practice, still insufficient, especially if we want to equate them with the criminal process.

Indeed, part of the material objections raised by this Court in Judgment No. 403/2015 can be repeated in relation to the rules under analysis:

(i) Little densification of the legislative framework

Attention should be paid, from the start, to paragraph 1 of article 6 of Organic Law no. 4/2017, under which information services will only be allowed access to the data in question "when there are reasons to believe that due diligence is necessary, adequate and proportionate, in the following terms: a) To obtain information about a target or a determined intermediary; or b) To obtain information that would be very difficult or impossible to obtain otherwise or in a timely manner to respond to the emergency situation". This formulation, which is intended as a guarantor, actually repeats an element that is, by virtue of the Constitution, inherent to all State action in the field of fundamental rights - respect for the principle of proportionality. At the same time, it attributes a wide discretionary power to assess the possibility of state interventions restricting such rights, without a sufficiently densified normative framework, since the use of imprecise and indeterminate concepts ("very difficult to obtain in another way", "useful time") makes it impossible to build clear and prior legal limits to the implementation of restrictions. In these terms, the consideration of the proportionality and legitimacy of a restrictive intervention of fundamental rights on the part of SIRP officers is not subject to any minimally precise or determined criterion of distinction between licit and illicit interventions, from which the judges of the formation of the STJ are to decide on its authorization.

(ii) Administrative nature of the process, despite the intervention of magistrates

The "formation of the criminal sections of the Supreme Court of Justice", which oversees the case, does not likewise have a well-defined legal nature. Even though it is a group of judges, this type of action seems to be outside the jurisdictional scope, so we are dealing with action of an administrative and non-judicial nature. The transfer of decision-making discretion in matters of access to data, from SIRP bodies to magistrates, although it represents a positive step in terms of citizens' guarantees, given the experience and training of the Judge Counselors of the Supreme Court of Justice, as well as their particular sensitivity to fundamental rights and criminal proceedings, is not, however, liable to cause the transformation of an administrative proceeding into a criminal proceeding,

(iii) Lack of definition of the meaning and scope of the role of the Attorney General

Furthermore, it should be noted that the intervention of the Attorney General, provided for in paragraph 2 of article 5 of Organic Law no. 4/2017 ("the process for authorizing access to data is always communicated to the Attorney General of the Republic"), and presented as one of the elements of guarantee of respect for the fundamental rights of citizens, has little practical relevance. This is so, decisively, because the MP's intervention in this process does not fit the role of the MP in the criminal process. Furthermore, its role in the entire process needs to be densified: even after the entry into force of Ordinance No. 237-A/2018, the nature of its intervention is not fully understood, especially when it would consist of one of the elements of equating the guarantees of access to traffic data to the guarantees of criminal proceedings.

Thus, the Law provides that the Attorney General's Office is "aware" of the request for access to data (article 9) and of the deferred transmission of that data (article 11); that it be notified of decisions to cancel access and to destroy data, for the purposes of exercising its legal powers (Article 12); and that the data obtained that indicate the practice of crimes of espionage and terrorism be immediately communicated (article 13). From the provisions of Ordinance No. 237-A/2018 it is concluded that the Attorney General may comment on the request for access (subparagraph c) of paragraph 3 of article 1) and is informed of the deliberation of the formation of judges of the Supreme Court of Justice on access to the data, being able to react, without knowing in what terms (subparagraphs f) and h) of paragraph 3 of article 1); the Attorney General is also aware of the remittance of the response file with the data, by the electronic communications service provider, and may also comment here (paragraphs i) and j) of paragraph 3 of article 1). Thus, the role of the Public Prosecutor in the process of accessing traffic data by the SIRP information officers is not clear, nor are its powers in this matter, nor the legal effects of any prosecutor's pronouncements, when legally permissible.

(iv) Difficulty in exercising the right of access to retained data

Finally, it should be noted that the right of citizens to access data processed or stored in the data centers of SIS and SIED, which corresponds to the fundamental right provided for in paragraph 1 of article 35 of the Constitution, can only be exercised through the SIRP Data Supervision Commission, in the light of paragraph 6 of article 15 of Organic Law no. 4/2017. In other words, it is a right that can only be enforced under the terms of article 26 of Law no. 30/84, being, under the legal terms, the exclusive competence of the SIRP Data Inspection Commission. It thus acts as an intermediary between the citizen and the information services, and performs its supervisory functions through periodic checks of the programs, data and information by sampling, provided without a nominal reference; and, equally, for the access to data and information with nominative reference (particularly when the Commission considers to be facing a denunciation or reasoned suspicion of its illegitimate or unfounded collection). The Audit Committee must order the cancellation or rectification of collected data that involve violation of the rights, freedoms and guarantees enshrined in the Constitution and the law and, if necessary, exercise the corresponding criminal action. Yet,

11.1.3 - In view of what has been said, it can be said that the procedure for accessing communications and internet data by SIRP information officers, in addition to not being, naturally and obviously, a criminal process from the formal point of view, is also very different from one from the material and guarantee point of view.

In fact, a legal-constitutional interpretation according to which the literal element of paragraph 4 of article 34 of the Constitution could be removed, and to admit the existence, in this matter, of a restriction to a fundamental right, expressly authorized by the Constitution, whose scrutiny would center, on the part of the Constitutional Court, on a mere proportionality judgment, under the terms of article 18 of the Constitution, taking into account the conflicting constitutional rights and values whose balance is sought. The divergences in relation to the criminal process, as it is conceived in our democratic rule of law, are too obvious for this position to be fully supported.

