Introduction

Location data allows determination of the profile and routine of life, the place where one stays and for how long one stays in a given place. The collection, processing and storage of such data is an interference in the right to privacy (Article 8 of the ECHR, Articles 7 and 8 of the Charter). Constant monitoring of an individual’s behaviour, wherever they are, may give the impression that he/she is under constant surveillance. There is no doubt, however, that location data can provide relevant information that can assist authorities involved in criminal proceedings. Intervention into the sphere of privacy of an individual is warranted as long as it serves the purposes indicated in art. 8 sec. 2 of the ECHR, and the interference itself fulfils the condition of proportionality and necessity in a democratic society. The restriction of the rights of an individual must be proportionate to the aims that the procedural organs wish to achieve, and the expected positive consequences (ensuring public safety, combating crime) must exceed the negative consequences of violating rights and individual freedom.

In EU law, as defined in Directive 2002/58/EC and of the Council of 12th July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (hereinafter: Directive on privacy and electronic communications; Directive 2002/58) “location data” is understood as “any data processed in an electronic communications network, indicating the geographical location of the terminal equipment of a user of a publicly available electronic communications service”. They are considered a type of “personal data” within the meaning of Directive 2016/680 of the European Parliament and of the Council of 27th April 2016 on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of crime prevention, investigation, detection and prosecution of offences and execution of punishments, on the free movement of such data and repealing Council Framework Decision 2008/977 / JHA (hereinafter: Directive 2016/680). The Strasbourg Court - in view of the absence of a separate definition of location data in legal acts adopted at the forum of the Council of Europe - uses the definitions adopted in the European Union.

The CJEU and the ECtHR emphasise the need to balance the interests of the individual and the protection of public safety. The rights to privacy and confidentiality of location data are an important value in a democratic society, but in justified cases, e.g. in connection with the need to fight and prevent crime, it is permissible to interfere with the rights of an individual. Based on the case law of the European Courts and current legislation, it is possible to establish rules for the collection of location data in national law for the purpose of using this data in criminal proceedings. Before analysing this issue, however, it should be clarified how the procedural authorities can obtain location data. Following the ECtHR jurisprudence, the following can be distinguished:

1) real-time data collection (e.g. using GPS transmitters), and

2) obtaining “historical” data, i.e. retained by telecommunications service providers (e.g. from radio transmitters) or collected by applications installed on smartphones and saved on these devices (e.g. data on places where one connects to the wifi network, data derived from Google maps).

As for the technical aspects of locating, for example a smartphone user, it is possible to indicate systems based on: 1) obtaining location data based on GPS; 2) connecting the smartphone to the wi-fi network; 3) GSM technology; 4) determining the location of the radio signal; 5) GNSS. The technical aspects of collecting and obtaining location data - although important for smartphone users, tablets, etc. - are of little importance from the perspective of establishing the rules for accessing this data. Whatever the information gathering technique, access can only be obtained in two ways - either in real time or ex post.

Interference in the privacy of individuals cannot be arbitrary - state authorities cannot ‘cut corners’ to ensure security and public order. Although the technical possibilities for tracking an individual’s behaviour are almost unlimited, they should not be overused. The aim of this paper is to determine whether there is a common European standard for the gathering and processing of location data to prevent and combat crime. The ECtHR and the CJEU are increasingly addressing this issue. However, the question arises whether, at this stage, it is reasonable to claim that a standard has already emerged.

The jurisprudence of the ECtHR and the CJEU is structured according to the way in which data is collected, i.e. either in real time or ex post (from mobile phone companies). The decisions of the Strasbourg and Luxembourg tribunals were analysed chronologically. This method made it possible to show the evolution of the case law and the attempt to adapt the rulings to changing technical conditions.

2. Limitation of the right to privacy - general rules

The collection of location data in the case-law of the ECtHR is considered under Art. 8 of the ECHR. In assessing a complaint of a breach of the right to privacy, the Court takes into account three factors:

1.the existence of legal bases in domestic law allowing interference in the sphere of privacy of an individual;

2. the implementation by public authorities of the objectives indicated in Art. 8 sec. 2 of the ECHR

3. the necessity to interfere with the right to privacy in a democratic society.

The requirement that any interference with the individual’s right to privacy be properly grounded in national legislation is tied to the necessity of ensuring the predictability of the procedure. In the judgement in the case Roman Zakharov against Russia, the Court recalled that the predictability of the proceedings does not mean that a given person should be able to predict when discreet surveillance measures will be imposed on him and therefore be able to adapt his behaviour to the situation. The point is, however, to define the limits of the legality of the actions of public authorities, in order to prevent arbitrary interference with the privacy of an individual. The minimum guarantees that should be provided are:

1.determination of the nature of crimes in cases for which covert surveillance measures may be applied, but the catalogue cannot be too wide; 2. defining the categories of persons against whom covert surveillance measures may be taken; 3. setting a time limit for the application of these measures; 4. establishing a procedure for testing, using and storing data; 5. introducing precautionary measures when communicating data to other people; 6. specifying the circumstances when data may be deleted or destroyed.

The ECtHR also points to the necessity of finding an appropriate balance between the interests of the state and the pursuit of public security (and achievement of the objectives of Article 8 (2) of the ECHR). The margin of freedom of states in introducing specific normative solutions is limited and subject to “supervision” of the Tribunal in Strasbourg. Technical measures aimed at protecting a democratic society must not lead to the destruction of democracy in a given country. When interpreting the concept of “necessity”, the Court indicates that it should be understood as a situation in which the interference is justified by a pressing social need, proportionate to the legitimate aim pursued. Therefore, it is crucial to put in place effective and adequate procedural guarantees to prevent possible abuses. The nature and type of procedural guarantees depend on the degree of interference with the privacy of the individual. The more intrusive the activity is, the stronger these guarantees should be provided for the individual.

