The Constitutional Court found No 161 / 2019 Coll.

The Constitutional Court found of 14 May 2019 sp. zn.

Valid The Constitutional Tribunal found
Text versions: 27.06.2019
Contents
I. II. III. IV. V. VI. § 97 § 88a § 68 § 71 VII. VIII.
161
FIND
The Constitutional Court
On behalf of the Republic
The Constitutional Court decided under sp. zn. Pl. ÚS 45 / 17 on 14 May 2019 in plenary composed of the President of the Court of Pavel Rychetský and Judge Louis David, Jaroslav Fenyk, Josef Fialy, Jan Filip, Jaromír Jirsy (Judge Rapporteur), Tomáš Licenčník, Vladimir Sládeček, Radovan Suchanek, Kateřina Šimáková, Vojtěch Šimíček, Milady Tomková, David Uhlíř and Jiří Zemánek on the proposal of the group of Members, represented by Mgr. et Mgr. Jan Vobořil, a lawyer, based in Prague 7, U Smaltovna 1115 / 32, on the abolition of the provisions of § 97 (3) and 4 of the Act of the Act of the Act of the Czech Republic and of the Czech Republic.
as follows:
Motion denied.
Reasons

I.

Definition of the case
1. A group of 58 Members (hereinafter referred to as the "Group of Members" or "the draftsman"), pursuant to Article 87 (1) (a) and (b) of the Constitution of the Czech Republic (hereinafter referred to as "the Constitution"), shall, by means of a proposal of 20 December 2017, apply to the Constitutional Court, in proceedings under § 64 et seq. of Act No. 182 / 1993 Coll., on the Constitutional Court, as amended (hereinafter referred to as "the Law on the Constitutional Court"), for annulment under the heading of those provisions.
2. The proposal challenges certain provisions of the legislation governing the prevention of the storage of electronic communications data by telecommunications service providers (hereinafter referred to as "data retention ') and the possibility of subsequent provision of such information: (a) law enforcement authorities, (b) the police of the Czech Republic (hereinafter referred to as" police') for the purposes of an ongoing search for a specific wanted or missing person, identification of a person of unknown identity or identity found dead or the prevention or detection of specific terrorist threats, (c) the Security Information Service, (d) Military Intelligence, (e) the Czech National Bank for capital market surveillance purposes.
3. The contested legislation follows, as is apparent from the relevant explanatory notes, different objectives, which are also deductible from the list of authorities authorised to dispose of stored data. It concerns the security and defence of the state, the protection of persons and property from criminal activity, the search for persons wanted, missing or lost, and the supervision of the capital market. The original legislation setting up the obligation to store operational and localisation data was adopted in 2005 in response to increasing security risks related to the increasing use of electronic communication systems, which required to adapt the powers of the authorities responsible for carrying out the tasks of ensuring the security and defence of the Czech Republic, and constituted the implementation of Directive 2006 / 24 / EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or public communications networks and amending Directive 2002 / 58 / EC ("the Data Retention Directive ') - from the Decision of the Court of Justice of the European Union (" SDEU') today (see below).
4. In order to fulfil those objectives, the contested legislation requires mandatory bodies (electronic communications service providers, hereinafter referred to as "operators') to retain" data packages' on all clients, telecommunications users, for a period of six months retroactively. For example, for telephone calls or SMS and MMS messages (including unsuccessful connection attempts), the operator shall keep data on the phone numbers of the call and call, the date and time of the initiation and termination of the communication, the location and movement of the user of the service. In addition, in case of use of Internet services and e-mail communication, operators are required to collect in particular user accounts, computer identifier and search server (IP address, port number), e-mail address details of communication participants and e-mail protocol.
5. To put it simply, on the basis of the contested legislation, operators retain information on each telephone connection, text message, Internet connection or e-mail correspondence, i.e. detailed data on all communication, location of communication participants and internet services provided. Some of these data are kept by operators for their own needs (billing, complaints, marketing) even without the obligation laid down by the contested law.

II.

Arguments of the appellant
6. The Group of Members proposes to repeal the contested legislation as it unconstitutionally interferes with the Charter of Fundamental Rights and Freedoms (hereinafter referred to as "the Charter") of the guaranteed right of privacy under Article 7 (1) of the Charter, the protection against unauthorised interference in private and family life under Article 10 (2) of the Charter, the right to protection against unauthorised collection, disclosure or other abuse of personal data under Article 10 (3) of the Charter, and the right to the secrecy of reports submitted by telephone or other similar devices under Article 13 of the Charter. The appellant also contends that the contested arrangements are contrary to Article 8 of the Convention on the Protection of Human Rights and Fundamental Freedoms ("the Convention ').
7. The appellant refers to the precaselaw of the Constitutional Court and the Court of Justice of the European Union, which has already dealt with the issue of the date retention [the finding of the Constitutional Court sp. zn. Pl. ÚS 24 / 10 of 22.3.2011 (N 52 / 60 CollNU 625; 94 / 2011 Coll.); the finding of the Constitutional Court sp. zn. Pl. ÚS 24 / 11 of 20.12.2011 (N 217 / 63 SbNU 483; 43 / 2012 Coll.); judgment of the Court of Justice of the European Union of 8.4.2014 in Joined Cases C-293 / 12 and C-594 / 12 (Digital Rights Ireland Ltd) and of 21.12.2016 in Joined Cases C-203 / 15 and C-698 / 15 / 15 (Tele2 Sverige AB)].
8. First of all, it is argued that the contested legislation is non-discriminatory in relation to the constitutional right to privacy, as it does not conserve its substance and meaning under Article 4 (4) of the Charter. According to the appellant's conviction, the monitoring, collection and storage of traffic and location data is already unconstitutional, as it is comprehensive and non-selective. The appellant submits that the measure creates a legitimate feeling that everyone is under constant supervision and does not allow any distinction. Today, much more data is being generated than was the case in 2011, when the Constitutional Court last decided on the case, as the use of data services on mobile ("smart") phones has expanded, allowing a detailed overview not only of the social links and habits of the individual, but also of its movements. The appellant considers that the retention of traffic and location data also applies to persons with a duty of confidentiality - professional secrecy (lawyers, doctors, advisers). The widespread retention of sensitive data carries a risk of abuse - data on journalists (Poland) has been misused abroad or identified by participants in the anti-government demonstration (Belarus).
9. Furthermore, in relation to the various contested provisions, the appellant contends that the definition of the purposes for which operational and localisation data can be stored under national law is disproportionately broad and, as a result, in breach of Article 15 (1) of Directive 2002 / 58 / EC of the European Parliament and of the Council of 12.7.2002 on the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), in an effective manner (hereinafter referred to as "e-privacy Directive '), since the privacy of individuals can be limited in this respect only for the purpose of ensuring public security, State defence and for the prevention, investigation, detection and prosecution and prosecution of criminal offences. The possibility of using traffic and location data by the police in search of a missing or wanted person can no longer, by definition, justify exemptions from privacy protection, as well as supervision by the Czech National Bank of the Capital Market. The appellant is convinced that the powers under the provisions of § 97 (3) (b) and (e) of Act No. 127 / 2005 Coll., on electronic communications and on the amendment of certain related laws (the Act on electronic communications), as amended, (hereinafter referred to as" ZEK') in conjunction with § 68 (2) and § 71 (a) of Act No. 273 / 2008 Coll., on the Police of the Czech Republic, (hereinafter referred to as "Police Act 'or" ZPol') are not in line with the legitimate objectives defined by the directive cited in question.
10. In the strict sense of the possibility to provide operational and localisation data to law enforcement authorities pursuant to § 97 (3) (a) of the SEK in conjunction with § 88a of Act No. 141 / 1961 Coll., on criminal proceedings of the Court (criminal order), as amended, (hereinafter referred to as "the criminal order '), the appellant of the measure does not consider that it is capable of meeting a legitimate objective - reducing crime and increasing its clarity. According to the appellant, the available police crime statistics for the period 2011- 2013 show that the possibility of using operational and localisation data does not affect either the frequency of the crime or its clarity - for serious crime, statistical conclusions are identical, as is demonstrated by foreign studies; the law enforcement authorities are able to provide the necessary evidence otherwise. Furthermore, the appellant points out that the monitoring of traffic and location data can be easily circumvented by means of various tools, such as the use of an anonymous prepaid SIM card, which is well aware, above all, of the perpetrators of serious crime. As a result, monitoring the communication of an entire society, which is not committed to crime, to protect against offenders who know how to technically avoid monitoring - the measure is also inappropriate in the proportionality test to achieve a legitimate objective. Moreover, it is clear that the data in question is used because they are not only required to clarify a particularly serious crime, but often serve as evidence in ordinary criminal proceedings.
11. (a) ZPol does not respect the contested legal regulation, according to the appellant, the conclusions of the appeal sp. zn. In some cases, the police have access to operational and localisation data without being authorised by the court and have no obligation to use the data or subsequently inform their subject (as in the case of wiretaps), so that the person concerned does not even know about the involvement in his constitutional rights.

III.

Active procedural legitimacy and management conditions
12. Under Article 64 (1) (b) of Act No. 182 / 1993 Coll., on the Constitutional Court, a group of at least 41 Members has the right to apply for annulment of the law or its individual provisions. Pursuant to Article 64 (2) (b) of Act No. 182 / 1993 Coll., on the Constitutional Court, as amended by Act No. 320 / 2002 Coll., a group of at least 25 Members may submit a motion to repeal another legislation or its individual provisions. The proposal in this case was made by a group of 58 Members and, in accordance with Article 64 (5) of Act No. 182 / 1993 Coll., on the Constitutional Court, as amended by Act No. 320 / 2002 Coll., it was accompanied by a signature document to which each of them individually confirmed that it was attached to the proposal. The applicant therefore fulfils the condition of active legitimacy.
13. The proposal contains all the legal requirements required and is admissible within the meaning of the provisions of Section 66 of Act No. 182 / 1993 Coll., on the Constitutional Court, as amended by Act No. 48 / 2002 Coll.; at the same time there is no reason to terminate the procedure under the provisions of Section 67 of the same Act.

IV.

