Abstract
The present paper examines a preliminary ruling on the principle of proportionality in criminal investigations involving digital data stored on mobile phones. The increasing reliance on technology in daily life has a significant impact on criminal proceedings. The data collected from these activities can provide insights into the private life of the user, which may be essential for law enforcement purposes. That said, police surveillance remains a controversial topic. In October 2024, the CJEU issued the C.G. judgment (Case C-548/21), addressing the conditions under which investigating authorities can access such data under the Law Enforcement Directive. While the CJEU has previously interpreted access to retained data for criminal investigations by public authorities, this case introduces notable changes, particularly concerning the processing of location and traffic data for non-serious crimes. In this regard, the article compares the newest case with the Prokuratuur case (Case C-746/18) in order to illustrate the main differences. The C.G. case, read in conjunction with recent Union developments, such as the adoption of the e-Evidence Regulation, reflects a shift in the EU’s approach to these issues. Additionally, it highlights the fragmentation of domestic legal frameworks governing retained data, underscoring the challenges in achieving a harmonized approach.
Introduction
By early 2024, 85% of criminal investigations involved digital data in the EU. 1 This phenomenon is due to various factors such as the digitalization of society, the use of emerging technologies by criminals for malicious purposes and the increasing reliance on technological advancements by law enforcement authorities to facilitate crime detection and investigation. As a result, the collection of digital evidence by law enforcement in the course of criminal investigations has become increasingly relevant and more frequent.
Despite this, police surveillance remains a highly controversial and debated topic, and many questions remain about the legal safeguards to ensure lawful access to digital data, against abuse of power and violations of the rights to privacy, data protection and the right to an effective remedy and a fair trial. In this regard, on 4 October 2024, the Court of Justice of the EU (CJEU) issued the C.G. judgment, assessing access by the police to digital data contained in a mobile telephone. 2 This preliminary ruling is particularly timely, as the Union is making efforts to ensure the effective investigation and prosecution of crimes in the EU by improving cross-border access to electronic evidence through enhanced judicial cooperation in criminal matters and an approximation of rules and procedures. 3 Examples of these efforts are the e-Evidence Regulation and Directive. 4 Nonetheless, while the Union instruments on cross-border evidence transfer, including the European Investigation Order Directive, provide a unified structure to this end, they do not aim to harmonize conditions for the collection of electronic evidence. 5
While the CJEU has previously interpreted access to retained data for criminal investigations by public authorities, this case introduces notable changes, particularly concerning the processing of location and traffic data for non-serious crimes. Some of the most relevant cases in this regard are the Ministerio Fiscal case, joined cases La Quadrature du Net a.o. and Privacy International and the Prokuratuur case. 6 There, the CJEU interpreted the access of public authorities to personal data retained by electronic communication providers for crime investigations, read in light of Article 15(1) of the e-Privacy Directive. 7
This case note begins with an analysis of the first and second questions referred to the CJEU and subsequently analyses the divergences between the interpretation provided in this case and that in the Prokuratuur case. Following this, it examines how the CJEU’s interpretation interplays with the newly introduced e-Evidence Regulation.
Summary of the judgment
Facts of the case and preliminary questions
On 4 October 2024, the CJEU issued the C.G. judgment, assessing access by the police to digital data contained in a mobile telephone. 8 In 2021, the Austrian police conducted a search of CG's residence as part of a criminal investigation initiated after they seized a package addressed to CG containing 85 grams of cannabis. CG was investigated for a minor offence under Austrian criminal law. During the search, police officers seized his mobile phone, which contained a SIM card and an SD card, and they later attempted to access the digital data contained in the mobile phone, without the authorization of the Public Prosecutor's Office or a court. 9
The Landesverwaltungsgericht Tirol (Regional Administrative Court, Tyrol, Austria), ruling on the criminal proceedings against CG, referred several questions to the CJEU. First, it asked whether Article 15(1) of the e-Privacy Directive requires access by public authorities to data stored on mobile telephones to be limited to fighting serious offences, due to its serious interference with the rights of privacy and data protection. The second question concerns the lawfulness of a domestic provision permitting access to all digital data contained in a mobile phone without prior authorization of a court or independent administrative body according to Article 15(1) of the e-Privacy Directive read in the light of Articles 7, 8 and 11 and Article 52(1) of the EU Charter of Fundamental Rights (the Charter). The third and last questions address the absence of an obligation to inform the owner of the mobile phone of such measures in the domestic law and its compatibility with the principle of equality of arms and the right to an effective judicial remedy enshrined in Article 47 of the Charter. 10 These last two questions are not addressed in this case note.
