JUDGMENT OF THE COURT OF JUSTICE IN THE CASE OF AN ATTEMPT TO ACCESS PERSONAL DATA STORED ON A MOBILE PHONE

#131Judgment of the Court of Justice in the case of an attempt to access personal data stored on a mobile phone

During an inspection of the package for narcotics, the Austrian police found that there were 85 grams of marijuana in the package. Subsequently, the police seized the mobile phone of the addressee of the package and tried to unlock it in order to gain access to the data on the phone, but was unsuccessful. At the same time, the police did not have the permission of the prosecutor's office or the judge, did not inform the person concerned and did not document their attempts to unblock the phone. The concerned person challenged the seizure of the mobile phone in an Austrian court, and learned about the effort to unblock the phone only in these proceedings.

The Austrian court asked the Court of Justice whether the Austrian legislation which, in its view, allows the police to do so is compatible with EU law. At the same time, he stated that the person concerned faces a prison sentence of up to one year for the unlawful conduct he is accused of, i.e. it is only a misdemeanor.

In its judgment in Case C-548/21 of 4.10.2024, the Court clarified that, contrary to the claims of some governments, the relevant Union legislation applies in the same way in the case of an attempt to access personal data contained in a mobile phone, not only in the case of successful access to such data.

The Court has held that the data contained in a mobile phone may contain highly sensitive data of the data subject and, therefore, access to such data may constitute a serious interference with his fundamental rights for the data subject.

For assessing the proportionality of such a serious interference, one of the main parameters is the gravity of the infringement under investigation. However, the assumption that only the fight against serious crime could justify access to mobile phone data would limit the investigative powers of the authorities too much. This could increase the risk of impunity for crimes in general and threaten the creation of an area of freedom, security and justice within the Union.

According to the Court, such an interference with privacy and data protection must:

1. Be regulated by law, with the national legislator having to clearly define the conditions to be considered, including the specific types or categories of offences concerned;
2. Be subject to prior review by a court or an independent administrative authority.

At the same time, it is necessary to inform the data subject of the reasons for granting permission to access his data immediately after the investigation cannot be threatened by the disclosure of this information.