It should be noted, however, that the Constitutional Court does not ignore that this is a matter in which, as in the broader question of interference in private communications in the context of criminal proceedings, and, most of all, echo "with particular resonance, the fundamental political-criminal antinomies underlying the entire right to prohibition of evidence"; nor does it forget that in this field "it is very relevant to that 'dramatization of violence and threat' (HASSEMER) induced in collective representations by the most recent explosion of organized crime, the maximum of terrorism and drug trafficking" (Manuel da Costa Andrade, On the prohibitions of evidence in criminal proceedings, Coimbra Editora, 1992, p. 281).

Nor does it ignore, equally, that in this type of matter it is necessary to take into account the state duty to guarantee security, which stems from paragraph 1 of article 27 of the Constitution. However, the Constitutional Court is the guarantor of a certain constitutional parameter, in which many of the considerations between potentially conflicting constitutional rights and values have already been carried out by the constituent legislator. It is not, therefore, within the framework of a democratic rule of law, to replace itself, so that, in the matter now under analysis, the operation of practical agreement carried out by the legislator and enshrined in paragraph 4 of Article 34 of the Constitution, because this was the option of the democratically legitimated constituent power.

11.2 - Access to traffic data that does not involve intersubjective communication

It is now important to analyze the constitutionality, in the light of articles 26, paragraph 1, and 35, paragraphs 1 and 4, both of the Constitution, of the ideal segment of article 4 that refers to access to traffic data that do not involve intersubjective communication, as the knowledge of these data by SIS and SIED necessarily represents a more intense want of privacy than access to basic data or location data, as provided for in Article 3.

In assessing the extent of the interference necessary to protect other constitutional assets, it should begin by examining whether the degree of harm caused by access to and treatment of this specific category of traffic data differs substantially from the intensity of the intrusion that access to the other traffic data included in the provision of that article 4 causes to the privacy and informational self-determination of the data subject.

Although those data do not refer to concrete and effective communications made or attempted between people, but only between people and machines or even between machines (machine-to-machine communications) provided by "software agents", the truth is that they can be based on the same basic data as the latter and, like these, enable the monitoring, surveillance and control of the movement of people, as well as the construction of user profiles that involve evident risks of loss of privacy. In fact, the collection and processing of "browsing data" on the internet, even if it is not in real time or through access to the totality of data stored by the providers of electronic communications services, makes it possible to know the choices, behaviors, habits, inclinations, likes, experiences and centers of interest of the data subject, and based on them, evaluate and typify their behavior and their particularities. Therefore, as is the case with the collection and processing of data from an authentic interpersonal communication, in which the loss of privacy of the respective interlocutors is evident and significant, the knowledge and treatment of the trace of the marks and signs that the Internet connection leaves behind can cause equivalent damage to the privacy of the data subject.

In fact, with the exception of the data needed to find and identify the recipient of electronic mail via the internet or telephone communication via the internet, the treatment of other internet traffic data affects the same dimensions of privacy and protection of personal data, whatever the use of the internet. In both modes of use, intersubjective communications and mass communications, the non-consensual treatment of the respective traffic data calls into question the user's values and interests, such as (i) the trust the user has in the security and reserve of the computer systems of the internet access service provider; (ii) the interest in deciding, for himself or herself, about the use that may be made of his or her personal information; (iii) the interest in not being subject to exclusively automated decisions on his or her data; (iv) the interest in knowing, having, controlling, updating, correcting or deleting the personal data that concern him or her; (v) the interest in knowing the purpose of the processing of his or her data; (vi) the interest in the non-disclosure of data subject to treatment.

Hence, given the similarity of the values and interests affected by the non-consenting treatment of both categories of internet data and the equivalent degree of harm it can cause to the user, the density of scrutiny to be applied by the constitutional jurisdiction to the evaluation of the legislative choice cannot be less in some of them. Although it is admitted that not all internet data contained in the provision of article 4 of the Organic Law no. 4/2017, of August 25, are covered by the same area of protection that the Constitution reserves for electronic communications, their unauthorized treatment may directly contend with the same legal-constitutional assets. As with the secrecy of telecommunications ensured in paragraph 4 of article 34 of the Constitution, what is also at stake here is to ensure the free development of personality and the privacy of each person through the use of the internet. advertising margin. Because of this, the density of scrutiny will have to be all the greater the more evident, or manifest, the inexistence of a basis for a different regime of intrusions with reference to internet data.

11.2.1 - It is true that, as we have seen, the Constitution enshrines a differentiated system of interference in internet data: according to the provision of article 34, paragraph 4, of the Constitution, traffic data relating to communications among people are included in the area of protection of the inviolability of telecommunications, with a special constitutional authorization for the interference of public authorities in this area, limited only to the matter of criminal investigation; internet traffic data that does not involve interpersonal communications, inasmuch as they allow the user's name, address and other identification data to be identified, are considered "personal data" protected only by the general rules of article 35 of the CRP, that admit restrictions in areas that can go beyond the scope of criminal investigation.