3. Real-time data collection

3.1. Real-time data collection in the ECtHR jurisprudence

The first case in which the Strasbourg Court analysed problematic real-time data collection was the case of Uzun vs. Germany. The applicant - suspected of participating in a terrorist group and committing crimes in connection with the activities of that organisation - was ordered to be under secret surveillance and tracked via a GPS transmitter in his car. Thanks to the information obtained from real-time location data collection, the trial authorities obtained incriminating evidence, which then became the basis for his conviction. Although the applicant was not personally subject to geolocation - a GPS transmitter was installed in the car and therefore the movements of every person who used the vehicle were monitored - the ECtHR found that the measures applied constituted an interference with the right to privacy (Article 8 of the ECHR). However, the Strasbourg Court noted that the collection of location data should be distinguished from that of surveillance, which is video or sound recording. By their very nature, covert surveillance methods that permit “spying” on a person’s life are more intrusive to privacy than GPS data observation and collection. Assessing the provisions of the German Code of Criminal Procedure from the perspective of “lawfulness” and predictability of the proceedings, the ECtHR noted that they did not refer directly to the possibility of applying geolocation surveillance, but indicated the possibility of using technical means - other than image or sound recording - enabling the determination of the observed person’s whereabouts. Sharing the position of the German courts, the ECtHR decided that in connection with the development of technology in the field of Art. 100c § 1 section 1 lit. b of the German Code of Criminal Procedure it also included collecting location data using a GPS transmitter. Although at that time there were no regulations limiting the duration of geolocation surveillance, the regulations required that one month from the date of ordering surveillance by the prosecutor, the observation was extended by the court. Judicial control was an important guarantee against the use of illegally obtained location data and the arbitrariness of the actions of law enforcement agencies. In the opinion of the ECtHR - and due to the fact that geolocation surveillance interferes less with the sphere of privacy of an individual than, for example, control and recording of conversations - it is not necessary for the judicial authority to decide on the collection of location data. Due to the allegations made against the applicant - participation in a terrorist group, attempted murder - the use of covert surveillance measures was justified on the grounds of protection of public safety, in particular by preventing new (terrorist) bomb attacks. Moreover, the previously-used less invasive investigative techniques did not bring the expected results (they did not prevent the applicant from committing new crimes). Considering the circumstances of the case, the actions of law enforcement agencies, the procedural guarantees that German legislation provided for people who were subject to covert surveillance and the fact that the investigative steps taken were necessary in a democratic society, the ECtHR found that there had been no violation of Art. 8 sec. 1 of the ECHR.

The Strasbourg Court also dealt with the issue of collecting data on the location in the judgement of Ben Faiza against France. In this judgment, the ECtHR relied on the Uzun v Germany judgement, using the principles developed there. Compared to the previous decision, the novelty was to draw attention to the fact that geolocation monitoring may be applied in two forms: by means of a GPS device installed, for example, directly in a car or other means of transport, or by using its own telephone technology (smartphone), tablet or GPS system included with the car. When analysing French law, the ECtHR noted that, at the time when geolocation surveillance was applied to the applicant, the provisions were not precise enough. The provision of art. 81 of the French CCP referred to “informational activities useful for revealing the truth”. This regulation did not ensure the predictability of the proceedings within the meaning of Art. 8 of the ECHR - it did not define the conditions and rules for collecting location data with sufficient precision - and the jurisprudence of French courts did not develop mechanisms that would protect individuals against unjustified interference with the right to privacy. Due to the defectiveness of the legislation in force in France at the time, the Court found that there had been a violation of Art. 8 of the ECHR, without considering whether the application of geolocation surveillance was necessary in a democratic society and served the purposes of Art. 8 sec. 2 of the ECHR.

3.2. Real-time data collection in the EU law and CJEU jurisprudence

Legislation adopted in the EU requires EU member states to adopt “effective investigative tools” in relation to organised crime and other serious crime, including money laundering, sexual crimes against children (sexual abuse, sexual exploitation, child pornography, solicitation of children for sexual purposes), illegal drug trafficking, trafficking in human beings or protection of the EU’s financial interests. One such “effective tool” is real-time location data tracking. For the first time, the issue of real-time geolocation supervision was dealt with by the Luxembourg Court in the case of La Quadraturedu Net and the Others, and in its ruling it took into account the position of the ECtHR, recognising the Strasbourg standard as the minimum EU standard.

Contrary to the cases heard by the Strasbourg court, the CJEU examined French regulations that obliged electronic service providers to retain and process - in an automated manner - data on the location of persons who were suspected of committing a serious crime or posing a threat to national security. However, the Luxembourg Court noted that in practice, this led to real-time geolocation surveillance being extended to all electronic communications users - irrespective of whether the person was actually involved in any prohibited act. Although location data was collected anonymously, it was possible to identify the user if this information was relevant to the criminal proceedings.

The CJEU found that the automated geolocation surveillance of the almost unlimited number of users of electronic communications goes beyond what is necessary to ensure national security. It is necessary to apply criteria limiting the number of people subject to discrete geolocation surveillance. The earlier agreed models of automatic data processing and the criteria of those people against whom geolocation surveillance may be used, should be specific and credible (enabling the achievement of results identifying persons with a justified suspicion of involvement in terrorist offences) and non-discriminatory. There is a need for prior judicial review or other independent body to assess whether automatic retention of location data is acceptable in a given case. If the information obtained as a result of automatic mass data retention provided information essential for maintaining national security (e.g. that thanks to it, members of an organised terrorist group were identified), the possibility of their use in a criminal trial depends on the subsequent assessment of the court. An individualised, non-automated analysis is required as to whether discreet geolocation surveillance and data collection have been carried out in accordance with the law and served the purposes provided for by this law.

