The judgment of the CJEU in Inspektor (Purposes of the processing of personal data – criminal investigations) of 8 December 2022 and the concept of further processing under the Law Enforcement Directive

Investigation and prosecution of criminal offences constitute different purposes of processing

The Court held that if personal data are collected and processed for the purposes of the detection and investigation of a criminal offence, and following the conclusion of the investigation, those personal data are processed for the purpose of criminal prosecution, the latter processing “serves a purpose other than that for which those data were collected.” ²⁵ In other words, the processing of personal data originally collected for detecting and investigating criminal offences, but for the new purpose of prosecuting criminal offences, constitutes further processing. The Court came to this conclusion regardless of the categorisation of the data subject to whom the personal data processed related as a victim and a suspect thereafter, as in the case at issue. The categorisation obligation, pursuant to Article 6 LED, “is not relevant for the purpose of determining whether the processing of personal data serves a purpose other than that for which those data were collected”. ²⁶

The Court’s literal interpretation of Article 1(1) LED, read in conjunction with ²⁷ and in the context of ²⁸ Article 4(2) and Article 6 LED, was corroborated by the Court’s teleological interpretation ²⁹ and by the consideration of the origin of the provisions at issue. ³⁰ Article 1(1) LED “expressly distinguishes between different categories of processing activities” whose different purposes “correspond to ‘prevention’, ‘detection’, ‘investigation’ and ‘prosecution’ of criminal offences and ‘the execution of criminal penalties’, including the ‘safeguarding’ against ‘threats to public security’ and the ‘prevention’ of such threats.” ³¹ The terms listed in Article 1(1) LED therefore concern “several separate purposes”. ³² This finding was in contrast to the Opinion of the Advocate General, who distinguished three purposes corresponding to three main phases (prevention, investigation in a broad sense, including prosecution, and execution). ³³ The Court noted that the EU legislature on the one hand “sought to adopt rules corresponding to the specific features which characterise the activities carried out by competent authorities”, but at the same time “taking account of the fact that they constitute distinct activities serving purposes specific to them”. ³⁴

Lawfulness of further processing under Article 4(2) LED

The Court held, in essence, that when data collected and processed for one of the purposes listed in Article 1(1) LED are to be processed for another purpose, the further processing is permitted pursuant to Article 4(2) LED, provided it meets the conditions laid down therein. First, the purpose of the further processing must be “among those set out in Article 1(1) LED.” ³⁵ Second, “the controller must be authorised to process such personal data for such a purpose in accordance with EU or Member State law.” ³⁶ Third, further processing “must be necessary and proportionate to that other purpose.” ³⁷ The assessment of compliance with the requirements of Article 4(2) LED by the same controller which collected and processed the personal data for the original purpose or by another controller ³⁸ “must be carried out having regard to each of the purposes referred to in Article 1(1) LED as specific and distinct.” ³⁹ The Court thereafter gave some helpful insights in the assessment of the necessity and proportionality.

The Court accepted, in principle, that the necessity of further processing arises “where a criminal offence has been identified” in the context of processing for ‘detection’ and ‘investigation’ purposes, “and consequently calls for law enforcement action.” ⁴⁰ However, personal data necessary for the purposes of crime ‘detection’ and ‘investigation’ where “competent authorities are required to gather any data that are potentially relevant to the determination of the acts constituting the criminal offence at issue, at a stage where those acts have not yet been established”, ⁴¹ “will not be systematically necessary for the purposes of crime ‘prosecution’”, ⁴² where the aim is “to establish that the acts attributed to the accused persons have sufficient probative value and that the classification of those acts under criminal law is accurate, in order to enable the court having jurisdiction to give a ruling.” ⁴³ In particular, the Court held that “the authority responsible for that prosecution must be in a position to rely on the data collected during that investigation as evidence of the acts constituting the offence, in particular those relating to the persons involved therein, provided that those data are necessary to identify those persons and to establish their involvement.” ⁴⁴

The Court also considered the extent to which the further processing interfered with the rights of the data subjects, which is specifically relevant to the assessment of the proportionality requirement, ⁴⁵ and noted that “the consequences of further processing for the data subjects might be substantially different as regards, in particular, the degree of interference with their right to the protection of their personal data and the effects on their legal situation in the criminal proceedings”. ⁴⁶ Also of relevance is the consideration that further processing needs not to be “limited to the processing in connection with the same criminal offence as that warranting the collection of such data” as stated in recital 27 LED. This is because competent authorities need to develop “an understanding of criminal activities and of making links between different criminal offences detected”. ⁴⁷

