In a ruling handed down on October 2, 2018, the Court of Justice of the European Union (“CJEU”) held that law enforcement agencies are entitled to access certain categories of “non-serious” personal data held by mobile phone companies and other communications providers. Notably, the court found that the right to access this type of personal data—which includes first and last names and addresses—does not infringe the right to private life set out in Articles 7 and 8 of the European Charter of Fundamental Rights (the “Charter”).
The case originated from a police complaint lodged by a Spanish man, a Mr. Hernandez Sierra, in which he sought to recover a stolen cell phone. In February 2015, Mr. Hernandez Sierra had been the victim of a violent mugging during which he was injured and his wallet and phone were stolen. With no obvious leads, the Spanish police asked the local court to order several phone companies to provide details of any new telephone numbers associated with Mr. Hernandez Sierra’s handset, as well as data revealing the identity of the users of any newly activated SIM cards, including first names, last names and addresses.
The Spanish court refused to make the order, ruling that Spanish law limits the ability of the police to access personal data retained by electronic communications providers to the investigation of “serious offences” only. In Spain, “serious offences” are defined as those punishable by five or more years’ imprisonment, and the theft of Mr. Hernandez Sierra’s phone did not appear to constitute such an offence. The ruling was appealed, and, because the case appeared to engage fundamental rights under the Charter, the appeals court asked the CJEU for a preliminary ruling.
In its ruling, the CJEU confirmed that any accessing of personal data by law enforcement constitutes “interference” with the fundamental right to private life enshrined in Article 7 of the Charter, and with the fundamental right to the protection of personal data guaranteed in Article 8 of the Charter. The court ruled that, in order to be lawful, any such interference had to be “proportionate.” As such, and in accordance with the principle of proportionality, “serious” interference could be justified only in the prevention, investigation, detection and prosecution of “serious” criminal offences. Whilst this generally reflected the Spanish court’s position at first instance, the CJEU took its analysis of proportionality a step further, holding that when the interference in question is not serious, law enforcement may be justified in accessing personal data in the context of investigating all criminal offences, including low-value theft.
The CJEU was very careful to draw a line between different categories of personal data based on how much information about a person’s private life such data might reveal. In this case, the Spanish police had limited their requests to the names and addresses of individuals linked to Mr. Hernandez Sierra’s phone. The CJEU thought that access to this kind of data represented a “non-serious” level of interference. By contrast, the court suggested that if the requested information had included location data and details of calls and text messages, that would constitute “serious interference” and would only be proportionate in the context of a serious offence.
Under the EU’s new General Data Protection Regulation (“GDPR”), companies which process personal data (such as mobile phone service providers) are required to undertake a risk assessment and assign a risk rating to different types of personal information. The CJEU’s categorisation of personal information as “serious” or “non-serious” could therefore serve as a helpful guide for privacy professionals seeking to assess the risk profile of personal data processed under the GDPR.