3.3. Partial conclusions

Summing up, when it comes to collecting real-time location data, it is difficult to speak of a developed European standard at this stage. The Strasbourg case-law cannot be considered as developed - the ECtHR has dealt with this issue only twice. Nevertheless, at a very general level, it is possible to determine what conditions should be met by national law so that the interference with the privacy of an individual as a result of geolocation supervision does not lead to violation of Art. 8 sec. 1 of the ECHR. Firstly, the collection of location data is not “reserved” exclusively for serious crime and may also be used in more common criminal offences. The ECtHR considers geolocation supervision to be a measure less intrusive to the privacy of an individual than other forms of covert surveillance, which allow, inter alia, to record the content of conversations or the image of a given person. Consequently, this form of collecting data about an individual may be used in a greater number of cases. Secondly, the Court emphasises the need to introduce procedural guarantees that will prevent abuse and unjustified interference with the privacy of an individual. National legislation should specify:

material scope, i.e. in cases of what crimes geolocation surveillance can be applied, the subjective scope, i.e. the categories of people for whom real-time geolocation surveillance can be used, should be defined, temporal scope, i.e. the maximum period during which real-time tracking of the individual’s movement is allowed.

Thirdly, geolocation surveillance does not have to be ordered by a judicial authority and the ECtHR considers that judicial control at the stage of assessing the admissibility of using location data is sufficient. The court should check not only whether the statutory conditions for geolocation surveillance have been formally met, but also assess whether such action was “necessary in a democratic society”.

The Court of Justice of the European Union has so far dealt with the problem of mass, automated retention and processing of location data of an unlimited group of users in order to ensure national security. It has allowed for the possibility of automated analysis and collection of location data and the obligation for electronic service providers to transmit this data to procedural authorities, but such activities must be limited to situations where there is a serious threat to national security and it is necessary to ensure effective judicial or independent administrative control. In addition, the collection of real-time traffic and location data must be restricted to only persons reasonably suspected of being involved in terrorist activities, to the extent strictly necessary to ensure national security. National legislation should provide for a maximum period of application of covert geolocation surveillance, but it may be extended - in particularly justified situations.

4. Collecting location data from providers of electronic communications services

4.1. Collecting location data from providers of electronic communications services - the ECtHR jurisprudence

The Strasbourg Court first dealt with the issue of access to location data stored by mobile network operators in the judgement of Ben Faiza against France, which emphasised that any data collection and retention related to the use of a telephone without the knowledge of the person concerned, constitutes an interference with the right to respect for private life under the article 8 of the ECHR. It is necessary to distinguish between situations in which state authorities create a system of surveillance of an individual and monitor their behaviour “on an ongoing basis” from the transfer of information obtained by that entity by a private entity, if it is necessary to establish the circumstances of a criminal case. In the opinion of the ECtHR, obtaining a posteriori access to location data constitutes less interference with the right to privacy than monitoring the individual’s movement in real time. Nevertheless, the duty of state authorities is to comply with the general rules allowing for interference in the private sphere, i.e. such interference must be grounded in national law and serve the purposes of art. 8 sec. 2 of the ECHR and fulfil the condition of necessity in a democratic society. When assessing the French legislation, the Court found that there had been no violation of Art. 8 sec. 1 of the ECHR. The regulations specified which authority could turn to the mobile network operator, in which cases this measure was admissible, and the use of location data was subject to judicial review. There was also an important public interest justifying the interference with the individual’s right to privacy. The applicant was charged with serious crimes - participation in an organised criminal group and drug trafficking, and the information obtained thanks to geolocation data was necessary to establish the truth in the trial.

In the decisions of Ringler vs. Austria and Tretter and others vs. Austria, the ECtHR assessed the Austrian provisions allowing procedural authorities to request mobile network operators to disclose personal data, e.g. location data, list of calls, personal data of the user of a given telephone number, and IP address. In order to obtain data from the network operator, the law enforcement authorities had to adequately justify such a request, indicating that there is a threat and that the data is necessary for the performance of police tasks. With regard to location data, it was necessary to indicate that there was a direct threat to the life or health of a specific person. Subsequent changes to the regulations extended the possibility of requesting access to location data to include situations where there is a direct threat to the freedom of a person. In such a situation, the procedural authorities could ask for geolocation information of the person who was in danger (the aggrieved party), and not only the person suspected of committing a crime. Austrian regulations guaranteed the person whose data had been transferred to law enforcement authorities the right to submit a request for information on the actions taken against him and the sharing of data with the police authorities, he could request the deletion of data, and the supervision of the correct disclosure and processing of personal data was exercised by an independent authority. In the Ringler and Tretter and Others vs. Austria cases, the applicants argued that the provisions did not provide for an effective measures in protecting individual rights and freedoms. The mechanism of notifying the transfer of personal data (including location data) was questioned. According to the complainants, it cannot be expected that the individuals will regularly request state authorities to provide information on whether their personal data has been transferred to the police authorities in connection with ongoing criminal proceedings. Moreover, the regulations allow one to request access to geolocation data in any circumstances - the regulations do not impose any restrictions. The victim’s status was justified by the inability to prove that the applicants had been subject to covert surveillance measures and their personal data (including location data) had been transferred to the police.

In Ringler vs. Austria and Tretter and the other vs. Austria cases the ECtHR recalled that its role was not to summarise the national law of a country or the practice of procedural authorities, but to establish whether, in a particular case, the application of national regulations had led to a violation of the Convention. Nevertheless, the specific characteristics of covert surveillance measures mean that an individual may sometimes rely on the fact that he or she is a victim of the very existence of covert surveillance provisions, even if he is unable to demonstrate that such measures were applied to him. In assessing whether this is the case, the Court takes into account:

the scope of application of the provisions allowing for a covert interference in an individual’s privacy (objective, subjective and temporal), whether such measures could potentially be applied to the complainant due to belonging to a specific category of persons to whom national provisions apply, or examines whether the provisions have a direct impact on all users of electronic communications: availability of domestic remedies; Where there is no possibility at national level to challenge the use of covert surveillance measures, public fears that power may be abused may be justified, and therefore the ECtHR needs to be scrutinised.

