Case C‑162/22
Proceedings brought by A.G
(Request for a preliminary ruling from the Lietuvos vyriausiasis administracinis teismas)
Judgment of the Court (First Chamber), 7 September 2023
(Reference for a preliminary ruling – Telecommunications – Processing of personal data in the electronic communications sector – Directive 2002/58/EC – Scope – Article 15(1) – Data retained by providers of electronic communications services and made available to authorities in charge of criminal proceedings – Subsequent use of those data in an investigation into misconduct in office)
Approximation of laws – Telecommunications sector – Processing of personal data and the protection of privacy in the electronic communications sector – Directive 2002/58 – Power of Member States to limit the scope of certain rights and obligations – National measures requiring providers of electronic communications services to retain, generally and indiscriminately, traffic and location data – Data made available to competent authorities for the purpose of combating serious crime – Subsequent use of those data in connection with investigations into corruption-related misconduct in office – Not permissible
(Charter of Fundamental Rights of the European Union, Arts 7, 8, 11 and 52(1); European Parliament and Council Directive 2002/58, Art. 15(1))
(see paragraphs 30-43, operative part)
Résumé
The Lietuvos Respublikos generalinė prokuratūra (Prosecutor General’s Office of the Republic of Lithuania) (‘the Prosecutor General’s Office’) opened an internal investigation into the appellant in the main proceedings, who at the time was a public prosecutor in a Lithuanian public prosecutor’s office, on the ground that there was reason to believe that he had, when leading a pre-trial investigation, unlawfully provided information pertaining to that pre-trial investigation to the suspect and his lawyer.
In its report on that investigation, the Prosecutor General’s Office found that the appellant in the main proceedings had in fact engaged in misconduct in office. According to that report, that misconduct in office was demonstrated by the evidence obtained during the internal investigation. In particular, information obtained during criminal intelligence operations and data collected during two pre-trial investigations confirmed telephone communications between the appellant in the main proceedings and the suspect’s lawyer in the pre-trial investigation led by the appellant in the main proceedings concerning the suspect. On the basis of that report, the Prosecutor General’s Office adopted two orders by which it imposed a penalty on the appellant in the main proceedings and dismissed him from service. The Vilniaus apygardos administracinis teismas (Regional Administrative Court, Vilnius, Lithuania), before which the appellant in the main proceedings brought an action for annulment of those two orders, dismissed that action on the ground, inter alia, that the criminal intelligence operations carried out in the present case were lawful and that the information gathered in accordance with the provisions of the Law on criminal intelligence (1) had been used lawfully to assess whether the appellant in the main proceedings had engaged in misconduct in office.
The appellant in the main proceedings brought an appeal before the Lietuvos vyriausiasis administracinis teismas (Supreme Administrative Court of Lithuania), the referring court in the present case, claiming that access by the intelligence bodies, in connection with a criminal intelligence operation, to traffic data and the actual content of electronic communications constituted such a serious interference with fundamental rights that, having regard to the provisions of the Directive on privacy and electronic communications (2) and the Charter of Fundamental Rights of the European Union (‘the Charter’), such access could be granted only for the purpose of combating serious crime. However, according to the appellant in the main proceedings, the Law on criminal intelligence (3) provides that such data may be used to investigate not only serious criminal offences, but also disciplinary misconduct or misconduct in office related to acts of corruption.
According to the referring court, the issues raised by the appellant in the main proceedings involve two elements: (i) access to data retained by providers of electronic communications services for purposes other than combating serious crime and preventing serious threats to public security; and (ii) once such access has been obtained, the use of those data in investigating corruption-related misconduct in office.
After recalling the conclusions drawn from the judgment in Privacy International (4) concerning the scope of the Directive on privacy and electronic communications, and those drawn from the judgment in Prokuratuur (Conditions of access to data relating to electronic communications) (5) so far as concerns the scope of the objective of preventing, investigating, detecting and prosecuting criminal offences, the referring court notes that the Court of Justice has not yet ruled on the impact of the subsequent use of the data concerned on the interference with fundamental rights. In those circumstances, the referring court harbours doubts as to whether such subsequent use must also be regarded as constituting such a serious interference with the fundamental rights enshrined in the Charter (6) that it can be justified only for the purposes of combating serious crime and preventing serious threats to public security, thus denying the possibility of using the data concerned for the investigation of corruption-related misconduct in office.
By its judgment, the Court clarifies the scope of its case-law stemming from the judgments in La Quadrature du Net and Others (7) and Commissioner of An Garda Síochána and Others, (8) holding that Article 15(1) of the Directive on privacy and electronic communications, read in the light of the Charter, (9) precludes the use, in connection with investigations into corruption-related misconduct in office, of personal data relating to electronic communications which have been retained, pursuant to a legislative measure adopted under that provision, by providers of electronic communications services and which have subsequently been made available, pursuant to that measure, to the competent authorities for the purpose of combating serious crime.
