Ministerio Fiscal (C-207/16)

Date02 October 2018
IssuerCourt of Justice of the European Union

JUDGMENT OF THE COURT (Grand Chamber)

2 October 2018 ( *1 )

(Reference for a preliminary ruling — Electronic communications — Processing of personal data — Directive 2002/58/EC — Articles 1 and 3 — Scope — Confidentiality of electronic communications — Protection — Article 5 and Article 15(1) — Charter of Fundamental Rights of the European Union — Articles 7 and 8 — Data processed in connection with the provision of electronic communications services — Access of national authorities to the data for the purposes of an investigation — Threshold of seriousness of an offence capable of justifying access to the data)

In Case C‑207/16,

REQUEST for a preliminary ruling under Article 267 TFEU from the Audiencia Provincial de Tarragona (Provincial Court, Tarragona, Spain), made by decision of 6 April 2016, received at the Court on 14 April 2016, in the proceedings brought by

Ministerio Fiscal,

THE COURT (Grand Chamber),

composed of K. Lenaerts, President, A. Tizzano, Vice-President, R. Silva de Lapuerta, T. von Danwitz (Rapporteur), J.L. da Cruz Vilaça, C.G. Fernlund and C. Vajda, Presidents of Chambers, E. Juhász, A. Borg Barthet, C. Toader, M. Safjan, D. Šváby, M. Berger, E. Jarašiūnas and E. Regan, Judges,

Advocate General: H. Saugmandsgaard Øe,

Registrar: L. Carrasco Marco, Administrator,

having regard to the written procedure and further to the hearing on 29 January 2018,

after considering the observations submitted on behalf of

the Ministerio Fiscal, by E. Tejada de la Fuente,

the Spanish Government, by M. Sampol Pucurull, acting as Agent,

the Czech Government, by M. Smolek, J. Vláčil and A. Brabcová, acting as Agents,

the Danish Government, by J. Nymann-Lindegren and M. Wolff, acting as Agents,

the Estonian Government, by N. Grünberg, acting as Agent,

Ireland, by M. Browne, L. Williams, E. Creedon and A. Joyce, acting as Agents, and by E. Gibson, Barrister-at-Law,

the French Government, by D. Colas, E. de Moustier and E. Armoet, acting as Agents,

the Latvian Government, by I. Kucina and J. Davidoviča, acting as Agents,

the Hungarian Government, by M. Fehér and G. Koós, acting as Agents,

the Austrian Government, by C. Pesendorfer, acting as Agent,

the Polish Government, by B. Majczyna, D. Lutostańska and J. Sawicka, acting as Agents,

the United Kingdom Government, by S. Brandon and C. Brodie, acting as Agents, and by C. Knight, Barrister, and G. Facenna QC,

the European Commission, by I. Martínez del Peral, P. Costa de Oliveira, R. Troosters and D. Nardi, acting as Agents,

after hearing the Opinion of the Advocate General at the sitting on 3 May 2018,

gives the following

Judgment

1

This request for a preliminary ruling concerns, in essence, the interpretation of Article 15(1) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ 2002 L 201, p. 37), as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 (OJ 2009 L 337, p. 11) (‘Directive 2002/58’), read in the light of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union (‘the Charter’).

2

The request has been made in proceedings brought by the Ministerio Fiscal (Public Prosecutor’s Office, Spain) against the decision of the Juzgado de Instrucción No 3 de Tarragona (Court of Preliminary Investigation No 3, Tarragona, Spain, ‘the investigating magistrate’) refusing to grant the police access to personal data retained by providers of electronic communications services.

Legal context

EU law

Directive 95/46

3

According to Article 2(b) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31), ‘processing of personal data’ means ‘any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction’.

4

Article 3 of the directive, entitled ‘Scope’, provides as follows:

‘1. This Directive shall apply to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system.

2. This Directive shall not apply to the processing of personal data:

in the course of an activity which falls outside the scope of Community law, such as those provided for by Titles V and VI of the Treaty on European Union and in any case to processing operations concerning public security, defence, State security (including the economic well-being of the State when the processing operation relates to State security matters) and the activities of the State in areas of criminal law,

by a natural person in the course of a purely personal or household activity.’

Directive 2002/58

5

Recitals 2, 11, 15 and 21 of Directive 2002/58 state:

‘(2)

This Directive seeks to respect the fundamental rights and observes the principles recognised in particular by the [Charter]. In particular, this Directive seeks to ensure full respect for the rights set out in Articles 7 and 8 of that Charter.

(11)

Like Directive [95/46], this Directive does not address issues of protection of fundamental rights and freedoms related to activities which are not governed by Community law. Therefore it does not alter the existing balance between the individual’s right to privacy and the possibility for Member States to take the measures referred to in Article 15(1) of this Directive, necessary for the protection of public security, defence, State security (including the economic well-being of the State when the activities relate to State security matters) and the enforcement of criminal law. Consequently, this Directive does not affect the ability of Member States to carry out lawful interception of electronic communications, or take other measures, if necessary for any of these purposes and in accordance with the European Convention for the Protection of Human Rights and Fundamental Freedoms, as interpreted by the rulings of the European Court of Human Rights. Such measures must be appropriate, strictly proportionate to the intended purpose and necessary within a democratic society and should be subject to adequate safeguards in accordance with the European Convention for the Protection of Human Rights and Fundamental Freedoms.

(15)

A communication may include any naming, numbering or addressing information provided by the sender of a communication or the user of a connection to carry out the communication. Traffic data may include any translation of this information by the network over which the communication is transmitted for the purpose of carrying out the transmission. …

(21)

Measures should be taken to prevent unauthorised access to communications in order to protect the confidentiality of communications, including both the contents and any data related to such communications, by means of public communications networks and publicly available electronic communications services. National legislation in some Member States only prohibits intentional unauthorised access to communications.’

6

Article 1 of Directive 2002/58, entitled ‘Scope and aim’, provides:

‘1. This Directive provides for the harmonisation of the national provisions required to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy and confidentiality, with respect to the processing of personal data in the electronic communication sector and to ensure the free movement of such data and of electronic communication equipment and services in the Community.

2. The provisions of this Directive particularise and complement Directive [95/46] for the purposes mentioned in paragraph 1. Moreover, they provide for protection of the legitimate interests of subscribers who are legal persons.

3. This Directive shall not apply to activities which fall outside the scope of the Treaty establishing the European Community, such as those covered by Titles V and VI of the Treaty on European Union, and in any case to activities concerning public security, defence, State security (including the economic well-being of the State when the activities relate to State security matters) and the activities of the State in areas of criminal law.’

7

Article 2 of Directive 2002/58, entitled ‘Definitions’, is worded as follows:

‘Save as otherwise provided, the definitions in Directive [95/46] and in Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive) [(OJ 2002 L 108, p. 33)] shall apply.

The following definitions shall also apply:

(b)

“traffic data” means any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the...

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT