On 07 September 2023, the Court of Justice of the European Union (“CJEU”) delivered its ruling in Case C-162/22 (Lietuvos Respublikos generalinė prokuratūra).
In essence, the CJEU was asked for a preliminary ruling on the interpretation of Article 15 (1) of the ePrivacy Directive in a case where, in order to demonstrate the misconduct in office by the data subject, a public prosecutor, the competent authorities used evidence obtained during criminal intelligence operations and data collected during two pre-trial investigations led by the public prosecutor in question. Specifically, the evidence used consisted in telephone communications between the data subject in the main proceedings and the suspect’s lawyer in the pre-trial investigation, as well as information transmitted over electronic communications networks.
According to the referring court, the issues raised by the data subject involve two elements: (i) access to data retained by providers of electronic communications services for purposes other than combating serious crime and preventing serious threats to public security; and (ii) once such access has been obtained, the use of those data in investigating corruption-related misconduct in office.
As main points, the CJEU highlighted that:
- the Charter precludes the general and indiscriminate retention of traffic and location data;
- the list of objectives justifying a limitation of the rights and obligations laid down in art. 15 of the ePrivacy Directive is exhaustive;
- the objective of safeguarding national security is capable of justifying measures entailing more serious interferences with fundamental rights;
- only action to combat serious crime and measures to prevent serious threats to public security are capable of justifying serious interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter, such as the interference entailed by the retention of traffic and location data;
- access and subsequent use of traffic and location data retained by providers may, in principle, be justified only by the public interest objective for which those providers were ordered to retain those data.
As follows, the CJEU concluded that:
- Article 15 (1) of the ePrivacy Directive precludes the use of personal data relating to electronic communications for investigations into corruption-related misconduct in office, data that have been retained by providers of electronic communications services and subsequently been made available to the competent authorities to combat serious crime.
The conclusion is in line with the Opinion of AG Campos Sánchez-Bordona (see also link). However, in comparison the CJEU did not find it necessary to interpret the provisions of Law Enforcement Directive (EU Directive 2016/680) in reaching such a conclusion.