Proceedings before the Constitutional Court
14. The Constitutional Court, pursuant to Article 69 of the Law on the Constitutional Court, also called on the Chamber of Deputies and the Senate of Parliament and the Ministry of Industry and Trade as parties to the proceedings and the Government, together with the Ombudsman, as interveners to the proceedings. The Constitutional Court requested comments on the proposal pursuant to Article 48 (2) of Act No. 182 / 1993 Coll., on the Constitutional Court, also the President of the Republic, the Ministry of Justice, the Supreme Prosecutor and the Office for the Protection of Personal Data.
15. The Ombudsman informed the Constitutional Court that she did not intervene. The statement of the President of the Republic does not contain any material (new) facts, which is why the Constitutional Court does not consider it necessary to recap them further.
(a) Parliament's observations
16. The Chamber of Deputies and the Senate merely described in their observations the course of the legislative process of adopting the contested regulation.
17. Government draft Act No. 273 / 2012 Coll., amending Act No. 127 / 2005 Coll., on Electronic Communications and amending certain related laws (the Act on Electronic Communications), as amended, and certain other laws, containing the contested versions of Sections 97 (3) and (4) of the ZEK and of Section 88a of the Code of Criminal Procedure, were distributed to Members as a print No 615 on 27 February 2012. The first reading of the draft law was carried out on 14 March 2012 and the committees subsequently recommended approving the draft law. The second reading passed the draft law on 14 June 2012. In a detailed debate, Mr Jaroslav Krupka, who, in § 97 (3) of the ZEK, proposed only a legislative-technical change - renumbering the footnotes in connection with the adoption of Act No. 142 / 2012 Coll., on the amendment of certain laws in connection with the introduction of basic registers. The bill was approved by the Chamber of Deputies as amended at third reading on 20 June 2012. The Chamber of Deputies referred the bill to the Senate on 26 June 2012, which approved it on the recommendation of all the committees concerned in the version adopted by the Chamber of Deputies as Senate Document No 383 on 18 July 2012. When negotiating in the Senate, the Minister for the Interior stressed that the regulation on the storage and use of traffic and localisation data was significantly tightening. The President of the Republic signed the law and was declared in the Collection of Laws on 22 August 2012.
18. Paragraph 88a of the Penal Code was further amended by Act No. 455 / 2016 Coll., amending Act No. 40 / 2009 Coll., the Penal Code, as amended, and other related laws, whose government proposal was circulated to Members as House Press No. 886 on 16 August 2016. The first reading of the draft law was made on 16 September 2016 and 19 October 2016, the Chamber of Deputies accepted the proposal in a special regime at first reading and subsequently forwarded it to the Senate on 4 November 2016. The Senate approved the proposal on the recommendation of the Constitutional Legal Committee, as adopted by the Chamber of Deputies as Senate Press No. 348 on 30 November 2016. The President of the Republic signed the Act and was declared in the Collection of Laws on 29 December 2016.
19. The Government's draft law on police, including the contested provisions of paragraphs 68 (2) and 71 (a), has been circulated to Members as Press No. 439 on 29 February 2008. The first reading of the draft law took place on 25 March 2008 and subsequently the committees recommended approving it as amended by them; in second reading, the draft law passed on 10th and 18th June 2008. In a detailed debate, nine Members spoke with their amendments. The draft law was approved as amended at third reading on 25 June 2008. The Chamber of Deputies referred the proposal to the Senate on 8 July 2008, which approved it on the recommendation of all the committees concerned in the version adopted by the Chamber of Deputies as Senate Document No 301 on 17 July 2008. The President of the Republic signed the Act and was declared in the Collection of Laws on 11 August 2008.
b) Expression of the Ministry of Industry and Trade
20. The Ministry of Industry and Trade, which issued the contested Decree No. 357 / 2012 Coll., on the retention, transfer and disposal of operating and localisation data (hereinafter referred to as the Order), considers the legislation to be balanced and satisfactory. In support of its opinion, the Ministry refers to the 2012 communication from the Office for Personal Data Protection, which, in the inter-ministerial comment procedure, identified the proposal for the relevant amendment to the Electronic Communications Act as appropriate in the light of the scope and details of the modification and the establishment of the right of a person to be informed of the processing of his personal data. The Ministry of Industry and Trade also stresses that the Czech Telecommunications Office and the Office for Personal Data Protection were actively involved in the drafting of the Decree drawn up in an agreement with the Ministry of Interior. The decree was created as a compromise between the needs of authorised entities, the technical possibilities of operators and the privacy requirements.
(c) Government observations
21. The Government ("the intervener") does not agree in its observations that the contested legislation does not respond to the relevant case law of the Court of Justice of the European Union and the Constitutional Court. According to the Government, the contested amendment to all complaints by the Constitutional Court was adequately addressed and could not be read against it. In relation to the judgments cited above in SDEU Digital Rights Ireland Ltd and Tele2 Sverige AB, the Government points out that neither of them was subject to review by the Czech legislation. Therefore, judgments could not constitute direct or indirect change for national legislation. The Government considers Czech legislation to be strict and consistent with the requirements of the Court of Justice of the European Union compared to other European countries.
22. In practice examples, the government demonstrates in which cases the clarification of crime would be impossible without the use of legally preserved traffic and location data. The Government argues that the Electronic Communications Act provides not only for the necessary range of stored data in terms of both quantity and time interval, which go beyond the data held by obliged entities for their own needs (e.g. service billing), but also for a uniform form of processing, without which access to the requested data would be difficult. The requirements for the security of stored traffic and location data contained in § 88 et seq. of the ZEK are also considered sufficient by the Government.
23. As regards Article 88a of the Code of Criminal Procedure and the appellant's objection to the overbroad definition of the term serious crime ("serious crime"), the Government states that European Union law ("EU") does not provide a specific definition and it is up to the Member States to interpret that concept. According to the Government, a number of restrictions and guarantees have been added to the effective wording of Section 88a of the Code of Criminal Procedure, which already reflect the requirements of both the Constitutional Court and the Court of Justice of the European Union and fulfil the claims for the protection of the fundamental rights in question. The Government adds that the construction of guarantees and restrictions is almost identical to the requirements for the use of wiretap and recording of telecommunications operations under § 88 of the Criminal Code, except for the upper limit of the criminal rate and the following exhaustive list of offences for which operational and localisation data can be used. The indispensable added value of the retention of the data in question lies in the detection of information on the telecommunications operation already carried out, so it is directed in contrast to § 88 of the Code of Criminal Procedure - it does not affect the content of the communication, which is another substantial difference. In the proportionality test, the Government considers that the provision quoted would have stood in all three steps.
24. Operating and localisation data represent an important "electronic trail," which plays an irreplaceable role and leads the police to take other effective measures to clarify the crime. In addition, according to the Government, the acquisition of traffic and location data saves third parties' rights, since on their basis, the police exclude possible suspects and assess that there is no longer a need to ask for explanations from more people, but only from relevant ones. The appellant's view that criminal offenders use mechanisms to ensure the confidentiality of communications and therefore the contested instrument cannot be considered as effective, the government does not share, but considers it to be an argument in favour of maintaining the obligation to maintain operational and localisation data and making it available to authorised entities under the conditions laid down.
25. On the alleged abuse of the contested institute, the government draws attention to the misinterpretation of statistics, which is caused by different methods of data processing by the Czech Telecommunications Office and the police. The conclusion on the massive detection of operational and localisation data by law enforcement authorities is rejected by the Government with reference to the graphs mentioned in the statement.
26. The government also considers the contested provisions of the Police Act to be satisfactory. According to Article 68 (2) of the Act, the police are entitled to request data in the event of a search for a wanted or missing person, which are the terms of the law defined. a number of conditions must be met cumulatively. The risk of abuse is minimal, legal regulation is set strictly and is supplemented by equally strict internal acts. The absence of judicial review is a defense of the need for a rapid response, as the health and life of the persons sought may be compromised. On Article 71 (a) of the ZPol on the prevention and detection of terrorist threats, the Government adds that, according to statistics, this is a low-use provision.
27. According to the Government, the right of the Czech National Bank to obtain operational and localisation data for the prosecution of administrative offences on the capital market section is based on and consistent with European legislation [Article 69 (2) (r) of Directive 2014 / 65 / EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directives 2002 / 92 / EC and 2011 / 61 / EU].
d) Expression of the Supreme Prosecutor's Office
28. The Supreme Prosecutor's Office focuses on the regulation of data retention in conjunction with Section 88a of the Criminal Code; It is of the opinion that even if the Constitutional Court had reached a conclusion on the unconstitutionality of § 97 (3) and (4) of the ZEK, § 88a of the Code of Criminal Procedure would have been sustainable and independent, as in the past. The provision cited under the Supreme Prosecutor's Office meets the requirements of the Court of Justice of the European Union as set out in Tele2 Sverige AB, since serious criminal activity is defined sufficiently strictly and other control mechanisms (in particular a reasoned court order) are also satisfactory. The High Prosecutor's Office is opposed to the appellant's claim that the widespread use of traffic and location data by law enforcement authorities does not affect the degree of clarity of crime. Access to data is, according to the Supreme Public Prosecutor's Office for Direction and Progress (speed and hence lower cost) of criminal proceedings; the fact that, over time, crime is increasingly sophisticated, is more often moved to and used by electronic communication platforms (including the Internet).
29. In the light of the SDEU judgments, The Attorney General finds that the law on police is insufficient because there is a lack of cross-compliance of police access prior to the agreement of an independent body deciding on a reasoned request and an obligation to inform the person concerned of access to the stored data. Paragraph 68 (2) ZPol, however, considers the Supreme Prosecutor's Office for Police to be very important.
(e) Expression of the Office for the Protection of Personal Data
30. In its observations, the Office for the Protection of Personal Data identified a proposal to repeal the contested provisions; considers that the criteria set out in the case-law of the SDEU are not taken into account in the Czech legislation. The Authority underlines the contribution of the Expert Group WP 29 [Working Party on the Protection of Individuals with regard to the Processing of Personal Data established on the basis of Article 29 of Directive 95 / 46 / EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such Data (hereinafter "WP 29 ')], which already pointed out in 2001 the need for a balanced approach in terms of the protection of personal data as part of the fundamental rights and freedoms of individuals. Even then, WP 29 expressed concern about the increasing tendency to refer to the protection of personal data as an obstacle to the effective fight against terrorism and called for anti-terrorism measures not to reduce human rights standards.
31. In its observations, the Office for the Protection of Personal Data draws attention to the fact that the present case should also be seen in the light of effective Regulation (EU) 2016 / 679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95 / 46 / EC (General Data Protection Regulation), hereinafter referred to as "GDPR," which aims to strike a balance between the protection of fundamental rights and the development of communication technologies.
(f) Replication of the appellant
32. The Constitutional Court sent the above observations to the appellant's representatives for a reply. The appellant referred to the arguments put forward in the application for annulment of the provisions in question and did not consider it necessary to react further to the comments sent.
(g) Oral proceedings
33. The Constitutional Court ordered public oral hearing in accordance with Article 44 of the Law on the Constitutional Court, since it considered it necessary to carry out the taking of evidence by hearing information from the professional public and practitioners in accordance with Article 49 (1) of the same Act in order to clarify better the technical context and details of the issue. The oral hearing was convened by Mgr. Vanda Keller (representative of one of the largest operators on the market), doc. Dr. Radim Polčák, Ph.D. (Head of the Institute of Law and Technology of the Masaryk University of Law), Mgr. Karel Bachkovský (Head of the Department of Law and Security Policy of the Ministry of Interior), Dr. Tomáš Sokol (President of the Association of the Union of Defenders of the Czech Republic, p.), Chief Prosecutor of the Czech Republic, Dr. Lenka Bračkovský, and representatives of the police departments concerned (Colonel Vladimir Šibor, Director of the Department of Special Activities of the Service of the Criminal Police and Investigation Presidium of the Czech Republic; Col. Ing. Josef Mareš, Deputy Head of General Crime Department of the Regional Directorate of Police of the City of Prague; Colonel Mgr. Bc. František Habada, Head of the Operational Department of the Czech Police Presidium).
34. From the hearing of Mgr. Keller, the Constitutional Court found that law enforcement authorities in the past required operational and localisation data even without specific regulation of data retention, using only other legal means (Section 8 of the Criminal Code). For the company T-Mobile Czech Republic, a. s., the data according to § 97 (3) of the ZEK are kept separately, access to them is allowed under strict conditions; the costs of fulfilling this legal obligation shall be borne by the State. Data are most frequently requested for the first three months from the time of their creation. The operator shall keep operational and localisation data for its own needs (billing and complaint of services) (in a different than the contested decree of the specified scope, it does not need all) for two months. For marketing purposes, the data can only be stored on the basis of the customer's consent (in the case of T-Mobile Czech Republic, a. s., about 70% of the customers), the operator keeps it for six months. The repeal of the contested legislation would mean a state of considerable legal uncertainty for operators.
35. Interview doc. It was found that the contested legislation was not excluded from the European standard; it can be imagined that, for example, stricter requirements for the security of stored data will be set or access to them stepped up according to the severity of the crime (not six months flat-rate for all legal purposes). The absence of legislation on data retention in some States does not mean that the competent authorities do not use operational and localisation data to investigate crime in them, they are only obtained by other routes.
36. The reply of Mgr. Bachkovsky showed that, when preparing the proposal for the contested regulation, it was followed with the knowledge of the findings of the Constitutional Court sp. pl. ÚS 24 / 10 and sp. zn. According to him, the definition of criminal activity under Section 88a of the Code of Criminal Procedure is sufficiently strict; the use of operational and localisation data in criminal proceedings is irreplaceable. The use of Paragraph 68 (2) of the ZPol serves to protect the life and health of missing persons, the judicial review by nature makes no sense.
37. JUDr. Sokol stated during questioning that according to his practical experience the recording of traffic and location data is a marginal matter; concerns a small number of cases, its value is rather supportive, indirect, not incriminating evidence.
38. From the interrogation by JUDr. Hogwarts, the Constitutional Court found that, because of social and technological developments, the years 2008 and 2019 cannot be compared, new and more sophisticated forms of crime are created each year. From the annual idea of criminal matters, requests for the recording of telecommunications traffic relate to about 3% of cases. The record represents a more moderate measure and is often used as a "start-up" evidence which further directs law enforcement authorities to use the invasion of external funds (including wiretaps). When increasing the upper limit of the criminal rate in § 88a of the Code of Criminal Procedure, mandatory retention of data would not concern a number of offences, the investigation of which cannot be avoided without operational and localisation data (spreading of toxicomania, dangerous persecution, dangerous threats, hate crimes, spreading of alarm messages, child pornography). It's a new, modern footprint, an irreplaceable investigative method that has no adequate equivalent.
39. The reply of Colonel Ing. Šibor was found to process all requests under § 88a of the Code of Criminal Procedure and to conduct inquiries with operators exclusively in the Republic of the Republic of the Czech Republic. Requests are authorised, the queries made are archived and can be verified back, only through the Director of the Special Activities Unit. The listing of traffic and location data is less invasive than a wiretap, often preceded by a warrant. The report on telecommunications traffic (on "data held ') is evidence of an important but not unique nature and must be supported by other evidence. The activities of the Special Activities Unit are regularly monitored by the Commission of the Chamber of Deputies (Standing Commission on the Control of the Use of Wiretap and Recording of Telecommunications, Use of Tracking of Persons and Goods and Interruption of Electronic Communications) and by the Data Protection Office.
40. The interrogation of Colonel Ing. Bc. Mareš revealed that the record of traffic and location data is often used in the investigation of serious violent and property crimes. While violent crime has the advantage of having the perpetrator physically present at the scene at some point, property crime may not be the case, and then the law enforcement authorities often have no other than electronic clues. The recording of telecommunications traffic also helps to remove some of the people (recidivists) from the suspect list. In general, it is not possible to say whether a six-month period is necessary or superfluous, always depends on the circumstances of a particular case. At the time of the first intervention of the Constitutional Court in the data retention area, 2-3 murders in its district could remain unexplained due to the lack of operational and localisation data.
41. From the interrogation of Colonel Mgr. Bc. Habady Constitutional Court for Application § 68 par. 2 ZPol has found that his department manages a central communication system in which missing persons are entered through 14 regional emergency services. There is no abuse, the request for localization can be verified back. Moreover, the notifier is always personally confronted and "extracted" by police patrols, so he would change his mind about any misuse of the search. About half the time, a missing person is found exactly where their electronic device was located. This way, for example, it is possible to locate and avert suicide attempts in a timely manner.
42. The evidence provided resulted in the following conclusion on the facts: Operators have adapted to the contested legislation by creating new technical solutions, have not incurred their own costs and do not arise in connection with the processing of applications for access to traffic and location data, these costs are borne by the State. Access to data is exclusively through the Special Activities Unit, only the localization of electronic equipment can be obtained under the Police Act, not all operational and localisation data as in the case of requests under Section 88a of the Penal Code. The contested legislation is not outside the European standard. Just as technology develops the form of crime committed, only electronic clues are increasingly emerging from the perpetrators, so the investigative methods of recent years cannot be compared. No systemic failure has yet been detected in connection with the storage or making available of traffic and location data.

