OPINION OF ADVOCATE GENERAL
PIKAMÄE
delivered on 15 June 2023 (1)
Case C‑118/22
NG
Administrative proceedings
v
Direktor na Glavna direktsia ‘Natsionalna politsia’ pri MVR – Sofia,
third party:
Varhovna administrativna prokuratura
(Request for a preliminary ruling from the Varhoven administrativen sad (Supreme Administrative Court, Bulgaria))
(Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Directive (EU) 2016/680 – Articles 4, 5, 8, 10 and 16 – Retention of data of a natural person convicted of an intentional offence until his death – Natural person convicted by final judgment and subsequently rehabilitated – Refusal of the application for erasure – Necessity and proportionality of the interference in the fundamental rights enshrined in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union)
1. Should the retention of personal data in police records saddling the individual subject to the entry in the records with the status of permanently dangerous social deviant, potentially for his whole lifetime, be a cause for concern? Or is there rather cause to be grateful for those police records when investigators of unsolved old cases, now more commonly known as ‘cold cases’, are able to resolve them to the huge relief of victims’ families?
2. This case specifically forms part of that antagonistic debate which seeks to reconcile the public interest in combating crime with the individual’s interest in protection of his personal data and respect for his private life. It gives the Court the opportunity to rule on the question of treatment of such data for law-enforcement purposes from a temporal viewpoint, in the light of the relevant provisions of Directive (EU) 2016/680. (2)
I. Legal framework
A. EU law
3. Articles 4, 5, 8, 10 and 16 of Directive 2016/680 and Article 52(1) of the Charter of Fundamental Rights of the European Union (‘the Charter’) are relevant to the present case.
B. Bulgarian law
4. Article 26(1) and (2) of the Zakon za Ministerstvo na vatreshnite raboti (Law on the Ministry of the Interior, ‘the ZMVR’) provides:
‘(1) When processing personal data related to activities concerning the protection of national security, combating crime, maintaining public order and the conduct of criminal proceedings, the authorities of the Ministry of the Interior:
…
3. may process all necessary categories of personal data;
…
(2) The time limits for data retention referred to in paragraph 1 or the time limits for a periodic review of the need to store such data shall be determined by the Ministry of the Interior. Those data shall be erased pursuant to a judicial decision or a decision by the Personal Data Protection Commission.’
5. Article 27 of the ZMVR states:
‘Data taken from a person’s entry in the police records made pursuant to Article 68 shall be used only in connection with safeguarding national security, combating crime and maintaining law and order.’
6. Article 68 of the ZMVR provides as follows:
‘(1) The police authorities shall create a police record of persons who are accused of an intentional criminal offence subject to public prosecution. The authorities responsible for the investigation shall adopt the measures required for the creation of the record by the police authorities.
(2) The creation of the police record is a form of processing of personal data of the persons referred to in paragraph 1, which shall be carried out in accordance with the requirements of this Law.
(3) For the purposes of creating a police record, the police authorities shall:
1. collect the personal data set out in Article 18 of the [Zakon za balgaskite lichni dokumenti] (Law on Bulgarian identity documents);
2. take a person’s fingerprints and photograph him or her;
3. take samples to create a person’s DNA profile.
…
(6) The entry in the police records shall be erased pursuant to a written order by the personal data processing controller or by officials authorised by the controller for that purpose, of his or her own motion or following a written and reasoned application by the recorded person, where:
1. the record was created in breach of the law;
2. the criminal proceedings are discontinued, except in the cases referred to in Article 24(3) of the [Nakazatelno-protsesualen kodeks (Code of Criminal Procedure)];
3. the criminal proceedings resulted in an acquittal;
4. the person was exempted from criminal liability and an administrative penalty was imposed on that person;
5. the person is deceased, in which case the application may be made by that person’s heirs.
(7) The procedure for making and erasing an entry in the police records shall be determined by a regulation of the Council of Ministers.’
II. Facts, procedure and the question referred
7. An entry in the police records was made in respect of NG in the course of a criminal investigation for failing to tell the truth as a witness, which is a criminal offence under Article 290(1) of the Nakazatelen Kodeks (Criminal Code). Following those proceedings, a criminal charge was brought against him on 2 July 2015 and, by judgment of 28 June 2016, confirmed on appeal by judgment of 2 December 2016, he was found guilty and given a one year suspended sentence. By 14 March 2018, he had served his sentence.
8. On 15 July 2020, NG applied to the relevant district authority of the Ministerstvo na vatreshnite raboti (Ministry of the Interior, Bulgaria) for the erasure of the entry in the police records and enclosed a certificate of good behaviour, which confirmed that he was not the subject of a conviction.
9. By decision of 2 September 2020, the relevant administrative authority refused that application on the ground that, even in a case where rehabilitation had taken place within the meaning of Article 85 of the Criminal Code, a final conviction was not one of the grounds for erasure of an entry in the police records which are exhaustively listed in Article 68(6) of the ZMVR. On 8 October 2020, NG brought an action against that decision before the Administrativen sad Sofia grad (Administrative Court, Sofia, Bulgaria). By decision of 2 February 2021, that court dismissed the action.
10. NG brought an appeal against the decision of the Administrativen sad Sofia grad before the Varhoven administrativen sad (Supreme Administrative Court, Bulgaria). The main ground of the appeal alleges breach of the principle, inferred from Articles 5, 13 and 14 of Directive 2016/680, that there cannot be an indefinite period for the processing of personal data by way of storage. In the absence of a legal ground for the erasure of an entry in the police records following rehabilitation, a convicted person is not able to request the erasure of his or her personal data collected in connection with the criminal offence in respect of which he or she has served the sentence, with the result that the storage of that data is for an unlimited period.
11. Harbouring doubts as to whether the national legislation governing the police records at issue complies with EU law, the referring court decided to stay the proceedings in the main case and to refer the following question to the Court of Justice for a preliminary ruling:
‘Does the interpretation of Article 5 in conjunction with Article 13(2)(b) and (3) of [Directive 2016/680], permit national legislative measures which lead to a virtually unrestricted right of competent authorities to process personal data for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and/or to the elimination of the data subject’s right to have the processing of his or her data restricted or to have them erased or destroyed?’
III. The procedure before the Court
12. The Bulgarian, Czech, Irish, Spanish and Polish Governments and the European Commission have submitted written observations. The applicant in the main proceedings and the Bulgarian, Irish, Spanish, Netherlands and Polish Governments and the Commission also presented oral argument during a hearing which took place on 7 February 2023.
IV. Analysis
A. The applicability of Directive 2016/680
13. It is apparent from the request for a preliminary ruling that the referring court takes it as read that the national legislation at issue comes within the scope ratione materiae of Directive 2016/680, a position which to my mind calls for a number of observations.