The ECtHR agreed with the applicants that the right to request information as to whether an individual had been subjected to covert surveillance measures was of no practical importance. However, it noted that law enforcement authorities were required to notify an independent authority about requests made to mobile network operators. The authority is obliged to inform the person - upon his / her request - about any unlawful measures that were applied against him, and if he refuses to provide information - the person may submit a complaint to an independent commission whose decisions are subject to judicial review. It may also demand the deletion, rectification or limitation of the processing of personal data, if they are no longer needed to protect public security. Apart from the supervisory authority of the protection of personal data, the personal data protection commission and the judicial control of decisions issued by the commission, the system of measures to protect individual rights is supplemented by the institution of the Legal Protection Commissioner, who has the right to access and control the correct application of the provisions on the protection of personal data.

In the cases of Ringler and Tretter and others vs. Austria, the Court dismissed the complaints, questioning the applicants’ victim status. Nor did he find that there were grounds for an abstract review of Austrian legislation. It is worth noting, however, that although the ECtHR stated that it did not assess in abstracto the legislation of the countries of the Council of Europe, in fact - as if in response to the complainants’ allegation - it assessed that the Austrian provisions guarantee effective means of protecting an individual against unauthorised interference with the right to privacy. Although he found some mechanisms (e.g. informing an individual about the use of covert surveillance measures against him / her to be burdensome and even devoid of practical significance), due to the existence of an independent system of supervision over the correct processing of personal data, the ECtHR found that the measures available at the national level to protect individual rights and freedoms are sufficient, and therefore no Strasbourg intervention is necessary. However, it should be emphasised that when assessing the Austrian regulations, the Court essentially examined the compliance of EU solutions regarding the protection of personal data, including location data, introduced by Directive 2016/680.

At present, it appears that the Strasbourg Court is avoiding taking a position on the issue of access to location data collected by mobile operators. The rules that the ECtHR has developed in relation to access to the lists of calls made by the telephone user cannot be applied analogously. This is because location data provides other types of information to procedural authorities and are used for a different purpose. Billing data provides information on who the person contacted, how long the call lasted, and how many times it was made within a certain period of time. Location data refer to the places where a given person has been, they allow to determine their pattern of behaviour. They interfere with the privacy of an individual to a greater degree than the list of calls. It is difficult to determine, solely on the basis of the judgement of Ben Faiz vs. France, what are the requirements of the ECtHR with regard to the countries of the Council of Europe regarding the regulation of the issue of access to location data. In the decisions of Ringler and Tretter and others vs. Austria, the Court did not present its own position, but only held that Austrian solutions - implementing EU solutions - were compatible with the Convention.

4.2. Collecting location data from providers of electronic communications services - the EU law and the CJEU jurisprudence

Much attention is paid to the issue of collecting and sharing location data with procedural authorities in relation to the prevention and combating crime in EU law and the jurisprudence of the CJEU. The provision of the Article 5 of Directive 2002/58 introduces the principle of confidentiality of communications, including the confidentiality of location data. Derogations from this principle are possible for the purposes of ensuring national security, state security, defence, public safety and for the purpose of detecting, investigating and punishing criminal offences (Article 15 of Directive 2002/58). National law must ensure that the investigative measures used in a specific case are necessary, appropriate and proportionate in a democratic society. The clause limiting the confidentiality of location data is exhaustive and cannot be interpreted extensively. Location data is retained in accordance with EU law, provided that the purpose of this activity is to fight crime. These data may be transferred (made available) to state authorities on the terms - and with the guarantee of individual rights - specified in Directive 2016/680. Sharing data is allowed only for the purposes of preventing or combating crime, at the request of a given person, he should be provided with information whether his personal data (including location data) have been processed by the police, and he may request the deletion of his data if it is useless to achieve the objectives referred to in the directive, or they are obsolete or have been obtained unlawfully. Control over the correctness of personal data processing in connection with the prevention and combating of crime should be exercised by an independent authority, and the individual concerned - if his/her data has not been deleted despite the request or considers that it is being processed unlawfully - may bring the matter to court.

However, EU regulations do not specify in which cases location data can be obtained, nor do they indicate how long this data can be stored. The provision of the Article 15 of the Directive 2002/58 indicates that the data collected by service providers may be transferred to law enforcement authorities in order to combat “criminal offences”, and the Article 5 of the Directive 2016/680 requires EU countries to introduce “appropriate deadlines for the deletion of personal data or for periodic review of the necessity to retain personal data”. The EU legislator has left the Member States a margin of discretion in regulating the issue, i.e. in what cases and for what purposes the data will be collected, and for what period of time they will be stored. However, Member States’ freedom of implementation is controlled by the EU Court of Justice.

In the Tele2 and Watson judgement, the CJEU assessed the rules in force in Sweden and the United Kingdom. The law in force in Sweden obliged the provider of electronic communications services to provide - at the request of the prosecutor’s office, the police or another authority responsible for combating crime - the subscriber’s data if they relate to an alleged infringement, without the subject of criminal proceedings having to be a “serious crime”. The solutions adopted in the United Kingdom did not specify the scope of access to location data. The body established to prevent and combat crimes had the right to request the mobile network operator to disclose data due to: national security, economic interests of the state, protection of public health, the need to prevent or detect crimes or to prevent violations of public order, to determine the size or collection of taxes, levies, fees or other obligations, contributions or charges due to a state administration unit, emergencies, in order to prevent injuries or damage to the physical or mental health of a person, or to reduce the extent of damage to a person’s physical or mental health. In addition, the minister of the interior could, by order, specify other situations in which state authorities could gain access to location data.

