Privacy and data retention: the contrast with Italian law

By judgment of 2 March 2021 (C746/18), the Court of Justice of the European Union clarified the limits between the right to privacy and the need to fight crime through access to and storage of traffic data (so-called “data retention”).

The case concerned the criminal proceedings against an Estonian citizen, who was convicted also thanks to data collected during investigations with telecommunications service providers.

Therefore, the Court was asked to clarify in what cases and under what conditions national authorities are allowed access to traffic data and, in particular, to data that allows authorities to draw precise conclusions about the private life of the subject, such as data on the source and destination of a phone call, data enabling to determine date, time, duration and nature of the communication or data identifying and locating the device used.

The access to this set of data, in fact, is in contrast with the right to respect for private and family life, as well as the right to the protection of personal data, recognized respectively by Articles 7 and 8 of the Charter of Fundamental Rights of the European Union.

The Court replied by interpreting Article 15 of Directive 2002/58 (on privacy and electronic communications) stating that ‘only the fight against serious forms of crime and the prevention of serious threats to public security can justify serious interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter, such as those involving the retention of traffic data and location data’.

The Court then made it clear that, in order to ensure compliance with the precautions imposed by Community legislation, it is essential to make access to data by national authorities subject to prior control by a judge or an indipendent administrative entity.

And it is with regard to the requirement of independence that there has been a conflict between the Italian legislation and the European Directive, as interpreted in the judgment in commentary.

According to the Commission, the authority responsible for carrying out prior checking must be a third-party in relation to the authority requesting access to the data. With particular reference to the criminal field, the Court states that the authority responsible for such prior checking must not be involved in conducting the criminal investigation at hand and must be neutral to the parties of the proceedings.

The interpretation is therefore contrary to Article 132, paragraph 3, of Legislative Decree 196/2003, which gives the Public Prosecutor the competence to issue the reasoned decree for the acquisition of data relating to telephone traffic.

The Public Prosecutor, in fact, not only directs the investigation procedure, but also represents the public prosecutor in the trial and, therefore, does not have the requirement of independence considered essential by the European Judge.

While waiting for the legislator to adapt the Code on the protection of personal data, some national courts have already transposed the Court’s orientation and by decree of 26 April 2021 the G.I.P. of Rome decided to disapply Article 132(3) of Legislative Decree 196/2003, due to the recent interpretative judgment of the Court of Justice.