14. In accordance with a combined reading of Article 1(1) and Article 2(1) of Directive 2016/680, the directive applies to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. Article 2(3)(a) of Directive 2016/680 excludes from its scope the processing of personal data ‘in the course of an activity which falls outside the scope of Union law’. Recitals 12 and 14 of that directive define more closely the content of that exception of inapplicability by stating that it covers, inter alia, activities concerning national security, as opposed to those concerning the maintenance of law and order as a task conferred on the police or other law-enforcement authorities where necessary to safeguard against and prevent threats to public security and to fundamental interests of the society protected by law which may lead to a criminal offence.
15. Interpreting Article 2(2)(a) of Regulation (EU) 2016/679 (3) providing for an exception to the applicability of that regulation in terms identical to those of Article 2(3)(a) of Directive 2016/680, the Court held that that first provision, read in the light of recital 16 of that regulation, must be regarded as being designed solely to exclude from the scope of that regulation the processing of personal data carried out by State authorities in the course of an activity which is intended to safeguard national security or of an activity which can be classified in the same category, with the result that the mere fact that an activity is an activity characteristic of the State or of a public authority is not sufficient ground for that exception to be automatically applicable to such an activity. It stated that the activities having the aim of safeguarding national security encompass, in particular, those that are intended to protect essential State functions and the fundamental interests of society. (4)
16. In the present case, the data have been recorded and retained by the police pursuant to Article 68 of the ZMVR in accordance with Article 27 of that law for the purposes of safeguarding national security, combating crime and maintaining public order. It therefore appears that the police records at issue constitute a unique and hybrid database, since they contain information which may be processed for distinct purposes including that of safeguarding national security, which does not fall within the material scope of Directive 2016/680. In those circumstances, the lawfulness of retaining the data contained in such records cannot be examined in the light of the requirements of that directive in so far as those data are used only for the purposes referred to in Article 1(1) of that directive, which is a matter for the referring court to verify. (5) On the basis of the documents before the Court, it does not appear that the retention of NG’s data in the police record, which he seeks to have erased, can be regarded as data processing falling outside the material scope of Directive 2016/680.
17. It must be pointed out, at this stage, that the national legislation at issue in the main proceedings has already been the subject of a judgment of the Court in response to a question by a Bulgarian court responsible for assessing the refusal of a person accused of committing a tax fraud offence to consent to the collection of her data. The Court ruled, inter alia, on the lawfulness of the collection of the data in the light of Article 10 of Directive 2016/680, holding that that article, read in conjunction with Article 4(1)(a) to (c) and Article 8(1) and (2) thereof, must be interpreted as precluding national legislation which provides for the systematic collection of biometric and genetic data of any person accused of an intentional offence subject to prosecution ex officio in order for them to be entered in a record, without laying down an obligation on the competent authority to verify whether and demonstrate that, first, their collection is strictly necessary for achieving the specific objectives pursued and, second, those objectives cannot be achieved by measures constituting a less serious interference with the rights and freedoms of the person concerned. (6) The present case requires the Court to examine the lawfulness of a distinct interference, namely the retention of information relating to natural persons convicted of a criminal offence identified by their forename and surname in the police record at issue, which constitutes a processing of personal data carried out by a competent authority for the purposes of the prevention, investigation or detection of criminal offences, namely, the Bulgarian Ministry of the Interior, within the meaning of Article 3(1) and (2) and Article 3(7)(a) of Directive 2016/680.
B. Reformulation of the question referred for a preliminary ruling
18. As a preliminary point, it must be recalled that, in the procedure that Article 267 TFEU lays down for cooperation between national courts and the Court of Justice, it is for the latter to provide the national court with an answer which will be of use to it and enable it to determine the case before it. To that end, the Court should, where necessary, reformulate the questions referred to it. The Court has a duty to interpret all provisions of EU law which national courts require in order to decide the actions pending before them, even if those provisions are not expressly indicated in the questions referred to the Court by those courts. (7)
19. The facts of the case in the main proceedings concern an application for the erasure of the entry of personal data in the police record made by a natural person who, after being convicted of perjury, served his sentence and was rehabilitated on 14 March 2020, or almost five years after the aforementioned entry was made. That application was rejected by decision of the competent national authority, confirmed at first instance by decision of the Administrativen sad Sofia grad (Administrative Court, Sofia), itself the subject of an appeal before the referring court, which harbours doubts as to the compatibility of the national legislation with Directive 2016/680 as regards the issue of the retention of data in the police record. The case in the main proceedings therefore clearly concerns the right to erasure of personal data without undue delay, as provided for in Article 16(2) of Directive 2016/680, where processing infringes the provisions adopted pursuant to Article 4, 8 or 10 of that directive, or where personal data must be erased in order to comply with a legal obligation to which the controller is subject.
20. Article 4(1)(c) and (e) of Directive 2016/680 provides that Member States must ensure that, in accordance with the principles respectively of data minimisation and restriction of data retention, personal data are adequate, relevant and not excessive in relation to the purposes for which they are processed and kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed. (8) Article 8 of that directive governs the lawfulness of processing, which is conditional on the processing being necessary for the performance of a task carried out by a competent authority for the purposes set out in Article 1(1) of that directive and on a legal basis in European or national law, the latter having to specify at least the objectives of processing, the personal data to be processed and the purposes of the processing. Finally, Article 10 of Directive 2016/680 determines the legal regime applicable to processing of special categories of personal data, such as the biometric and genetic data used in the police record for the purpose of uniquely identifying a natural person.
21. It must be stated that the provisions mentioned in the previous paragraph are not referred to in the question for a preliminary ruling, although they are manifestly relevant for the purposes of the answer which the Court is required to give in the present case. The referring court requested the interpretation of Article 5 and of Article 13(2)(b) and (3) of Directive 2016/680 which are not included in the provisions expressly mentioned in Article 16(2) of that directive, whose infringement by national legislation justifies the exercise of the right to erasure accorded to the person concerned. However, that right is also recognised where the data must be erased in order to comply with a legal obligation imposed on the controller of the processing, which is capable of fitting the situations provided for in Article 5 and in Article 13(2)(b) of that directive, namely and respectively: the establishment of maximum time limits for data retention or for periodic reviews of the need for such retention (9) and the provision by the controller to the data subject, in specific cases, of additional information to that referred to in Article 13(1) in order to enable that person to exercise his or her rights. On the other hand, Article 13(3) concerns the possibility for Member States of adopting, under certain conditions, legislative measures delaying, restricting or even omitting the provision of information to the data subject pursuant to paragraph 2, which cannot release the controller from a legal obligation imposed on him or her.
22. In any event, it is not apparent from the order for reference that the matter of informing NG of his rights was raised in the proceedings in the main case, since the person concerned was manifestly able to exercise them as demonstrated by the action which he brought before the administrative and judicial authorities regarding the retention of his data. The question before the Court does not therefore appear to require interpretation of Article 13(2)(b) and (3) of Directive 2016/680. Rather, it is, in particular, Article 16(2) of Directive 2016/680 and Articles 4, 5, 8 and 10 thereof which are at issue in the case in the main proceedings.