Findings of the judgment
The CJEU started by clarifying that the data processing operation in question falls under the Law Enforcement Directive (or LED), rather than the e-Privacy Directive, as the police are directly attempting to access personal data stored on the mobile phone without involving providers of electronic communications services. 11 Following this clarification, the CJEU proceeded to reformulate the questions referred to it. 12
Continuing the analysis of the scope of application of the LED, the Luxembourg Court held that the definition of a processing operation, laid down in Article 3(2) LED, covers any operation involving personal data, even if, as in the case at hand, police access was ultimately unsuccessful. 13 The non-exhaustive nature of this definition seeks to ensure a high level of protection of personal data, widening the material scope of the LED. 14 Despite the objection from some governments, the CJEU indicated that excluding attempts to access personal data contained in a mobile phone by state authorities from its scope would undermine this objective. 15 Given these considerations, these attempts should be regarded as processing operations within the meaning of the LED. 16
The CJEU then jointly addressed the first and second questions interpreting Article 4(1)(c) LED, in line with Articles 7, 8 and 52(1) of the Charter. The CJEU analysed whether all the requirements set by Article 52(1) of the Charter allowing the restriction of privacy and data protection rights (Articles 7 and 8 respectively), as non-absolute rights, are met in this particular case. 17
The CJEU began with the principle of proportionality, which requires that any limitation be necessary and genuinely meet objectives of general interest recognized by the European Union or the need to protect the rights and freedoms of others. 18 The investigation of criminal offences by the police aims to protect public security or national security, or to protect the rights and freedoms of others, constituting objectives of general interest. 19 Nonetheless, it is important to assess whether a limitation to privacy and data protection rights, such as unrestricted access to the digital data of a mobile device, is necessary and whether the objective pursued cannot reasonably be achieved just as effectively through other means that are less restrictive of the fundamental rights of the data subjects. 20 For that purpose, the CJEU determined that, when assessing the seriousness of the limitation, one must consider the nature and sensitivity of the data, the importance of the objective of general interest, the link between the owner of the mobile phone and the criminal offence in question and the relevance of the data for establishing the facts. 21
Concerning the nature and sensitivity of the data processed, the CJEU held that digital data stored on a mobile device involves different categories of personal data depending on the content of the mobile device in question and the choices made by the police. 22 The content data could involve not only traffic and location data, but also text messages, voice, videos, images, sound and the internet browsing history stored therein. 23 Furthermore, mobile phones could include sensitive personal data revealing racial or ethnic origin, political opinions and religious or philosophical beliefs, with such sensitivity justifying the specific protection afforded to them by Article 10 LED. 24 In accordance with this provision, sensitive data shall be processed ‘only where strictly necessary’. This is interpreted by the CJEU ‘as capable of being regarded as necessary solely in a limited number of cases’ (only) and that the necessity shall be ‘assessed with particular rigour’ (strictly necessary). 25 As such, the CJEU argues that this personal data processing must be regarded as serious or even particularly serious. 26
Another aspect of relevance when examining the proportionality of the serious interference is the seriousness of the offence investigated. Here, the CJEU acknowledged the importance of the data contained in a mobile phone for criminal investigations for all types of offences since it offers invaluable insights into criminal activities. 27 Following this, it seems that the CJEU left open the possibility of applying this investigative measure beyond serious crimes. In this regard, the access to the digital data must be previously justified by the existence of reasonable suspicions supported by objective and sufficient evidence. 28 Moreover, this limitation must be allowed by national law, which should define its scope with sufficient clarity and precision. 29
The CJEU stressed that the review of these safeguards shall be carried out either by a court or by an independent administrative body, which must ensure the ‘fair balance between, on the one hand, the legitimate interests relating to the needs of the investigation in the context of combating crime and, on the other hand, the fundamental rights to respect for private life and protection of personal data of the persons whose data are concerned by the access’. 30 This authorization must be granted before the start of processing operations that carry a risk of serious or particularly serious interference with fundamental rights, except in cases of duly justified urgency, where the review should take place within a short timeframe. 31 The authorization shall be rejected in those cases where the processing operation is disproportionate.