There is no doubt that, with regard to traffic data in the context of intersubjective communications, including internet data, the special tutelage of communicative self-determination removes or dispenses the general tutelage of informative self-determination; and as for internet traffic data outside this scope, only this last general protection is summoned.

It does not follow, however, that the dimensions of privacy and protection of personal data of the users in question have less constitutional merit than those that can also be harmed in the context of interpersonal communications. For this reason, the intensity of scrutiny required, despite the difference in the constitutional parameters in question, cannot fail to be similar or equivalent.

In fact, if the Constitution authorizes the non-consenting processing of traffic data relating to communications between people, it is said that it also does not exclude the invasion of traffic data that does not support authentic communications, since in that case the loss of privacy does not reach one dimension of that other (the privacy of communications). More: the raison d'être of the constitutional legitimacy of interference with traffic data will not be so much in the different category of data - whether or not they presuppose an act of intersubjective communication -, but above all in the specificities in terms of public interest and guarantees of the domain where the restriction can act: criminal investigation.

11.2.2 - It happens that the activity of the public entity that wants access to internet traffic data that does not respect intersubjective communications - the SIRP - and the purpose for which they are located is in the field of prevention: «information necessary to prevent espionage and terrorism». The production of information necessary for the preservation of internal and external security, as well as the independence and national interests and the unity and integrity of the State, in principle, is dissociated from criminal prevention and investigation in the strict sense, and the information services cannot carry out any acts within the competence of criminal police bodies or judicial authorities or detrimental to citizens' rights, freedoms and guarantees (articles 3 and 4 of Law no. 30/84, of September 5, last amended by Law No. 4/2014, of August 13; v. also supra point 11.1.2. and paragraph 19 of Judgment No. 403/2015).

In the context of Organic Law No. 4/2017, of August 25, the preventive nature of the traffic data collection and processing activity is reinforced, since if the scope of the crime of espionage and terrorism is indicated, it must be immediately reported to the Public Prosecutor's Office (Article 13). Accessing this category of data - which is part of the concept of personal data - also allows foreseeing the occurrence of such crimes or identifying people for whom there is evidence that they have committed them or that they are preparing to commit them. It is, therefore, an activity that makes it possible to obtain "information" through acts that contend with rights, freedoms and guarantees, and which is part of a broad concept of criminal prevention, a "phase prior" to the criminal prevention itself in charge of police, and that, for this very reason,

11.2.3 - The prevention of crimes as a function of the security police and the judicial police is constitutionally supported by paragraph 3 of article 272 of the Constitution, with the following limits: “it can only be done with observance of the general rules on the police and with respect for the rights, freedoms and guarantees of citizens”. As already mentioned in Judgment 403/2015, the activity of SIRP - service that is part of the security forces and services (paragraph c) of paragraph 2 of article 25 of Law no. 53/2008, of 29 August - Internal Security Law - LSI) - is also covered by this constitutional precept (cf. the respective point 19).

And it follows that "crime prevention measures will only be measures for the protection of people and property, surveillance of suspicious individuals and places, but they cannot be measures to limit the rights, freedoms and guarantees of citizens" (Gomes Canotilho and Vital Moreira, Annotated Portuguese Republic Constitution, 4th ed., Vol. II, p. 861).

As a rule, the infraconstitutional laws that define the material activity of the public security police, criminal police or criminal police bodies differentiate the prevention functions from the criminal investigation functions through a temporal criterion: the acquisition of the news of the crime is a sine qua non condition for initiating a criminal investigation. From the start, article 1 of Law no. 49/2008, of August 27 - Criminal Investigation Organization Law - begins by defining criminal investigation as «the set of steps that, under the terms of the criminal procedural law, are aimed at investigating the existence of a crime, determining its agents and their responsibility and discover and collect evidence, within the scope of the process»; then, the various organic laws of the police, in addition to granting competence to practice acts within a criminal process, as supporting bodies of the judicial authorities, define the powers that they have within the scope of criminal prevention extradelictum or post-delictum (articles 3 and 4 of Law no. 37/2008, of August 6 - Organic Law of the Judiciary Police); finally, "precautionary or police measures", administrative or criminal proceedings, which the police can take on their own initiative (articles 28 and 29 of the LSI and articles 248 to 253 of the Code of Criminal Procedure).

However, as the majority of police with criminal investigation functions, developed during the investigation or investigation phases of a criminal case, also have preventive functions in relation to violations related to their competences, sometimes there are difficulties in characterization and differentiation between these two domains, all the more delicate as it is true that the rules to be observed, depending on whether it operates in the field of prevention or investigation, are not - or may not be - the same. The formal and traditional criterion of distinction between prevention and investigation, based on the intervention time of the authorities, loses its clear contours. The hidden means of investigation, even when they start from the criminal process, can discover possible or probable "crimes" or dangers likely to materialize. Positive or proactive criminal prevention, such as that which the State intends to fight against new forms of organized crime, does not wait for the practice of crime to begin investigating and collecting evidence. That is why, in certain cases, the collection of information even before the fumus commissi delicti emerges, to be valued in a future criminal case, can substantiate an "advanced field investigation", or a tertium genus or third police task, materially elevated to the status of investigation specific to criminal proceedings (cf. Costa Andrade, ob. cit., "Abruptly last summer", the reform of the Penal Procedure Code, p. 324).

