tabulati telefonici

Court of Justice: access to phone records and (un)serious crimes

In case no. C-178/22, which originated from a reference for a preliminary ruling by the Court of Bolzano, the Court of Justice issued a significant decision regarding judicial authority access to telephone records of electronic communication service providers.

Under Italian law, this type of access is limited to specific crimes-which includes aggravated theft-provided there is authorization from a judge. The Court reiterated that authorized access must relate only to individuals who are suspected of having committed serious crimes, with the clarification that the definition of what constitutes a “serious crime” must in each case be identified by individual member states.

However, the Court has made it clear that the court responsible for authorization must have the power to deny or restrict such access if it determines that the injury to an individual’s fundamental rights-privacy and personal data protection-is excessive in the face of an offense considered manifestly not serious “in light of the social conditions existing in the member state concerned.”

The main proceedings

After two reports of cell phone thefts, two criminal cases were registered with the Bolzano Public Prosecutor’s Office for aggravated theft under Articles 624 and 625 of the Criminal Code. In order to identify the perpetrators of the thefts, the prosecutor had requested permission from the Judge of Preliminary Investigation in Bolzano to acquire telephone records from telecommunications service providers. The requests included a wide range of data, including utilities, IMEI codes, websites visited, times and durations of communications, cell location data used, and the personal details of the utilities’ holders.

The heart of the issue raised by the Judge for Preliminary Investigation concerns the compliance of Article 132(3) of the Privacy Code[1] (governing the retention of traffic data for the detection and prosecution of crime) with Article 15(1) of Directive 2002/58/EC, as interpreted by the Court of Justice in its March 2, 2021, judgment, Prokuratuur[2].

The Italian legislation, in detail, allows access to phone records to prosecute crimes punishable by imprisonment of at least three years, a criterion that the referring judge feared could also include less serious crimes, such as cell phone theft, certainly not considered serious threats to public safety.

According to the Prokuratuur judgment, such data accesses are justifiable only if they are aimed at combating serious crimes, such as serious threats to state security, and should be proportional to the severity of the interference with fundamental rights, based on Articles 7, 8 and 11 of the Charter of Fundamental Rights of the European Union[3]. The Bolzano judge had thus expressed doubts about the wide discretion left to the Italian legislature and the risk of an overly broad application of this rule, in violation of the principle of proportionality.

Doubts about the issue

Incidentally, the Court ruled on the admissibility of the question, which was contested by the Italian and Irish governments. In particular, they argued that the court’s request took on a hypothetical character, also asking about the compatibility of Article 15(1) of Directive 2002/58 with other less serious offenses other than those in the main proceedings.

However, case law[4] of the European Court has already ruled that requests by national courts for interpretation of EU law are generally considered relevant and admissible unless it is clear that the request has no connection with the facts of the case or the subject matter of the main proceedings, or that the problem is purely hypothetical. In addition, the Court has a duty to respond to questions raised when they concern the interpretation of Union law.

On the contrary, given that the court reproduced in full the wording of Article 132(3) of the Privacy Code in the preliminary ruling question, and given that this encompasses the offenses for which data access authorizations were requested in the present case, the court held that the question was not hypothetical in nature and was therefore admissible.

The preliminary question

The Court considered to clarify in the introduction its power to intervene in preliminary reference cases. And in particular, he reiterated that he could not interpret the national legislation of individual member states or verify its compliance from EU law. In fact, under the Article 267 procedure, the Court can only interpret Union law within the limits of the Court’s jurisdiction.

And even if the question is improperly phrased, the Luxembourg courts can only identify the elements of Union law that require interpretation on the basis of the matter at hand, including by considering rules not considered by the national court.

With respect to the matter under discussion, a critical element in recent case law cited in the ruling is the need for data retention to be both limited and differentiated according to the severity of the crimes. Indeed, access to data should not be generalized or undifferentiated but must be specifically justified by legitimate and serious objectives, such as combating severe forms of crime or preventing serious threats to public safety.

Another relevant aspect, moreover, concerns the prior control of such access. National legislation, in the opinion of the decider, should provide for independent judicial or administrative supervision to ensure that any access to data is justified and limited to cases where it is strictly necessary. This control is essential to ensure that abuse does not occur and that access to data is made only when actually justified by circumstances that make it proportional and necessary.

The Court also made it clear that the seriousness of the interference is not mitigated by the short duration of the data collection period (two months in this case). In fact, the set of data collected is in every case capable of revealing significant details about the private lives of the individuals involved.

The ruling, then, specifies that it is irrelevant to the assessment of the severity of the interference with fundamental rights that the data accessed belonged not to the original owners of the phones but to the people who used them after the thefts. Directive 2002/58, in fact, requires confidentiality of electronic communications and traffic data regardless of the identity of the users; for these purposes, “user” is defined as any natural person who uses such services for private or commercial purposes, regardless of whether or not he or she subscribes to the service.

Finally, the question includes consideration of what crimes can be considered sufficiently serious to warrant interference with fundamental rights guaranteed by the Charter. The definition of “serious crimes” must reflect a balance between the need to combat crime and the need to protect the fundamental rights of individuals. Member states do have some discretion in defining these offenses-due in part to differences in social realities and legal traditions-but they must exercise it in a way that respects the principles of proportionality and necessity, without overextending the scope of access to personal data.

Also in light of the April 5, 2022, judgment, Commissioner of An Garda Síochána and Others,[5] the Court criticizes the Italian legislature’s choice to identify a particularly low edictal threshold for “serious offenses” such as that under Article 132 paragraph 3 Privacy Code.

The identification of such crimes in national law allows for very intrusive access to individuals’ communications; therefore, it should not be so broad as to make access to such data the rule rather than the exception. Consequently, it cannot encompass most of the crimes in the system, which is what happens with a threshold of imprisonment set at an excessively low level-as is the three-year threshold in the present case.

At the same time, a reading of the national legislation leads the Court to believe that even such a low threshold does not necessarily violate the principle of proportionality. Indeed, where the requested data do not allow precise conclusions to be drawn about the lives of the people to whom they belong, access may not constitute a serious interference deserving of protection.

However, at the same time, the national court must be able to deny or limit access whenever it finds that there is indeed serious interference in the face of a manifestly non-serious crime.

The decision

Therefore, in light of this reasoning, the Court established the following principle of law: “Article 15(1) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter of Fundamental Rights of the European Union, must be interpreted as meaning that it does not preclude a national provision which requires the national court – when intervening in a prior check following a reasoned request for access to a set of traffic data or location data capable of allowing precise conclusions to be drawn as to the privacy of the user of an electronic communications medium, stored by providers of electronic communications services, submitted by a competent national authority in the context of a criminal investigation – to authorize such access if the latter is requested for the purpose of the investigation of offences punishable under national law by a term of imprisonment of not less than a maximum of three years provided that there is sufficient evidence of such offences and that such data are relevant for the establishment of the facts, provided, however, that such court shall have the possibility of denying such access if the latter is requested in the context of an investigation concerning a manifestly non-serious offence, in the light of the social conditions existing in the Member State concerned.”

Avv. Antonio Laudisa
Avv. Marco Della Bruna



Download the Court’s ruling here.


[1] D. Lgs. 196 of June 30, 2003.

[2] Case C-746/18.

[3] Article 7 – Respect for private and family life.
“Everyone has the right to respect for his or her private and family life, home and communications.”

Article 8 – Personal data protection
“1.Everyone has the right to the protection of personal data concerning him or her.
Such data must be processed in accordance with the principle of fairness, for specified purposes, and on the basis of the data subject’s consent or other legitimate basis provided by law. Every person has the right to access and obtain rectification of the data collected about him or her.
Compliance with these rules is subject to monitoring by an independent authority.”

Article 11 – Freedom of Expression and Information
“1. Every person has the right to freedom of expression. This right includes freedom of opinion and freedom to receive or communicate information or ideas without interference by public authorities and without boundary limits.
2. The freedom of the media and their pluralism shall be respected.”

[4] Judgment of March 21, 2023, Mercedes-Benz Group (Liability of manufacturers of vehicles equipped with handling equipment), C-100/21, EU:C:2023:229, para. 52 and case law cited

[5] Case C-140/20.