In its conclusion, the CJEU interpreted that national legal rules governing the concerned processing operations shall precisely define the nature and categories of offences concerned, respect the principle of proportionality and require prior review by a judge or an independent administrative body. 32
Analysis of the judgment
Relationship between the e-Privacy Directive and the LED
This is not the first time that the CJEU has assessed the limits and implications of the access to telecommunications and other digital data for the investigation of a criminal offence. The CJEU has developed over the years case law on data retention and access to retained data. For the purpose of this case note, one of the most recent cases in this regard, the Prokuratuur case, must be observed.
On 3 March 2021, the CJEU issued the Prokuratuur judgment analyzing access to traffic and location data in the course of a criminal investigation. The facts involve the collection of data related to electronic communications stored by a provider of electronic communication services, after authorization by the Estonian Viru District Public Prosecutor's Office, which was subsequently used as evidence. 33 The Estonian law in question allowed the general and indiscriminate retention of traffic and location data for one year, and envisaged access in relation to any type of criminal offence. Similar to the C.G. case, here the CJEU examined how the principle of proportionality affects the lawfulness of these processing operations in relation to the seriousness of the criminal offences investigated.
The CJEU interpreted this processing operation as a serious interference with the fundamental rights of the data subjects since it allows conclusions to be drawn concerning the user's private life, such as their habits, permanent or temporary places of residence, social relationships or social environments frequented by them. 34 In line with the principle of proportionality, only the objectives of combating serious crime or preventing serious threats to public security can justify public authorities accessing a set of traffic or location data that allows drawing precise conclusions about the private lives of the persons concerned. 35 Accordingly, when the data subject is connected to a non-serious or minor offence, the data processing shall be limited to the identification of the user concerned. 36 That said, the classification of offences falls under the competence of the Member States. Thus, by virtue of Article 15(1) of the e-Privacy Directive, there must be a correlation between the seriousness of the offence investigated and the seriousness of the interference with the rights of the person concerned.
In contrast, in the C.G. judgment, the CJEU, while reaffirming the importance of assessing the seriousness of the offence in relation to the seriousness of the interference, held that limiting access to data contained in a mobile phone exclusively to serious offences would undermine the objective of establishing an Area of Freedom, Security and Justice (AFSJ) as pursued by the LED. 37 Here, the scope of the processing operation is wider than in the Prokuratuur case, since it concerns not only traffic and location, but also photographs and the internet browsing history on that telephone, or even a part of the content of the communications made with that telephone, in particular by consulting the messages stored therein. 38 Furthermore, this information can potentially involve sensitive personal data. Therefore, it constitutes a serious interference with the fundamental rights guaranteed in Articles 7 and 8 of the Charter. 39
With this move, the CJEU deviates from the unequivocal instructions given in the Prokuratuur case, where access to traffic and location data was confined to cases of serious crime. In contrast, the interpretation of the LED in the C.G. judgment grants a more permissive approach based on the principles of proportionality and necessity through a case-by-case analysis. Thus, a general restriction on access to traffic and location data in cases involving non-serious crimes cannot be imposed. As noted by Advocate General Campos Sánchez-Bordona in the C.G. case, the case law on data retention concerns the systematic, general and indiscriminate retention of personal data by providers of electronic communications services for an undefined generic group. 40 This contrasts with access to information stored on an individual's mobile device in the course of an individual criminal investigation, which falls under the scope of the LED. 41 While this interpretation may not directly violate the principle of proportionality, it undoubtedly results in a double standard of protection for the same categories of data and broadens Member States’ discretion.
The Luxembourg Court draws a connection between allowing investigative powers for all types of crimes and reducing the risk of impunity, suggesting that proportionality standards should consider the effectiveness of prosecution. 42 However, caution is needed to avoid the recurrent confusion between effectiveness – essential to achieving objectives of general interest – and efficiency of technology, which relates to cost and/or time savings. 43 This blurred line is often invoked by law enforcement agencies, which emphasize limited resources, the increasing sophistication of criminal organizations and the need for rapid responses in a technologically evolving landscape.
