CENTRUM FÖR RÄTTVISA v. SWEDEN JUDGMENT
retained by providers of electronic communications services, may be
justified.
110. On 2 October 2018 the Grand Chamber of the CJEU ruled that
Article 15(1) of Directive 2002/58/EC, read in the light of Articles 7 and 8
of the Charter of Fundamental Rights of the European Union, had to be
interpreted as meaning that the access of public authorities to data for the
purpose of identifying the owners of SIM cards activated with a stolen
mobile telephone, such as the surnames, forenames and, if need be,
addresses of the owners, entailed an interference with their fundamental
rights which was not sufficiently serious to entail that access being limited,
in the area of prevention, investigation, detection and prosecution of
criminal offences, to the objective of fighting serious crime. In particular, it
indicated that:
“In accordance with the principle of proportionality, serious interference can be
justified, in areas of prevention, investigation, detection and prosecution of criminal
offences, only by the objective of fighting crime which must also be defined as
‘serious’.
By contrast, when the interference that such access entails is not serious, that access
is capable of being justified by the objective of preventing, investigating, detecting
and prosecuting ‘criminal offences’ generally.”
111. It did not consider access to the data which were the subject of the
request to be a particularly serious interference because it:
“only enables the SIM card or cards activated with the stolen mobile telephone to be
linked, during a specific period, with the identity of the owners of those SIM cards.
Without those data being cross-referenced with the data pertaining to the
communications with those SIM cards and the location data, those data do not make it
possible to ascertain the date, time, duration and recipients of the communications
made with the SIM card or cards in question, nor the locations where those
communications took place or the frequency of those communications with specific
people during a given period. Those data do not therefore allow precise conclusions to
be drawn concerning the private lives of the persons whose data is concerned.”
4. Maximillian Schrems v. Data Protection Commissioner (Case
C-362/14; ECLI:EU:C:2015:650)
112. This request for a preliminary ruling arose from a complaint against
Facebook Ireland Ltd which was made to the Irish Data Protection
Commissioner by Mr. Schrems, an Austrian privacy advocate. Mr. Schrems
challenged the transfer of his data by Facebook Ireland to the United States
and the retention of his data on servers located in that country. The Data
Protection Commissioner rejected the complaint since, in a decision of
26 July 2000, the European Commission had considered that the United
States ensured an adequate level of protection of the personal data
transferred (“the Safe Harbour Decision”).
113. In its ruling of 6 October 2015, the CJEU held that the existence of
a Commission decision finding that a third country ensured an adequate