In the judgement of Tele2 and Watson, the EU Court of Justice recalled that under the Article 5 of the Directive 2002/58, the protection of the confidentiality of electronic communications is intended to prevent any unlawful access to data, including data related to a message (i.e. location data), irrespective of whether such access could be obtained by public (state) or private entities. The provisions imposing an obligation on telecommunications service providers to provide data fall within the scope of Art. 5 of Directive 2002/58. The CJEU has formulated general rules for data retention, including location data, and then for their transfer to trial authorities. Firstly, clear and precise rules should be introduced in national law regarding the scope and manner of the data storage measure to be applied. The way in which the concept of “national security” is understood in the EU countries does not fall within the scope of the CJEU. However, the Luxembourg Court assesses whether the law in force in a given state does not allow for unauthorised and disproportionate interference with the right to privacy of an individual. Secondly, data retention must be carried out on the basis of objective criteria that show the link between the data that has been retained and the legitimate purpose for which the retention is intended. Third, these criteria must enable the identification and tracking of persons who have, even indirectly, a connection with serious crime. National regulations that ensure universal access to the retained data are inconsistent with EU law, regardless of the existence of any connection with one of the purposes indicated in art. 15 of Directive 2002/58. The generalised and non-differentiated obligation to retain all traffic and location data of all subscribers and users disproportionately violates the fundamental rights of Articles 7, 8 and 11 of the Charter. Users of telecommunications networks cannot be under the constant state surveillance and they should not be afraid that their every move is tracked, registered and may be used against them in the future. In addition, it is necessary to introduce a storage date for location data - it is unacceptable to store information about an entity longer than necessary to ensure public safety.

In response to the preliminary questions, the CJEU questioned the solutions in force in Sweden and the United Kingdom and ruled that the Article 15 par. 1 of the Directive 2002/58 in conjunction with the Articles 7, 8, 11 and art. 52 sec. 1 of the Charter of Fundamental Rights of the European Union should be interpreted in such a way that it precludes national legislation:

providing for generalised and non-differentiated retention of all traffic data and location data of all subscribers and registered users of all electronic means of communication for the purposes of combating crime; and concerning the protection and security of traffic and location data, and in particular access by competent national authorities to stored data, which, in the context of combating crime, does not restrict such access only for the purpose of combating serious crime, and does not make the granting of such access conditional from prior control by a court or an independent administrative authority and do not require that the data be stored within the Union.

The issue of obtaining access to location data was also resolved in the Privacy International case. The basis for a request by the British court for a preliminary ruling was the doubt whether the provisions allowing the mass acquisition of telecommunications data regarding traffic and location of the individual from providers of electronic communications services on the basis of orders issued by the secretary of state to use such collected information to ensure state security are consistent with EU law. British regulations allowed for undifferentiated and generalised access to location data. In order for geolocation information to be passed on to the security services, it was not necessary to prove that the person was related to an activity that could pose a threat to national security.

The CJEU reminded that any interference with the privacy of an individual must meet the condition of proportionality. Limitation of privacy may occur within strictly defined limits and only when it is necessary to achieve a legitimate aim (e.g. ensuring public security, fighting crime). These goals cannot be pursued at all costs, i.e. without taking into account and respecting the rights of an individual. Legal regulations allowing for the intrusion into the privacy of an individual must meet the conditions of specificity, i.e. indicate the grounds and scope of the restriction (i.e. what data will be processed) and provide for procedural guarantees that will reduce the risk of abuse. It is about creating effective mechanisms that will ensure that data will be processed only to the extent that it is necessary. It is worth emphasising, however, that the EU Court of Justice indicated that the goal of ensuring national (public) security allows for further restrictions on fundamental rights than combating crime, including serious crimes. State authorities must have adequate and effective methods of obtaining information about possible threats that could destabilise the state’s activity - constitutional, political or social structures in the country - and directly threaten society and the population. However, the pursuit of national security does not allow for general, universal and undifferentiated collection and processing of location data. In response to a question from a British court, the Luxembourg Court found that the provisions in force in the United Kingdom were incompatible with EU law. It indicated that the Article 15 sec. 1 of the Directive 2002/58 in connection with the Article 4 sec. 2 TEU, as well as the Article 7, 8 and 11 and 52 sec. 1 of the Charter of Fundamental Rights of the European Union, “must be interpreted as precluding national legislation enabling a state authority to impose on providers of electronic communications services a generalised and non-differentiated obligation to transmit traffic and location data to intelligence and security services for national security protection purposes”.

The problem of bulk retention of location data was also analysed in the judgment of La Quadraturedu Net and the Others. In these proceedings, the Luxembourg Court examined French and Belgian legislation which allowed for the preventive retention of traffic and location data in order to ensure public safety and prevent serious crimes. Nevertheless, even if location data is preventively retained to ensure national security, such actions by state authorities must be limited to what is absolutely necessary. It is necessary to introduce restrictions (e.g. by establishing the subjective and temporal scope) and safeguards that will enable effective protection of the data of persons for whom the data has been disclosed to state authorities against the risk of abuse. Systematic, continuous and unlimited retention of location data is unacceptable. In addition, decisions obliging providers of electronic communications services to retain location and traffic data and then transfer them to state authorities should be subject to effective review by a court or an independent administrative authority, which will be able to assess the legality of actions taken by procedural authorities. With regard to the implementation of the goal of ensuring universal security, the CJEU allowed - under the above-mentioned conditions - preventive retention and collection of location data. Conversely, the massive, preventive retention of location and traffic data for the purposes of crime prevention, investigation, detection and prosecution is unacceptable. The Court found that national legislation which provides for the general and non-differentiated retention of these data goes beyond what is necessary to combat serious crime and cannot be justified in a democratic society. French and Belgian legislation allowed for the retention of location data of all users of electronic communications services, even if they were not, even indirectly, in a situation that could lead to criminal proceedings against them. These regulations also included persons whose behaviour did not pose any threat to public safety. It does not matter whether the retained data was used in subsequent criminal proceedings. It is important that the procedural bodies entered the sphere of privacy of the individual, violating the confidentiality of communication, expressed in the Article 5 of the Directive 2002/58. The very possibility of accessing personal data is an interference with the right to privacy.

