Commentary to the Bezirkshauptmannschaft Landeck judgment: a failure by the CJEU in appropriately balancing privacy, data protection and the interests of law enforcement [1]

Tiago Sérgio Cabral [Editor of this blog and Project Expert for the Portuguese team in the "European Network on Digitalization and E-governance" (ENDE)]

1. Background

The Court of Justice’s decision in Case C- 548/21 (Bezirkshauptmannschaft Landeck) probably got less attention than it deserved from legal scholars due to being issued at the same time as other high profile data protection cases and connected to Directive 2016/680/EU (the “Law Enforcement Directive”) instead of the GDPR. However, there are good reasons to engage in a deeper analysis of this case. The Bezirkshauptmannschaft Landeck judgment addresses access by law enforcement to mobile phones, which nowadays store large amounts of personal data that most people prefer to maintain private, but that law enforcement considers key for criminal investigation purposes. The Court of Justice’s conclusions regarding this issue are surprising as they seem out of step with previous case-law. Other less controversial but still relevant takeaways from this judgment, such as those regarding the scope of the concept of “personal data” may have relevance beyond data protection in the context of law enforcement.

2. The Court of Justice’s Decision

The case arises from a request for a preliminary ruling from the Regional Administrative Court of Tyrol (Austria). The factual background of the judgment is relatively straightforward: Austrian customs authorities seized a package for a data subject (CG) containing 85 grams of cannabis. Pursuant to this seizure, law enforcement conducted a search of CG’s residence, questioned him, and requested access to connection data on CG’s mobile telephone. CG refused and, as such, law enforcement seized his mobile phone, including SIM and SD cards.

Police officers made two (unsuccessful) attempts to unlock CG’s mobile phone. Both attempts were carried out at the personal initiative of the police officers concerned, without the authorisation of the Public Prosecutor’s Office or a court (para. 23). The mobile phone was eventually returned to CG after he challenged the lawfulness of the seizure.

The data subject was not, however, adequately informed of the attempts to access the information on his phone. In fact, he only became aware of such attempts when one of the police officers involved was questioned in the context of the subsequent judicial proceedings. The abovementioned attempts were also not recorded in the file compiled by law enforcement regarding this case (para. 25).

Considering that the attempt to access CG’s mobile telephone was unsuccessful, the Court of Justice was required to preliminarily assess whether such an attempt could be considered by itself as the processing of personal data. The Court of Justice concluded that taking into account the broad scope that the European legislator intended to give to the concept of “processing”, along with the objectives of the Law Enforcement Directive, an attempt to access personal data contained in a mobile phone by a law enforcement authority should be considered processing of personal data even if unsuccessful.

The Court of Justice also noted that the opposite interpretation would create a situation in which the applicable rules would not be foreseeable to the person trying to access the data (or to data subjects). Authorities would see the consequences of their conduct depend on the success of the attempt while individuals could have their rights denied because the law enforcement authority failed in its designs (para. 76).

After rejecting objections from some Member States and reformulating the referring court’s questions, the Court of Justice focused on clarifying whether Article 4(1)(c) of Directive 2016/680, read in the light of Articles 7 and 8 of the Charter of Fundamental Rights of the EU (“CFREU”) and Article 52(1) of the latter legal instrument, precludes national legal rules which afford the competent authorities the possibility of accessing data contained in a mobile telephone for the purposes of preventing, investigating, detecting and prosecuting criminal offences in general, and which do not make this possibility subject to prior review by a court or an independent administrative body (para. 81). To respond to this question, the Court of Justice recalled that any restrictions to the rights under Article 7 and Article 8 of the CFREU should follow the rules established in Article 52 of the CFREU and, as such, must “be provided for by law, respect the essence of those fundamental rights and observe the principle of proportionality. Under the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the European Union or the need to protect the rights and freedoms of others. They must apply only in so far as is strictly necessary and the legislation which entails the limitations in question must lay down clear and precise rules governing the scope and application of those limitations’ (para. 85).[2] In assessing the processing in casu, the Court of Justice concedes that access to personal data stored in a mobile phone may constitute a serious or even a particularly serious interference with the fundamental rights under Article 7 and 8 of the CFREU. To support this conclusion, the Court of Justice highlights that special category data may be stored on the mobile phone and, as such, accessed by law enforcement. However, this is not sufficient for the Court of Justice to conclude that such access should be limited to the fight against serious crime, as this would lead to an increased risk of impunity for criminal offences given the importance that such data may have for criminal investigations, and therefore hinder the activities of law enforcement (para. 97).