Such arguments are increasingly present, even within the European Commission. For example, in January 2024, in the context of the Commission’s Proposal for a Regulation on migrant smuggling and trafficking in human beings – which includes amendments to Europol’s Regulation to assign new tasks to the agency, such as supporting Member States with the effective and efficient processing of biometric data – the Commission omitted the accompanying Impact Assessment. 44 This assessment is essential for evaluating the necessity and proportionality of new legislation, but its absence was justified by the Commission on the grounds of ‘urgent operational needs’ or having ‘little or no choice available’. 45
In my view, this exemplifies the risk of placing excessive emphasis on efficiency, which can lead to weaker proportionality standards by distorting the interpretation of how competing interests are balanced. This, in turn, may result in unjustified limitations on privacy and data protection rights. Instead, investigative measures – such as those granting access to phone data – must demonstrably enhance or expedite criminal investigations while also representing the least restrictive means, in accordance with the principle of proportionality. Therefore, the efficiency of a technological solution should be considered alongside other critical factors, such as the level of intrusiveness, the evidential value of the data accessed, the scope of the measure, the gravity of the offence and the potential impact on fundamental rights, among others, as interpreted in the C.G. case.
While the AG explicitly stated that the involvement of service providers is of secondary importance, this aspect appears central to the issue as it determines the applicable legal regime. 46 These two distinguished legal regimes regulate data protection safeguards with different thresholds owing to their different nature.
On the one hand, the LED is directly linked to the AFSJ and the area of criminal law, both deeply rooted in domestic political, social and constitutional systems. 47 The nature of this field presents significant challenges in developing a uniform data protection framework, leading to fragmentation across different national systems. 48 Efforts to approximate the AFSJ have consistently faced obstacles, as Member States are reluctant to cede sovereignty and legal diversity in this sensitive area. 49 This is particularly evident in the CJEU's approach to interpreting the LED, where the Court acknowledges the complexities of reconciling the objectives of both policies and adopts a cautious stance, allowing Member States, and particularly national courts, considerable discretion.
On the other hand, the CJEU's approach to the e-Privacy Directive is one of a kind, as illustrated by the precedent-setting Digital Rights Ireland judgment. 50 The CJEU declared the Data Retention Directive invalid for failing the proportionality test, but (naturally) did not address the validity of the domestic provisions transposing it. 51 Consequently, numerous preliminary questions were brought before the CJEU, not only concerning data retention standards, but also the criteria governing state authorities’ access to retained information. 52 It is essential to stress that the Data Retention Directive was lex specialis to the e-Privacy Directive, further developing Article 15(1) of the latter. 53 As a result, the CJEU took a strong stance in shaping the legal limits for investigation measures involving personal data stored by service providers, reducing Member States’ discretion, even though such measures fall within national security, an area outside of EU competence. 54 In doing so, the CJEU expanded the reach of EU law, determining that such measures could fall within the scope of application of the e-Privacy Directive. 55 Furthermore, it set a high threshold permitting access to such data only under specific exceptions exclusively due to the restrictive nature of Article 15(1).
Both the CJEU and the AG made several references to the case law on data retention in the C.G. ruling without clarifying whether this new criterion should be extended to individual criminal investigations under the e-Privacy Directive. Additionally, there is not a clear distinction between data retention case law and the C.G. judgment. These interpretive discrepancies raise questions about the different thresholds applicable to both types of law enforcement access to digital data, depending on the involvement of service providers. This could lead to inconsistencies in the protection of fundamental rights of the individuals affected, especially considering that access to a mobile phone, including spy software technologies, may allow authorities to visualize data stored by communication service providers without their involvement. 56 As a result, the scope of access could be even more extensive.
One could point out elemental similarities between both cases. Mainly, the CJEU concluded that access to retained traffic and location data constitutes a serious (or even particularly serious, in the C.G. ruling) interference with the fundamental rights of the data subject; and the facts involve an individual criminal investigation and similar categories of personal data. Despite this, the conclusions diverge significantly. For instance, in the Prokuratuur ruling, due to its link to a general and indiscriminate retention of communication data, a more restrictive interpretation applies. 57 Moreover, under the data retention case law, even in cases of ‘targeted retention’ of traffic and location data – which, similarly to the C.G. case, requires objective evidence to justify the measure – access is restricted to combating serious crime. 58 This illustrates the interdependence between retention and subsequent access to traffic and location data leading to the application of the CJEU's case law on the matter.
