Finding a balance between fighting crime and privacy – the use of metadata


Last April, the Portuguese Constitutional Court declared unconstitutional the provisions of articles 4, 6, and 9 of Law 32/2008 of July 17 (also known as the "Metadata Law"), which transposed into Portuguese law Directive 2006/24/EC of March 15, on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks. The ruling has made metadata one of the most discussed topics of the moment.

I.    Introduction

It is customary for the words "security" and "privacy" to appear side by side, associated, or at least on the same side of the scale. However, in certain cases, the two may actually collide. This is what happened in Portugal, as a result of the Constitutional Court ruling declaring the unconstitutionality, with general mandatory force, of the provisions of articles 4, 6 and 9 of Law No. 32/2008 of July 17 (also called the "Metadata Law"), which transposed into national law Directive (EU) No. 2006/24/EC, of March 15, itself created with the aim of implementing measures to combat terrorism. The articles declared unconstitutional required telecommunications and electronic communications service providers to retain all traffic and location data (the so-called "metadata") relating to all communications or attempted communications, for a period of one year, with a view to their possible future use for the prevention, investigation and prosecution of serious crimes.


II.    Background

The decision adopted by the Constitutional Court was actually expected by many, since the Court of Justice of the European Union ("CJEU") had already declared Directive (EU) No. 2006/24/EC invalid in April 2014. In fact, in 2017, the National Supervisory Authority ("Comissão Nacional de Proteção de Dados" - CNPD), as the competent entity for the supervision of data storage under Law 32/2008, issued a statement considering that this law violated the principles of proportionality and necessity, which materialized in an interference with fundamental rights.

As a result, the CNPD decided not to apply the administrative offenses that it would otherwise be responsible for applying when supervising the data retention obligation of electronic communications operators. Nevertheless, Portugal maintained Law 32/2008 in force, mainly because the declaration of invalidity of Directive (EU) No. 2006/24/EC was based on a set of assumptions and a lack of security measures that the Portuguese law covered.


III.    The decision of the Constitutional Court

The question then is: what has now led the Constitutional Court to declare Law 32/2008 unconstitutional? The Constitutional Court considered, firstly, that the right of data subjects to control and audit the processing of their data would be compromised because the law did not require data storage to take place in an EU Member State. Secondly, the Constitutional Court considered that an undifferentiated and generalized obligation to store all traffic and location data (metadata) concerning all individuals restricts the rights to privacy and informational self-determination in a disproportionate way. Such data reveal, at all times, aspects of citizens' private and family life, making it possible to track an individual's location throughout the day and to identify their contacts and the duration and regularity of their communications. The obligation also reaches subjects for whom there is no suspicion of criminal activity: the electronic communications of almost the entire population are covered, without any differentiation, exception or consideration of the objective pursued.

Additionally, the Constitutional Court declared unconstitutional the rule of article 9 of Law 32/2008, in the part that does not provide for a notification to the person concerned that the stored data were accessed by the criminal investigation authorities. The Court considered that this would deprive data subjects of effective control over the lawfulness and regularity of such access, in violation of the right to informational self-determination and the right to effective judicial protection.

Once the Constitutional Court's decision had been published, concerns began to be raised about the possible impact on cases in which there had already been a definitive decision (i.e. a final and unappealable decision).


IV.    The principles under discussion

In light of the Constitutional Court's decision, it is now up to the government to find a balance between fighting crime and the privacy of citizens. Traffic data (metadata) cannot be stored indiscriminately for all EU citizens, but it may be retained under certain circumstances, such as when there are reasonable suspicions that a serious crime may occur at a certain time and place. Especially in IT crimes, a person's IP address is an essential element for the discovery of the truth, both for the defense and the prosecution, and therefore forbidding ab initio any and all metadata retention may become a serious obstacle to fighting crime. On the other hand, metadata can reveal a lot of personal information about every citizen, even those who will never commit a crime.

However, it must be admitted that establishing practical criteria that may be applicable to the storage of metadata may be extremely difficult. A possible balancing path might be to apply the criteria adopted by the CJEU, which provides that general and discriminatory retention of traffic data may occur if there are concrete and specifically determined grounds to suspect the commission of a serious crime.


V.    Next steps – the position of the CNPD

In order to fill this legal void as soon as possible, new draft bills have already been presented. All are based on the assumption that there will no longer be a specific database storing data for a period of one year; instead, criminal investigation authorities would be given access to the databases held by telecom operators. However, all proposals were criticized by the CNPD, which underlined, in general terms, that the draft laws maintained the obligation of generalized storage of personal location and traffic data, allowing practically continuous knowledge of the location of each citizen, as well as of the identity of the people with whom each citizen relates by means of electronic communications. The CNPD also stated that, in order to comply with the right to provide information on data processing, the notification to data subjects now proposed in the new draft laws would have to be made not only to the persons under investigation, but also to all natural persons with whom there has been communication or attempted communication.

The President of the Portuguese Republic reiterated that he will request from the Constitutional Court a preventive review of the future law concerning metadata, in order to avoid any doubts in this matter.

It is expected that, in the near future, the government will be able to reach a consensus on a draft law governing the retention of metadata for the purpose of investigation, detection and prosecution of serious crimes, safeguarding the two pillars: security and privacy. It is not a matter of security prevailing over privacy or vice versa, but rather of a counterbalance between the two, both being constitutional rights that need to be protected.


Article provided by INPLP member: Ricardo Henriques (Abreu Advogados, Portugal)

Co-authors: José Maria Alves Pereira and Matilde Ortins Bettencourt.