In any case, the truth is that the procedure for collecting information through traffic data, provided for in the questioned article 4 of Organic Law No. 4/2017, is not oriented towards an investigative activity of crimes committed, nor is it aimed at gathering “evidence” of the planning of organized terrorist crimes. Under the terms in which access to traffic data is regulated in the diploma, with the assumptions provided for in its article 6, it is not a criminal investigation purpose, but only a functional accumulation of information for preventive reasons, that is, an activity exclusively inserted in the preventive function.

However, the principle of proportionality stipulates that this State power, in accessing citizens' personal data, in addition to requiring a foundation, precise and determined, in the law - principle of determinability - cannot be used beyond what is strictly necessary. It is not enough that it has a content sufficiently defined in the law, it is also necessary to comply with the requirements of necessity, demandability and proportionality (or prohibition of excess). In effect, it follows from article 272 of the Constitution the concern to limit and link police measures restricting fundamental rights, which “will only be legitimate if suitable (suitable for the elimination of danger), necessary (need to eliminate a serious danger) current “disorder”), proportional (proportion between the sacrifice of rights and the result),

Prevention actions by the police must therefore be translated into measures to defend against concrete dangers. Indeed, the probability / predictability of the occurrence of potentially damaging situations for legal assets whose protection is under the responsibility of the State calls for necessary measures to prevent them - to deny such a statement means to exonerate the state authorities from one of their primary tasks: ensuring the security of people and goods. For this reason, preventive measures presuppose legal qualifications for interference against dangerous situations, understood in the sense of "an objective threat of immediate damage to legal assets by illegal individual conduct that is particularly susceptible to generating it in a concrete situation" (Sérvulo Correia, The Right of Manifestation - Scope of Protection and Restrictions, Coimbra, 2006, p. 98).

It should be noted, however, that, as intelligence services are not police bodies, their activity being of a secret nature and not observable by the affected citizens, the rule in Article 4 must be subject to strict constitutionality control.

Thus, the principle of necessity, one of the dimensions of the principle of prohibition of excess, requires that access to traffic data harmful to informational self-determination is intended to react to situations of danger sufficiently indicated, that is, to situations in which, if nothing is done to prevent it, constitutionally protected assets - such as life, liberty and personal integrity or national independence and integrity - are likely to be harmed.

However, in the context of criminal prevention actions, the law has not provided for intrusions in electronic communications: access to the content of communications can only be authorized in the "inquiry" or in any other stage of the criminal procedure (articles 187 and 189 CPP and article 18 of Law no. 109/2009, of 15 September, on the domain of cybercrime). As a result, the processing of personal data for the purpose of criminal investigation "should be limited to what is necessary to prevent a specific danger or the prosecution of a specific offense" (paragraph 3 of article 8 of the previous Law no. 67/98, of October 26 - LPDP); and the conservation and transmission of data are for "the sole purpose of investigating the detection and prosecution of serious crimes" (paragraph 1 of article 3 of Law no. 32/2008, of July 17).

In general, it can be said that "practical agreement" between the constitutional values of prosecution and punishment of crime with fundamental rights must be made in the context of criminal proceedings. Any preventive action that interferes, in the sense of compressing or intruding, with rights, freedoms and guarantees, cannot take place outside a properly formalized criminal process, because “it is evident that a proceduralized and publicized investigative action, in the form of a preliminary investigation or of instruction, not only safeguards freedom and security in the course of the process but also guarantees that the evidence channeled to it was obtained with respect for fundamental rights. The same conclusion cannot be drawn from a non-procedural or even not sufficiently formalized prevention action, covered by State secrecy, Judgment No. 403/2015, paragraph 19).

11.2.4 - Simply, the norm of article 4 of Organic Law no. 4/2017, framed in the respective legal regime, clearly departs from this paradigm.

The need for access to traffic data is based on two alternative assumptions, mentioned in article 6: (i) obtaining information from a specific target or intermediary; (ii) impossibility or difficulty in obtaining the information in another way or in a timely manner to respond to an emergency situation. Preventive action is thus modeled by an opening of concepts ("determined target", "urgent situation", "very difficult to obtain", "useful time"), semantically malleable and insufficiently determined, within which the uncertainty about the assumptions for accessing traffic data is quite large, given the uniqueness of each specific case.

Indeed, the intrusion into this category of data depends only on the existence of a specific target and on the impossibility or difficulty of obtaining information through open means in a short time. The determination of a "target" or the assessment of a "situation of urgency" depends on the material existence of de facto assumptions entirely chosen by the information services and on the valuation judgment they make about them. The same is true, moreover, with the connection of the information targeted by the access request (either about the "target" or other unspecified information) and the prevention of acts of espionage or terrorism: the facts that support such request, the purposes that underlie it and the reasons that advise the same access are those that the services deem necessary to indicate in the authorization request [cf. Article 9 (2) of Organic Law No. 4/2017]. Consequently, the relevance of the grounds for the request, which, as a weighting factor for the judges' decision, limits the safeguarding of the fundamental rights in question (cf. Article 5 (1) of the same law), can also only be assessed according to what the services themselves state in their request. In this way, any citizen can potentially be referred to as a target, just as any situation can be configured as urgent. It all depends on the judgment of prognosis or the assessment that the information services make of the concrete situation experienced.