Takeaway No. 1: Demonstrating necessity and proportionality under Art 4(2)(b) LED

When the purpose of processing personal data under those listed in Article 1(1) changes from “detection and investigation” to “prosecution”, and the data were collected and originally processed for “detection and investigation” purposes only, the further processing for “prosecution” must be “necessary and proportionate to that other purpose in accordance with Union or Member State law”. Given that every purpose must be considered as specific and separate, competent authorities need to re-assess proportionality and necessity of further processing “in accordance with Union or Member State law” not only in case of change of purpose from “detection and investigation” to “prosecution” but also when the purpose changes from “prosecution” to “execution”, and from “prevention” to “detection and investigation” or even when the original purpose of “detection” changes into that of “investigation”, when the initial processing involved “detection” purposes only. ⁴⁸

There seems to be little leeway for competent authorities to argue that personal data collected in the course of investigations are, in fact, also collected for the purposes of prosecution, thus rendering each purpose mutually exclusive. The Advocate General, instead suggested a sensible interpretation of Article 1(1) LED with the practicalities of law enforcement, the recognition of three phases, with the investigation encompassing prosecution. ⁴⁹ The Court ruled that out when it confirmed that Article 1(1) LED expressly distinguishes between different categories of processing activities, each corresponding to different purposes of processing – and if the purpose changes, a re-assessment of necessity and proportionality must also be properly documented, in order to demonstrate compliance with data protection law, in accordance with the principle of accountability (Article 4(4) LED).

It must be underlined that pursuant to Article 4(2)(b) LED, further processing must be necessary and proportionate with respect to the new purpose in accordance with Union or Member State law. Necessity and proportionality are concepts not unknown to Criminal Procedure. ⁵⁰ When considering the assessment of necessity and proportionality, the Court referred to concepts such as the “relevance to the determination of the acts constituting the criminal offence” and the “sufficient probative value” ⁵¹ of the personal data, which find their technical meaning in national criminal procedural law. Contrary to the concepts of “criminal offence” under Article 10 GDPR ⁵² and “competent authority” under Article 3(7) LED, ⁵³ “probative value” and “relevance to determine criminal acts” do not require an autonomous and uniform interpretation in the EU, given the yet unharmonised landscape of criminal procedural law. However, if national criminal procedural law has not envisaged a necessity and proportionality re-assessment of personal data collected for one purpose and used for another of the purposes listed under Article 1(1) LED, such re-assessment will have to be conducted in accordance with the implementation of the LED at the national level, i.e. in accordance with national data protection law. ⁵⁴ Re-assessing the necessity and proportionality of further processing every time the purpose of processing changes should not, therefore, be excessively burdensome to demonstrate, if the re-assessment is already performed “in accordance with Union or Member State law”, in other words, in the normal course of the exercise of their investigative and prosecutorial functions, as mandated by relevant national criminal procedural law.

In the context of the re-assessment of the proportionality requirement, however, the fundamental right to data protection will require specific consideration. Competent authorities will have to consider “the consequences of the processing of personal data for the data subjects”, “in particular, the degree of interference with the right to the protection of those data” ⁵⁵ which may be “substantially different” in the case of processing for the purposes of detection and investigation, as opposed to the purposes of prosecution, and therefore differently affect the legality of further processing. This may greatly affect the discretion of those competent authorities vested with prosecutorial functions. It may also affect their independence, as the findings on proportionality with respect to the data protection rights may be open to challenge before the data protection supervisory authorities established under Article 41 LED. However, Article 4(2)(b) LED requires the re-assessment of proportionality to be “in accordance with national law and EU law”, which may include, for example, safeguards to the discretion and independence of the prosecutorial function. Similarly, with reference to the discretion of court in the exercise of their judicial capacity, the Court of Justice recently held that a court is bound to observe the principle of data minimisation stemming from the GDPR when deciding on whether to make an order for disclosure in civil proceedings. ⁵⁶ Courts, however, are not subject to the supervision of “ordinary” national data protection supervisory authorities.