V.

Review of the procedure for the adoption of the contested rules
43. The Constitutional Court, in terms of § 68 paragraph 2 of Act No. 182 / 1993 Coll., on the Constitutional Court, as amended by Act No. 48 / 2002 Coll., examined whether the contested provisions of the Act on Electronic Communications, the Criminal Code and the Police Act were adopted and issued within the limits of the Constitution established competence and in the prescribed manner. It concluded that there is no blame on the legislator in this respect - neither the parties nor the interveners indicate any deficits in the legislative process. For the sake of clarity, the Constitutional Court refers to a summary of the legislative process in Parliament's observations.
44. The decree was issued by the Ministry of Industry and Trade. The powers of ministries to legislate for the implementation of the law arise from Article 79 (3) of the Constitution, but are materially conditional on the existence of explicit legal authorisation and its limits. In the present case, the contested provision § 97 (4) of the ZEK is authorised - the material condition for the issue of the statutory act is fulfilled. The decree was signed by the Minister of Industry and Trade and properly published in the Collection of Laws with effect from 1 November 2012.

VI.

Meritorious review of the proposal
45. Having examined the formal elements of the proposal, the imputability of the process of adopting the contested legislation and the evidence carried out, the Constitutional Court examined the appellant's objections to the contested legislation in substance and reached the following conclusions.
(a) General considerations
Right to privacy, information self-determination and communication freedom
46. The storage of traffic and location data directly affects the constitutionally guaranteed right of privacy within the meaning of Article 10 (2) and (3), Article 13 of the Charter and Article 8 of the Convention. Privacy is one of the core elements of individual freedom, which is among the most important values of liberal democracy, and its protection is reflected in many different aspects, as evidenced by the comprehensive establishment of this fundamental right in several different provisions of the Charter. In the present case, it is more specifically the so-called right to information self-determination (Article 10 (3) of the Charter) and the freedom of communication (Article 13 of the Charter). The right to information self-determination shall protect individuals from unauthorised collection, disclosure or other misuse of personal data. Communication freedom shall be protected by letters and messages, whether kept in private or sent by post, submitted by telephone, telegraph or other means.
47. The Constitutional Court has set out in detail the general bases on the right to privacy and the admissibility of the restriction of that right in favour of the constitutionally and insurmountable public interest already in the above-mentioned finding, Pl. ÚS 24 / 10, to which the Constitutional Court refers in particular in paragraphs 26 to 40. In short, the Constitutional Court has explained in particular that, by its nature and importance, the right to information self-determination is among the fundamental human rights and freedoms, because, along with the freedom of personal, freedom in the spatial dimension (home) and communication, it completes the individual's personality, whose individual integrity as a necessary condition of dignity and the development of human life must be respected and consistently protected. Respect and protection of this sphere are guaranteed by constitutional order, as it is an expression of respect for human rights and freedoms (Article 1 (1) of the Constitution).
48. It is clear from the settled case law of the Constitutional Court, in particular in relation to the issue of telephone wiretaps, that the protection of the right to respect for private life within the meaning of Articles 10 (3) and 13 The documents relate not only to the actual content of the messages submitted by the phone, but also to the data on the call numbers, the date and time of the call, the duration of the call, in the case of mobile telephony and the base stations providing the call [cf. This information on ongoing electronic communication is composed of operational and localisation data.
49. Through the information collected, although the communication content is not stored (unlike the wiretap), it is possible to compile a detailed record of the movement of the individual and his personal and communication profile (personal links, environment, social status, political orientation, medical condition or sexual orientation). Every user of a mobile phone and computer, almost every citizen of the Czech Republic, is an individual. Moreover, in the case of internet services, the threshold between traffic data and content itself is very thin, sometimes barely identifiable.
50. The so-called "metadata" of communication (i.e. everything except content) can in fact be much more valuable and, in fact, "dangerous" than knowledge of the content of communication itself, as it is machine-readable and analysed; the results of such processing can then be judged by the future behaviour of the individual. On the contrary, the content can in fact be "unofficial" - if the communication participants do not want it to be understood, they communicate by means of a hint or a pre-agreed code. Therefore, the collection and storage of traffic and location data also constitute a significant interference with the right to privacy and deserve a similar level of safeguards against abuse as the content of the communication itself. It is therefore necessary to include, within the scope of the protection of the fundamental right to respect for private life, not only the protection of the content of the messages provided by telephone or communications via so-called public networks, but also operational and localisation data on them (cf. sp. zn. Pl. ÚS 24 / 10).
51. The fundamental right can only be limited by law and only to the extent necessary under the conditions of a democratic rule of law, while maintaining guarantees of protection of the individual against public opinion. In particular, the limitation of fundamental rights must be in line with the requirements of the rule of law and meet the requirements based on the proportionality test - in cases of conflicts of fundamental rights or freedoms with a public interest or with other fundamental rights or freedoms, the purpose (objective) of intervention in relation to the resources used must be assessed, with the proportionality principle being the criterion for assessment (in the wider sense). The legislation in question must be precise, clear in its wording and sufficiently predictable to provide the potentially affected individuals with sufficient information on the circumstances and conditions under which the public authority is entitled to intervene in their privacy (Article 2 (2) of the Charter) and, where appropriate, to adjust their behaviour in order to avoid conflict with the restrictive standard (Article 2 (3) of the Charter). The powers conferred on the competent authorities, the manner and rules for their implementation must also be strictly defined in order to protect individuals against arbitrary interference.
52. The assessment of the admissibility of the intervention under the principle of proportionality (in the wider sense) includes three criteria. The first is the assessment of the eligibility of the purpose (or suitability) - whether a specific measure is in any way capable of achieving the intended objective of protecting another fundamental right or public good. In addition, the need is assessed in the second step - it is examined whether the most respectful of basic law was used when selecting funds. Finally, proportionality (in the narrower sense) is assessed, i.e. whether the injury to the fundamental right is disproportionate in relation to the intended objective. Therefore, measures limiting fundamental human rights and freedoms must not, if they are to conflict with a fundamental right or freedom of public interest, exceed, by their negative consequences, the positives which constitute a public interest in the measures taken [cf. sp. zn.
EU law and the Court of Justice of the European Union
53. Czech Republic pursuant to Article 1 (2) The Constitution shall respect its obligations under international law. Union law penetrates the Czech legal order through Article 10a of the Constitution, on the basis of which the Czech legislator transferred part of its powers to the Union legislator. The relationship between the constitutional order of the Czech Republic and Union law, including the case-law of the SDEU, has undergone some developments during which the Constitutional Court has had more opportunity to comment in the past.
54. Content of Article 1 (2) The Constitution in relation to European Union law was interpreted by the Constitutional Court in such a way that domestic legislation, including the Constitution, is to be interpreted in line with the principles of European integration and cooperation between the Union institutions and the institutions of a Member State. If there are several interpretations of the provisions of the constitutional order and only some of them lead to a commitment taken over by the Czech Republic in connection with its membership in the European Union, it is necessary to choose a Euroconformal interpretation to support the implementation of the commitment rather than an interpretation which makes it impossible to implement [see sp. zn. In other words, in an area falling within the scope of EU law, it interprets constitutional law taking into account the principles arising from Union law [mutatis mutandis, see also the find sp. zn. All this applies while maintaining the limit, which is the so-called material core of constitutional order, that is to say, the essential essentials of the democratic rule of law within the meaning of Article 9 (2) of the Constitution [see the find sp. zn. While Union law is not a reference criterion for assessing the constitutionality of a national law, it cannot in itself lead to the deregulation of the law, yet it is necessary to take account of Union law and the case law of the SDEU when interpreting constitutional law.
55. The issue of data retention falls within the scope of Union law, as seen by the European legislator's efforts to establish a single framework for national legislation. The Data Retention Directive on the basis of which the contested legislation was adopted has been declared invalid by the Court of Justice of the European Union and the new European regulation has not yet been adopted. This has created a legislative space released by the annulment of the Data Retention Directive, which the Member States (i.e. the Czech Republic) can fill - because it is an area of competence shared by them with the EU (not the exclusive competence of the EU) - to the extent that the EU has not implemented it or has ceased to implement it effectively (Article 2 (2) of the Treaty on the Functioning of the European Union); When filling the released legislative space, the legislature of the Member State carrying out the reasons for the judgment of the SDEU, which invalidated the Union rules in question (namely Digital Rights Ireland Ltd).
(b) Precaselaw
56. The contested legislation of the Act on Electronic Communications and the Criminal Code was adopted in response to the above-mentioned derogatory findings of the Constitutional Court. The Court of Justice of the European Union also delivered the abovementioned judgments in Digital Rights Ireland Ltd and Tele2 Sverige AB.
57. The first of the above mentioned findings sp. zn. Pl. ÚS 24 / 10 of 22 March 2011 annulled the provisions of § 97 (3) and (4) of the ZEK, in the then version, and Decree No. 485 / 2005 Coll., on the scope of the operational and localisation data, the retention period and the form and manner of their transmission to the authorities entitled to use them. The Constitutional Court applied the case-law of the European Court of Human Rights (hereinafter referred to as "the ECHR ') relating to the use of wiretaps (in particular, the Malone judgment against UK No 8691 / 79 of 2.8.1984) and reiterated its regulatory requirements allowing interference with the right to private life by public authorities. The European Court of Human Rights considers it necessary to define at legal level clear rules governing the scope of the application of restrictive measures, to lay down minimum requirements for the length and manner of storage of the information obtained, for its use and for third parties' access to it and to establish procedures for the protection of data confidentiality and for its destruction; all so that individuals have sufficient safeguards to protect against their abuse. Paragraph 97 (3) of the ZEK, in its original version, did not clearly and accurately define the range of authorised authorities, the purpose of providing operational and localisation data and the conditions for their use, even in the light of the specific provisions referred to in the contested standard. The Constitutional Court also criticised the absence of clear and detailed rules containing minimum requirements for the security of stored data (avoiding third-party access, establishing procedures to protect confidentiality and integrity of data, the procedures for their destruction) and safeguards against the risk of their misuse.
58. A few months later, the Constitutional Court, following the finding of sp. zn. Pl. ÚS 24 / 10, annulled the finding of sp. zn. Pl. ÚS 24 / 11 of 20. 12. 2011 for the vagueness and uncertainty also of § 88a of the Penal Code. The proportionality test did not fulfil the second criterion of necessity, since the vague and broad wording of the purpose ("clarification of facts relevant to criminal proceedings') made it possible to request and use data essentially in any context of any criminal proceedings. According to the Constitutional Court, that deficiency could not be bridged by a constitutional interpretation. The Constitutional Court has not found a reason for which the scope of the legal guarantees should be different when using the instruments under Section 88 of the Penal Code (wiretaps - future telecommunications operation, including the content of communication) and Section 88a of the Penal Code (operational and localisation data - in the past the telecommunications operation without the content of communication), since in both cases the intensity of interference with the right to privacy is comparable. In addition to the requirements laid down for the legislation in question in the sp. zn.
59. Court of Justice of the European Union Ltd, of 8.4.2014, declared the Data Retention Directive invalid for a conflict with Article 7 (respect for private and family life) and Article 8 (protection of personal data) of the EU Charter of Fundamental Rights. Although the directive was capable of achieving the objective pursued (harmonisation of data retention in the field of combating serious crime), neither could it in itself justify that measures relating to all electronic means of communication and consisting of the retention of data of almost the entire European population be considered necessary. The Court of Justice of the European Union has made a requirement for a targeted link between the data stored and the risk to public security (data relating to a specific period, a geographical area or a circle of certain persons which may be involved in any way in serious crime, or persons who may contribute to the fight against serious crime through the storage of their data for other reasons).
60. Subsequently, by Tele2 Sverige AB of 21 December 2016, the Court of Justice of the European Union answered the questions referred for a preliminary ruling by the United Kingdom and Sweden concerning the interpretation of Article 15 (1) of the Directive in connection with the annulment of the Data Retention Directive and the consequences of this on national legislation of the Member States. Pursuant to Article 15 (1) of the ePrivacy Directive, Member States may adopt legislative measures limiting the scope of the protection of personal data within the meaning of the Directive where restrictions in a democratic society are necessary, proportionate and proportionate to ensure national security (i.e. national security), defence, public security and the prevention, investigation, detection and prosecution of criminal offences or the prevention of unauthorised use of an electronic communication system. The Court of Justice of the European Union has stated that the provision cited allowing Member States to exempt themselves from the rules on the provision of personal data must be interpreted strictly - a situation in which an exemption becomes a rule, as is the case in the case of the bulk and not selective retention of large amounts of data. According to the SDEU, national legislation must effectively define the relationship between the data to be stored and the purpose pursued, i.e. allow for an effective definition of the scope of the measures (a range of public figures whose data may show at least an indirect link with or contribute to combating serious crime and preventing serious threats to public security).