In defining the target citizen of the measure, the law does not indicate objective criteria for selection, related to the likelihood that the target persons are directly or indirectly involved in the preparation or execution of terrorist attacks, or a relationship, at least indirectly, with acts of serious crime, namely espionage; on this point too, the norm fails the test of proportionality, due to the lack of densification of the legal regime that serves as an assumption.

without the latter being aware of this or having any power to react a posteriori to request the destruction of the data and hold the entities that had access to it or that provided it to the information services responsible, without any indication or causal relationship with acts corresponding to the practice of the aforementioned crimes. We are, therefore, faced with situations in which the individual loses control over the circulation of his personal data and in which his right to informational self-determination can clearly be violated, being transformed into an “object of information”.

Given the sensitivity of the issue to fundamental rights, it must be understood that the substantial assumptions of the meddling action on traffic data are not sufficiently dense in the law, that is, they are not predetermined to prevent hazards whose threat is based on circumstances in fact, normatively described, for legal assets of transcendent importance for the individual and for the community organized under the rule of law. In the diffuse and indeterminate terms that result from the articulation of article 4 with the aforementioned article 6, it is up to the information services to choose the elements of the concrete situation relevant to the access to traffic data, and it does not follow from the law that access must occur only in the presence, in the specific case, of a situation in which, with a high probability, and in a relatively short time, there will be damage to legal assets or fundamental rights of transcendent relevance for citizens and for the whole community. The legal authorization for the legitimate invasion of traffic data does not even incorporate as a presumption a certain degree of suspicion of the practice of crimes of espionage and terrorism, nor is the danger or suspicion of concrete danger stated in the law as a possible object of preventive action. In effect, from that precept it is not expressly stated that the collection of the information has as its object news of facts capable of substantiating suspicions of danger of the practice of certain crimes against a circumscribed number of fundamental legal assets for the community.

The need for intervention in matters of rights, freedoms and guarantees must be formally included as a precondition for preventive action. The existence of a specific target or an emergency situation, without specifying guidelines that guide the choice of the relevant elements for the detection of the target or the qualification of the situation as urgent, does not allow one to evaluate, in itself, the need for intrusion into, and prying into, traffic data. Without the legal fixing of such guidelines, access to traffic data can be based either on defense against dangers or on anticipation of risks. It is evident that, in order to justify a preventive action in the light of proportionality, a perceived but not verifiable danger does not have the same evaluative weight as a concrete danger susceptible to objective demonstration.

Hence, the norms attributable to the power of defense against dangers have to establish with precision and sufficient density the assumptions that underlie the need to take preventive or interference measures. Accepting the reasoning of the German Constitutional Court, when fundamental rights based on "prognosis judgments" are at stake, it is required that the "pertinent legal authorizations contain elements that limit the action". This is so that "limiting the scope of authorized meddling ... makes it possible to tolerate, in matters of fundamental rights, the risk of an incorrect prognosis" (BVerfGE, 110, 33, 57 and 60).

In the same sense, the jurisprudence of the CJEU requires that national regulations contain clear and precise rules that indicate under what circumstances and under what material and procedural conditions providers of electronic communications services should grant national authorities access to data, and national legislation cannot merely refer to the general objectives of Article 15 (1) of Directive 2002/58 (cf. CJEU judgments Tele 2, paragraphs 117 and 118, and Digital Rights, paragraph 61). According to the case law of the ECtHR and the CJEU, a public authority can only be granted access to communication or traffic data on the basis of determined and objective criteria, defined in a law that is clear and detailed in its terms, accessible and with foreseeable effects for citizens, and relating to persons suspected of planning or having planned, of committing or having committed a terrorist act, or of being in some way involved in such an offence (CJEU Tele 2, paragraph 119; ECtHR Zakharov v. Russia, §260).

The absence or normative indeterminacy of these assumptions allows for restrictive interventions in situations whose harmful potential does not require the adoption of preventive measures. The possibility of taking preventive measures without specifying the substantial conditions for their exercise, would constitute an unpredictable aggravation for citizens, without any compensation for certainty and security. As Reis Novais points out, “a restriction of contours not well established in advance potentially broadens the scope for restrictive action of the powers constituted to a plan that is not in line with the principle of the distribution of the rule of law and the prohibition of excess and generates inhibitory effects on the side of the exercise of freedoms” (The Structural Constitutional Principles of the Portuguese Republic, Coimbra Editora, 2004, p. 192).

The norm of article 4 of Organic Law no. 4/2017 deals with matters of parliamentary law reserve: rights, freedoms and guarantees (articles 165 (1), point b), and 18, no. 2, both of the Constitution). In these matters, namely in the field of the use of information technology in relation to the processing of personal data, the law must foresee and prescribe clearly and precisely the framework of circumstances in which restrictive interventions can be taken, and cannot be written in terms so broad that it can be interpreted as including, in its prediction, the freedom to choose the assumptions that justify the need for intervention. A vague, imprecise and too comprehensive law would convert restrictive measures into arbitrariness, due to the absence of objective criteria as to the reason for their use.