Defence of the public prosecutor’s office in civil proceedings is governed by GDPR

Having rejected the argumentation against the admissibility of the second question referred, ⁵⁸ the Court of Justice held that the GDPR is applicable to the processing of personal data by the Public Prosecutor’s Office for the purpose of exercising its rights of defence in an action for damages against the State. ⁵⁹ Importantly, the Court’s findings were regardless of the applicability of Article 9(1) or (2) LED , ⁶⁰ although the Court confirmed that the processing activity at issue cannot be considered as further processing for any of the purposes of Article 1(1) LED. ⁶¹ Consequently, such processing activity is an instance of further processing which is, in principle, prohibited under Article 9(1) LED. The Court deployed its consolidated approach when assessing the applicability of the GDPR, ⁶² and verified the subsistence of each of the elements of GDPR’s material scope. ⁶³

Firstly, the Court held that information concerning a natural person collected and processed by the Public Prosecutor’s Office for the purposes of Article 1(1) LED constitutes processing of personal data. This is because “both in terms of its content and its purpose and effect, that information is linked to a particular person, who is identifiable both by the party that disclosed it and by the court” ⁶⁴ when the defendant in civil proceedings informs the court, even succinctly, in its written pleadings or at the hearing, of the opening of files in criminal matters concerning the natural person who had brought the civil proceedings. ⁶⁵ That activity “involves, at the very least, the ‘use’ and ‘disclosure by transmission’” and therefore constitutes ‘processing of personal data’ within the meaning of the GDPR. ⁶⁶

Being satisfied that the activity at issue fell under the GDPR’s definition of ‘processing of personal data’, the Court went on to confirm its broad interpretation of the scope of application of the GDPR ⁶⁷ and the consequent strict interpretation of the exceptions listed in Article 2(2) thereof. ⁶⁸ The Court excluded the applicability of the exception under Article 2(2)(d) GDPR, as the aim of the State’s defence in an action for damages against the State for alleged misconduct of the Public Prosecutor’s Office in criminal proceedings “is not to perform, as such, that Public Prosecutor’s Office’s tasks for the purposes set out in Article 1(1)”. ⁶⁹ The Court also excluded the applicability of the exception under Article 2(2)(a) of the GDPR as the State’s defence “does not seek to safeguard national security; nor can it be classified in that same category of activities” ⁷⁰ , which are the sole exclusions from the scope of the GDPR, according to the Court’s case-law on that exception. ⁷¹

As regards the third and final element of the material scope of the GDPR, namely the existence of a ‘controller’ within the meaning of Article 4(7) thereof, the Court applied by analogy its consolidated case-law on Directive 95/46/EC ⁷² aimed at ensuring effective and complete protection of the rights of the data subjects. ⁷³ Also within the meaning of Article 3(8) LED, the Public Prosecutor’s Office is a ‘controller’, “in that, alone or jointly with others, it determines the purposes and means of that processing”. ⁷⁴ It is the Public Prosecutor’s Office, “as a party to the proceedings, which informs the court having jurisdiction of the existence of files opened in criminal matters concerning the other party and which transmits those files to it. Its status as ‘controller’ … is independent of the extent of its involvement and its level of responsibility, which may be different from those of the court having jurisdiction, for which it is to authorise or order such processing”. ⁷⁵

Lawful basis of processing in the defence of public prosecutor’s office in civil proceedings

As the defence of the Public Prosecutor’s Office in civil proceedings is governed by the GDPR, the Court went on to determine the lawful basis of such processing according to Article 6 GDPR. ⁷⁶ It held that the defence, in principle, can qualify as processing for the purposes of the performance of a task in the public interest or the exercise of an official authority within the scope of point (e) of the first subparagraph of Article 6(1)GDPR. ⁷⁷ The defence of the legal and financial interests of the State in an action for damages “preserves the legal certainty of the acts carried out and decisions adopted in the public interest that are being called into question by the applicant” ⁷⁸ , and prevents “the performance of the tasks carried out in the public interest that are being called into question in the action for damages from being hindered by the prospect of actions for damages, where those tasks are liable to harm the interests of individuals”. ⁷⁹ On the other hand, the Court held that it is irrelevant that the Public Prosecutor’s Office “is, in its capacity as defendant, on an equal footing with the other parties, as is the case in the performance of its tasks in criminal matters”. ⁸⁰

