Location data drawn from electronic communications must only be used by law enforcement investigations involving ‘serious crimes’ and to prevent ‘serious threats to public security’, the European Court of Justice (CJEU) has ruled.
The CJEU found EU law supersedes national legislation giving prosecutors the power to authorise access to such data.
The ruling, issued this week, concerned the case of a subject referred to as ‘HK’.
Criminal proceedings were brought against HK in Estonia on counts of theft, use of another person’s bank card and violence against persons party to court proceedings. The thefts were for goods worth between €3 and €40, cash thefts totalling between €5.20 and 2100, while the unauthorised bank card use led to a loss of €3,941 for the card holder. HK was found guilty and convicted.
However, following an appeal, Estonia’s Supreme Court referred the case to the CJEU because it had doubts as to whether the use of cell phone location data obtained by the police as evidence was compatible with European Union law.
In its decision, the court said that, unless it’s for a serious crime or in the interest of public safety, countries are prohibited from obtaining location data under the European Union’s 2002 Privacy and Electronic Communications Directive.
The court said: “The Court holds that only the objectives of combating serious crime or preventing serious threats to public security are capable of justifying public authorities having access to a set of traffic or location data, that are liable to allow precise conclusions to be drawn concerning the private lives of the persons concerned, and other factors relating to the proportionality of a request for access, such as the length of the period in respect of which access to such data is sought, cannot have the effect that the objective of preventing, investigating, detecting and prosecuting criminal offences in general is capable of justifying such access.”
PrivSec Global, a live streaming event, takes place on 23-25 March featuring more than 200 speakers and 64 sessions on privacy, data protection and cyber-security.