It is worth mentioning that, in C.G., the CJEU reaffirmed the obligation to obtain authorization prior to accessing digital data stored on the mobile phone directly by public authorities in cases of serious interferences, as established in its previous decisions, even in urgent cases. 59 While this measure includes safeguards for the protection of fundamental rights, the matter is ultimately left to the discretion of domestic judges and national law. Consequently, varying interpretations of proportionality – and level of fundamental rights protection – will emerge, with some Member States applying more flexible standards than others. It undoubtedly shows the Luxembourg judges’ unwillingness to engage in judicial activism, which is not surprising. Police surveillance is a controversial topic, as debates on the use of emerging technologies by law enforcement have revealed. 60 Additionally, even in data retention cases, while generally adhering to its established jurisprudence, the CJEU has gradually opened the door to new exceptions permitting state authorities to access retained data. 61
Impact on judicial cooperation: e-Evidence Regulation
The disparities exposed could impact the mutual recognition of judicial decisions, particularly in the context of cross-border evidence gathering. The interdependence between mutual trust and mutual recognition and fundamental rights protection is undeniable. 62 It does not only require common EU standards, as established by the LED, but also a harmonized interpretation and implementation. 63 Therefore, a common interpretation or further clarification on the lawfulness of accessing mobile data for criminal investigations would be highly beneficial, given the growing importance of this type of evidence in criminal proceedings.
Following this, it is important to assess the e-Evidence Regulation, which entered into force on 17 August 2023 and will apply from 17 August 2026, introducing a new instrument for the cross-border gathering of electronic evidence. It allows authorities to directly request stored data from a designated establishment or the legal representative of service providers in the context of a criminal proceeding. 64 Such requests must be made through a European Production Order (EPO) or a European Preservation Order (EPrO). The Regulation will apply in cross-border cases when the data is stored by a service provider offering services in the Union and that is established in another Member State, or, if not established, represented by a legal representative in another Member State (cross-border element). 65
The EPrO orders the service provider to preserve or retain electronic evidence, including stored traffic, content and subscriber data. 66 The EPO, by contrast, is a decision ordering access to electronic evidence. 67 The latter allows law enforcement to access such data through a provider of communication services, similar to the processing operations examined in the Prokuratuur case. For this reason, this assessment will focus on the EPO.
On the one hand, the scope of the e-Evidence Regulation is not restricted to serious crimes. It applies to offences punishable in the issuing State by a custodial sentence of a maximum of at least three years, as well as certain crimes wholly or partially committed using information systems, among others (see Article 5(4) of the e-Evidence Regulation). 68 According to the Commission Staff Working Document Impact Assessment for the e-Evidence Regulation, limiting the EPO to serious crimes was dismissed early in the legislative process. 69 Such a restriction was considered to have a potential negative impact on investigations into offences like cybercrime or fraud, which, although not classified as serious crimes, often rely exclusively on electronic evidence. 70 Moreover, without the EPO for non-serious offences, requests would default to the EIO Directive, creating the same challenges. 71
Furthermore, both investigation measures shall be proportionate and ‘may only be issued if a similar order could have been issued under the same conditions in a similar domestic case’. 72 The reference to domestic law raises questions about the compatibility of the Regulation with national provisions restricting the access to traffic, location and content data to serious offences, in compliance with the CJEU's case law. Moreover, the absence of a legal framework on data retention will inevitably impact the effectiveness of the new instrument, highlighting the pressing need for a common ground in this regard. 73
On the other hand, in line with the relevant case law, the Union legislator recognized the significant interference with fundamental rights when accessing traffic data and content data, imposing the additional obligation to obtain mandated judicial validation for EPOs issued by investigating authorities. 74 This validation mirrors the requirement for authorization emphasized by the CJEU in prior rulings, reinforcing this case law within the new instrument.