23. Moreover, as stated in recital 104, Directive 2016/680 respects the fundamental rights and observes the principles recognised in the Charter as enshrined in the TFEU, in particular the right to respect for private and family life and the right to the protection of personal data. According to recital 46 of that directive, any restriction of the rights of the data subject must comply with the Charter and with the European Convention on Human Rights and Fundamental Freedoms, signed in Rome on 4 November 1950 (‘the ECHR’), as interpreted in the case-law of the Court of Justice and of the European Court of Human Rights (‘the ECtHR’) respectively, and in particular respect the essence of those rights and freedoms. It should be borne in mind that the fundamental rights to respect for private life and to the protection of personal data guaranteed by Articles 7 and 8 of the Charter are not absolute rights, but must be considered in relation to their function in society and be weighed against other fundamental rights. Limitations may therefore be imposed, so long as, in accordance with Article 52(1) of the Charter, they are provided for by law, respect the essence of the fundamental rights and observe the principle of proportionality. Under the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the European Union or the need to protect the rights and freedoms of others. They must apply only in so far as is strictly necessary and the legislation which entails the interference must lay down clear and precise rules governing the scope and application of the measure in question. (10)
24. In those circumstances, it must be concluded that the referring court asks, in essence, whether Articles 4, 5, 8, 10 and Article 16(2) of Directive 2016/680, read in conjunction with and in the light of Article 52(1) of the Charter, must be interpreted as meaning that they preclude national legislation providing for the retention of personal data in a police record, including the biometric and genetic data of the person concerned, until that person’s death, and which does not allow that person to obtain the erasure of those data following that person’s rehabilitation after his/her criminal conviction (11)
C. Retention of personal data for law-enforcement purposes
25. Before examining the compatibility of the national legislation concerning the police record at issue, I must address the issue of data retention for law-enforcement purposes in the light of certain provisions of Directive 2016/680 and of the case-law of the Court of Justice and of the ECtHR.
26. First of all, it should be noted that Directive 2016/680 is intended to contribute to the accomplishment of an area of freedom, security and justice within the European Union, while establishing a strong and coherent framework for the protection of personal data in order to ensure respect for the fundamental right of protection of natural persons with regard to the processing of personal data recognised in Article 8(1) of the Charter and Article 16(1) TFEU, since that right is closely connected with the right of respect for private and family life enshrined in Article 7 of the Charter. (12) To that end, Chapters II and III of Directive 2016/680 set out, respectively, the principles governing the processing of personal data and the rights of the data subject which all processing of such data must observe. In particular, all processing of personal data must comply with the principles relating to processing of data and the conditions governing lawfulness of processing listed in Articles 4 and 8 of that directive. Since those requirements constitute an expression of the requirements arising from Article 52(1) of the Charter, they must be interpreted in the light of that article. (13)
27. In the answer to be given to the referring court, account should therefore be taken of the principle of ‘data minimisation’ in Article 4(1)(c), of Directive 2016/680 which gives expression to the principle of proportionality. (14) The same applies to the principle of storage limitation, set out in Article 4(1)(e) of that directive, which involves assessing the proportionality of the treatment in relation to its purpose, in the light of the time that has elapsed. The retention of data for a period that is longer than necessary, that is to say, for longer than is necessary for the purposes for which the data have been retained, will contravene that principle. (15) It follows from this that even initially lawful processing of data may, in the course of time, become incompatible with Directive 2016/680 where those data are no longer necessary for the achievement of those purposes and that they must be erased when those purposes have been achieved. (16)
28. The temporal issue of data retention is also addressed in Article 5 of Directive 2016/680 in the form of a supplement to and clarification of the requirements of Article 4 thereof. (17) As stated in recital 26 of that directive, in order to ensure that the data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. It must be stated that Article 5 of Directive 2016/680, first, leaves it to the Member States to assess and establish the relevant storage period and, second, provides for a periodic review of the need for storage of the data as an alternative to the a priori establishment of a maximum storage period. In my view, that second observation is of some importance in this case, since it reflects the EU legislature’s recognition of the possibility that data might be stored for an indefinite period for law-enforcement purposes. (18) That observation must be linked to the wording of Article 16(3) of Directive 2016/680, which provides for the possibility of restricting the processing of data as an alternative to their erasure, in particular in point (b) thereof, where the personal data must be maintained ‘for the purposes of evidence’, which shows that there is no absolute right to erasure. (19)
29. The question of the lawfulness of the data retention includes, necessarily, that of the nature of the data, which in this case covers, in particular, fingerprints, photographs and a DNA sample of the person suspected of having committed an offence or of having been convicted of a crime in that connection, since the processing of that type of data falls within the scope of Article 10 of Directive 2016/680. It must be emphasised that, although the legal conditions laid down in that provision do not, unlike those laid down in Article 9 of the GDPR, contain the prohibition in principle of processing of that data, such processing is allowed ‘only where strictly necessary’, subject to appropriate safeguards for the rights and freedoms of the data subject, and where they are, in particular, authorised by Union or Member State law.
30. According to the case-law, the purpose of Article 10 of Directive 2016/680 is to ensure enhanced protection with regard to that processing, which, because of the particular sensitivity of the data at issue and the context in which they are processed, is liable, as is apparent from recital 37 of the directive, to create significant risks to fundamental rights and freedoms, such as the right to respect for private life and the right to the protection of personal data, guaranteed by Articles 7 and 8 of the Charter. As follows from the very terms in which it is set out in Article 10 of Directive 2016/680, the requirement that the processing of such data be allowed ‘only where strictly necessary’ must be interpreted as establishing strengthened conditions for lawful processing of sensitive data, compared with those which follow from Article 4(1)(b) and (c) and Article 8(1) of that directive and refer only to the ‘necessity’ of data processing that falls generally within the directive’s scope. Thus, first, the use of the adverb ‘only’ before the words ‘where strictly necessary’ underlines that the processing of special categories of data, within the meaning of Article 10 of Directive 2016/680, will be capable of being regarded as necessary solely in a limited number of cases. Second, the fact that the necessity to process such data is to be assessed ‘strictly’ entails that that necessity is to be assessed with particular rigour. (20)
31. Second, I note that, although the Court has already frequently ruled on the question of the lawfulness of data retention for law-enforcement purposes, it has done so in legislative and factual contexts quite different from the context of the present case. Thus, the Court held (21) that the EU law arising from Directive 2002/58/EC, (22) from which it follows that the users of electronic communications services are entitled to expect, in principle, that their communications and data relating thereto will remain anonymous and may not be recorded, unless they have agreed otherwise, precludes general and indiscriminate retention, on a preventive basis, of traffic and location data for the purposes of combating crime, however serious, since such retention is permitted, under certain conditions, only in the case of a serious, genuine and present or foreseeable threat to national security. It added that EU law does not preclude, on the other hand, measures providing, for the purposes of combating serious crime, for the general and indiscriminate retention of data relating to the civil identity of users or, for a period that is limited in time to what is strictly necessary, of their IP addresses, for the targeted retention of data which is limited, on the basis of objective and non-discriminatory factors, according to the categories of persons concerned or using a geographical criterion, for a period that is limited in time to what is strictly necessary, but which may be extended or, for a specified period of time, for the expedited retention of data in the possession of service providers, provided that those measures ensure, by means of clear and precise rules, that the retention of data at issue is subject to compliance with the applicable substantive and procedural conditions and that the persons concerned have effective safeguards against the risks of abuse.
