Criminal Procedural Law – Metadata
Right to the privacy of personal life;
Prohibition of interference with communications by public authorities;
Principle of proportionality
RULING No. 420/17
13 of July of 2017
Seen as a corollary to the protection afforded to the privacy of people’s personal life, the privacy of communications encompasses both a prohibition on real-time interference with telephone calls, and the requirement to make it impossible for third parties to subsequently gain access to elements that reveal the factual conditions under which a communication took place.
In a democratic state based on the rule of law, any citizen has the right to make telephone calls when and to whom he/she wants with the same privacy as that applicable to the content of their conversation.
In the present case, the Constitutional Court only considered the constitutional conformity of a normative dimension embodied in the duty of “providers of publicly available electronic communications or of a public communications network” to store the data regarding the “name and address of the subscriber or registered user to whom the IP protocol address” was attributed “at the moment of the communication…for a period of one year counting from the date on which the communication was concluded”.
The Court recalled that its case law on this subject means that the protection provided by the Constitution – a prohibition on all forms of interference by the public authorities with correspondence and tele- and other types of communication, save in the cases provided for in the law governing criminal procedure – does not cover base data like those addressed by the norm before it here. ‘Base data’ are those regarding the connection to a network (the number and other data via which a user accesses the service). Data concerning the mere identification of the user to whom a given IP address is attributed are not included within the scope of the protection afforded to the secrecy of communications enshrined in the applicable constitutional precept, inasmuch as they do not presuppose a specific communicational act.
The same absence of constitutional protection also applies to mobile location data that do not presuppose any actual act of communication – i.e. they exist merely because a mobile phone is switched on and capable of receiving calls.
The Court said that when they don’t support a concrete communication, base data and equipment location data are not objects of the protection of the right to the secrecy of communications. They are, however, subject to the constitutional protection of the right to the privacy of personal life. The Court took the view that the duty to preserve such data in case they need to be given to the authorities in compliance with the law, fulfils the requirement that it be fit for its purpose, in that obliging providers to keep base data is a measure that is appropriate to the goal of identifying the registered user to whom an IP address was attributed and who is suspected of having committed one of the serious crimes referred to in the Law; it also meets the requirement of need, inasmuch as it is not possible to configure a less restrictive means for the competent authorities to achieve that identification; and it is not excessive, because the data in question are not very invasive, but can be central to the conduct of criminal investigations of such crimes.
The regime under which these data can be accessed limits the universe of data subjects whose data are subject to transmission to the authorities, and requires prior authorisation of such transmissions in the shape of a duly justified order signed by the investigating judge. As such, it does not violate the principle of proportionality either.
The Court consequently found no unconstitutionality in the norm that imposes the duty on providers of publicly available electronic communication services and/or public communications networks to preserve the name and address of the subscriber or registered user to whom the IP address was attributed at the moment of each communication, for one year counting from the end of that communication.
The Public Prosecutors’ Office (MP) was legally required to bring the present appeal against an order by a criminal investigating judge denying a request to authorise the transmission of data identifying a user to whom a given IP protocol address was attributed. The user in question was a suspect in proceedings involving the investigation of facts capable of forming part of the commission of a crime of child pornography.
The investigating judge based his refusal on the view that a norm contained in Law no. 32/2008 of 17 July 2008, which transposed Directive no. 2006/24/EC of the European Parliament and the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks, was unconstitutional.
The object of the present appeal was linked to the so-called ‘metadata’, which are usually defined as ‘data about data’, because they concern the circumstances under which communications occur and not the content of those communications itself.
The Court said that for Portuguese legal purposes the term should be ‘traffic data’, because the latter was already defined in Portuguese Law.
The Court distinguished between: base data – those regarding connection to the network (the number and other data via which a user accesses the service); traffic data – the functional data needed to establish a connection or communication, and the data generated by using the network (e.g. user location, recipient location, date and time, and frequency); and content data – those regarding the content of the communication or message.
Unlike base data, the so-called traffic data and the so-called content data directly concern a communication itself, both in terms of identifiability and with regard to the actual content of the message or communication.
The grounds for the judicial order denying the Public Prosecutors’ Office’s request for authorisation of the transmission by the service provider of data identifying a user to whom a given IP address was attributed lay in an alleged unconstitutionality on the part of the applicable norm. In taking this position, the investigating judge relied on the Judgment of the Court of Justice in the case of Digital Rights Ireland (Joined Cases nos. C-293/12 and C-594/12), in which the CJ declared the invalidity of Directive no. 2006/24/EC of the European Parliament and the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks.
The Constitutional Court recalled that a declaration of the invalidity of an EU Directive has no automatic consequences for the validity or otherwise of a Portuguese legislative act transposing it. Even though the latter’s objective is to fulfil the duty to transpose a Directive, which is derived from EU Law, it possesses its own, autonomous source of validity and legitimacy.
The Court of Justice has no jurisdiction to consider the validity of national-law acts of Member States, and in the aforementioned Judgment, limited its analysis to the text of the Directive. The validity of the Portuguese transposing Law cannot be questioned just because the Union’s normative act was declared invalid.
However, the Constitutional Court said that this did not mean that in the present case it was unable to review the validity of the Portuguese Law in the light of the various applicable parameters – namely the International-Law parameters laid down in the European Convention for the Protection of Human Rights and Fundamental Freedoms, the EU-Law parameters enshrined in the Charter of Fundamental Rights of the European Union, and the Portuguese-Law parameters derived from the Constitution. Although it was appropriate to take the grounds on which the Court of Justice reached its decision into account, the Constitutional Court’s own considerations had to be autonomous from the latter.
When it transposed the Directive into the country’s national law, the Portuguese legislator broadened the framework of the regulations governing the data-storage process, going far beyond the requirements established in the Directive. Most of the criticisms aimed at the Directive by the Court of Justice were already covered in Portuguese Law, and the general view since the CJ handed down its Judgment has been that the latter does not affect the validity of the Portuguese transposing Law. As such, the Constitutional Court rejected the argument that the norm in question was unconstitutional and upheld the appeal.
- Portuguese Constitutional Court, Rulings nos. 241/02 (29-05-2002); 486/09 (28-09-2009); and 403/15 (27-08-2015).
- Court of Justice, Judgment of the Grand Chamber of 8 April 2014 in Joined Cases C 293/12 and C 594/12; Judgment of the Grand Chamber of 21 December 2016 in Joined Cases C 203/15 and C 698/15.
- Coimbra Court of Appeal (TR-C), Ruling of 03/10/2012, given in case no. 84/11.6JAGRD-A.C1.
(All Court of Appeal Rulings available at http://www.dgsi.pt/)
- Opinions of the Consultative Council of the Attorney-General’s Office (CCPGR) nos. 16/94, voted on 24/06/94, http://www.dgsi.pt/; 16/94 – complementary, voted on 2/05/1996, in Pareceres, vol. VI, pp. 535-573; and 21/2000 of 16/06/2000, Series II of the Diário da República of 28/08/2000.