Access should be preceded by review by a court or administrative authority which must strike a balance between the interests of the investigation and the rights of the data subject. In cases of duly justified urgency, this review can occur shortly after the access instead of prior to it. Reasonable suspicions in relation to that person should also be supported by objective and sufficient evidence for this access to be lawful (para. 101).

In order to satisfy the requirement under Article 52(1) of the CFREU, which states that any limitation to the fundamental rights must be provided by a law that establishes the scope of the limitation in a sufficiently clear and precise manner (para. 98), the Court of Justice states that national laws should define the factors with sufficient precision, in particular the nature or categories of the offences concerned (para. 99).

Lastly, in responding to the third question of the referring court, the Court of Justice concludes that data subjects should be informed of the access to their equipment and the grounds authorising such access as soon as doing so is no longer liable to jeopardise the investigations carried out by law enforcement. A national rule completely excluding this right would be incompatible with EU law (paras. 120 and 121).

3. Commentary

The Court of Justice decided well when it rejected arguments from several governments, including the Austrian and French governments, arguing that the incorrect formulation of the first two questions –  as being issues related to the e-Privacy Directive (Directive 2002/58/EC) instead of the Law Enforcement Directive – precluded the Court of Justice from responding to them. In rejecting this argument, the Court of Justice stressed that it sent a request for information to the referring court, by which it asked whether the Law Enforcement Directive might be relevant in the dispute in main proceedings (paras. 31-33). After the referring court confirmed this, the interested persons were notified of this development and able to, in their written observations, express their views on the interpretation of that Law Enforcement Directive and its relevance to the case in the main proceedings. In addition, for the purposes of the hearing, the Court of Justice asked the participants in the oral part of the procedure to answer, at that hearing, certain questions concerning the Law Enforcement Directive (para. 63).

The reality of the matter is that the State (executive) should not benefit from an error by the State (judiciary) at the expense of individual fundamental rights. It is not acceptable that individuals be deprived of or even see delayed their right to an effective remedy and to a fair trial (Article 47 of the CFREU) because of an error in the identification of the applicable law that was detected at an early stage of the proceedings at the Court of Justice.

This conclusion is strengthened when the discussion is purely formal and very close to a delaying tactic by the governments, as they were able to present their arguments without significant issues.

Had the Court of Justice accepted the abovementioned Member States’ arguments and not issued a decision on merits, it is unclear whether another referral in the context of this case would be viable. If that is not the case the individual’s options could be restricted. Additionally, the error of the State (judiciary) would likely result in additional expenses for the individual and some non-material damages (e.g., additional stress motivated by time required to get a resolution to the case). However, it seems difficult to sustain that an incorrect formulation of a referral is enough to justify State (judiciary) liability for breach of EU law that could result in compensation.

The broad interpretation of personal data processing adopted by the Court of Justice may have relevance both under the Law Enforcement Directive and the GDPR. As the concepts are the same and should be interpreted in a coherent manner, the Court of Justice’s position would mean that someone who tries to break encryption to access personal data might be considered as a controller even if failing in this attempt. This could be the case of a threat actor that attempts to obtain access to an encrypted file.

Additionally, if we extend this logic from the device level to the application or network level, it could also affect attempts by governments to break the encryption of encrypted applications or VPNs and similar technologies. This could potentially have wider implications in the context of State access to encrypted communications since even failed attempts to access these types of communications should, following the same logic of the Court of Justice in this decision, be communicated to the data subject once the communication of that information is no longer liable to jeopardise the tasks of the relevant authorities.

