On March 22, 2011 the Constitutional Court panel consisting of Justices Stanislav Balík, František Duchoň, Vlasta Formánková, Vojen Güttler, Pavel Holländer, Vladimír Kůrka, Dagmar Lastovecká, Jan Musil, Jiří Nykodým, Pavel Rychetský, Miloslav Výborný and Eliška Wagnerová (judge-rapporteur) ruled on the petition filed by a group of Deputies of the Chamber of Deputies of the Parliament of the Czech Republic represented by Marek Benda, with their registered seat at Praha 1, Sněmovní 4, seeking to have the Section 97 Article 3 and 4 of the Act No. 127/2005 Coll., on Electronic Communications and Amendment of related Acts (Act on Electronic Communications) in their latest wording annulled and seeking to have the Decree No.  485/2005 Coll., on the Extent of Traffic and Location Data, Period of Time for which such Data are Retained and Manner in which they are Submitted to Bodies Authorised to Use the Data annulled, in the proceedings with the Chamber of Deputies of the Parliament of the Czech Republic and the Senate of the Parliament of the Czech Republic as parties to the proceedings, as follows:

Provision Section 97 para. 3 and 4 of Act No. 127/2005 Coll., on Electronic Communications and Amendment of related Acts (Act on Electronic Communications) in their latest wording and the Decree No. 485/2005 Coll., on the Extent of Traffic and Location Data, Period of  Time for which such Data are Retained and Manner in which they are Submitted to Bodies Authorised to Use the Data, are annulled as of the day on which this judgment is delivered  within the Collection of Laws.
 

 

REASONING

I.
Summary of the Petition

1. The Group of 51 Deputies of the Chamber of Deputies of the Parliament of the Czech Republic  sought in their petition filed with the Constitutional Court of the Czech Republic on March 26, 2010 to have the Section 97 Article 3 and 4 of the ActNo. 127/2005 Coll., on Electronic Communications and Amendment of related Acts (Act  on Electronic Communications) in their latest wording  (hereafter only as “the contested provisions) annulled and sought to have the Decree No. 485/2005 Coll., on the Extent of Traffic and Location Data, Period of Time for which such Data are Retained and Manner in which they are Submitted to Bodies Authorised to Use the Data (hereafter only as “the contested decree ” or jointly hereafter only as “the contested legislation”).

2. Although the petition complied with all formal requirements pursuant to Article 87 par. 1 Letter a) of the Constitution of the Czech Republic and to Section 64 para. 1 Letter b) of Act No. 182/1993 Coll., on the Constitutional Court in its latest wording (hereafter only as  Constitutional Court Act) the Constitutional Court recognises the need to emphasise that the act of petition seeking annulment of law or its individual provisions pursuant to Articles 87 para. 1 Letter a) of the Constitution of the Czech Republic submitted by the group of Deputies of the Chamber of Deputies of the Parliament of the Czech Republic or by Senators pursuant to Section 64 para. 1 Letter b) of the Constitutional Court Act represents, inter alia, a representation of a constitutionally guaranteed principle of the protection of minorities (Article 6 of the Constitution of the Czech Republic) and primarily serves as one of the instruments of protection of parliamentary minority (the opposition) against a pertinent arbitrariness (or wilfulness) in decisions adopted by a parliamentary majority within the law-making process based on the principle of majority decision-making  [see the report of the Venice Commission CDL-AD(2010)025 "Report on the Role of the Opposition in a Democratic Parliament" dated November 15, 2010 that includes the right enabling the parliamentary opposition to seek a constitutional review of majority decisions (laws) among the most fundamental rights conferred on parliamentary opposition.] In other words, a qualified submission to impartial and independent Constitutional Court frequently represents the final option of how the parliamentary minority may protect itself against pertinent arbitrariness in the decision-making of the parliamentary majority since the representatives of the parliamentary oppositions commonly represent a group outnumbered in the Parliament and thus have at their disposal no effective means through which such a majority decision (issuance of a normative legislative act) within the law-making process may be modified or reversed. Contrary to that the representatives of a parliamentary majority principally have such effective means at their disposal and should they be in doubt regarding rectitude, validity or even constitutionality of the decisions made (or having been made) they are not only entitled but directly obliged to make use of such means for the above mentioned purpose (see the oath pursuant to Article 23 par. 3 of the Constitution of the Czech Republic). The instrument of submission to the Constitutional Court seeking to have a law or its individual provisions annulled pursuant to Article 87 para. 1 Letter a) of the Constitution of the Czech Republic thus by no means serves as an instrument of obtaining a certain kind of “expert testimonial” or an expert report of the Constitutional Court on a decision adopted by a parliamentary majority nor as an instrumental application which represents a manifestation of political or even pre-election campaign transferred from the Parliament to the Constitutional Court. In this particular case the group of complainants not only consisted mainly of representatives of the political parties who at present participate and at the time of the submission participated in the exercise of government power and who had and continue to have the majority in the Chamber of Deputies of the Parliament of the Czech Republic required to amend the contested legislation, furthermore, and the Constitutional Court cannot omit a critical comment on this issue, most of them through their participation in the process of law-making by their affirmative (!) vote directly enabled adoption of the contested legislation. The Constitutional Court would in the future in such instances of its (mis)use have to be forced to dismiss submissions filed under such circumstances.