Findings of the Court
As regards the conditions under which traffic and location data relating to such communications may be used during an internal procedure concerning corruption-related misconduct in office, the Court recalls, first of all, that access to those data may be granted, pursuant to a measure adopted under Article 15(1) of the Directive on privacy and electronic communications, only in so far as those data have been retained by those providers in a manner that is consistent with that provision. Next, subsequent use of those data is possible only on condition, first, that the retention of those data by providers of electronic communications services was consistent with Article 15(1) of the Directive on privacy and electronic communications, as interpreted by the case-law of the Court, and, second, that the access to those data granted to the competent authorities was itself consistent with that provision.
As regards the objectives capable of justifying the use, by public authorities, of data retained by providers of electronic communications services pursuant to a measure in accordance with Article 15(1) of the Directive on privacy and electronic communications, read in the light of the Charter, the Court recalls that that provision enables the Member States to introduce exceptions to the obligation of principle to ensure the confidentiality of personal data, laid down in Article 5(1) of that directive, and to the corresponding obligations, referred to, inter alia, in Articles 6 and 9 of that directive, where such a restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security, defence and public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system. To that end, Member States may, inter alia, adopt legislative measures providing for the retention of data for a limited period justified on one of those grounds.
However, the Court recalls that Article 15(1) of the Directive on privacy and electronic communications cannot permit the exception to the obligation of principle to ensure the confidentiality of electronic communications and data relating thereto and, in particular, to the prohibition on storage of those data, laid down in Article 5 of that directive, to become the rule, if the latter provision is not to be rendered largely meaningless.
As regards the objectives that are capable of justifying a limitation of the rights and obligations laid down, in particular, in Articles 5, 6 and 9 of the Directive on privacy and electronic communications, the Court recalls that the list of objectives set out in the first sentence of Article 15(1) of that directive is exhaustive, as a result of which a legislative measure adopted under that provision must correspond, genuinely and strictly, to one of those objectives.
As regards the public interest objectives that may justify a measure taken pursuant to Article 15(1) of the Directive on privacy and electronic communications, the Court recalls that it is clear from its case-law, in particular from the judgments in La Quadrature du Net and Others and Commissioner of An Garda Síochána and Others, that, in accordance with the principle of proportionality, there is a hierarchy amongst those objectives according to their respective importance and that the importance of the objective pursued by such a measure must be proportionate to the seriousness of the interference that it entails. In that regard, the importance of the objective of safeguarding national security exceeds that of the other objectives referred to in Article 15(1) of the Directive on privacy and electronic communications, inter alia the objectives of combating crime in general, even serious crime, and of safeguarding public security. Subject to meeting the other requirements laid down in Article 52(1) of the Charter, the objective of safeguarding national security is therefore capable of justifying measures entailing more serious interferences with fundamental rights than those which might be justified by those other objectives.
As regards, more specifically, the objective of preventing, investigating, detecting and prosecuting criminal offences, the Court notes that, in accordance with the principle of proportionality, only action to combat serious crime and measures to prevent serious threats to public security are capable of justifying serious interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter, such as the interference entailed by the retention of traffic and location data. Accordingly, only non-serious interference with those fundamental rights may be justified by the objective of preventing, investigating, detecting and prosecuting criminal offences in general.
It follows from that case-law that the fight against serious crime and the prevention of serious threats to public security are of lesser importance in the hierarchy of objectives of public interest than the safeguarding of national security, but, by contrast, that their importance is greater than that of fighting crime generally and of preventing non-serious threats to public security. In that context, the Court nevertheless recalls that the question whether the Member States may justify a limitation on the rights and obligations laid down, inter alia, in Articles 5, 6 and 9 of the Directive on privacy and electronic communications must be assessed by measuring the seriousness of the interference entailed by such a limitation and by verifying that the importance of the public interest objective pursued by that limitation is proportionate to that seriousness.
Moreover, the Court recalls that access to traffic and location data retained by providers in accordance with a measure taken under Article 15(1) of the Directive on privacy and electronic communications, which must be given effect in full compliance with the conditions resulting from the case-law interpreting that directive, may, in principle, be justified only by the public interest objective for which those providers were ordered to retain those data. It is otherwise only if the importance of the objective pursued by access is greater than that of the objective which justified retention.
According to the Court, those considerations apply mutatis mutandis to the subsequent use of traffic and location data retained by providers of electronic communications services pursuant to a measure adopted under Article 15(1) of the Directive on privacy and electronic communications for the purpose of combating serious crime. Once they have been retained and made available to the competent authorities for the purpose of combating serious crime, such data cannot be transmitted to other authorities and used in order to achieve objectives, namely, in the present case, combating corruption-related misconduct in office, which are of lesser importance in the hierarchy of objectives of public interest than the objective of combating serious crime and preventing serious threats to public security. To authorise, in that situation, access to retained data and the use thereof would be contrary to that hierarchy of public interest objectives recalled above.