32. The Court has also made use of the criterion of compliance with the limits of what is strictly necessary for the processing of personal data in the context of the transfer, retention and use of data contained in passenger name records of extra-EU flights established by air carriers (‘PNR data’) with a view to preventing and detecting terrorist offences and serious crime. (23) The Court has had occasion to point out that, since the period during which the PNR data may be retained may, under the EU-Canada PNR agreement, last for up to five years, that agreement makes it possible for information on the private lives of air passengers to be available for a particularly long period of time and that, as regards air passengers in respect of whom no risk relating to terrorism or serious transnational crime has been identified on their arrival in Canada and up to their departure from that non-member country, there would not appear to be, once they have left, a connection – even a merely indirect connection – between their PNR data and the objective pursued by the envisaged agreement which would justify that data being retained. It therefore concluded that the continued storage of the PNR data of all air passengers after their departure from Canada for the purposes of possibly accessing that data, regardless of whether there is any link with combating terrorism and serious transnational crime, was not justified. (24)
33. The Court has ruled, in the context of a reference for a preliminary ruling, on the validity and interpretation of Directive (EU) 2016/681, (25) which obliges air carriers to transfer the data of any passenger on an extra-EU flight operated between a third country and the European Union to the passenger information unit of the Member State of destination or of departure of the flight concerned in order to combat terrorism and serious crime. The PNR data thereby transferred are subject to a prior assessment by the passenger information unit for a period of six months and are subsequently retained for five years with a view to any further assessment by the competent authorities of the Member States which may lead to analyses carried out over a considerable – even indefinite – period of time in the case of persons who travel by air more than once every five years. The Court concluded that that directive entails undeniably serious interferences with the rights guaranteed in Articles 7 and 8 of the Charter, in so far, inter alia, as it seeks to introduce a surveillance regime that is continuous, untargeted and systematic, including the automated assessment of the personal data of everyone using air transport services, whilst lending itself to an interpretation that is consistent with Articles 7, 8 and 21 as well as Article 52(1) of the Charter. The Court stated that, after the expiry of the initial retention period of six months, the retention of PNR data does not appear to be limited to what is strictly necessary with regard to air passengers for whom neither the advance assessment nor any verification carried out during the initial retention period of six months, nor any other circumstance have revealed the existence of objective evidence capable of establishing a risk that relates to terrorist offences or serious crime having an objective link, even if only an indirect one, with those passengers’ air travel. On the other hand, it held that the retention, during the initial period of six months, of the PNR data of all air passengers subject to the system established by that directive does not appear, as a matter of principle, to go beyond what is strictly necessary.
34. In contrast to the case-law referred to above, it must be pointed out, first, that, contrary to what is established with regard to data processing in Directive 2002/58, (26) the consent of the data subject does not constitute a legal basis for processing of personal data by the competent authorities for the purposes of the objectives set out in Article 1(1) of Directive 2016/680. As stated in recital 35 thereof, the performance of the tasks of preventing, investigating, detecting or prosecuting criminal offences institutionally conferred by law to the competent authorities allows them to require or order natural persons to comply with requests made. Second, the present case does not concern retention and automated analysis of an ‘ocean of data’ (27) generated in the electronic communications or air transport sectors, stored by private operators and transferred to investigation services, but a single police record containing data of persons in respect of whom there are serious grounds for believing that they have committed an offence and who have been accused and criminally convicted, which is under the exclusive control of a public authority and strictly confidential.
35. In my view, the specific nature of the legislative and factual context of the above case-law precludes the pure and simple transposition of the approaches adopted therein to the answer to be given to the present question for a preliminary ruling, with respect, in particular, to the distinction between the objectives of data retention (safeguarding national security, combating serious crime or offences not falling within that category) and the necessary correlation between the importance of those objectives and the degree of seriousness of the interferences in fundamental rights which might be justified. (28) In other words, the statement that combating criminality in general may justify solely non-serious interferences(29) cannot be adopted in this case, since it would greatly reduce the effectiveness of Directive 2016/680 and of the national instruments of investigation/public security, such as the police record at issue, falling within the scope of that legislation, which specifically aims to address the need to be able to process data in a proportionate manner for policing purposes. It should be noted that, as is apparent from recitals 10 and 11 of Directive 2016/680, the EU legislature sought to adopt rules which take account of the specific nature of the field to be covered by that directive. In that regard, recital 12 states that the activities carried out by the police or other law-enforcement authorities are focused mainly on the prevention, investigation, detection or prosecution of criminal offences, without giving further details, including police activities without prior knowledge whether an incident is a criminal offence or not.(30)
36. Third, it should be noted that Article 7 of the Charter, regarding the right to respect for private and family life, contains rights corresponding to those guaranteed in Article 8(1) of the ECHR, and that the protection of personal data is of fundamental importance to a person’s enjoyment of his or her right to respect for private and family life, as guaranteed by Article 8 of the ECHR. In accordance with Article 52(3) of the Charter, Article 7 of the Charter is thus to be given the same meaning and the same scope as Article 8(1) of the ECHR, as interpreted by the case-law of the ECtHR. (31)
37. The ECtHR considers that personal data protection plays a primordial role in the exercise of a person’s right to respect for his private life enshrined in Article 8 of the ECHR and that the mere fact of storing data relating to the private life of an individual amounts to an interference within the meaning of that Article 8, regardless of whether the stored information is subsequently used. According to that court, national law should, in particular, ensure that such data are relevant and not excessive in relation to the purposes for which they are stored, and preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which those data are stored. National law should also comprise safeguards capable of effectively protecting the personal data recorded against inappropriate and wrongful use, while providing a practical means of lodging a request for the deletion of the data stored. The ECtHR took care to state, however, that it fully realises that in order to protect their population as required, national authorities can legitimately set up databases as an effective means of helping to punish and prevent certain offences, including the most serious types of crime. However, such facilities cannot be implemented as part of an abusive drive to maximise the information stored in them and the length of time for which they are kept. (32) On that last point, the ECtHR considers that the absence of a maximum time limit for the storage of the personal data of convicted persons is not necessarily incompatible with Article 8 of the ECHR, but that the existence and functioning of certain procedural safeguards are all the more necessary in that situation. (33)
D. Interference in the fundamental rights guaranteed in Articles 7 and 8 of the Charter
38. As is apparent from Article 68 of the ZMVR and from the observations submitted by the Bulgarian Government at the hearing, the data covered by the national legislation include, inter alia, the civil status of the persons concerned, the reprehensible acts which that person is suspected of having committed or for which that person was convicted, as well as the person’s fingerprints, photographs and DNA samples for profiling purposes. Since the data therefore includes information on identified individuals, the various forms of processing to which the data may be subject affect the fundamental right to respect for private life guaranteed in Article 7 of the Charter. Furthermore, the processing of the data covered by the national legislation also falls within the scope of Article 8 of the Charter because it constitutes the processing of personal data within the meaning of that article and, accordingly, must necessarily satisfy the data protection requirements laid down in that article. (34)
39. Like the ECtHR, according to which the mere fact of storing data relating to the private life of an individual amounts to an interference within the meaning of Article 8 of the ECHR, (35) the Court considers that the retention of data constitutes, in itself, an interference with the fundamental rights to the respect for private life and the protection of personal data, enshrined in Articles 7 and 8 of the Charter, irrespective of whether the information in question relating to private life is sensitive, whether the persons concerned have been inconvenienced in any way on account of that interference, or, furthermore, whether the data retained will or will not be used subsequently. (36)
40. The seriousness of the interference constituted by retention is established in the light of the nature of certain data, particularly the biometric and genetic data contained in the police record, since the Court has described the risks posed by the processing of sensitive data to the rights and freedoms of data subjects as significant, in particular in the context of the tasks of the competent authorities for the purposes set out in Article 1(1) of Directive 2016/680. (37) In that regard, it is stated in recital 23 of that directive that, considering the complexity and sensitivity of genetic information, there is a great risk of misuse and re-use for various purposes by the controller. As regards recital 51 of that directive, it states that the risk to the rights and freedoms of natural persons may result from data processing which could lead to physical, material or non-material damage, in particular where genetic data or biometric data are processed in order to uniquely identify a person or where data concerning criminal convictions and offences are processed.
