The judgment of the Court of Justice of the European Union (CJEU), from 7^th September and regarding case C-162/22, stated that Directive 2002/58/EC (Privacy and Electronic Communications) precludes the use of personal data collected to combat serious crime in the context of administrative investigations into corruption in the public sector.

In the case in question, the Supreme Administrative Court of Lithuania asked the CJEU for a preliminary ruling on the use of personal data relating to electronic communications, in particular traffic data and location data. Specifically, the court questioned the compatibility of the use of the respective data in separate and less serious criminal proceedings with the Directive, when that data was originally collected for the purpose of combating serious crime.

The CJEU reiterated that, for the purposes of combating serious crime, legislative measures may provide for:

• the targeted retention of traffic and location data which is limited, on the basis of objective and non-discriminatory factors, according to the categories of persons concerned or using a geographical criterion, for a period that is limited in time to what is strictly necessary, but which may be extended
• the general and indiscriminate retention of IP addresses assigned to the source of an internet connection for a period that is limited in time to what is strictly necessary
• the general and indiscriminate retention of data relating to the civil identity of users of electronic communications systems 
• requirements for electronic communications services providers to undertake the expedited retention of traffic and location data in their possession, for a specified period, by means of a decision of the competent authority that is subject to effective judicial review.

However, only action to combat serious crime and measures to prevent serious threats to public security can justify serious interference with fundamental rights, in accordance with the principle of proportionality.

Consequently, the personal data in question, stored by service providers pursuant to a measure adopted under Article 15(1) of the Directive on privacy and electronic communications for the purpose of combating serious crime and made available to the competent authorities for the same purpose, cannot be transmitted to other authorities or used to combat corruption-related misconduct in office.

This due to the hierarchy of public interest objectives, in which combating corruption-related misconduct in office is of lesser importance than combating serious crime and preventing serious threats to public security.

Therefore, the CJEU judgement strengthens the protection of fundamental rights resulting from the EU data protection regime, reducing the cases in which investigating authorities can restrict these rights in the pursuit of criminal prosecution.