As a result, this approach introduces great discrepancies in the level of protection for individuals’ rights. Specifically, in purely domestic criminal investigations, the rights granted may differ from those applicable in cases with a cross-border element where the EPO applies, even for non-serious offences. Moreover, this disparity could arise in cases that appear to have no cross-border dimension – for instance, where the service provider is established outside the Member State versus the same case where the service provider is located within that Member State.
Conclusion
In conclusion, this judgment marks a departure from the data retention case law. Access to mobile phone data is of growing relevance given that cybercrime, terrorism and other modern threats increasingly rely on digital technologies. Thus, quick and efficient access to digital evidence is often presented as critical for investigating and prosecuting these crimes. That said, it remains a highly debated issue, as arguments based on efficiency can lead to a stretch of the proportionality principle, posing a potential risk to the protection of fundamental rights.
The C.G. case illustrates this new paradigm, where the Luxembourg Court attempted to guide national courts in their task of critically balancing the benefits of surveillance measures and the respect of the principle of proportionality and, ultimately, fundamental rights.
First, the Court now explicitly interpreted that direct access to data stored on mobile phones is not restricted to serious offences in line with the LED, provided that the investigation measure is necessary and proportionate. Second, the judgment reaffirms the obligation to obtain authorization from a court or an independent administrative body before initiating the processing operation.
Unlike the Prokuratuur case, which offered a straightforward interpretation limiting the use of such data to serious crimes, the C.G. case grants discretion when the aforementioned requirements are met. It appears that there is a shift from clear legal limits toward a more permissive interpretation of law enforcement powers. Arguably, by placing the responsibility on national judges to assess the proportionality of these investigative measures, the Luxembourg Court missed an opportunity to prevent national interpretations that may weaken or narrow the protection of the rights of the data subjects in criminal investigations when it comes to access to telecommunication data. The Court could have provided guidance to the referring court in line with the data retention case law, thereby filling the gaps left by the Union legislator – as illustrated by the requirement for judicial authorization, which is not explicitly stipulated in the LED.
Furthermore, the present judgment, read in conjunction with recent Union developments, such as the adoption of the e-Evidence Regulation, reflects a shift in the EU’s approach towards these issues. This new instrument introduces an additional layer – cross-border cooperation – and it provides a legal basis to investigative authorities to directly request stored traffic, location and content data from service providers, even in cases that do not involve serious offences. Undoubtedly, the implementation of this instrument, combined with the CJEU's interpretations, will put the data protection framework – and potentially the principle of proportionality – to the test.
The growing evidentiary relevance of electronic evidence necessitates a balance between privacy rights and clear safeguards ensuring lawful access to retained data for law enforcement purposes. However, as the case law stands, the C.G. case risks increasing discrepancies in evidence collection practices across the EU. Although fragmentation stems from the particular characteristics of the AFSJ, based on the principle of mutual recognition of judgments in criminal matters and founded on the principle of mutual trust, these new developments introduce great discrepancies in the level of protection for individuals’ rights when substantially similar investigation measures apply. 75 However, the principle of mutual recognition does not replace the need for common minimum standards; rather, such standards are essential to ensure mutual trust and the proper functioning of judicial cooperation.
These latest developments underscore the pressing need for a harmonized EU framework regulating access to electronic data for law enforcement purposes. Establishing clear and binding obligations for investigative authorities, alongside robust safeguards for individuals’ fundamental rights in line with case law, would enhance legal certainty for service providers, law enforcement and defence lawyers while reducing the existing fragmentation among Member States. Unfortunately, this clashes with the unforeseeable status of an agreement on the adoption of the e-Privacy Regulation, as revealed in the Commission work programme 2025, and the absence of news of any draft proposal of new legislation on data retention, despite being the elephant in the room. 76
Declaration of conflicting interests
The authors declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Funding
The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This work was supported by the European Institute of Public Administration as part of her employment relationship with the organization.
Author biography
Before joining EIPA, she was part of the Data Protection Function at EUROPOL as a policy and legal research assistant. During this experience, she focused on researching the protection of fundamental rights, primary data protection and privacy rights within the context of police cooperation and criminal matters. Previously, she worked as a legal and compliance specialist, providing legal advice on criminal matters related to anti-money laundering, countering terrorism law and international sanctions.
Sharon holds a Master's degree in International and European Law (LLM) from Radboud University and a Bachelors of Law from Carlos III University of Madrid.