41. The retention period of the data in the police record also contributes to the establishment of the seriousness of the interference, in that such retention is possible for the lifetime of the convicted person. Finally, it follows from Article 26(6) of the ZMVR that personal data may be transferred to competent authorities and recipients in Member States of the European Union, bodies, offices and agencies of the European Union, third countries or international organisations. It should be borne in mind in that regard that the aim of Directive 2016/680 is to facilitate the free flow of personal data between the competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security within the Union and the transfer of such personal data to third countries and international organisations, in order to ensure effective judicial cooperation in criminal matters and police cooperation. (38) In that regard, it should be recalled that the right to the protection of personal data requires, inter alia, that the high level of protection of fundamental rights and freedoms conferred by EU law continues where personal data is transferred from the European Union to a non-member country. (39)
42. In the light of all the foregoing considerations, it must be concluded that the national legislation at issue in the main proceedings entails undeniably serious interferences with the rights guaranteed in Articles 7 and 8 of the Charter, in so far, inter alia, as it seeks to introduce a means of continuous retention of sensitive data, which may cross the borders of the State concerned, of persons convicted of a criminal offence.
E. Justification of interference
43. As was explained above, the fundamental rights enshrined in Articles 7 and 8 of the Charter do not appear to be absolute rights and it is apparent from Article 52(1) of the Charter that the Charter allows limitations to be placed on the exercise of those rights, provided that those limitations are provided for by law, that they respect the essence of those rights and that, in compliance with the principle of proportionality, they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others. (40) According to recital 26 of Directive 2016/680, the law-enforcement authorities may carry out activities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, as long as they are laid down by law and constitute a necessary and proportionate measure in a democratic society with due regard for the legitimate interests of the natural person concerned.
44. As regards compliance with the principle of proportionality, it should be borne in mind that the protection of the fundamental right to privacy requires, according to the settled case-law of the Court, that derogations from and limitations on the protection of personal data must apply only in so far as is strictly necessary, it being understood that where there is a choice between several measures appropriate to meeting the legitimate objectives pursued, recourse must be had to the least onerous. In addition, an objective of general interest may not be pursued without having regard to the fact that that objective must be reconciled with the fundamental rights affected by the measure, through a proper balancing of the objective of general interest against the rights at issue, in order to ensure that the disadvantages caused by that measure are not disproportionate to the aims pursued. Thus, the question whether a limitation on the rights guaranteed in Articles 7 and 8 of the Charter may be justified must be assessed by measuring the seriousness of the interference which such a limitation entails and by verifying that the importance of the objective of general interest pursued by that limitation is proportionate to that seriousness.(41)
1. Observance of the principle of legality
45. The requirement that any limitation on the exercise of fundamental rights must be provided for by law implies that the legal basis which permits the interference with those rights must itself define the scope of the limitation on the exercise of the right concerned. In that regard, the Court has held, moreover, that legislation entailing a measure allowing such interference must lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards, so that the persons whose personal data has been transferred have sufficient guarantees that those data will be effectively protected against the risk of abuse. Therefore, the legal basis of all processing of personal data falling within the scope of Directive 2016/680 should, as the EU legislature emphasised in recital 33 thereof, be clear and precise and its application foreseeable for those subject to it. In particular, the data subjects must be able to identify in what circumstances and on what conditions the scope of the rights conferred on them by that directive can be restricted. (42)
46. The examination of the national legislation at issue, which was provided in the order for reference and supplemented by the Bulgarian Government’s observations, makes it possible, in my view, to conclude that the requirement relating to the ‘quality’ of the law has been met, bearing in mind that that requirement does not preclude the limitation in question from being formulated in terms which are sufficiently open to be able to adapt to different scenarios and keep pace with changing circumstance. (43)
47. It therefore appears that the entry and retention of data in the police records have the exhaustive purposes, according to Article 27 of the ZMVR, of protecting national security, combating crime and maintaining public order, the aim of such processing being to facilitate the operational investigation activity described in detail in Article 8 of that legislation.(44) The extent of the processing as regards the nature of the offences established by that activity, the data concerned, the conditions of their collection, the databases in which they are processed and the duration of their retention is determined with sufficient precision in Article 68 of the ZMVR and in Article 28 of the Naredba za reda za izvarshvane i snemane na politseyska registratsia (Regulation relating to the making and removal of entries in the police record, ‘the ‘NRISPR’). The national legislation lays down, explicitly and in accordance with recital 26 of Directive 2016/680, procedures for preserving the integrity and confidentiality of personal data and procedures for their destruction by means of information provided to the data subject, in accordance with Articles 54 and 55 of the zakon za zashtita na lichnite danni (Law on the protection of personal data), in particular regarding the data subject’s right to apply to the data controller for access to the data or for their amendment or erasure. In that regard, the grounds for erasure, the procedure and the purposes of it are stated in Article 68 of the ZMVR and in Article 18 et seq. of the NRISPR. Those provisions are formulated with sufficient precision and clarity to enable the citizen to adjust his conduct accordingly, and so comply with the requirement of foreseeability laid down in the case-law of the ECtHR. (45)
2. Respect for the essence of the fundamental rights guaranteed in Articles 7 and 8 of the Charter
48. As regards the essence of the fundamental right to respect for private life enshrined in Article 7 of the Charter, the nature of the information contained in the police record is limited to a specific aspect of that private life relating to the criminal past of the person concerned, which does not allow conclusions to be drawn in general about the private life of that person, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, and the social relationships of and social environments frequented by that person and, thereby, to establish a profile of that individual. As regards the essence of the right to protection of personal data, enshrined in Article 8 of the Charter, the foregoing developments show that the national legislation at issue limits the purposes of the data processing and lays down an exhaustive list of the data retained and of the rules designed to ensure that they can be accessed, amended or erased. In those circumstances, the interference entailed in the data retention provided for in that legislation does not undermine the essence of the fundamental rights enshrined in the aforementioned articles. (46)
3. The objective of general interest and the appropriateness of the data processing at issue in the light of that objective
49. As stated in this Opinion, the data from the entry of persons in police records made pursuant to Article 68 of the ZMVR are used for the purposes of safeguarding national security, combating crime and maintaining public order. The Bulgarian Government has stated that the data are collected and processed for the purposes of the criminal proceedings in which the person concerned has been examined and in order to be compared with other data collected during investigations relating to other offences. The latter purpose also concerns comparison with data collected in other Member States. (47)
50. According to the Bulgarian Government, that processing falls within the operational investigation activity described in Article 8 of the ZMVR, the purposes of which are defined as follows: the prevention and detection of criminal offences, threats to national security or public order; searching for persons who are evading their criminal liability or who have evaded enforcement of a penalty for criminal offences subject to public prosecution, and searching for persons who have disappeared; searching for objects or instruments used to commit a criminal offence or which can be used as evidence; as well as the preparation and retention of material evidence and its submission to the competent judicial authorities.
