Siding with a small-time thief, the decision is the latest in a series of rulings clamping down on states overstepping their citizens’ right to digital privacy.
LUXEMBOURG (CN) — Personal cellphone data can be used only in the investigation of serious crimes, the EU’s high court found on Tuesday.
In its decision, the European Court of Justice noted that, unless it’s for a serious crime or in the interest of public safety, countries are prohibited from obtaining location data under the European Union’s 2002 Privacy and Electronic Communications Directive.
“The access of state authorities to data making it possible to identify the source and destination of a telephone communication from a suspect’s landline or mobile telephone, to determine the date, time, duration and type of that communication, to identify the communications equipment used and to establish the location of the mobile communication equipment used amounts to interference with the fundamental rights at issue which is so serious that such access should be restricted to combating serious crime,” the Luxembourg-based court wrote.
Estonia’s Supreme Court, known as the Riigikohus, referred the matter to the Court of Justice after an individual identified in court documents only as H.K. appealed a conviction for theft and fraud based in part on cellphone location data obtained by the police from H.K.’s cellular provider.
The thefts H.K. was convicted of committing occurred over about a year from 2015 to 2016, involving goods whose value ranged between just 3 and 40 euros, as well as cash ranging between 5 euro 20 and 2,100 euros.
H.K also caused a loss of nearly 4,000 euros by using another person’s bank card, and was convicted of performing acts of violence against people who were party to court proceedings.
Sentenced to two years in prison, H.K. argued that the government’s seizure of the phone data violated his or her right to privacy.
But Estonia denied this as the information the public prosecutor had requested was limited to the dates that H.K. committed the crimes.
This argument held little sway with the court. “Even access to a limited quantity of traffic or location data or access to data in respect of a short period may be liable to provide precise information on the private life of a user of a means of electronic communication,” the 11-judge panel wrote.
Previous rulings by the court on data privacy require police and prosecutors in the 27-member politician and economic union to obtain permission from a court or an “independent administrative authority” before they can request cell phone data. In Tuesday’s ruling, the court found that Estonian’s public prosecution service did not qualify as such an authority. “Whilst the Estonian public prosecutor’s office is, under national law, obliged to act independently, is subject only to the law and must examine the incriminating and exculpatory evidence in the pre-trial procedure, the objective of that procedure nevertheless remains the gathering of evidence and fulfilment of the other conditions necessary for judicial proceedings,” the Grand Chamber wrote.
The Court of Justice has historically been critical of lax data privacy protections. It has twice shut down data-sharing agreements between the EU and the U.S., in decisions known as Schrems I and Schrems II. Last year, it ruled that European spy agencies can only keep bulk personal data in the event of a serious emergency and broadened who is allowed to bring complaints about privacy breaches. Spain was slapped with a $18.3 million fine last month for failing to protect personal data gathered by police.