Especially since, in this case, access to traffic data represents an intrusion without the respective owners being aware of the fact, or without being able to react during its execution, or even at the end of it, since they are not notified, nor are any acts or procedures foreseen to allow knowledge of the interference by the interested parties, contrary to what is required by the Court of Justice: concerned, within the framework of the applicable national procedures, from the moment that such communication is not liable to jeopardize the investigations carried out by those authorities', since this information is indispensable for the activation by such persons of effective judicial protection of their rights in this area, namely the right to rectify or delete the data in question (cf. the Tele2 judgment, paragraph 121, and the Schrems judgment, C-362/14, EU:C:2015:650, no. 95).

As the ECtHR ruled in its judgment of 6 June 2006 (Segerstedt-Wiberg and Others v. Sweden case, No. 62332/00), “in these cases, the risk of arbitrariness is, of course, greater; because secret surveillance measures are not, by their nature, capable of being controlled by the general public nor are they known to the individuals concerned, the law must indicate, with precision and sufficient clarity, the scope of that discretion conferred on the competent national authorities, and the way it should be exercised by them, thus granting the individual the defense against arbitrary interferences in their rights”.

It is not, therefore, any urgent target or lack of information that legitimizes a law restricting the right to informative self-determination of traffic data.

As mentioned, the collection of information through internet data is only in conformity with informational self-determination when there are situations in which it is possible to have a substantially grounded judgment of the occurrence of danger for a circumscribed number of legal assets that are extremely important for the community, such as people's lives, bodies and freedom, or the security of the rule of law. The principle of proportionality requires the State to invoke a situation of foreseeable, concrete danger and highly probable verification, justifying the prognostic judgments through the normative identification of the factual situation that is at the origin of the danger, the possibility of the occurrence of harmful events within a proximate period of time and the relationship of the danger situation with determined people.

However, the normative statements taken from article 4 in conjunction with the provisions of article 6 of Organic Law no. 4/2017 do not meet these requirements. As the assumptions of intrusion are formulated, there is the possibility of accessing this data in indefinite situations, in more or less unlikely verification events, without any reference to de facto circumstances, in which case it is impossible to avoid arbitrariness.

It is evident that the State, in order to safeguard unquestionable social values, such as public security or the public danger of terrorist actions, can and must take preventive measures.

And it was with this objective in mind that LSI created the Anti-Terrorism Coordination Unit (UCAT), under the responsibility of the Secretary General of the Internal Security System, composed of representatives from various services, including the Secretary General of SIRP and the directors of the SIED and SIS, whose main function is "coordinating and sharing information, in the context of combating terrorism", which was put into operation by Regulatory Decree No. 2/2016, of 23 August. However, the action of this service and the police that integrate it moves above all in the advanced field of anticipation, assessment and risk management of terrorism, an area in which, due to the uncertainty it entails, it is excessive to restrict the fundamental right to informational self-determination.

In the proportionality judgment on restrictive measures, the risk that, under the cover of the fight against terrorism and espionage, citizens are reduced to digitally created and heteroconstructed identities, based on profiles defined by third parties, with the consequent dehumanization of people and standardization of their behaviors, destroying privacy and conditioning freedom, thus ending up perverting democracy, has to be considered. The devaluation of the sacrifice imposed on citizens' freedom here assumes a special weight in the analysis of the means-end relationship inherent to the test of proportionality.

It is understood, therefore, that the preventive action provided for in article 4 of Organic Law no. 4/2017, of August 25, as articulated with the admissibility conditions provided for in article 6 of the same diploma and taking into account the insufficiency of the citizens' means of reaction against unlawful interventions, unreasonably unbalances the weighting of the end-point inherent in the aspect pointed out of the principle of proportionality, violating the right to informational self-determination, enshrined in articles 26, paragraph 1 and 35, paragraphs 1 and 4, in conjunction with article 18, paragraph 2, of the CRP.

12 - The question of the constitutionality of Article 3 of Organic Law No. 4/2017

Since, as has already been said and is repeated, Article 34 (4) of the Constitution does not apply to the area covered by that Article 3, the constitutionality of this rule must be assessed on the basis of Articles 26, paragraph 1 (right to the development of personality and the reservation of the intimacy of private life) and 35, paragraphs 1 and 4 (prohibition of access to personal data) of the Constitution. The data to which the norm of article 3 of Organic Law no. 4/2017 allows access are "personal data of third parties", for the purposes of article 35, no. 4, of the Constitution, covered, therefore, by a principle of prohibition of access, in which the negative aspect of defense before the State stands out.

The right to informational self-determination encompasses a broader protection than the simple reservation of private life, including the personal data of individuals, even though autonomous from concrete acts of communication, whose possibility of intrusion increases exponentially with technological progress, and which reflect, for example, the lifestyle of an individual, the places he attends, his tastes, his health, the way he spends his free time, the conduct and characteristics of the user or even fundamental traits of his personality. Access by SIRP to data of this nature conditions the informational self-determination of citizens to which this data relates - one of the refractions of constitutional protection of the free development of personality - and constitutes a threat of invasion of the privacy of those targeted.

As stated in paragraph 13 of Judgment No. 403/2015, the right to informational self-determination enshrined in article 35 of the Constitution, with a view to protecting people from the processing of computerized personal data, does not refer, as the right to communicative self-determination, to individual communications actually made or attempted, these already protected by communications secrecy. “In that other right, personal information collected and processed by public and private entities is protected, whose form of treatment and disclosure can cause offenses to the privacy of the people concerned. [...] In this case, it is intended to prevent the information provided to a private individual or an entity from being able to be disclosed to other persons or entities, that is, the person becoming "a mere object of information", in view of all the computer records he leaves in his daily life. The prohibition of interference or intrusion in this area implies not only the prohibition of access to personal data to third parties, but also the prohibition of disclosure or even interconnection of files with data of the same nature”.