51. The Court has stated that the objective of protection of public security constitutes an objective of general interest of the European Union that is capable of justifying even serious interferences with the fundamental rights enshrined in Articles 7 and 8 of the Charter. Moreover, such protection also contributes to the protection of the rights and freedoms of others. In this connection, Article 6 of the Charter states that everyone has the right not only to liberty but also to security of the person and guarantees rights corresponding to those guaranteed in Article 5 of the ECHR. (48) In the case concerning the compatibility of the collection of data stored in the same Bulgarian police records, the Court clearly concluded that such processing concerning persons accused in a criminal procedure, in order for them to be entered in a record, pursues purposes set out in Article 1(1) of Directive 2016/680, in particular those relating to the prevention, investigation, detection and prosecution of criminal offences, which constitute objectives of general interest recognised by the European Union. It added that such collection may contribute to the objective set out in recital 27 of Directive 2016/680, which states that, for the prevention, investigation and prosecution of criminal offences, it is necessary for competent authorities to process personal data collected in the context of the prevention, investigation, detection or prosecution of specific criminal offences beyond that context in order to develop an understanding of criminal activities and to make links between different criminal offences detected. (49) Those considerations clearly apply to the data retention measure.
52. It seems to me difficult to dispute that the retention of the data in police records is a form of processing which enables the objectives of detecting, and consequently, of preventing criminal offences to be achieved. It is obvious that police records containing civil identities, photographs, biometric and genetic data and therefore the unique and unfalsifiable personal physical characteristics of the individuals identified are an investigative tool wholly relevant to the work of the security services for the purposes of shedding light on offences and identifying their perpetrators. In that regard, the national legislation at issue meets objective criteria that establish a connection between the data to be retained and the objective pursued. (50)
4. The necessity and proportionality of the interference at issue
53. Although the retention of data in the police record at issue is manifestly appropriate for attaining the objective of general interest pursued, it remains to be ascertained whether the interference with the rights guaranteed in Articles 7 and 8 of the Charter which results from such retention is limited to what is strictly necessary, in the sense that the objective could not reasonably be achieved in an equally effective manner by other means less prejudicial to those fundamental rights of the data subjects, and whether that interference is not disproportionate to that objective, which implies, in particular, a balancing of the importance of the objective and the seriousness of the interference.(51)
54. In carrying out that assessment, account must be taken, in the present case, of the purpose of the police record, the nature of the offences concerned and the number of persons who may be entered in it, the particular sensitivity of the personal data collected and the duration of their retention, as well as the legal and/or technical safeguards provided for in the national legislation with regard to consultation of the record and to the review of maintenance of the data in it.
(a) The purpose of the record
55. In its written observations, the Irish Government submitted, in essence, that data retention may be necessary for vetting and related purposes which serve the public interest in preventing crime and safeguarding public security. Thus, the information contained in a police record must be able to be consulted, not only in order to trace the perpetrators of offences but also for police administration purposes in the context of enquiries made prior to recruitment decisions or decisions conferring authorisation relating to certain public or sensitive positions, the aim being to verify that the conduct of the persons concerned is not incompatible with the exercise of the duties of those positions.
56. At the hearing, the Bulgarian Government confirmed what could be inferred from the explicit wording of Article 27 of the ZMVR, namely that the police record at issue is an aid to judicial, not administrative, investigations. That finding is of some importance, since it relates to the consequences of making a record of a person’s previous offences, in that the inconvenience of being in a record does not result in it being impossible to have access to certain professional activities. (52) The entry in the police records at issue is neither a punishment nor an additional penalty, its purpose is clearly limited to judicial investigation and its use is reserved for services subject to an obligation of confidentiality.
57. The fact remains that it is a single record serving extremely broad police aims, containing diverse information ranging from mere civil status details to biometric and genetic data, and listing individuals who do not have the same procedural status. Rather than having the same form of processing covering all types of information, it was considered preferable, in other legislation, to provide for many kinds of police record pursuing specific aims with a single use and recording one type of data.
(b) The offences and persons concerned
58. The retention of data in police records concerns persons charged and sentenced for intentional offences involving public prosecution, meaning that the charge is brought by the public prosecutor. According to the information provided by the Bulgarian Government, unintentional offences, offences and crimes of a private nature and certain offences which are the subject of an administrative penalty are excluded from that category. It has already been pointed out that the vast majority of the offences provided for by the Nakazatelno-protsesualen kodeks (Code of Criminal Procedure) are intentional and almost all involve public prosecution. (53)
59. It must be stated that the national legislation does not refer to exhaustively listed offences, does not distinguish between the offences in terms of their nature, itself linked to the seriousness or the penalty applicable, and does not adopt any criterion relating to a specific quantum of custodial sentence. They are grouped together in a single, broad category covering diverse forms of unlawful conduct with, admittedly, the reservation that that conduct must be intentional, resulting in the exclusion in principle of minor offences for which the material committing of the incriminated offences charged is itself sufficient (54) and offences characterised by the mere fault of imprudence or negligence. When asked at the hearing to clarify the content of the category of offences at issue, the Bulgarian Government unfortunately confined itself to stating that it does not only cover offences punishable by a term of imprisonment of at least five years.
