On April 30, 2024, the Court of Justice ruled in Procura della Repubblica presso il Tribunale di Bolzano (C-178/22), addressing the interpretation of Article 15(1) of the e-Privacy Directive 2002/58. The Court clarified that Member States have the discretion to define ‘serious crime,’ which permits derogations from communication confidentiality for criminal investigations. However, judicial authorities must ensure that any interference with data protection rights is justified by the seriousness of the crime in specific cases, adding a layer of protection for individuals.

Background

The case involved a request by a public prosecutor for judicial authorization to access traffic and location data to identify perpetrators of aggravated mobile phone theft. Italian law permits such access for crimes punishable by at least three years of imprisonment, given sufficient evidence of the crime. The referring court questioned the compatibility of Italian law with Article 15(1) of the Directive, particularly regarding proportionality and the definition of ‘serious crime.’

The Court’s Ruling

The Court addressed two main issues:

1. Definition of Serious Crime: It confirmed that Member States could define ‘serious crime,’ reflecting their social realities and legal traditions, as long as they respect EU principles and fundamental rights, particularly proportionality.
2. Judicial Discretion: National laws allowing data access for serious crimes must be complemented by judicial review. Courts must assess if the crime justifies the data access request, ensuring that the intrusion into privacy is proportionate to the crime’s seriousness.

The Court ruled that national laws should not automatically justify data access; judicial authorities must have the discretion to refuse access if the crime is not serious enough.

Significance of Judicial Review

The judgment emphasizes balancing national security interests with privacy rights, especially in the digital age where data-driven investigations are common. Judicial discretion is crucial to preventing potential government overreach and ensuring that exceptions to privacy rights are not misused. This decision reinforces that national security measures and the use of advanced technologies in investigations must comply with EU law and fundamental rights both in general legislation and specific cases.

Conclusion

The Court’s ruling strengthens individual protections by ensuring judicial oversight in data access cases, thus maintaining a balance between privacy rights and the needs of criminal investigations. This decision empowers judicial authorities to define ‘serious crime’ in practice, safeguarding against disproportionate intrusions into privacy.