The CJEU has issued its ruling in Case C-548/21 | Bezirkshauptmannschaft Landeck.
The Austrian police seized the mobile telephone of the recipient of a parcel following the discovery that the parcel contained 85 grams of cannabis. The police then tried unsuccessfully to unlock the mobile telephone to access the data it contained. The police were not authorised by the Public Prosecutor’s Office or a court, they did not document their attempt to unlock the telephone and did not inform the owner. The owner went to court to challenge the seizure of his mobile telephone and during those proceedings, he became aware of the attempts to unlock the telephone.
The Austrian court referred the case to the CJEU and asked if the Austrian legislation which, in its view, allows the police to act in this way, is compatible with EU law. It observed that the telephone’s owner was accused of an offence which was punishable by a maximum of one year’s imprisonment and so was only a minor offence.
Firstly, the Court of Justice stated that contrary to what certain governments have argued, the relevant EU legislation applies to attempts to access data as well as to successful access.
It then said that access to all the data contained in a mobile telephone may constitute a serious, or even particularly serious, interference with the fundamental rights of the data subject. That data, which may include messages, photos and internet browsing history, may, depending on the circumstances, allow very precise conclusions to be drawn concerning that data subject’s private life. In addition, the information may include particularly sensitive data.
The seriousness of the offence under investigation is one of the main parameters when examining the proportionality of such serious interference. However, to consider that only the fight against serious crime is capable of justifying access to data contained in a mobile telephone would unduly limit the investigative powers of the competent authorities. This would result in an increased risk of impunity for criminal offences in general and therefore in a risk for the creation of an area of freedom, security and justice in the EU.
However, such an interference with private life and data protection must be provided for by law, which implies that the national legislature must define with sufficient precision the factors to be taken into account, in particular the nature or categories of offences concerned. Such access must be subject to a review carried out in advance by a court or an independent administrative authority, except when a case is urgent. A review must strike a fair balance between the legitimate interests relating to the needs of the investigation in the context of combating crime and the fundamental rights to private life and the protection of personal data.
Finally, the data subject must be informed of the grounds on which the authorisation to access their data is based, once telling them will not jeopardise the investigation.