60. As regards the individuals concerned, it should be noted that the data processing complained of is limited with regard to the age of the data subjects, since it follows from Article 4 of the NRISPR that minors are not subject to entry in police records, which reduces accordingly the number of persons entered in those records. The measure at issue distinguishes two categories of individuals, namely, investigated persons and those with a criminal conviction. The persons thus targeted have been identified beforehand, in the course of the applicable national procedures and on the basis of objective and non-discriminatory factors, as posing a threat to public security or the maintenance of public order. Member States have the option of imposing retention measures targeting persons who, on the basis of such an identification, are the subject of an investigation, that is to say, a category of persons for which there are serious grounds for believing that they have committed a criminal offence or have a conviction reflecting the fact that their criminal liability has been established, which are situations where there is a high risk of reoffending. (55) Recidivism, understood in the common, broader sense of repeat offending, is a phenomenon that each Member State tries to measure and account for, which is not an easy task as it depends on the availability of objective and reliable statistical data on offending. Where they exist, they may show that a person’s criminal past is an important factor in reoffending.(56)
61. It must also be observed that investigated persons and their data are required to ‘disappear’ from the police records where the criminal proceedings concerning them are discontinued or result in an acquittal according to Article 68 of the ZMVR, which quite clearly has an impact on the number of persons entered in the records which the Bulgarian Government has been unable to specify. (57)
(c) The nature of the data and the retention period
62. As regards the data concerned, the Court has held that, in the light of the enhanced protection of persons with regard to the processing of sensitive data, the controller in respect of that processing should satisfy itself that that objective cannot be met by having recourse to categories of data other than those listed in Article 10 of Directive 2016/680. (58) As was explained above, the data whose retention is provided for are clearly such as to contribute to the prevention, detection or prosecution of offences for the purposes of combating crime and maintaining public order. Similarly, I find it difficult to consider that those purposes can be fulfilled as effectively solely on the basis of the civil status particulars or photographic images of the individual concerned without excessively limiting the investigators’ ability to clear up offences on the basis of a comparison of the data collected during the investigation with data entered in the records during previous investigations. (59) The time is fortunately long past when a confession was regarded as the ultimate in evidence, since the evidence collected by forensic services has replaced in the hierarchy of evidence to better effect a form of evidence calling for caution. It can therefore be concluded that the data concerned are totally relevant and not excessive in the light of the purposes assigned to the processing.
63. It should be noted, moreover, that, in the national legislation at issue, no precise maximum period for retention of the information entered in the records was established, since the data are retained only for the duration of the proceedings, which are discontinued or result in an acquittal in the case of certain investigated persons or last their whole lifetime in the case of finally sentenced persons. According to the information provided at the hearing by the Bulgarian Government, which it will be for the referring court to verify, deletion automatically occurs upon the death of the person concerned and the person’s heirs also have the right to apply for erasure of the entry made pursuant to Article 68(6) of the ZMVR. Should it be concluded that that situation reflects, in relation to the wording of Article 5 of Directive 2016/680, the lack of establishment of appropriate time limits for the erasure of personal data, in the sense that the concept of a time limit should necessarily mean a period expressed in years, months or days? If so, that provision would imply, as an alternative, the establishment, in the national legislation, of time limits for a periodic review of the need to store those data. (60)
64. As regards the data of investigated persons and in view of the Bulgarian legislature’s choice not to retain them where the proceedings concerning them do not result in criminal convictions, the necessarily random duration of those proceedings hardly leaves any other option other than establishing a maximum period in order to prevent excessively long proceedings. As regards convicted persons, I consider that the mention of death is indeed that of a time limit linked to the biological life of the person concerned which excludes any classification of indefinite or unlimited duration for the retention of data. (61) The expiry of the retention is predetermined even if the exact date of its expiry is, by definition, indeterminate. In any event, I note that the Bulgarian Government stated at the hearing that an internal periodic review of entries in police records is, in this case, carried out every three months, which meets the requirements of Article 5 of Directive 2016/680.
65. It remains indisputable that, depending on the age at which the person concerned is entered in the records and the age of the person’s death, the retention may be very long, longer than the period laid down for establishing reoffending or than the limitation period for prosecution for the most serious offences. (62) That retention period can nonetheless be justified by the criminal investigation purpose of the processing, that of gathering indicia and evidence in order to identify the perpetrators of past or future offences, since the risk relating to the criminal offences, whether serious or not, is general and permanent. (63) The sometimes very late resolution of unsolved cases shows the great difficulty of the task of the investigation services and the relevance of long-term retention of the biometric and genetic data collected in the records. (64)
(d) The existence of legal and technical safeguards with regard to the retention of and access to data
66. The proportionality of the interference involved in the retention of the data in the police record cannot be assessed independently of the rules governing access to that record and the review of the justification for maintaining the data in the record. According to the ECtHR, where a State allocates to itself the most extensive power of indefinite retention, the existence and functioning of certain safeguards becomes decisive. Thus, the domestic law should comprise safeguards capable of effectively protecting the personal data recorded against inappropriate and wrongful use and enabling the deletion of that data as soon as their continuous retention becomes disproportionate, in particular by offering a practical possibility of submitting an application to have the stored data removed. (65)
(1) The conditions for consulting the record
67. It is apparent from recitals 28, 56 and 57 of Directive 2016/680 and from Articles 24, 25 and 29 thereof that the Member States must adopt measures aimed at ensuring that personal data are processed so as to guarantee an appropriate level of security and confidentiality, in particular by preventing unauthorised access to such data and to the equipment used for their processing as well as the unauthorised use of such data and of that equipment. Those measures include the maintenance, by the controller, of records able to provide the supervisory authority, on request, with a certain amount of information on the processing of the data carried out and with logs for certain processing operations such as consultation, transfers and erasure. According to recital 60 of Directive 2016/680, the controller should implement measures to mitigate the risks previously evaluated inherent in the processing in question, in particular those relating to unauthorised disclosure of or access to data.
68. At the hearing, the Bulgarian Government stated that the national legislation complied with those requirements, referring to the existence of a set of rules providing, in particular, for the establishment of lists of names of agents having access to the data, the need for each user to state the justification for the right of access, his or her identity, the date and the time of access. (66) Those safeguards regarding the scope of persons authorised to consult the record and the rules for consulting it appear to be such as to prevent any wrongful or fraudulent use of access to the records and thereby any undue prejudice to the fundamental rights enshrined in Articles 7 and 8 of the Charter, which it will be for the referring court to verify.
