On October 2nd 2018, the European Court of Justice (ECJ) held a decision confirming the conditions of access to personal data retained by providers of electronic communications services by the police in the context of a criminal investigation.

  • Factual background

A Spanish citizen who was the victim of the robbery of his wallet and mobile telephone lodged a complaint with the police. For the purpose of the criminal investigation, the police requested to the investigating magistrate in charge of the case to grant them access to data identifying the users of telephone numbers activated with the stolen telephone during a period of 12 days as from the date of the robbery. This request was limited to their forename, surname and if need be their address. The request was rejected on the ground of Spanish law 25/2007 which restricts such access only when there is a ‘serious’ offence (i.e., offence punishable by a term of imprisonment of more than five years), which did not correspond to the facts at case.

The Ministerio Fiscal (Spanish Public Prosecutor’s Office) appealed against that decision before the Audiencia Provincial de Tarragona (Provincial Court, Tarragona, Spain) and sought guidance from the ECJ on fixing the threshold of seriousness of offences which would allow national police authority to access personal data retained by providers of electronic communications services.

  • Assessment of the proportionality principle and access to personal data by the police

The Court indicates that while national authorities’ access to personal data retained by providers of electronic communications services constitutes an interference with the fundamental rights of respect for private life and of protection of data enshrined in the EU Charter of Fundamental Rights (in Articles 7 and 8), such interference is not sufficiently serious in the case at hand to entail access being restricted to the objective of fighting serious crimes.

Indeed, the request of access made by the police:

  • does not concern the communications carried out on the stolen telephone or its location and therefore does not allow to draw precise conclusions concerning the private life of the persons whose data is concerned and
  • being limited to the forename, surname and address, it cannot be deemed a serious interference with the fundamental rights of the data subject.

Therefore, the Court concludes that as the interference that the access to personal data entails is deemed not serious, access to such data can be justified by the objective of preventing, investigating, detecting and prosecuting ‘criminal offences’ generally, without it being necessary that those criminal offences to which it relates be ‘serious’.

The conditions of access to personal data by the police for the purpose of investigations is always a sensitive question for companies who are requested to provide such information. This ruling gives some guidance on how to apply the proportionality principle to such request in a context where more and more countries are adopting laws broadening the power of authorities to fight criminal behaviors (e.g., the Cloud Act in the USA, the Assistance and Access Bill 2018 in Australia etc.).