61. The next judgment in Case C-207 / 16 of 2 October 2018 (Ministerio Fiscal) of the SDEU partially mitigated the strict tone of access to traffic and location data; the data retention principle itself was not expressed here. On the preliminary question to the Spanish Court on the interpretation of the same provision as in the previous case - Article 15 of the e-privacy directive - he noted that disclosure of data, such as the name, surname and address of the holders of SIM cards activated in a stolen mobile phone, does not, in order to identify them to public authorities, interfere with the fundamental rights of those holders enshrined in Articles 7 and 8 of the EU Charter of Fundamental Rights in such a way that access to them should be limited only to the fight against serious crime.
62. Recently, the European Court of Human Rights has also had an opportunity to recap its case law relating to listening and to comment on the retention date. In its judgment of 13 September 2018, Complaints No 58170 / 13, 62322 / 14 and 24960 / 15 (Big Brother Watch against the United Kingdom), in connection with the provision of communication data, noted a breach not only of Article 8 of the Convention guaranteeing respect for private life but also of Article 10 of the Convention which guarantees freedom of expression. In particular, the infringement of Article 8 of the Convention was seen in the request for data on several telephone numbers by the investigating authorities, the purpose of which was to reveal the journalist's information source (not the objective of the defined public interest) and which was not subject to prior approval by a court or an independent administrative authority. In these two aspects, according to the conclusions of the ESLP, the practice of the authorities concerned and the legislation in force in Great Britain did not meet the requirements of the SDEU case-law presented. In the absence of specific legislation providing for stricter protection of the use of traffic and localisation data in relation to the protection of freedom of the press (the activity of journalists), the Court also saw violations of freedom of expression in the light of Article 10 of the Convention.
(c) Constitutional review of the contested rules
63. The issues discussed need to be divided into two planes, which seem to be independent of each other, but in fact, from the point of view of constitutional review, they are joined vessels.
64. First, it is necessary to answer the question whether, in the light of the fundamental rights set out above, it is at all permissible for the data of the contested scope to be collected and stored in a general, unaddressed and preventive manner (Sections 97 (3) and (4) of the ZEK and the Decree) - the legal obligation to collect and store traffic and location data as such must therefore be examined.
65. Secondly, in the event of a positive answer to the first question, it is necessary to address the question of the appropriate definition of the range of authorities authorised to access the data collected in connection with the determination of legitimate objectives to be met by the use of operational and localisation data, including the establishment of legal conditions and guarantees of protection to minimise interference in the fundamental rights of individuals [§ 97 (3) of the ZEK, § 88a of the Code of Criminal Procedure and § 68 (2) and § 71 of the letters of law. a) ZPol.
66. The Constitutional Court took into account the arguments of the parties concerned, assessed the evidence, subsequently carried out a proportionality test and concluded that the current date retention adjustment met the requirements laid down in the cited earlier case-law of the Constitutional Court and could be applied in a constitutional manner, in such a way that the rights of individuals guaranteed by Articles 10 and 13 of the Charter could be investigated as far as possible. The proposal was therefore rejected for the reasons set out below.
Affected legislation
67. Paragraph 97 (3) and (4) of the ZEK, as amended by Act No 287 / 2018 Coll., reads:
Monitoring and recording of messages
§ 97
...
(3) A legal or natural person providing a public communications network or providing a publicly available electronic communications service shall retain for a period of 6 months the operational and localisation data generated or processed in the provision of its public communications networks and in the provision of its publicly available electronic communications services. Operational and localisation data relating to unsuccessful call attempts shall be kept by a legal or natural person providing a public communications network or providing a publicly available electronic communications service only if such data are generated or processed while being stored or recorded. At the same time, the legal or natural person shall be required to ensure that the content of the messages is not retained in compliance with the obligation under the first and second sentences and are kept in such a way that they are further transmitted. The legal or natural person who stores the operational and localisation data shall, upon request, be obliged to provide it without delay
(a) law enforcement authorities for the purposes and subject to compliance with the conditions laid down in specific legislation;
(b) The police of the Czech Republic for the purposes of an ongoing search for a specific wanted or missing person, identification of a person of unknown identity or identity of the corpse found, prevention or detection of specific terrorist threats or screening of a protected person, and subject to the conditions laid down by specific legislation;
(c) a security information service for the purposes and subject to the conditions laid down in a specific legislation;
(d) Military intelligence for the purposes and subject to compliance with the conditions laid down in specific legislation;
(e) The Czech National Bank for the purposes and subject to compliance with the conditions laid down by the special legislation.
At the end of the period referred to in the first sentence, the legal or natural person keeping the operational and localisation data shall be obliged to dispose of them unless they have been provided to the authorities authorised to use them under a specific law or otherwise provided for by that law (§ 90).
(4) In particular, the operational and localisation data referred to in paragraph 3 shall be those resulting in the tracing and identification of the source and the addressee of the communication, as well as data leading to the identification of the date, time, manner and duration of the communication. The scope of the operational and localisation data retained in accordance with paragraph 3, the form and manner in which they are to be transmitted to the authorities authorised to use pursuant to specific legislation and the manner in which they are to be disposed of shall be laid down in the implementing legislation.
...
68. It does not consider that it is necessary to provide a declaration by the Constitutional Court for its scope; For the purpose of justifying the finding, a brief recap of its wording shall be sufficient to specify the type of data retained. According to Section 2 of the Decree, these are in particular the phone numbers of the communication participants, the date and time of commencing the communication (sending the message), the length of the communication, the IMSI (international identifier of the public mobile communications network participant allocated by the operator) and the mobile device identifier of the communication participants. In particular, in the case of Internet services, the type of connection, user identification, the date and time of Internet connection, the identification of the access point, the IP address and, for electronic communications services, the data on the connection to the e-mail box, sending and receiving of mail, including the addresses of shippers and recipients shall be kept. In addition, the Decree regulates the details of the process of providing stored data to the competent authorities and their liquidation after the legal period has expired.
69. Paragraph 88a of the Penal Code reads:
§ 88a
(1) It is necessary for the purposes of criminal proceedings conducted for a criminal offence, for which the law provides for a criminal offence with a maximum criminal rate of at least three years, for a criminal offence of secret reports (§ 182 of the Criminal Code), for a criminal offence of fraud (§ 209 of the Criminal Code), for a criminal offence of a criminal offence (§ 231 of the Criminal Code), for a criminal offence of dangerous crime (§ 364 of the Criminal Code), for a criminal offence of criminal prosecution (§ 365 of the Criminal Code), for a criminal offence of fraud (§ 357 of the Criminal Code), for a criminal offence of fraud (§ 357 of the Criminal Code). An order for the detection of telecommunications traffic data shall be issued in writing and justified, including a specific reference to the declared international agreement in the event of criminal proceedings for an offence committed by that international agreement. If an application is made to a specific user, the order must indicate its identity if known.
(2) A public prosecutor or police authority whose decision has been final and, if known, in proceedings before a court, the President of the Chamber of the Court of First Instance after the final decision has been taken shall inform the person of the user referred to in paragraph 1 of the information ordered on telecommunications operations, if known. The information shall include a reference to the court which issued the order for the identification of the telecommunications traffic data and an indication of the period covered by the order. The information shall include an instruction on the right to file, within six months of the date of receipt of this information to the Supreme Court, a proposal for a review of the legality of the telecommunications information order. The President of the Chamber of the Court of First Instance shall submit the information without delay after the final termination of the case, the prosecutor whose decision has been final shall submit the information without delay after the expiry of the period for the review of his decision by the High Representative of the Court of First Instance pursuant to Article 174a and the police authority whose decision has been final shall submit the information without delay after the expiry of the period for review by the Prosecutor of his decision pursuant to Article 174 (2) (e).
(3) The information referred to in paragraph 2 shall not be filed by the President of the Chamber, a prosecutor or a police authority in a criminal proceedings for which the law provides for a maximum sentence of imprisonment of at least eight years, committed by an organised group, in proceedings for an offence for the benefit of an organised criminal group, in proceedings for a criminal offence involving an organised criminal group (§ 361 of the Criminal Code), in proceedings for a criminal offence involving a terrorist group (§ 312a of the Criminal Code), or in the event that more than one person has been involved in the commission of an offence and in respect of at least one of them has not yet been a threat to the safety of the State, life, health, rights or freedoms of persons, or freedoms of persons against the person to whom the information is being disclosed, or where such information could be misled to the purpose of such criminal proceedings, or other criminal proceedings, or could have been punishable.
(4) The order referred to in paragraph 1 shall not be required if the communication device user to whom the data on the telecommunications operation carried out is authorised to provide the data.
70. Paragraphs 68 (2) and 71 (a) of the ZPol read:
§ 68
Search for persons and objects
...
(2) The police may request, for the purposes of an ongoing search for a specific wanted or missing person and for the purpose of identifying a person of unknown identity or identity of found cadaver, the provision of operating and localisation data from a legal or natural person providing a public communications network or providing a publicly available electronic communications service in a manner that allows remote and continuous access, unless otherwise provided by other legislation. The information shall be provided in the form and to the extent provided for by other legislation.
...
§ 71
In order to prevent and detect specific terrorist threats, the police department responsible for combating terrorism may, to the extent necessary, request:
(a) legal or natural persons providing a public communications network or providing a publicly available electronic communications service, in a way that allows remote and continuous access, unless otherwise provided for by other legislation; the information shall be provided in the form and to the extent provided for by other legislation;
...
Principle of data retention
71. First of all, according to the Constitutional Court, the question of the admissibility of the legally regulated principle of the retention of operational and localisation data by private entities, as such, should be addressed in the light of the limitations of the fundamental rights in question. Restrictions on the personal integrity and privacy of persons by public authority are allowed by the Charter only in exceptional cases - if this is necessary in a democratic society, if the purpose pursued by the public interest cannot be achieved otherwise and if it is acceptable from the point of view of legal existence and compliance with effective and specific safeguards against appetites.
72. Now the contested provisions of § 97 (3) and (4) of the ZEK and § 88a of the Code of Criminal Procedure were adopted by Act No. 273 / 2012 Coll. with effect from 1 October 2012 in response to the finding of sp. zn. The Constitutional Court, in its cited finding that the earlier wording of § 97 (3) and (4) of the ZEK was annulled, concluded that the general, preventive collection and storage of data was an intervention in the right to privacy and information self-determination so intense that it was necessary to lay as strict a standard as possible in order to meet the above requirements of the admissibility of intervention - the earlier legislation of the Electronic Communications Act in this respect, according to the Constitutional Court. The Constitutional Court, in an already cited finding as obiter dictum, expressed doubts as to the necessity and proportionality of the instrument itself for the comprehensive and preventive collection of metadata of all electronic communications in terms of the intensity of intervention in the private sphere of a significant number of individuals, as well as the fact that sensitive data are concentrated in the hands of private persons - operators (i.e. providers of Internet services and telephone and mobile communications).
73. The legislature responded to the complaints of the Constitutional Court by shortening the period of storage of operating and localisation data to six months, explicitly listing the entities authorised to request stored data, including the purposes for which authorised entities may request data, adding the legal definition of operating and localisation data, and again referring in detail to the implementing regulation (the contested decree).
74. In the meantime, the Data Retention Directive was annulled by SDEU Digital Rights Ireland, on the basis of which the Data Retention principle was introduced into the Czech legal order (see paragraph 59). In response to this judgment, the Member States then referred to the Court of Justice of the European Union for a preliminary ruling on the conformity of national arrangements for the storage and handling of traffic and location data with the Privacy and Electronic Communications Directive, of which Tele 2 Sverige AB is the principal (see paragraph 60). According to that caselaw, the Court of Justice of the European Union found the principle of general and comprehensive collection of all data on all electronic communications carried out contradictory to Article 15 (1) of the ePrivacy Directive, namely Article 7 and 8 of the Charter of Fundamental Rights of the European Union guaranteeing the protection of privacy and personal data. At European level, however, there is no political consensus on the form of unified data retention regulation, as demonstrated by the fact that since the annulment of the Data Retention Directive by Digital Rights Ireland, a new regulation has not yet been proposed to replace that directive. There are therefore various legislative approaches at the level of national legislation.