(2) The review of maintenance of data in the record
69. It is not disputed that the aforementioned review, as provided for in Article 68(6) of the ZMVR, is of a twofold nature, since it is carried out by the competent authorities of their own motion, under a self-review procedure, and at the reasoned request of the data subject or his or her heirs, the grounds for erasure of an entry in the records being, in both cases, stated exhaustively in the aforementioned provision. Those grounds do not include the situation of an individual who has been rehabilitated, entailing the erasure of the conviction in question from his criminal record, only the ground referred to in Article 68(6), point 1 of the ZMVR, concerning an entry made in breach of the law, can justify an application for erasure made by a convicted person submitted, as in this case, in that person’s lifetime and therefore before the expiry of the legal period for retention occurring on that person’s death.
70. When questioned at the hearing on the scope of Article 68(6) of the ZMVR with regard to its application by the competent authorities and courts, the Bulgarian Government stated that that provision permitted amendment of an entry in the records relating to a person placed under investigation which had become incorrect following a reclassification of the offence by the court. It excluded any possibility of erasure of an entry in the records following the rehabilitation of the convicted person. I note, in that regard, that the record at issue is an investigation tool designed to facilitate the operational activity of the criminal investigation department and is not, properly speaking, a register of prior offences like a criminal record. Those two instruments do not serve the same purpose. One is a record for the exclusive use of investigators with a view to enabling them, in the long term, to shed light on past or future offences, the other is intended to guide the work of the courts when imposing a criminal penalty in a given case. Thus, by virtue of the rehabilitation resulting in the erasure of the conviction concerned from the criminal record, the individual may, where applicable, be in the situation of a first offender eligible for lighter penalties or penalty adjustment. For all that, the retention of the person’s data in the police record is still necessary in principle in the light of the broader objective of detecting, solving and preventing offences.
71. It is still apparent from the Bulgarian Government’s observations that the ground referred to in Article 68(6), point 1, of the ZMVR does not cover an assessment of the need to retain data from a temporal perspective. It appears that there is neither any provision in the national legislation nor any administrative or judicial practice enabling the competent authority to erase the entry in the records created as part of quarterly checks or the individual concerned to apply for its erasure if the retention of the personal data no longer seems necessary in view of the time that has elapsed since the record was created. Nor does the referring court called upon to determine the legality of the decision to reject the application for erasure appear to be able to make such an assessment.
F. Interim conclusion
72. Can it be concluded that the criteria used for the purposes of data retention described above are sufficiently targeted, proportionate and specific, and that the processing of personal data at issue observes the limits of what is strictly necessary or of absolute necessity? The Court might answer that question in the negative for the following reasons.
73. It must be emphasised, first, that the issue of the necessity of retaining personal data becomes particularly acute where the processing of such data is authorised, as in this case, for preventive purposes. In that regard, the true criterion justifying the recording and retention of the data in the police record at issue is the danger posed by the data subjects, which entails an assessment of the risks. In the present case, it must be stated that that assessment ends merely on the finding that there exists a suspicion of or proof of perpetration of an intentional offence, a vague criterion if ever there was one, since it concerns a constituent element of offences, even the very basis of criminal liability. Therefore, the national retention regime seems to me to have regard to a minimum degree of seriousness in relation to offending and covers a wide variety of public order offences, without the a priori requirement of a penalty consisting of a prison sentence, which permits the conclusion that it applies whatever the nature or seriousness of the offence. (67) I note that the Court held that Bulgarian legislation, such as that at issue in the main proceedings, which provides for the systematic collection of the biometric and genetic data of any person accused of an intentional offence subject to public prosecution, is, in principle, contrary to the requirement laid down in Article 10 of Directive 2016/680, because it is liable to lead, in an indiscriminate and generalised manner, to collection of the biometric and genetic data, since the concept of ‘intentional criminal offence subject to public prosecution’ is particularly general and is liable to apply to a large number of criminal offences, irrespective of their nature and gravity. (68)
74. Although statistical studies may show that a person’s criminal past is an important factor in reoffending, they also point to the existence of objective factors aggravating the risk of reoffending linked, in particular, to the type, age and nature of the initial offence, the periods of reoffending and the fact that the repeat offending is closely linked to the nature of the offence which led to imprisonment. (69) By adopting any conviction for an intentional offence, including the initial one, as a criterion for data retention until the death of the data subject, (70) it appears that the underlying logic of the processing of such data is to have a particularly extensive grasp of the history of offending, whether regarding both the nature and/or gravity of the offences or the offender’s age. Like the ECtHR, one might ask whether, when taken somewhat to an extreme, that type of logic is not, in practice, tantamount to justifying the storage of information on the whole population and their deceased relatives, which would most definitely be excessive and irrelevant. (71) I note that the Court has held that the mere fact that a person is accused of an intentional criminal offence subject to public prosecution cannot be regarded as a factor that in itself enables it to be presumed that the collection of his or her biometric and genetic data is strictly necessary in the light of the purposes that it pursues. (72)
75. It appears, second, that the data are retained without regard to the need to store them until the death of the data subject. According to the wording of Article 68(6) of the ZMVR and the interpretation made thereof, the competent authorities are vested with the power to erase the data only in exceptional circumstances, regardless of the change in that person’s situation since the entry in the records was made. The same logically applies to an application for erasure, provided for therein, of which that person may avail, and which is insufficiently effective since it does not permit the review of whether the period of retention of the data is proportionate to the aim of the interference at issue. That assessment should take into account various criteria, such as the nature and seriousness of the offences established, the length of time that has elapsed since the offences, the remaining legal retention period or the applicant’s age in this case in the light of his personal situation, as regards the age when he committed the offences, his behaviour since, (social integration, compensation of the victims) and his personality, since the benefit of rehabilitation may, in that context, constitute a factor in the overall assessment. In those circumstances, the review available, in particular, to the person entered in the record would appear to be so narrow as to be almost hypothetical. (73)
76. The findings made above must be regarded in conjunction with the fact that sensitive data may be retained over a very long period and that the record at issue may serve its users’ very intrusive operational purposes, in particular identification, analysis and comparison. It should be noted that, under Article 68(3) of the ZMVR, the police authorities must, for the purposes of the entry in the police records, take samples to create a person’s DNA profile and photograph them, and facial recognition technology may, where necessary, be applied to the photographs taken.
V. Conclusion
77. In the light of the foregoing considerations, I propose that the Court reply as follows to the Varhoven administrativen sad (Supreme Administrative Court, Bulgaria):
Articles 4, 5, 8, 10 and Article 16(2) of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, read in conjunction with and in the light of Article 52(1) of the Charter of Fundamental Rights of the European Union,
must be interpreted as meaning that they preclude national legislation providing for the retention of personal data in a police record, including the biometric and genetic data, of any person convicted of an intentional offence, without further differentiation regarding the nature or seriousness of the offence, until that person’s death and without the possibility of reviewing the retention of the data contained in that record in the light of the time that has elapsed since it was created and, where appropriate, obtain the subsequent erasure of those data.
The assessment of the proportionality of the period of the data retention to the purpose of the processing in the light of the convicted person’s situation may take account of any rehabilitation to which that person has been subject.