No changes to Estonian investigators' smartphone data collection after ECJ ruling
Authorities in Estonia on average duplicated data contained in nearly 1,500 smartphones per year, over the past five years, in the course of proceedings.
The European Court of Justice (ECJ) has however ruled that if a case and investigation is not pressing, authorities must obtain a court order to access data contained on a smart device owned by a private individual.
While the ruling will not change investigations practice in Estonia, it may do so in neighboring states.
Two weeks ago, the ECJ ruled that accessing the content of a smartphone without prior permission from a court or an independent authority was not permissible.
The court found that accessing all personal data as stored in a mobile phone in the course of a criminal investigation may constitute a serious, or even exceptionally serious, violation of the fundamental rights of the individual concerned.
Data such as messages, photos, and browsing histories can, depending on the situation, serve as a basis for extremely precise conclusions about that person's private life, the court found.
It may also include extremely sensitive information.
The ECJ ruling arose from a plaintiff challenging in an Austrian court the seizure of their mobile phone; the authorities in Austria took the matter to the ECJ.
The case saw Austrian authorities seizing the plaintiff's mobile phone following a drug control check which revealed that a package being sent to the same person contained 85 grams of cannabis.
The police in Austria then unsuccessfully attempted to unlock the mobile phone, to access the data contained therein.
The police had neither a prosecutor's nor a court's permission to do so, and did not document their attempts to unlock the phone, nor did they inform the plaintiff of those efforts.
The plaintiff only learned during proceedings of the attempts to unlock their mobile phone.
The complainant also claimed that the offense they had been charged with constituted a misdemeanor rather than a crime, as it carries a penalty of up to one year of imprisonment.
The court rejected this however, stating that a position where accessing data contained in a mobile phone was only permissible in the case of serious crimes would unjustifiably restrict the investigative competence of the authorities.
"This would lead to a heightened risk of impunity with offenses in general, so therefore a risk for the creation of the zone within the EU which is based on freedom, security, and justice," the ECJ found.
The ECJ also said however that tampering with privacy and data protection must be provided for by the law; this would mean the legislator of a member state must be able to determine with a sufficient degree of precision the circumstances to be taken into account, especially the nature or category of the offenses.
The ECJ found that conditions for accessing the data must include prior checks by either a court or an independent administrative body; conceding that this condition may not in practice always be met in cases of duly justified urgency.
"This control must ensure a fair balance between, on the one hand, the needs of the investigation in the context of the legitimate interests associated with the fight against crime and, on the other, the fundamental rights of the respect for privacy and the protection of personal data," the ECJ noted.
Police must in any case seek permission from courts in Estonia
Under domestic Estonian law, the police must always obtain a court order to access such data.
In Finland, the law is a bit more lenient in this regard, meaning the impact the ECJ ruling will have on police work is currently being debated north of the Gulf of Finland.
Estonia's Supreme Court found as early as 2021 – again in response to an ECJ decision – that requesting telecommunications data solely based on the prosecutor's permission is not in fact permissible.
Later, taking in to account another ECJ ruling, the Code of Criminal Procedure was amended, and since 2022, additional conditions for telecommunications data requests and the requirement for prior court permission have been established in Estonia.
Ministry of Justice spokesperson Sessi Popel told ERR: "With this under current law a court order is always required to obtain telecommunications data, even in pressing cases."
"Only information on the ownership of a smartphone and of an IP address can be requested without court permission," Popel added.
The Police and Border Guard Board (PPA) also said the same thing: In Estonia, a court grants that authority permission for investigative measures involving violations of fundamental rights, including searches, which also include the right to access data carriers belonging to the subject of the proceedings, such as their smartphones.
Ago Ambur, head of the Central Criminal Police Cybercrime Bureau at the, told ERR: "The content of smart devices gets duplicated for later examination, and it is not necessary to reapply to the court for permission to review that content."
When a final court order is made in a criminal case, or when the criminal case is closed, that data stored must be permanently deleted according to the provisions of the order or of applicable regulations.
The number of smart devices reviewed in this way by the police is rising every year, Ambur added.
Specifically, the number of smartphones whose data content has been copied by the PPA in proceedings over the past five years has averaged a little over 1,460 instances per year.
The highest figure came from 2021, when this happened in 1,694 cases.
According to Ambur, the ability to access the content of data carriers is a highly important tool in police work, without which it would be much more difficult.
"This method is undoubtedly extremely important for the police; it could even be said that it represents an indispensable instrument in solving and preventing serious crimes," he said.
Decision may impact police work in Finland
Accessing the content of smart devices is at least as important to the police in Finland, statistics show.
In Estonia's northern neighbor, the police reviewed the contents of 8,665 smartphones during the course of investigations last year, according to daily Helsingin Sanomat.
Under Finnish law, the police retain this right if the penalty for the crime under investigation would be at least six months' imprisonment in the case of a conviction.
This relatively low threshold (see Austrian case above) means that the decision to confiscate and search smart devices can be made even for minor offenses, such as vandalism.
In any case Finnish authorities primarily made use of this right last year in the investigation of crimes involving violence, illicit drugs and also in the case of sex crimes.
The Finnish police and Finland's Ministry of Justice are still assessing the impact of the ECJ ruling.
According to the ministry's initial assessment, the ECJ ruling may indeed change police practice, Helsingin Sanomat reported.
A legal expert who spoke to the paper said the decision was demonstration of the fact that the current Finnish police practice on access to smartphone contents has in fact not been in line with EU law.
The ECJ ruling does not affect the interception of voice phone calls or monitoring SMS and message transmissions. These currently also require a court order in Finland.
In a current case, businessman Parvel Pruunsild is suing the state over alleged misuse of his personal data, including that obtained from a smartphone, in the course of an investigation.
--
Follow ERR News on Facebook and Twitter and never miss an update!
Editor: Andrew Whyte