75. For an idea of possible alternatives, the Constitutional Court at this point gives examples of the geographically and historically closest, i.e. neighbouring countries. In Germany, following the intervention of the Federal Constitutional Court [finding of 2.3.2010 sp. zn. 1 BvR 256 / 08 (BVerfGE 125, 260- 385)], new and largely restrictive data retention legislation was adopted. Newly defined categories of traffic data can only be stored for 10 weeks, location data only four weeks. In addition, categories of data which must not be stored at all are defined (in addition to the content of the communication, for example, data on visited websites and e-mail services); In addition, a "data freeze 'mechanism was introduced (collection of future telecommunications traffic data by a specific suspect at the initiative of the criminal authority). In Slovakia, the legislator, following the intervention of the Constitutional Court there (the finding of 29 April 2015 sp. zn. PL. ÚS 10 / 2014), has abandoned the principle of data retention and instead introduced a mechanism of" data freeze', which is similar in time to eavesdropping because it does not make data back to the past accessible. In Austria, following the intervention of the Constitutional Court (see the finding of 27 June 2014, sp. zn. G 47 / 2012 and others), the new legislation has not yet been adopted as there is no political agreement on the solution to this issue. It is only in Poland that legislation can now be found freer in terms of individual privacy and more benevolent in order to protect the security of the state and its citizens; the time limit for the retention of metadata is not provided for by law and prior judicial consent is not required, the court is only sent statistics on the data obtained at half-yearly intervals. This regulation is now (also for the second time) under review by the Polish Constitutional Tribunal on the Ombudsman's proposal.
76. The Constitutional Court is now returning to the assessment of the admissibility of the data retention principle as such, and notes that, if it was reluctant to express explicitly the inadequacy of the principle in 2011, the more so it cannot reach such a conclusion today. Since the last decision on information technology developments, individuals have been making significant progress, using electronic communications services more and more frequently, data on telecommunications traffic are generated, exist and are operators (private entities with which customers have entered into private law contracts) for a certain period of time (provision of services provided, their subsequent billing, complaints, etc.); In addition, most customers agree to the processing of their data beyond what is necessary for the provision of the requested service (for marketing purposes). It is thus an undeniable fact that individual electronic communication data will always be collected in some form, even without data retention (i.e. without a legal obligation to "detain" them), otherwise electronic communication would not be possible at all.
77. In other words, operational and localisation data on electronic communications carried out are not stored solely for the purpose of the statutory obligation laid down, are and will be stored for the purpose of ensuring the implementation of these services, their billing and handling of any complaints without legal obligation (to a more or less identical extent, for a more or less identical period). As indicated, for example, by the doc's statement The Polish authorities, the absence of a legally established data retention principle in a particular Member State, do not mean that public authorities do not work with traffic and localisation data, only through other routes - it cannot be guaranteed that these alternative routes are less invasive from the point of view of interference with the right to privacy than under the legislation using the data retention principle.
78. Therefore, the Constitutional Court logically addressed the possibility of "less evil 'and concluded that, from the point of view of transparency of public authorities' procedures, as well as the control of interference with individual privacy, a clear, precise and sufficiently strictly defined legal framework of the data retention principle (see below) rather than the" legislative shadow 'in which operators would otherwise move both in the storage of operational and localisation data and in the public authorities (particularly law enforcement authorities) in order to gain access to them. It is wrong to think that abandoning the data retention principle eliminates the risk of misuse of data.
79. It could appear that, in its present position as a defender of constitutionality, the Constitutional Court, paradoxically, provides the privacy of an individual with a lower level of protection than the Court of Justice of the European Union, whose primary duty is not to protect fundamental rights and which makes reference to privacy protection to the principle of data retention and priori (generally) negative. However, the opposite is true - particularly with reference to the requirement of predictability, clarity and rigour of legislation affecting the right to privacy. The Constitutional Court, by its approach, protects individuals' privacy more than if, by its intervention, it created space to find other, alternative and less transparent ways to access the metadata of electronic communications. The rejection of the data retention principle would not result in a situation in which operational and localisation data would not be generated and stored and used (at least by law enforcement authorities); The result, on the other hand, would be the loss of the public limits and control over the scope of storage of traffic and localisation data, over the means of security and through their making available. The responsibility for handling traffic and location data by public authorities would then de facto be transferred from the State to operators (private persons), which would be an unacceptable situation under the rule of law.
80. The Constitutional Court cannot ignore the above-mentioned social and technological developments that have occurred since its last decision on the matter. Interhuman communication is increasingly shifting its centre of gravity into the telecommunications and electronic services environment. In the current situation, it would therefore be unwise to prevent the State as a carrier of a number of tasks to fulfil the public interests (in particular, the security of the State, the protection of the health and property of the population) in order to have access to data which may be a valuable source of important information under appropriately set conditions. The principle of data retention as such is therefore not rejected by the Constitutional Court without further ado (as in the reasons for the finding sp. zn. Pl. ÚS 24 / 10); Moreover, the legislator imposes an obligation on operators to collect real-time traffic data under the Convention on Computer Crime, published under No 104 / 2013 Coll.
81. Against the very existence of the data retention principle, the applicant objects, inter alia, to a claim of professional secrecy (lawyers, social workers, telephone advisers). This claim could be attributed provided that the purpose for which operational and localisation data can be requested was not sufficiently defined and the conditions for access to it, including guarantees of the persons concerned against the arbitrage of the authorised authorities, were not appropriately set (see below). However, disproportionate interference in the privacy of persons bound by confidentiality obligations cannot be seen in the secure storage of electronic communications data without subsequent disclosure to the competent authority. In the case of a request for access to data on confidentiality of protected electronic communications - and not only when, but in principle always - it is up to the applicant authorities (in particular courts) to decide, according to the specific circumstances of the case, whether to outweigh the interest in achieving the objective pursued by the use of operational and localisation data (for the fulfilment of a particular public interest) and therefore to make the data available, or to outweigh the interest in the protection of the privacy and secrecy of the circumstances of the communication, and in such a case to refuse access to operational and localisation data.
82. The Constitutional Court, in view of the above, did not find the grounds for complying with the proposal solely for the fundamental reason that the collection of operational and localisation data on the communication carried out on a whole scale and unaddressed basis would be disproportionate in relation to the protection of privacy and priori. Therefore, if, in the subsequent proportionality test, the conditions for the storage and access to traffic data and location data are found to be sufficiently stringent and balancing the restrictions on the right to privacy provided for in Article 10 (2) and (3) in conjunction with Article 13 of the Charter, the Constitutional Court does not find it possible to comply with the application.
Conditions for storage of traffic and location data
Purpose of storage and making operational and localisation data available
83. In the first step of the proportionality test, it is necessary to examine whether the legal regulation pursues a legitimate objective and whether the regulation resulting from the interference with the fundamental right is capable of achieving the stated objective. The purpose of the modification of the retention date cannot be inferred from the wording of § 97 (3) of the ZEK itself, but only in combination with § 88a (1) of the Criminal Code and other provisions referred to in the determination of the authority of individual authorities. At the same time, in order to define the objective of the contested legislation, it is necessary to take into account who has legitimate access to the stored data, as this fact is bound to the purpose for which the competent authorities may request access.
84. The aim of the collection of operational and localisation data is, according to the explanatory report, their subsequent use for the detection of the selected crime (§ 88a (1) of the Criminal Code), the search for persons missing or lost (§ 68 (2) of the ZPol), for the fight against terrorism [§ 71 (a) of the ZPol], for the activities of intelligence services (acquisition, collection and evaluation of information relevant to the protection of the constitutional establishment, major economic interests, security and defence of the Czech Republic - see § 2 of Act No. 153 / 1994 Coll., on the intelligence services of the Czech Republic) and for the supervision of the capital market (§ 8 of the Act No. 15 / 1998 Coll., on supervision and amendment of other laws, as amended).
85. All of these objectives pursue a strong public interest (protection of the safety and health of the population, the economic interests of the state) and can be considered legitimate as such. The information obtained by those authorised authorities from requested operational and localisation data is undoubtedly eligible to move them forward in their activities and direct them one step closer to fulfilling that purpose, be it (in simple and figuratively speaking) to clarifying crime, finding a lost senior or averting terrorist threat.
86. Furthermore, the question of necessity, i.e. the need to restrict the right to privacy in relation to the objective pursued, must be addressed. The Constitutional Court examined whether there were more moderate and less invasive means which were also capable of achieving the stated objective and concluded that the use of operational and localisation data had no real equivalent - there were no means to compare the instrument under examination. Although the Constitutional Court compares the use of operational and localisation data in criminal proceedings in several locations of this and earlier findings in terms of the intensity of interference in individual privacy for wiretap, this is not the same. While wiretap regulations allow the suspect to be monitored in the future, operational and localisation data allow the authorised authorities to obtain information about an action that has already taken place - such information will otherwise not be accessed by the authorised authorities. Equally appropriate would be an analogy to the monitoring of persons and objects under Paragraph 158d of the Penal Code, since even here, the competent authority obtains as much information as possible on the movement and communication of the person under observation in real time but not in the past. For these reasons, even the above-mentioned "data freeze 'mechanism (point 75), which some States (e.g. Slovakia) have replaced or severely restricted the data retention principle by supplementing the" data freeze' mechanism (e.g. Germany), cannot be regarded as an adequate and less invasive replacement - even here, the authorised authority gains access only to the data following the issuing of the relevant order and not to past data. Therefore, since there is no means of obtaining the same knowledge as can be calculated from operational and localisation data, it is not possible to end the second step of the proportionality test, as it also complies with the contested legislation.
87. The Constitutional Court has therefore shifted its focus to the final step of the proportionality test, which is to measure - proportionality of the limitation of the fundamental right to privacy in favour of the objectives pursued, meeting the public interest in a narrower sense. It must be answered whether the public interest in question is important enough to justify the extent of the limitation of the right to privacy by monitoring the electronic communications of almost the entire Czech population for six months' stocks by commercial entities, whether the contested legislation could restrict the interference with the right to privacy more, i.e. whether the legal setting of conditions is sufficient, and whether it provides sufficient guarantees against the abuse of this important instrument to offset the restrictions.
88. The Constitutional Court focused on the partial problems which, in summary, affect the assessment of the proportionality of the contested regulation in the narrower sense. In particular, it is necessary to address the legal period during which mandatory data are kept. In addition, it is necessary to resolve whether the range of authorities authorised to access the data retained is too widely set (in relation to the objective and conditions under which they can obtain the data). Finally, it is important whether individuals are provided with sufficient means of protecting against the misuse of stored data (both from the point of view of the security of stored data and unauthorised access to it, as well as the tools of the individual's procedural defence in case of suspicion that its data has actually been misused).
Duration of storage of traffic and location data
89. In relation to the period of six months during which the operational and localisation data referred to in § 97 (3) of the ZEK are kept, the Constitutional Court concluded that its length constitutes the most moderate option of the options laid down in the Data Retention Directive, which was still in force at the time the contested legislation was adopted. However, it must be asked whether the six-month period in today's conditions is appropriate. It has been established from the interview of an informed operator that the maximum period for which the operator needs to store the metadata for its own needs does not exceed two months. At the same time, however, the operator keeps the selected data (to an extent not identical to the scope laid down by law) for marketing purposes even for six months on the basis of the consent granted by the customer. In the above-mentioned consent regime, e.g. T- Mobile Czech Republic, a. s., currently records about 70% of customers.
90. In particular, in the context of criminal investigations, it is necessary to distinguish here that data are required in principle in a dual way. Either the authorised authority has data at its disposal to a specific user (number of its mobile line, fixed lines, IP address, IMEI, etc.), and in this case it is interested in the listing of voice or data services - contacts, activity, or movement of the user (his phone, computer, etc.), or does not know these data, but has information where the interest user moved or where the offence was committed. In the latter case, the authorised authority is particularly interested in data from individual BTS (cells) stations, which, for example, determine which mobile phones were connected to the cell at the time.
91. From the statement of Col. Ing. Šibor at the public oral hearing, the Constitutional Court found that most of the questions relate to the statements of BTS stations which are not older than a few days; older questions about this type of listing are not even technically possible. Furthermore, the statement by Colonel Ing. Bc. Mareš showed that, in the case of statements of voice or data services of a particular user, the law enforcement authority generally uses the maximum possible range of six months. Information obtained from a single telecom traffic statement is often provided with additional information enabling, for example, the detection of a network of perpetrators or organised groups. Therefore, without taking into account the specific facts of the case under investigation, it is not possible to adopt a general conclusion as to the extent to which the information obtained for the entire period of six months in order to fulfil the purpose pursued is necessary or useful - it can only be concluded that, in the case of knowledge of the identification data of a particular user, the competent authorities use the maximum period allowed by law. However, since the frequency of queries on base stations is many times higher than those on specific subscriber numbers or mobile devices, it is concluded from the point of view of the total sum of all queries that most of the required data is not more than three months old (see also Mgr. Keller's statement).
92. Although operating and localisation data over three months are used only to a limited extent, according to the Constitutional Court, it cannot be concluded that older metadata would not be necessary and useful and therefore disproportionate to the objective pursued in specific cases (in particular in the application of § 88a of the Penal Code). In response to the finding of sp. zn. Pl. ÚS 24 / 10, the legislator chose the six-month retention period as the shortest possible according to the data retention directive still in force. If the Constitutional Court did not accept that the data retention principle was unconstitutional in itself, and it was not demonstrated in the proceedings before the Constitutional Court that the stored data were not used or, on the contrary, used, i.e. the right to privacy by the competent authorities was not investigated, it cannot be concluded that the retention period thus set is disproportionate. There is never the only right solution to regulate a certain area of social relations legally. Certainly, from the point of view of minimising interference in the privacy of telecommunications users, it is possible to imagine a stricter regulation, e.g. - as stated by the doc. The Polish authorities - to distinguish and step up access to traffic and location data according to the objective pursued by the competent authority and from this derived real need to obtain just as old data (cf. Belgium, Germany). However, it is up to the legislator what solution they will choose when adjusting the storage and access times for traffic and location data. It is not for the Constitutional Court to intervene in its legislative power to save individual privacy in such a way that data retention rules correspond to the real need for the use of operational and localisation data.
Security of stored traffic and location data
93. In addition, legislation which saves the right to privacy should be required to lay down clear and detailed rules to ensure data retention and safeguards against misuse (unauthorised or arbitrary access). In particular, in the case of data retention, the quantity of data on all electronic communications users is concentrated with private entities and therefore the legislator must be strict twice as much. It should be made clear that operational and localisation data must be stored safely and must not serve the marketing purposes of mandatory entities without the express consent of clients within the meaning of the applicable data protection arrangements. At the same time, however, the dynamic development of information technology causes the legislator to always be a few steps behind; Therefore, it may even be of benefit if data security is formulated more generally at the legal level and if technical details are left to the implementing regulation, which may respond more flexibly and operationally to changes in practice.
94. The security of stored data includes § 87 et seq. of the ZEK (which represent the implementation of the e-privacy directive) together with the general provisions for the protection of personal data - GDPR (subject to Article 95 defining the relationship between the regulation and the e-privacy directive) and the transposition Act No. 110 / 2019 Coll., on the processing of personal data. Although the above section of the Electronic Communications Act governing data security was not contested, the Constitutional Court cannot resign from the assessment of this aspect, since the method of securing the preserved (provided) traffic and localisation data is closely linked to the review of the adequacy of the data retention principle and therefore the constitutionality of the contested provisions of § 97 (3) and (4) of the ZEK.
95. In general, it can be concluded that the level of security of traffic and location data is not lower than the level of security of other data processed under the Electronic Communications Act - see Section 88a of the ZEK (supplemented by the contested provisions by Act No 273 / 2012 Coll. in response to the finding of the sp. zn. The Act imposes an obligation on operators to secure stored traffic and location data and also provides for a mechanism for reviewing and monitoring compliance by independent institutions. In particular, as a data processor, the operator is obliged: to ensure the technical and organisational safety of the service provided and to process the internal technical regulations [§ 88 (1) (b) in conjunction with § 89 ZEK] to ensure the protection of data and the confidentiality of communications (including the confidentiality of communications related to traffic and location data); inform the communication participants of the risk of a breach of the security of services, the protection of personal data and the confidentiality of communications [§ 88 (1) (c) ZEK]; establish internal procedures for handling users' requests for access to their personal data [§ 88 (1) (d) ZEK]; inform the Data Protection Office about personal data breaches, including how to deal with them and keep records of such cases (§ 88 (4) to (7) ZEK); do not process traffic and location data for marketing purposes without the consent of the person concerned (§ 90 (6) ZEK); limit to the minimum necessary both the extent of the data stored and the range of persons (authorised staff) authorised to access and process stored data (Section 90 (9) and Section 91 (4) of the SEK); maintain confidentiality regarding the request and the provision of data pursuant to § 97 (3) of the SEK (§ 97 (8) of the SEK); keep records of cases of making operational and localisation data available and report it regularly to the Czech Telecommunications Office (§ 97 (10) and (11) ZEK).
96. Infringement by the operator of any of the above obligations is an offence [see in particular § 118 (12) (a), (d) and (14) (b) to (h), (k), (z), (aa), (ae) and (15) ZEK], for which a penalty of up to CZK 50 000 or up to 10% of the net turnover [§ 118 (23) (c) ZEK] is in danger of committing infringements under the Electronic Communications Act. The Czech Telecommunications Authority is responsible for dealing with infringements under this law, which has a number of other supervisory powers in relation to operators. Compliance with the general provisions on the protection of personal data when processing by operators is also subject to supervision by the Data Retention Office (§ 87 (3), § 88 (4) to (7) of the SIS).
97. As is clear from that list, according to the Constitutional Court, there are a number of safeguards against the misuse of stored data in the legal system, the level of security of the collected data is sufficient; Thus, that aspect of the issue under examination does not constitute an unconstitutional inadequacy of the contested data retention regulation (in particular § 97 (3) and (4) of the ZEK and the Decree). The conditions for access to the requested data by the authorised authorities (see below) and the fact that the authorised authorities have no database of data in which they can search at all.
Conditions for access to traffic and location data
98. Paragraph 97 (3) of the ZEK contains a exhaustive list of authorities authorised to access traffic and location data. In conjunction with the specific provisions governing the activities of the competent authorities, the purpose for which the authorities may request operational and localisation data is always specified. The conditions under which the competent authorities may obtain access are further regulated by these specific provisions, some of which have been contested by the present proposal, and others. The Constitutional Court examined the proportionality of the interference with the right to privacy only by applying the contested legislation.
Use of traffic and location data in criminal proceedings
99. According to § 97 (3) of the ZEK, in conjunction with § 88a (1) of the Criminal Code, law enforcement authorities may request operational and localisation data in connection with the prosecution of criminal offences punishable by criminal penalties with a maximum criminal rate of at least three years and other specifically listed offences that are more punishable (primarily related to "computer crime ').
100. The Constitutional Court has already stated in the sp. zn. The Constitutional Court also criticised the legislature for an unjustified deviation, contradictory to its case law, compared to the eavesdropping institute. In the finding of sp. zn. On the contrary, it is always necessary to consider whether, given the importance of the object of a particular crime to be committed, the interest in prosecuting it outweighs the right of the individual to decide for himself whether and to whom to access his personal data. It is up to the legislator to determine in the case of which offences the public interest prevails, taking into account the seriousness of the offences in its decision, similar to, for example, the setting of criminal rates. It remains to be said that the same principles are based on the limitation of the possibility of issuing a warrant for the wiretap and recording of telecommunications traffic under Paragraph 88 (1) of the Criminal Code only on criminal proceedings for a particularly serious crime or for any other intentional offence which the declared international treaty obliges... "
101. A positive shift can be noted in this respect. The current legislation no longer deals with the indefinite term 'clarifying crime', but offers a specific list of offences. The chosen categorisation of the intervener as the petitioner of the draft law No. 273 / 2012 Coll., to which the contested legislation has been brought into the legal order, states: "As regards the category of intentional offences for which the law provides for a custodial sentence of at least three years, the law of the institution of the detention is based by analogy, i.e. the seriousness of the offence is derived from the possibility of taking a person into custody. If, for offences with that criminal rate, a person is allowed to be taken into custody, the most invasive means of criminal law leading to the removal of his or her personal freedom, then it is appropriate for such a category of criminal offences to be able to obtain operational and localisation data under Section 88a of the Criminal Code. ';
102. The Constitutional Court maintains that the obligation to store and supply operational and localisation data must be seen as an intervention with an intensity comparable to the wiretap regulation and therefore also treated as an intervention. Therefore, that optics should not be perceived as a reasonable restriction on the right to privacy by the general collection of operational and localisation data "into stock 'and the use of these data for around 90% of the facts of the offences covered by Article 88a (1) of the Criminal Code. However, it was found in the proceedings before the Constitutional Court that earlier methods of committing (and thus clarifying) crime without the use of electronic communications services are now difficult to imagine. If new forms of crime and electronic communications services are still being used to do so, the Constitutional Court does not place the weight on the statistics on the clarity of crime from 2010- 2014 presented by the appellant for this reason alone - the years mentioned cannot be compared with 2019 in terms of the forms of crime and investigative methods used to detect it (see the statement by JUDr. Bradačová). However, the statistics presented do not have an indicative value for any other reason either: in their case, it is merely a question of how many cases of criminal investigation have been closed in the year in question, i.e. clarified; In this respect, a number of factors have an impact and a clear correlation between the availability or unavailability of operational and localisation data, the selected investigation methods and their success, according to the Constitutional Court, cannot be demonstrated. Therefore, it cannot be concluded whether or not law enforcement authorities can circumvent the data retention principle without using operational and localisation data.
103. Similarly, statistics showing the number of requests for telecommunications extracts made by the appellant to support the allegation of abuse of traffic and location data in criminal proceedings are inconclusive. The difference between the output of statistics processed independently by the Czech Telecommunications Office and the police with different outputs can be explained by a different methodology, as explained by the intervener in her observations. While the Czech Telecommunications Office records every query made on each operator, the police report the number of requests according to the number of cases for which they were made. In one case, the police have to make several questions, both in terms of time (e.g. the BTS station's statement covering a period of 12 hours requires four questions) and in terms of the addressee of the query (it is not possible to estimate in advance which operator holds the relevant data for the police), as was the result, in particular, of the statement by JUDr. Bradačová and Colonel Šibor. The use of traffic and location data by law enforcement authorities in proceedings before the Constitutional Court has not been demonstrated.
104. The statements of the informed persons have repeatedly shown that the absence of data retention principle does not mean that operational and localisation data are not used in criminal investigations. In its absence, law enforcement authorities are merely choosing other available means, which leads the Constitutional Court to conclude that the lack of data retention means, on the one hand, less transparency of the process of investigating authorities and, paradoxically, a higher risk of misuse of data available to the operator on the telecommunications operation carried out. It should be pointed out that all criminal investigation methods constitute (greater or lesser) interference with the privacy of the persons under investigation; The question therefore remains whether, even in the absence of the data retention principle, the fundamental rights of the individual are actually being investigated, if the investigating authorities choose alternative methods. In other words, it cannot be guaranteed that individual privacy is more investigated by the legislator's failure to adopt the data retention principle, as it is possible that, in the event of unavailability of operational and localisation data, the investigating authority will choose an external investigative method to protect privacy (it will always find some legal way to procure the necessary data).
105. Nor does the appellant's argument that the use of traffic and location data is an inefficient tool, because criminals are aware of their actions and can avoid electronic clues. The investigation of crime and the relationship between investigators and perpetrators is characterised by the fact that investigators should, as far as possible, be a step ahead of the perpetrators and their methods so that they can effectively detect the crime, which applies in full to all investigative methods and there is perhaps no one that the perpetrators would not try to circumvent. However, this is not an argument to reject a particular investigative method as inefficient or inefficient (without further).