The further processing must be necessary “for the purpose of defending the legal and financial interests of the State which falls to the Public Prosecutor’s office in those proceedings”, in accordance with Article 6(3) GDPR, and comply with all the other applicable requirements provided for by the GDPR. ⁸¹ The Court of Justice, however, gave no hints to the referring court on how to interpret the necessity requirement. However, in the very last paragraph of its analysis, the Court indicated that the further processing must satisfy in particular the principle of ‘data minimisation’ referred to in Article 5(1)(c) GDPR, “which gives expression to the principle of proportionality”. ⁸² Further processing must be carried out “in compliance with appropriate safeguards, in particular the possibility of effectively submitting comments on the information and evidence provided in that connection by the Public Prosecutor’s Office, but also, in accordance with Article 21(1) of the GDPR, of objecting to the communication of that information and evidence to the court having jurisdiction, subject to the restrictions on that right of objection provided for by national legislation, in accordance with Article 23(1) of that regulation.” ⁸³

The Court mentioned that the processing at issue could also be based on point (c) of the first subparagraph of Article 6(1) GDPR where, pursuant to the applicable national law, the Public Prosecutor’s Office is required to comply with the request of the court itself for transmission of the files, ⁸⁴ but that national law must “lay down, first, the basis for processing and, second, the purposes of that processing”. ⁸⁵ The Court did not mention, however, that the defence of the Public Prosecutor’s Office in civil proceedings could also be carried out by the Public Prosecutor’s Office pursuant to Article 6(4) GDPR in the exercise of the right to defend itself. ⁸⁶ Processing of personal data in order for State authorities to defend the lawfulness of their actions is amongst the objectives of general public interest mentioned by Article 23(1)(e) GDPR, and may have been implemented by national law provisions which must be necessary and proportionate to achieve that objective. ⁸⁷

Takeaway No. 2: The lawfulness principle requires compliance with Article 9 LED

The Court’s findings in respect of the use of personal data originally processed for the criminal law purpose of ‘prosecution’ by the Public Prosecutor’s Office for the new purpose of defending the actions of the Public Prosecutor’s Office in civil proceedings against alleged misconduct is relevant particularly for the authority vested with the task of such defence (‘the vested authority’). The lawful basis of the further processing is, according to the Court, pursuant to Article 6(1) first subparagraph, letter e) GDPR, the necessity of performing a task in the public interest vested in the authority designated to defend the actions of the Public Prosecutor of a Member State. However, when processing of personal data originally processed for certain purposes is carried out for the purpose of defence in judicial proceedings, the correct basis for the further processing should be Article 6(4) GDPR. The necessity and proportionality assessment will concern the legislative provision safeguarding the objective of general public interest, not the further processing itself. The further processing would therefore be permitted in principle for such objectives, and necessity and proportionality would be more correctly assessed throughout the defence activity.

Further processing must comply with all the principles relating to processing of personal data under the GDPR. ⁸⁸ The vested authority –in the case at issue, the Public Prosecutor’s Office itself– will have to demonstrate the necessity of further processing under Article 6(3) GDPR. Existing case-law of the Court will require to be adapted, however, to the particular objective of the further processing, i.e. the defence in civil proceedings, where necessity may vary in accordance, for example, to new elements that may arise in the course of proceedings. As regards proportionality, the safeguards to the right of the other party to a fair trial may also achieve proportionality of further processing. The Court stated that to provide appropriate safeguards would require the possibility of effectively submitting comments on the information and evidence provided, ⁸⁹ and the possibility of objecting to the communication of information and evidence to the court having jurisdiction, pursuant to Article 21(1) GDPR. ⁹⁰ This may be a challenge, however, when the data subjects do not coincide with any party to the proceedings.

The Court found that the applicability of Article 9(1) LED is not relevant for assessing the material scope of the GDPR and determining the lawful basis for processing under Article 6(1) thereof. However, competent authorities such as the Public Prosecutor’s Office of a Member State providing vested authorities with personal data collected for the purposes of their prosecutorial activities for the different purpose of defending their actions in civil proceedings are, in fact, conducting further processing of personal data collected in the context of criminal law enforcement which, in general, is prohibited under Article 9(1) LED. Competent authorities will have ensure that the prohibition does not apply, in accordance with Article 9(2)to 4) LED itself. ⁹¹ The transmission must be authorised under Union or Member State law. Competent authorities would therefore benefit from an assessment of the status of national law related to the tasks and powers vested in them for purposes other than those listed under Article 1(1) LED, but also the national law on information related to criminal law enforcement more generally.