The CJEU formulated general conditions as should be met by the national laws of European Union member states. It is necessary to introduce time, geographic and subjective restrictions - data may be retained on the location of persons suspected of committing a serious crime, persons otherwise involved in criminal activity and persons who could, for other reasons, contribute to the fight against serious crime. Geographical and subject restrictions must be established on the basis of objective and non-discriminatory factors. The retention time of the location data must not exceed what is strictly necessary for the intended purpose.

4.3. Partial conclusions

In conclusion, the Luxembourg and Strasbourg courts consider that access to ex post location data - previously retained by mobile network operators - is an interference with the right to privacy (the Article 8 of the ECHR, the Article 7 of the Charter). However, this interference is permissible if there are appropriate legal bases in national law, its purpose is to protect the values ​​expressed in the Article 8 sec. 2 of the ECHR and, moreover, has been limited to what is necessary in a democratic society. The ECtHR and the CJEU considered the problem of retention and access to geolocation data from different perspectives. The Strasbourg Court assessed whether, in a specific case, the application of domestic provisions did not result in a violation of the Article 8 of the ECHR. In the Ringler and Tretter and others vs. Austria cases, the applicants tried to induce the ECtHR to analyse abstractly the domestic provisions allowing - in practice - the massive collection of location data. In this regard, the Court did not reply to the applicants. While examining the system of national measures to protect the rights and freedoms of individuals - introduced in connection with the need to implement EU regulations - it concluded that they allow for the enforcement of effective protection of the right to privacy in ‘state’ proceedings, so Strasbourg intervention is not necessary.

The Luxembourg Court assessed the regulations of the European Union countries that allowed for the mass retention of data on the location of users of telecommunications networks. It was possible to obtain geolocation information about any person, regardless of whether they were involved, even indirectly, with any crime. The introduction of such regulations was justified by the need to protect and ensure national security as well as the prevention and combating of serious crime. However, the CJEU recognised that any personal data retention system (including location data) must be organized in such a way that it cannot be transformed into an undifferentiated and general collection of information about individuals. Society cannot be under constant surveillance of state organs. The fight against terrorism and the protection of national security cannot be considered only taking into account the criterion of the effectiveness of actions taken. Each time, the insurmountable limit is respect for the rights of individuals and finding the right balance between the common good and the sphere of individual rights and freedoms. Retaining location data is possible, but on the condition that:

clear and precise rules have been introduced regarding the scope and method of data retention, processing and storage (subject, geographic and temporal limitations); there are objective criteria defining the link between the data to be retained and stored and the legitimate purpose (combating serious crime, protecting national security); they concern people who are involved - even indirectly - with serious crime, and at the same time there are mechanisms protecting against obtaining data about the location of other people not involved in criminal activity.

5. Conclusions

Obtaining information about the location by state authorities and the related analysis of the routine of an individual’s life is an interference with the right to privacy (the Article 8 of the ECHR, the Article 7 of the Charter). Due to the development of technology, law enforcement authorities of a given state can easily collect data relevant to the conducted proceedings. Almost every person uses a mobile phone (smartphone) with GPS, so the services responsible for public safety no longer need to install separate transmitters to track (reproduce) the behaviour of a given person. The ease of obtaining information about the location and its usefulness for achieving the goal of combating and preventing crime, ensuring public safety, gives rise to the risk of abuse. Although the right to privacy is not an absolute right and is subject to limitations due to the overwhelming social (public) interest, it is necessary to properly balance the interests of the individual and society. European courts try to define the relationship between respecting fundamental rights and the obligation to prevent and combat serious crime. Based on the jurisprudence of the ECtHR and the CJEU, it can be deduced in which circumstances the collection of location data does not violate the fundamental rights of an individual.

Compared to other investigative techniques, the collection of location data violates the right to privacy to a lesser extent than, for example, control and recording of conversations or audiovisual observation. The Luxembourg and Strasbourg Courts recognise the acquisition of geolocation data in real time as a more painful method (interfering in a greater scope in the right to privacy of the individual) from obtaining ex post location data from mobile network operators. The degree of interference with the right to privacy and the affliction of a given method affect the material scope (in which cases such methods are permissible), the subjective scope (determining the group of people whose location data can be obtained), and temporal (how long a given measure can be used).

Regarding the collection of real-time location data, the ECtHR stresses that the use of this covert surveillance method is only permissible in connection with serious crime. The decision to apply geolocation surveillance to a specific person does not have to be taken by a judicial authority. Ex-post judicial control is sufficient, i.e. at the stage of assessing whether the geolocation data has been obtained lawfully and whether it can be used as evidence in criminal proceedings. The Strasbourg Court draws attention to the existence of clear and precise provisions in domestic law, specifying the basic principles and conditions for the application of geolocation surveillance, and assesses whether in a specific case the collection of location data served one of the purposes set out in the Article 8 sec. 2 of the ECHR.

Striving to protect national security, combating serious crime, etc. does not entitle state authorities to massive and automated real-time monitoring of an entire society. A person or group of persons to whom geolocation surveillance is applied must be associated - even indirectly - with criminal activity that poses a threat to public security. The European Union Court of Justice in the judgement of La Quadraturedu Net and the Others emphasised that collecting location data for groups is admissible, provided that such action serves solely the protection of national security. It is necessary to introduce regulations that will minimise the risk of abuse. The decision to include a group of people under automated geolocation must be taken by a judicial authority or other independent body, and then, before the location information is used as evidence in the proceedings, a personalised ex-post control by the court is necessary. However, it should be emphasised that the Luxembourg Court ruled out the possibility of using automated, continuous monitoring of the movement of groups of people in order to combat crime, but on the condition that data collected by automated means are subject to non-automated analysis before being used in the future.