However, as mentioned, these rights can be subject to restrictions through legislation - laws restricting rights, freedoms and guarantees. In some constitutional rules, the Constitution authorized the ordinary law to restrict certain rights in some aspects or for some purposes, in others it specifically gave the legislator a power to regulate the matter, which includes powers of restraint. Thus, with regard to the right enshrined in article 35, paragraph 4, the Constitution expressly provides for the possibility of its restriction, in the final item "except in exceptional cases provided for by law", but does not indicate its assumptions or purposes. However, the restriction will have to observe, in addition to the legal reservation in a formal sense enshrined in article 165, paragraph 1, point b) of the Constitution, the limits imposed by article 18, paragraphs 2 and 3: proportionality in the broad sense; reservation of law in a material sense; prohibition of retroactivity; and inviolability of the essential content. The doubts in this case focus on respect for the principle of proportionality.

Regarding the restriction of defense rights or rights of negative content - the right that the State not have access to personal data -, the problem that arises is whether the legislator, in the solution stipulated in article 3, contextualized in the respective legal regime, violated the prohibition on excess.

The first stage of the judgment is to identify the reasons that may justify the restriction of the rights involved here - reasons that, under the terms of paragraph 2 of article 18, necessarily translate into a duty to protect other fundamental rights or in the pursuit of legitimate interests that the constitutional order entrusts to the public power, especially the legislative. With regard to Article 3 of Organic Law No. 4/2017, the purpose of the norm is brought back to the constitutional value of security, which adds the positive dimension of a very wide set of fundamental rights (eg, life, integrity, property) and collective interests such as national independence and public order. In short, these are subparagraphs a) (guaranteeing national independence), b) (guaranteeing fundamental rights and freedoms) and c) (defending political democracy) of Article 9 of the Constitution, which defines the “fundamental tasks of the State”. The constitutional text goes so far as to subject security, in article 27, paragraph 1, in fine, treating it as a fundamental right.

In practice, limitations on fundamental rights must comply with the following requirements: (a) the formulation of a clear and predictable standard; (b) means necessary to achieve an objective of general interest or to protect the rights or freedoms of others; (c) proportionality in relation to the objective pursued; (d) preservation of the essential content of the fundamental right.

It is therefore necessary to determine, in this light, whether access by "SIS and SIED information officers" to "basic data and equipment location" is a disproportionate measure or an excessive means of achieving the purposes - themselves not only legitimate but constitutionally imposed on the public power - for which it is intended.

Before submitting the standard to tests of adequacy, necessity and proportionality in the strict sense, included in the principle of prohibition of excess, it is essential to analyze the access regime established by Organic Law No. 4/2017 for this specific category of data, namely the purposes, criteria, forms, limits and guarantees provided for therein.

With regard to the purposes, the law provides (article 3) access to basic data and location data exclusively "for the purpose of producing information necessary to safeguard national defense, internal security and prevent acts of sabotage, espionage, terrorism, proliferation of weapons of mass destruction and highly organized crime". In other words, national defense and internal security appear, either as legal assets underlying a closed list of criminal types or categories of crimes, or as residual reasons for accessing the data.

As for the criteria, the law requires (article 6) that access be adequate, necessary and proportional in each specific case - that is, that diligence does not prove excessive, taking into account all relevant circumstances -, increasing this requirement through the requirement that the information obtained relates to a specific target or intermediary (requirement of individuation) and that it is impossible or very difficult to obtain the information in another way or in a timely manner (requirement of need). Article 10 (1) further establishes that access does not comprise "all data", but only the "categories of data" that due diligence demands (restriction requirement), with due regard for "conditions of protection of professional secrecy".

Regarding the form, the law determines that access to data by SIS and SIED information officers is subject to judicial authorization “by a formation of the criminal sections of the Supreme Court of Justice, consisting of the presidents of the sections and a judge appointed by the Superior Council of the Judiciary, among the oldest of these sections” (articles 5 and 8). The process begins with a request from the information officers subject to certain content requirements (Article 9), which is subject to a judicial assessment based on a 48-hour period (Article 10 (3)). Although it is understood that this formation, in practice, works, not as a court, but as an administrative entity,

With regard to the limits, the prohibition, contained in paragraph 2 of article 6, of «interconnection in real time with the databases of telecommunications and Internet operators for direct online access to the required data» stands out. This means that SIS and SIED information officers are allowed access only to data previously stored by telecommunications operators, as is clear from the definition of the object contained in article 1, paragraph 1.

Finally, with regard to guarantees, in addition to the requirement for judicial authorization, the law gives the formation of the Supreme Court of Justice competent to authorize access the power to "determine at any time the cancellation of ongoing data access procedures. . obtained illegally or abusively", "that violate the scope of prior judicial authorization" or that are "manifestly alien to the process" (Article 12 (3)). It assigns to a SIRP Data Supervision Commission the competence to supervise the activity of information officers, with the aim of guaranteeing "respect for the principles and compliance with the rules regarding the quality and safeguarding the confidentiality and security of the data obtained" (Article 15 (1)). It also recognizes supervisory powers, in this area, to the SIRP Supervisory Board (article 16). Finally, Article 7 provides for the tightening of penalties abstractly applicable to the various types of crime that may be involved in illegal access to personal data.