106. However, the Court of Justice of the European Union considers that the use of traffic and location data in the context of the detection of crime is a legitimate objective only of investigating "serious crime '- this concept does not define and leaves room for discretion to the Member States (in the context of data retention exemplary mention organised crime and terrorism). Although the concept of serious crime contained in the contested provision of Paragraph 88a (1) of the Code of Criminal Procedure is broad, in view of the results of the evidence, the Constitutional Court finds it appropriate. It was not demonstrated in the proceeding that the use of traffic and location data as a method of investigation was unnecessary or used. The statement by JUDr. Hodáčová showed that the annual idea of criminal matters covered 3% of the cases for the recording of telecommunications traffic, which was indirectly confirmed by JUDr. Sokol from the Defence Union. At the same time, with regard to social and technological developments, more and more crime (not only cyber) is being committed through or through electronic communications services - where investigators have previously found traces of" in mud, "they now find in particular electronic traces. The scope of the contested § 88a of the Code of Criminal Procedure can therefore be justified from the point of view of the Constitutional Court by the need for rapid and effective detection and clarification of that crime. In the case of the inclusion of a taxa list of offences committed to a large extent in the virtual environment of electronic equipment, it is clear that, without access to operational and localisation data, this kind of criminality (cybercrime) would be virtually untouchable and that a State whose task is to ensure the safety and prosecution of crime would become" toothless' in this regard.
107. The contested regulation may also be considered appropriate from the point of view of procedural safeguards against any misuse of that competence by law enforcement authorities. Paragraph 88a (1) expressly requests that its application be used only if "it is not possible to achieve the intended purpose otherwise or would otherwise be significantly impeded ', thereby respecting the requirement of minimising interference with the fundamental law. In order to request operational and localisation data, the consent of the court (in the preparatory procedure for a proposal from the prosecutor) should be given and the court order should be duly justified under the provision cited. The individual concerned therefore has a guarantee that the right to request its telecommunications data will be assessed by an independent judicial authority and that the request will not be complied with in the event of unjustified application. They consider a similar guarantee, in line with the Constitutional Court, to be at the heart of both SDEU and ESLP in their decision-making activities (see the decisions cited above in paragraphs 57- 62).
108. In order to ensure that safeguards against misuse of stored data can be effective, there must be tools for the retrospective verification of the legitimacy of the access obtained to specific operational and localisation data. Therefore, another measure balancing the intensity of interference in the individual's privacy in favour of the public interest pursued is, in § 88a (2) of the Code of Criminal Procedure (with the exception of justified cases provided for in paragraph 3 of that provision), the regulated obligation for the competent authority to inform the individuals concerned of the acquisition of its operational and localisation data. With the information obtained, the individual may then contact the Supreme Court to examine the compliance of law enforcement authorities with the law; the individual is therefore endowed with an effective means of defence against any indiscretions of the public authority. There was no evidence of systemic failure in the proceedings before the Constitutional Court in this respect.
109. In that part of the review, the Constitutional Court concludes, in the light of the above, that the regulation contained in Section 88a of the Code of Criminal Procedure is, in view of proportionality, an intervention in the right to privacy of the person whose data are sought by the criminal authority, acceptable in all respects - as far as criminal activity is concerned, the rigour of the conditions of access to the data requested and the procedural guarantees available to the person concerned in his defence.
Use of traffic and location data under the Police Act
110. The contested provisions of the Police Act have been part of the rule of law since its entry into force, that is, since 1 January 2009, and have not been subject to review by the Constitutional Court (contrary to the other provisions under appeal). Operating and localisation data under the Police Act may be used for existing (contested) legislation in the event of a search for a specific wanted or missing person and for the purpose of identifying the identity of the person unknown or the identity of the body found (§ 68 (2) ZPol) or in the context of the fight against terrorism [§ 71 (a) ZPol]. The scope of those authorisations is assessed by the Constitutional Court as appropriate to the objective pursued. However, the law does not provide for the control of an independent authority (court) over the access of police to stored data, as generally required by the Constitutional Court for the use of operational and localisation data, but also by the SDEU and the ESLP, which could indicate that guarantees against abuse and the possibility of defending an individual's possible arbitrage are not satisfactorily addressed in terms of proportionality, and therefore the interference with the right to privacy is not sufficiently balanced. It should be noted, however, that the Constitutional Court has so far had the opportunity to comment on the adequacy of the legislation governing access to stored traffic and location data only in the context of criminal proceedings, which it also adapted to its arguments; However, the grounds for the police law are different from those of the criminal investigation.
111. In the exercise of its activities, the police are, on the one hand, bound by the Police Act (in particular, Sections 2 and 11 of the ZPol), and, on the other hand, by internal acts of procedure [here, in particular, by binding order of Police President No 215 / 2008, laying down certain detailed conditions and procedures for the processing of personal data (on the protection of personal data), by binding order of Police President No 109 / 2009, by operational centres, by binding order of Police President No 186 / 2011, by law on the monitoring and recording of telecommunications traffic and data on the implementation of the Police President No 53 / 2015, by binding order of the Czech Police Order of the Czech Republic, by binding order of Police President No 66 / 2014, by police President's Information System (Criminal Procedure), and by binding order of Police President No 53 / 2015, on the search].
112. The search for persons shall be organised by the police using means of search; The search is a formalised process that cannot be initiated without a specific initiative. In order to be able to request the location data in the "search" regime of § 68 of Act No. 273 / 2008 Coll., on the Police of the Czech Republic, as amended, without right, it would first be necessary to incorrectly initiate the search for a specific person. However, this procedure has specific hierarchical rules laid down by the abovementioned internal management acts and is subject to internal control activities. Localisation data may be requested by the operator only for the purpose of searching for a specific wanted or missing person (legally defined terms - see below) and for the purpose of identifying a person of unknown identity or identity found dead only through the Special Activities Unit or the Operational Centre of the Police Presidium upon request approved by the direct supervisor and the head of the relevant department. When the search is initiated, an electronic file shall be created in which the request for listing the location data is based. All procedures are documented and verifiable retrospectively (with the possibility of incurring consequences in case of suspected misuse of requested data). Thus, there cannot be a situation in practice in which one particular policeman, without the help of others, would be able to obtain arbitrarily localized data from the person concerned. There was no evidence of systemic failure in the proceedings before the Constitutional Court in this respect (see the statement of Colonel Habada).
113. According to Section 111 (c) of the ZPol, a person within the meaning of the Police Act is a natural person who is subject to any of the legal reasons for limiting his or her personal freedom, whose place of residence is unknown and who has been put under a police investigation; the conditions must be fulfilled cumulatively in order to enable a particular person to be identified as such in order to activate the related procedures under the Police Act. As a general rule, the person sought avoids, for some reason, the performance of his or her duties under the law or judgment (according to the intervener's observations, most of them are convicted persons who have not entered into prison).
114. The missing person is then referred to in point (d) of the same provision as a natural person who can reasonably be believed to be in danger of his or her life or health, his or her whereabouts are unknown and has been put under a police investigation. A missing person is presumed to be at risk in some way, and her situation is urgent. The actions of the police are carried out in the order of hours (minutes) and generally in favour of the person concerned (or in order to achieve other legitimate interests such as tracing the child with whom one of the parents is hiding). The Constitutional Court, in particular after taking evidence, testified to the intervener's argument, namely concerns about the consequences of a time delay in the event of the need to obtain judicial consent. The Court of Justice of the European Union also states in Tele 2 Sverige AB that the guarantees of access to data free of libel (proper justification of the request and review of an independent body) are required, except in cases of urgency (paragraph 120).
115. Another element balancing the interference in privacy is the obligation in criminal proceedings to further inform the persons concerned that their data have been provided (see Section 88a (2) of the Criminal Code). However, the argument that the determination of that obligation in the terms of Paragraph 68 (2) ZPol seemed absurd, because the wanted and found person will learn about the processing of his data by the police precisely by being found by the police. In addition, in the scheme of § 68 of Act No. 273 / 2008 Coll., on the Police of the Czech Republic, as amended, only localisation data relating to the determination of the time and place of residence of the person to be sought can be requested and obtained (§ 68 (4) of the ZPol). Thus, the scope of the data to which the police may have access under this provision is significantly limited by law in comparison with the Code of Criminal Procedure.
116. Guarantees of an individual before abuse of jurisdiction pursuant to Paragraph 68 (2) ZPol thus constitutes, on the one hand, an internal control activity and sanctions resulting from a potential perpetrator of an infringement, either in the level of service or in the level of criminal law, and, on the other hand, an individual has the possibility of resisting an illegal search (and thus the unauthorised request for localisation data) by an action for protection against illegal interference in the administrative justice system (§ 82 et seq., Act No 150 / 2002 Coll., the administrative court order, as amended), if the search was not initiated in criminal proceedings.
117. Even in cases of aversion of an acute terrorist threat [specifically contested provision § 71 (a) of the ZPol], the law does not require the prior consent of the court or its subsequent control to access the authorised authority. The explanatory memorandum states that the acquisition of knowledge according to § 71 points. (a) ZPol shall be close to and responsible for intelligence activities and shall only be a unit dealing with the prevention and detection of terrorism. In this exceptional case, the absence of judicial supervision may be justified by both the timelimit which may be bound by the competent police authority when applying that provision and by the secret nature of its activities. Therefore, the Constitutional Court does not find the intensity of private intervention justifying its derogatory statement even here. The lack of an obligation to inform the person concerned of access to its operational and localisation data may, in view of the sensitivity and seriousness of the activities carried out by the police authorities in the detection of terrorist threats, also be addressed (as in the case of intelligence activities or criminal proceedings, subject to the conditions laid down in Section 88a (3) of the Criminal Code).
Further use of traffic and location data
118. The other competent authorities appointed by § 97 (3) of the ZEK are the Security Information Service, Military Intelligence and the Czech National Bank. Since the special legislation referred to in § 97 (3) of the ZEK was not contested and which is closely related to the review of the proportionality of this authorisation and the conditions under which those authorities can obtain access to traffic and location data (§ 6 to 10 of Act No. 154 / 1994 Coll., on the Security Information Service, as amended; § 7 to 10 of Act No. 289 / 2005 Coll., on Military Intelligence, as amended by Act No. 273 / 2012 Coll.; § 8 of Act No. 15 / 1998 Coll., on capital market supervision and amending and supplementing other laws, as amended), the Constitutional Court at this point does not have to assess the proportionality of the regulation in relation to those public authorities.
119. In general, if the objective pursued by the granting of this authorisation is legitimate (see paragraphs 83- 85 above), if the specific rules set out in the conditions for access to traffic and location data, as well as guarantees of effective protection of the individual, and if they are to be borne in the spirit of the conclusions of this finding, there is no basis for the fact that § 97 (3) of the ZEK refers, inter alia, to the authorities referred to in the preceding paragraph.
Implementing Regulation
120. In order to implement all the legal mechanisms described above, the Ministry of Industry and Trade has adopted a decree which is also challenged by the appellant. The previous implementing regulation was repealed primarily by the finding of sp. zn. Pl. ÚS 24 / 10 because the legal arrangements for which it was intended to be implemented were abolished without the Constitutional Court having expressed more detail on the content of Decree No. 485 / 2005 Coll., on the scope of the operating and localisation data, the retention period and the form and manner in which it was transmitted to the authorities authorised to use them.
121. Decree No 357 / 2012 Coll. regulates, in accordance with the legal authorisation contained in § 97 (4) of the SEK, the scope of the stored traffic and location data, the form and manner of their transmission to the competent authorities and the manner in which they are disposed of. Thus, the contested decree does not deviate from the legal limits. The Constitutional Court further assessed the contents of the Order in the spirit of the above conclusions and concluded that the Order does not go beyond the limits of the Constitution (like the contested legal regulation). The decree constitutes a typical sublegal law of a technical nature which does not impose any new, statutory obligations on the addressees (see and contrario the reservation of the law under Article 4 (1) of the Charter). From the perspective of the Constitutional Court, now effective legal regulation is more detailed and more stringent, fulfilling the requirements of the sp. zn. The terms of operating data and localisation data are defined by law (see Sections 90 and 91 in conjunction with Section 97 (4) of the ZEK), the Decree merely specifies their legal content (Sections 1 and 2 of the Decree). The same conclusion can be reached with regard to the adjustment of the data transmission arrangements (Section 3 and Annex). The provision of Section 4 of the Decree finally specifies the obligation for operators to dispose of retained data after the retention period, as provided for in Section 97 (3), last sentence, of the ZEK. In a situation where the Constitutional Court does not consider the contested legislation to be non-discriminatory, it has no reason to comply with this point in the present proposal.