Where it seems to us that the Court of Justice’s decision may have failed is in giving sufficient consideration to the impact that access to mobile devices may have on a data subject’s right to data protection (Article 8 of the CFREU) and privacy (Article 7 of the CFREU). The Court of Justice notes that special category data may be saved on the mobile device and thus accessed. We would consider that, nowadays, this is likely not a “may” but a “likely will”. Particularly, smartphones are very likely to contain (large sets of) special category data, such as messages containing political or religious positions or health information stored in apps, calendars, messages or emails. Access to the pictures may also reveal special category data but, even if it does not, is extremely intrusive and should only be accepted in exceptional circumstances. The same argument could be made for financial data contained in mobile devices. Similarly to mobile devices, other computing devices such as personal computers are highly likely to contain special category data and/or personal data whose access should be considered as particularly intrusive by data subjects. In addition, the access to this type of devices, containing information on a wide range of activities carried out by the data subject, is theoretically capable of providing sufficient information to build a very detailed profile of the data subject. 

In not giving sufficient prominence in this judgment to how serious the impact of law enforcement access to mobile phones is on privacy and data protection, the Court of Justice fails to provide guidance to national courts and authorities that will have to conduct a proportionality test. Paragraphs 107 and 108 of the judgment do not do much more than repeat the data minimisation principle and argue that it should be interpreted with particular rigour. 

The issue becomes more serious because the Court of Justice does state that access to the data in mobile devices should not be restricted for the fight against serious crime, accepting that the lack of access to this information would hinder the work of law enforcement and create an increased risk of impunity for criminal offences, and would introduce a deviation, without clear reason, from its case-law on access to metadata (see, for example, Prokuratuur (C‑746/18, para. 35), Ministerio Fiscal (C‑207/16, para. 54), and La Quadrature du Net (C‑470/21, para. 95). It is difficult to argue that direct access to a mobile device cannot allow law enforcement to draw precise conclusions concerning the private lives of the persons concerned in a manner that is probably even more damaging to the fundamental rights of privacy and data protection than access to metadata stored by a third-party. The statement that restricting this type of processing operation in the fight against serious crimes would hinder the work of law enforcement is also no more than an incomplete argument. Certainly, the work of law enforcement would be easier with complete and unrestricted access to all personal data stored in all devices, terminals and databases. However, there is a balance to strike between the important work of law enforcement and a person’s right to privacy and data protection. The Court of Justice failed in justifying why the first interest should prevail over the individual rights in this case when it does not in its previous case-law. There is also the statistically unavoidable conclusion that the wider we cast the net (i.e., the more situations where we allow access to personal devices) the more innocent people will be subject to this type of measures in the course of the investigation. Considering that (i) access to a mobile device by law enforcement is an extremely serious restriction to fundamental rights; (ii) minor crimes have generally low social relevant, raise limited social alarm and are not a danger to society; (iii) the emergence of a surveillance society or the emergence of the mere feeling among citizens of such a society where law enforcement can engage in highly intrusive practices with the justification that is necessary to combat events with low social relevance is, in itself, an event with high social relevance, that raises significant social alarm and that is a danger to society, the Court of Justice’s conclusion may not be the right one.

Even if it did not restrict access for the purpose of fighting against serious crime, to avoid a highly securitarian approach the Court of Justice should have clarified that national courts or authorities must not rely blindly on law enforcement authorities and, considering the wide scope of the restriction to the abovementioned fundamental rights, are at least required to: (i) carefully assess whether reasonable suspicions exist and if there is sufficient evidence to support them. Evidence should exist a priori and, thus, law enforcement should not be able to access mobile devices with the aim of “fishing” for evidence; (ii) critically evaluate whether it is possible without extreme difficulty to rely on less intrusive means to seek additional evidence of unlawful activity; (iii) even if reasonable suspicions exist and there are no less intrusive means available, assess if the public interest in the specific case prevails over the rights of the individual, considering the type of device and the categories of personal data likely to be stored within, along with the fact that any access will likely not be restricted to the personal data of the person under suspicion, but will also affect third parties. Particularly for less serious crimes, it is our view that the balance should frequently favour individual rights and authorisations would be the exception and not the norm.

[1] This essay is an extended version of the Op:Ed originally published at EU Law Live. The Author would like to thank the EU Law Live’s team for the permission to publish this extended version here.

[2] For more development on this issue see Alessandra Silveira, “Commentary to Article 52”, in Alessandra Silveira, Maria Inês Costa, Larissa Coelho and Tiago Sérgio Cabral, The Charter of Fundamental Rights of the European Union: A Commentary (UMinho Law School: Braga, 2024), 477-486.

Picture credits: By Pixabay on pexels.com.