3. The complainants themselves summarised their objections by alleging that retention and use of traffic and location data on telecommunications services to the extent in which it is defined by the contested provisions and the contested decree represent an in-proportionate  interference with the fundamental rights set forth by the Charter of Fundamental Rights and Freedoms (hereafter only as “the Charter”) and in the Convention for the Protection of Fundamental Rights and Fundamental Freedoms (hereafter only as “the Charter), specifically interference with the fundamental rights conferred by Article 7 par. 1, Article 2 and 3 and Article 13 of the Charter and Article 8 of the Convention. Complainants maintain the above interference may further be perceived as a breach of essential requirements for a democratic  state governed by the rule of law among which the principle of proportionality may be included pursuant to Article 4 Section 4 of the Charter. The complainants have supported their reasoning by the following arguments:

I. A) Retention of Data on Communication as Interference with Private Life
4. The content of the contested provisions is an imposition upon natural and legal persons providing the public telecommunications network or publicly accessible service of electronic communications  (thus mainly the telephone operators and internet service providers) of a duty to retain the traffic and location data (tens of data) on entire telephone and facsimile communications, entire communications via e-mail and SMS, data on accession of websites and data regarding use of certain internet services specified by the contested decree for the period of 6 to 12 months. They are further obliged to provide the above specified data upon request to the authorised bodies. The complainants maintain that the above specified data undoubtedly fall within the scope of the protection pursuant to Article 8 of the Convention. They have relied on a number of judgments of the European Court for Human Rights (hereafter only as “the ECHR) and judgments of the Constitutional Court.

5. The complainants assume that interference with fundamental rights cannot be interpreted merely as an immediate interference (such as for instance familiarisation with the retained data) but also such measures of government bodies that represent a substantial threat to restricting the fundamental rights which may occur at any moment. Retention of traffic and location data cannot be but deemed to represent such a kind of interference since such data are continuously retained and are at the disposal of government bodies and such bodies may both request and use the data pursuant the applicable regulations. Retention of the above specified set of data is thus accompanied by a latent threat of further immediate interference of government bodies. Moreover, the fact that the traffic and location data are not retained by the state itself but that the use is made of private persons providing telecommunications services cannot be disregarded since the risk of potential misuse of the retained data by a great number of private persons actively involved in the area of telecommunications services is higher than in retention of such data by the state. One of the fundamental requirements of ECHR arrived at through interpretation of the condition of legitimate background for state interference with private life is the predictability and availability of such legitimate background. The reasons are represented by the legitimate and logical requirement of the individuals being in advance familiar with and aware of circumstances under which the state may exceptionally interfere with their private lives and thus enabling the individuals to amend their actions accordingly so as to avoid such interference. The flat nature of retention of traffic and location data, however, restricts and/or prevents such an option.