VII.

Summary
Zobrazit všechna ustanovení (214)

Sign in for notes, favorites and notifications

Register Free Sign In
Rating:

Comments 0

To write comments, please sign in.

Regulation Information

CitationThe Constitutional Court found no 161 / 2019 Coll., on the application for annulment of § 97 paragraphs 3 and 4 of Act No. 127 / 2005 Coll., on electronic communications and on the amendment of certain related laws (Act on Electronic Communications), as amended, § 88a of Act No. 141 / 1961 Coll., on criminal proceedings (Criminal Code), as amended, § 68 paragraph 2 and § 71 paragraph (a) of Act No. 273 / 2008 Coll., on the Police of the Czech Republic, and Decree No. 357 / 2012 Coll., on the retention, transfer and destruction of operational and localisation data
Regulation TypeThe Constitutional Tribunal found
Author-
CollectionCode of Laws
Date of Promulgation27.06.2019
Effective from-
Effective until-
Status Valid
Legal Areas: Security Information, Data, Data Culture Judicial and Public Prosecutor's Office Administrative law Telecommunications, Communications, Mail Constitutional (state) law
The regulation text is for informational purposes only.

Partner Websites

Založení s.r.o. Virtual offices and company formation
MojeDatovka.cz Data box database and search
ČeskéFirmy.online Czech company directory and reviews
Favorites
Browsing History
This website uses cookies to ensure proper functionality, analyze traffic and display advertising. More information
Cookie Settings

Choose which cookie categories you want to allow.