Advocate General Giovanni Pitruzzella presented his opinion on the Estonian data retention law, advising on how Member States may arrange the contentious retention of personal data for law enforcement purposes while keeping in line with Union law (opinion of 21 January 2020, Case C-746/18, H.K. v Prokuratuur).

The case is related to criminal proceedings against HK for several robberies, fraud, and violence against parties to court proceedings. The criminal court of first instance based H.K.’s conviction on, inter alia, reports drawn up using data relating to electronic communications in accordance with the established Estonian data retention law. The investigating authority had obtained the data from a telecommunications service provider in the pre-trial procedure, after having been granted authorisation from an assistant public prosecutor. The data provided insight into the location, length, partners, etc. of the accused’s communication within a given period of time. HK argued that the reports are inadmissible evidence and his conviction therefore unfounded.

The Estonian Supreme Court, indeed, had doubts on the compatibility with EU law of the circumstances in which investigating authorities had access to that information. The Estonian Supreme Court raised the question of whether Art. 15(1) of Directive 2002/58/EC on privacy and electronic communications, read in the light of Arts. 7, 8, 11, and 52(1) CFR, must be interpreted as meaning that the categories of data concerned and the duration of the period for which access is sought are among the criteria for assessing the seriousness of the interference with fundamental rights that is associated with the access by competent national authorities to the personal data that providers of electronic communications services are obliged to retain under national legislation.

AG Pitruzzella confirmed this view. Examining the lessons learned from the judgments in Tele2 Sverige/Watson (Joined Cases C-203/15 and C-698/15, see eucrim 4/2016, p. 164) and Ministerio Fiscal (Case C-207/16, see eucrim 3/2019, pp. 155-157), the AG concludes that both the categories of data concerned and the duration of the period for which access to these data is sought are relevant. He further states that, depending on the seriousness of the interference, it was up to the referring court to assess whether this access was strictly necessary to achieve the objective of preventing, investigating, detecting, and prosecuting criminal offences.

In addition, the Estonian Supreme Court posed the question of whether the public prosecutor who granted access – also in view of the various duties assigned to it under Estonian law – can be considered an “independent” administrative authority. This question refers to the CJEU requirement set out in its Tele2 Sverige/Watson judgment in that access to retained data “should, as a general rule, … be subject to a prior review carried out either by a court or by an independent administrative body, and that the decision of that court or body should be made following a reasoned request by those authorities submitted, inter alia, within the framework of procedures for the prevention, detection or prosecution of crime.” The AG maintains that this requirement is not met by the public prosecutor’s office, because it is responsible for directing the pre-trial procedure, on the one hand, while also being likely to represent the public prosecution in judicial proceedings, on the other.

The AG’s opinion on the Estonian data retention law comes shortly after the opinion of his colleague Manuel Campos Sánchez-Bordona, who examined the general lawfulness of data retention regimes in France, Belgium, and the UK. The topic of data retention will continue to keep the CJEU busy.