Obtaining location data ex post, i.e. from mobile network operators constitutes less interference with the right to privacy. Procedural authorities may, in individual cases, request geolocation information not only when the subject of the proceedings is a serious crime, but also in relation to prohibited acts of a lower gravity. However, national law may not require mobile network operators to retain location data in a compulsory manner. It is necessary to introduce criteria limiting the subjective and objective circle, determining the time of data retention and a system of domestic remedies that will allow a person whose rights have been violated to assert his or her rights before the courts of a given state.

When analysing the jurisprudence of the ECtHR and the CJEU, one can see a difference in the approach to the protection of individual privacy in relation to the collection of location data. Firstly, the ECtHR assesses whether, in a specific case, the investigative measures applied had a proper basis in national law, were proportionate and necessary in a democratic society. As a general rule, it does not assess the laws of the Council of Europe states in general. It reacts post factum to flawed action by state authorities. The CJEU, on the other hand, examines national legislation in isolation from the circumstances of the particular case. It checks whether the adopted solutions can be reconciled with EU law (and the EU level of protection of fundamental rights).

Secondly, the lengthiness of the ECtHR proceedings means that the decisions concerning the collection of location data are inadequate to the current technological possibilities. The Strasbourg Court has not yet addressed the issue of automatic processing and collection of data in real time, and thus has not determined under what conditions such information obtained may be used in a criminal trial. For this reason, among others, the CJEU is in a better position to develop coherent, European (EU) rules for the collection and processing of location data in the future. The case law of the Luxembourg court also has the advantage of pointing in the right direction and suggesting to EU countries how they should amend their national laws.

A major challenge to the protection of individual privacy is the problem of mass and automated collection of location data. In order to protect national security, in the La Quadre du net judgment, the CJEU allowed for this, provided that the data are individualised and analysed in a traditional (non-automated) way before being used in criminal proceedings. Also the ECtHR - if criteria are specified in national law - allows for the bulk collection of data on an individual.

To sum up, it seems that the European Courts are trying to create a harmonised (or at least inconsistent) standard of protection of the right to privacy in relation to the collection of location data for the purpose of preventing and combating serious crime. The ECtHR does not try to interfere with the competences of the CJEU, and the CJEU - in creating an EU model of protection of the right to privacy - is based on the case law of the ECtHR. The case law of the ECtHR is late in relation to the developing technological possibilities, but the existing Strasbourg acquis, the general conditions for interference with the right to privacy, provides a good basis for the CJEU to create a model within the EU which, on the one hand, will protect the public against serious crime and, on the other hand, will not lead to a disproportionate interference with individual freedoms and rights.

Bibliography

BREYER Patric. Telecommunication Data Retention. European Law Journal, v. 11, no. 3, 2005. https://doi.org/10.1111/j.1468-0386.2005.00264.x.

BU-PASHA Shakila, ALEN-SAVIKKO Anette, MEIKINEN Jenna, GUINNESS Robert, KORPISAAR Päivi. EU Law Perspectives on Location Data Privacy in Smartphones and Informed Consent for Transparency. European Data Protection Law Review vol. 2, no. 3, 2016; https://doi.org/10.21552/EDPL/2016/3/7

CELESTE Edoardo. The Court of Justice and the Ban on Bulk Data Retention: Expansive Potential and Future Scenarios. European Constitutional Law Review, v. 15, 2019; https://doi.org/10.1017/S1574019619000038

CHARTER OF FUNDAMENTAL RIGHTS OF THE EUROPEAN UNION, published in the Official Journal of the European Union no. C 326/391 on 26 October 2012. Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:12012P/TXT

COUNCIL FRAMEWORK DECISION 2004/757/JHA of 25 October 2004 laying down minimum provisions on the constituent elements of criminal acts and penalties in the field of illicit drug trafficking; published in the Official Journal of the European Union no. L 335/8 of 25 October 2004, https://eur-lex.europa.eu/

COURT OF JUSTICE OF THE EUROPEAN UNION. Judgment (Grand Chamber) of 6 October 2020. C-511/18, C-512/18, C-520/18, La Quadrature du Net, French Data Network, Fédération des fournisseurs d'accès à Internet associatifs, Igwan.net (hereinafter: La Quadrature du Net and the others). http://curia.europa.eu/

COURT OF JUSTICE OF THE EUROPEAN UNION. Judgment of 2 October 2018, Ministerio Fiscal, C-207/16, http://curia.europa.eu/

COURT OF JUSTICE OF THE EUROPEAN UNION. Judgment of 21 December 2016, Tele2 and Watson, C 203/15 and C 698/15, http://curia.europa.eu/

COURT OF JUSTICE OF THE EUROPEAN UNION. Judgment of 6 October 2020, Privacy International, C-623/17, http://curia.europa.eu/.

COURT OF JUSTICE OF THE EUROPEAN UNION. Judgment of 8 April 2020, Digital Rights Ireland, C 293/12 and C 594/12, http://curia.europa.eu/

DIRECTIVE (EU) 2011/36 of the European Parliament and of the Council of 5 April 2011 on preventing and combating trafficking in human beings and protecting its victims, and replacing Council Framework Decision 2002/629/JHA, published in the Official Journal of the European Union no. L 101/1 of April 2011, https://eur-lex.europa.eu/

DIRECTIVE (EU) 2011/92 of 13 December 2011 on combating the sexual abuse and sexual exploitation of children and child pornography, and replacing Council Framework Decision 2004/68/JHA published in the Official Journal of the European Union no. L 335/1 of 17 December 2011, https://eur-lex.europa.eu/

DIRECTIVE (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC, published in the Official Journal of the European Union no. L 141/73 of 5 June 2015; https://eur-lex.europa.eu/