All of these measures seek to ensure the safeguarding of a very fundamental sphere of privacy and informative self-determination, limiting state interference to the minimum necessary.

Access to the data provided and with the objectives set out in Article 3 of Organic Law No. 4/2017 can hardly be censured in terms of adequacy and necessity. On the one hand, it is obvious that the measure is a suitable means of producing information that may prove useful in preventing acts and in protecting the interests mentioned in the law. On the other hand, there is no evidence that there are less harmful means that allow, with equal effectiveness, to achieve the objectives for which the regime is intended, all the more so since the law makes the authorization of access and its maintenance dependent on the verification of the need for due diligence.

It is in proportionality in the strict sense that the constitutional conformity of the rule is played. Two essential questions are raised here. The first is whether a regime of access to "basic data and equipment location" by SIRP information officers, with the inhibiting effect on citizens' informational self-determination and with the risk of abuse of personal privacy that the mere existence of such a regime inevitably implies, fails the proportionality test. Understanding that it is not, a second question arises: the question of whether the regime established in Organic Law No. 4/2017 limits access to personal data referred to in Article 3 to specific cases in which, all things weighed and considered, such access is justified - or, at least, reduces the possibility of error or abuse to the minimum that can be judged constitutionally tolerable.

As for the first question, it must be understood that the existence of such a regime, despite its restrictive effect on fundamental rights, is constitutionally admissible. Access to personal data provided for in Article 3 of Organic Law No. 4/2017 is intended for the fulfillment of duties to protect fundamental rights and to protect collective interests with a high axiological burden in the constitutional order. It is, as we have seen, the performance by the State of fundamental tasks defined in the Constitution, in circumstances where the omission of measures of this nature can reasonably be considered detrimental to the safeguarding of the constitutional values underlying those tasks.

As for the second question, it is believed that access for the purpose of preventing acts that integrate the types or categories of crimes referred to in article 3, as regulated by law, is not disproportionate. The indeterminacy of the access criteria - which are embodied in a case-by-case judgment, subject to the aforementioned requirements of individuation, need and restriction - translates the inevitable and desirable practical agreement between the values of privacy and security that arise from the circumstances. And the risk of abuse and error is strongly limited by prior control over the special formation of the Supreme Court of Justice: the risk of abuse is mitigated by the statutory guarantee of independence and impartiality of the judges;

However, such a judgment cannot be extended to the norm segment that allows access to the data for the purpose of immediate safeguarding of national defense and internal security, without the mediation of determinability criteria for these concepts through «action-limiting typifying elements», as expressed by the German Constitutional Court (cf. BVerfG, 110, pp. 33, 57 and 60).

The concepts used in the questioned standard are too vague, on the one hand, and are foreign to the universe of judicature, on the other; the requirement for judicial authorization does not give, as far as they are concerned, sufficient guarantees that interference with citizens' privacy is limited to the minimum necessary and proportional. In fact, due to their very nature as concepts of essential SIRP attributions, they refer to an assessment prerogative of SIS and SIED that frustrates the balance that only the rigorous judicial scrutiny of each access request can ensure. Thus, the legislator has the burden of specifying, in a rigorous and precise manner, which criteria may justify, under the terms of article 3 of Organic Law no. 4/2017, access by public entities to the basic data and location of citizens' equipment.

Therefore, the rule contained in Article 3 of Organic Law No. 4/2017 is deemed unconstitutional, in the segment that gives SIS and SIED information officers access to basic data and equipment location, for purposes of producing information necessary to safeguard national defense and internal security, in violation of articles 26, paragraph 1, and 35, paragraphs 1 and 4, in conjunction with article 18, paragraph 2 of the Constitution.

III - Decision

Based on the above, it is decided to:

a) Declare the unconstitutionality, with general mandatory force, of the rule contained in article 3 of Organic Law no. 4/2017, of 25 August, in the part in which it allows the access of the information officers of the Information Service of Security (SIS) and the Defense and Strategic Information Service (SIED), in relation to basic data and equipment location, when they do not support concrete communication, for the purpose of producing information necessary to safeguard national defense and internal security, for violation of articles 26, paragraph 1, and 35, paragraphs 1 and 4, in conjunction with article 18, paragraph 2, of the Constitution of the Portuguese Republic;

b) Do not declare the rule contained in article 3 of Organic Law no. 4/2017, of 25 August, unconstitutional, insofar as it allows the access of the information officers of these services within the scope of their respective duties, in relation to basic and equipment location data, when they do not support concrete communication, for the purpose of producing information necessary to prevent acts of sabotage, espionage, terrorism, proliferation of weapons of mass destruction and highly organized crime;

c) Declare the rule contained in article 4 of Organic Law no. 4/2017, of 25 August, unconstitutional, with general mandatory force, for violation of the provisions of article 34, no. 4, of the Constitution, with regard to access to traffic data involving intersubjective communication, and for violation of the provisions of articles 26, paragraph 1, and 35, paragraphs 1 and 4, in conjunction with article 18, paragraph 2, all of the Constitution, with regard to access to traffic data that do not involve intersubjective communication.