Constitutional Court: The Criteria for Access to Traffic Data Too Loose

12.12.2023

Slovenia’s Constitutional Court found the provisions of the Criminal Procedure Act (CPA) enabling the prosecution (police) to access and seize traffic data (data about the circumstances of a communication) to be disproportionate and therefore in violation of the constitutionally guaranteed freedom to communication privacy. The Court set a one-year period in which the Parliament is to amend the CPA accordingly.

The relevant CPA provisions allowed for a criminal court to issue a subpoena to the telecommunication or information-society provider, forcing them to send relevant data about a certain communication (i.e., traffic data; never the contents of the communication) to the police or/and prosecution, if such data was necessary (“need to be acquired”) for the discovery, prevention, or proof of a criminal act. The subpoena could relate not only to the communication of the suspect of a criminal act but also to the communication made by the criminal act’s victim or by a person whose communication could reveal the suspect’s location.

According to the CPA, the subpoena could have been granted in case of a “reason to suspect” that a criminal act was carried out or is being carried out or is being prepared or organized. There was a list of criminal acts in relation to which the subpoena could have been granted. In addition, the CPA provided for the possibility of real-time traffic data relaying/broadcasting if a criminal act in question was punishable by more than a year’s imprisonment or if the owner of the communication device in question agreed to it.

The Constitutional Court observed that the Constitution of the Republic of Slovenia is rather strict when it comes to the derogation of one’s communication privacy. It also stressed out that in certain cases traffic data might provide even deeper insight into someone’s life, habits and relations than the contents of the communication itself. Therefore, in the Court’s view, the provisions in question failed to pass the constitutional test of proportionality. Namely, the Court found that:

  • the required standard of “reason to suspect”, as opposed to the probable cause, was too broad, meaning that subpoena could have been used against many persons, including the ones absolutely not connected to the criminal act,
  • there were neither limitations with regard to the time period for which it was possible to request the traffic data nor any criteria to ascertain that time period,
  • since, in line with the ECHR and the CJEU jurisprudence, the derogation of communication privacy should only be allowed for the most severe criminal acts, hence the catalogue of the criminal acts in the CPA that could trigger the subpoena was too broad.

The relevant CPA derogation by the Constitutional Court was not the first one in the field of communication privacy. Sadly, here the Parliament and the Government seem to have a particularly hard time striking a balance between (the legitimate goal of) fighting crime and respecting people’s constitutional and convention rights. 

 

Article provided by INPLP member: Boris Kozlevcar (JK Group d.o.o. /  JK Group ltd, Slovenia)

 

Discover more about the INPLP and the INPLP-Members

Dr. Tobias Höllwarth (Managing Director INPLP)

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.