DIRECTIVE (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA; The Official Journal of the European Union no. L 119/89 on 4 April 2016; https://eur-lex.europa.eu/

DIRECTIVE 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications); The Official Journal of the European Union no. L 201/37 on 31 July 2002; https://eur-lex.europa.eu/

DOCKSEY Christopher, HIJMANS Hielke. The Court of Justice as a Key Player in Privacy and Data Protection: An Overview of Recent Trends in Case Law at the Start of a New Era of Data Protection Law. European Data Protection Law Review (EDPL), vol. 5, no. 3, 2019. https://doi.org/10.21552/edpl/2019/3/6

DOCKSEY Christopher. Ministerio Fiscal: Holding the line on ePrivacy. Maastricht Journal of European and Comparative Law, vol. 26, no. 4, p. 585-594, 2019; https://doi.org/10.1177/1023263X19853714

EUROPEAN CONVENTION OF HUMAN RIGHTS, adopted in Rome on 4 November 1950. Available at: https://www.echr.coe.int/documents/convention_eng.pdf

EUROPEAN COURT OF HUMAN RIGHTS. Decision of 12 May 2020, Ringler v Austria, case no. 2309/10, https://hudoc.echr.coe.int/.

EUROPEAN COURT OF HUMAN RIGHTS. Decision of 29 September 2020, Tretter and the others v Austria, case no. 3599/10, https://hudoc.echr.coe.int/.

EUROPEAN COURT OF HUMAN RIGHTS. Judgment of 10 July 2019, Big Brother Watch and the Others v the United Kingdom, case no. 58170/13, https://hudoc.echr.coe.int/.

EUROPEAN COURT OF HUMAN RIGHTS. Judgment of 1 March 2007, Heglas v the Czech Republic, case no. 5935/02, https://hudoc.echr.coe.int/.

EUROPEAN COURT OF HUMAN RIGHTS. Judgment of 12 January 2016, Szabó and Vissy v Hungary, case no. 37138/14; https://hudoc.echr.coe.int/.

EUROPEAN COURT OF HUMAN RIGHTS. Judgment of 2 September 2010, Uzun v Germany, case no. 35623/05; https://hudoc.echr.coe.int/.

EUROPEAN COURT OF HUMAN RIGHTS. Judgment of 4 December 2015, Roman Zakharov v Rosji, case no. 47143/06. https://hudoc.echr.coe.int/.

EUROPEAN COURT OF HUMAN RIGHTS. Judgment of 8 December 2009, Previti v Italy, case no. 45291/06, https://hudoc.echr.coe.int/.

EUROPEAN COURT OF HUMAN RIGHTS. Judgment of 8 February 2018, Ben Faiza v France, case no. 31446/12. https://hudoc.echr.coe.int/.

GARLICKI Lech. in: GARLICKI, Lech, HOFMANSKI, Piotr. Konwencja o Ochronie Praw Czlowieka i Podstawowych Wolnosci. Tom I. Komentarz do artykulów 1-18, Warszawa 2011.

JASINSKI Wojciech. The limits of interference with the right to liberty, privacy property and privilege against self-incrimination in criminal proceedings - European standards, in: SKORUPKA, Jerzy (ed.), The Model of Acceptable Interference with the Rights and Freedoms of a Individual in the Criminal Process, Warsaw 2017.

MURPHY Maria Helen. Data Retention in the Aftermath of Digital Rights Ireland and Seitlinger. Irish Criminal Law Journal t. 105, v. 24, no. 4, 2014.

OJANEN Tuomas. Privacy Is More Than Just a Seven-Letter Word: The Court of Justice of the European Union Sets Constitutional Limits on Mass Surveillance: Court of Justice of the European Union Decision of 8 April 2014 in Joined Cases C-293/12 and C-594/12, Digital Rights Ireland and Seitlinger and Others, European Constitutional Law Review, v. 10, no. 3; https://doi.org/10.1017/S1574019614001345.

OPINION OF ADVOCATE GENERAL Campos Sanchez-Bordona delivered on 15 January 2020, C 623/17, Privacy International. http://curia.europa.eu/.

OPINION OF ADVOCATE GENERAL Campos Sanchez-Bordona, delivered on 15 January 2020, case no. C-520/18; http://curia.europa.eu/.

OPINION OF ADVOCATE GENERAL Paolo Mengozzi, delivered on 8 September 2016, opinion 1/15; http://curia.europa.eu/.

REGULATION (EU) 2016/679 of European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation; published in the Official Journal of the European Union no. L 119/1 of 4 May 2016; https://eur-lex.europa.eu/.

STACHNIK-ROGALSKA Agnieszka, ROGALSKI Maciej. Udostepnianie billingów rozmów telefonicznych. Panstwo i Prawo no. 8.

STEIN Shlomit. In Search of 'Red Lines' in the Jurisprudence of the ECtHR on Fair Trial Rights. Israel Law Review v. 50, no. 2, 2017. https://doi.org/10.1017/S0021223717000073.

THE TREATY ON EUROPEAN UNION. consolidate version published in the Official Journal no C 326 on 26 October 2012. https://eur-lex.europa.eu/.

THIERSE Stephen. The Never-Ending Story of Data Retention in the EU, [in:] THEIERSE, Stephen, BADANJAK, Sanja. Opposition in the EU Multi-Level Polity. Legal Mobilization against the Data Retention Directive. Springer 2020, https://doi.org/10.1007/978-3-030-47162-0.

ZUBIK Marek, PODKOWIK Jan, RYBSKI Robert. Prywatnosc. Wolnosc u progu D-day. Gdanskie Studia Prawnicze, t. XL, p. 391-408, 2018, https://czasopisma.bg.ug.edu.pl/index.php/gdanskie_studia_prawnicze/article/view/3501.

Notes

Author notes

Corresponding author: Dominika Czerniak , University of Wrocław, Poland. Email: dominika.czerniak@uwr.edu.pl.