D11.6: Survey on Mobile Identity

The legal framework for LBS in Europe EUROPEAN LEGAL FRAMEWORK FOR ACCESSING LOCATION DATA BY LAW ENFORCEMENT

European legal framework for accessing location data by law enforcement

In the EU, there is no general legal framework for law-enforcement powers, since this is an issue still left to Member States to regulate. Only for some specific measures is there considered to be a need for harmonisation, for example, for data retention (see above, section 4.3.7), and for criminalisation of attacks on computer systems. The Data Retention Directive contains one relevant provision in this respect, article 4: “Member States shall adopt measures to ensure that data retained in accordance with this Directive are provided only to the competent national authorities in specific cases and in accordance with national law.” This does not provide guidance for national law on the conditions under which law enforcement agencies can access location data, however.

For such guidance, we need to look at the Council of Europe. The general legal framework here is the European Convention on Human Rights and Fundamental Freedoms (ECHR), in particular article 8. This provision protects the right to private life and, among other things, correspondence. Law-enforcement powers to access personal data have to fulfil the requirements of article 8, paragraph 2: they must be established by law and be foreseeable for citizens, in the interest of, among other things, national security or crime prevention, and they must be ‘necessary in a democratic society’. This implies a proportionality test, but leaves a fairly wide margin of appreciation for European states to establish law-enforcement powers.

More specific provisions are found in the Council of Europe Convention on Cybercrime (CCC). This convention entered into force on 1 July 2004 for those states who ratified it. As of February 2007, the convention has 19 party states. The convention needs to be implemented by the party states in their national laws.

The general provision to access location data is the article relating to real-time collection of traffic data. Party states should establish a power for law enforcement to collect or record, with the help of service providers, ‘traffic data, in real-time, associated with specified communications in its territory transmitted by means of a computer system’. This power should be usable at least for cybercrimes, but preferably for all crimes where electronic evidence is relevant (art. 14 CCC). It should also be used in cases where mutual legal assistance is required, i.e., when a party state requests another party state collect real-time traffic data (art. 33 CCC).

For location data that are not traffic data (categories 3 and 7 in Figure 1), the powers of a production order (art. 19 CCC) and search and seizure of stored computer data (art. 19) may be used. The Explanatory Memorandum explains that the production order may also cover the fixed location data of end equipment. A crucial difference with the traffic-data regime is that traffic data should be provided by service providers in real-time, contrary to other kinds of data.

Since traffic data are volatile, the convention also contains powers to command the preservation of specific data, including traffic data, for a maximum period of 90 days (art. 16 CCC). This is not a sweeping ex-ante data-retention measure, since it regards only data specifically designated ex-post in concrete cases. It is not relevant for EU member states, where data retention is mandatory anyway, except perhaps in very rare cases where law enforcement needs to obtain traffic data just when the mandatory data-retention period is about to expire. It may also be relevant, however, for location data that are not traffic data, e.g., data generated by certain GPS applications.