6. The complainants assume that both the objectives and the probable and anticipated benefit resulting from the obligation to retain the traffic and location data is greatly disproportionate to the related interference with the fundamental rights of concerned individuals. Thus, pursuant to Article 8 par. 2  of the Convention  they opted for the evaluation of the proportionality of the material measure in which they assessed the aspect of the significance and the extent of the interference with the fundamental rights of individuals, in the present case mainly with the right to privacy, they further assessed the aspect of legitimacy of the objective which is to be attained through restriction of fundamental rights and they assessed the aspect of the benefit of such interference. Last but not least they focused on the application of the measure in the view of threats represented thereof, mainly the threat of misuse of the retained data.
 

7. The complainants mainly pointed out that the introduction of the obligation to retain traffic and location data represents a substantial interference with the right to privacy since such data lend themselves to a broad number of options in which they may be used and in combination with other data may give rise to serious consequences affecting the private lives of the concerned persons. The obligation to maintain the traffic  and location data to such an extent  practically results in exclusion of the existence of uncontrolled and unmonitored telecommunications which must be considered as an exceptionally intense interference with the privacy of all persons using telecommunications means (telephony, use of Internet services) currently not only used for the purposes of communications among individuals but also affecting a wide spectrum of everyday activities (shopping, banking operations, education, medicine and others). The retained data may thus be used to deduce a wide range of other data (in a number of cases such data are extremely sensitive) on a concerned individual and their privacy. In a number of cases the identity of the addressee of a telephone call or e-mail may reveal a sensitive data on the sender (in the instances when the addressee might be a medical specialist), similarly the internet sites accessed may provide information on the attitudes, opinions and beliefs  as well as on the medical condition and sexual orientation of the concerned person. Equally, a great amount of information may be obtained from location data on movements of mobile telephony (or rather the owner of such a device) mainly in combination with location of movements of other cellular phones (data on who encountered whom, at what time and at what location etc.). Based on the retained data a communication profile as well as movement profile of an individual may be elaborated to obtain not only data on the past activities of such an individual but also to accurately predict future activities of such an individual with a high probability which represents a significant interference with the right to protection of privacy and correspondence of individuals.
 

9. The complainants further questioned in their petition the legitimacy of the objective to be attained by the contested legislation. The Government explanatory report on Provision Section 97 of Act on Electronic Communications implies that the purpose of Provision Section 97 is to face the increasing risks and ensure the security and defence of the Czech Republic while not providing any more detailed explanation. The complainants assume that pursuant to Article 8 par. 2 of the Charter the interference with privacy is permissible in relation to combating criminal activities solely when applied to prevention of criminal activities. “Preventive general retention of telecommunications data not based upon an existence of a concrete and specific reason is mainly aimed at the past and may thus serve the purpose of clarification of criminal offences having been previously committed.” (pg. 13). Thus the complainants assume that interference with privacy for the purposes of clarification of a previously committed criminal offence is contrary to Article 8 of the Charter. Furthermore the data are retained without any concrete and specific probable cause. Such a view adopted by the contested provisions implies that every individual is considered a suspect with no specific circumstances providing legitimate grounds for such suspicion and such an approach is not permissible in a state governed by the rule of law. The applicants equally pointed out (referring to specific foreign cases) the fact that evaluation of data on telecommunications services includes a threat of misinterpretation of such data and subsequently leads to suspicion and allegation directed against an innocent person. The identity of the person who engaged in communications might be mistaken for instance for the identity of the person who concluded the contract with the telephone services operator or with the Internet provider.

10. The complainants maintain that neither the entities submitting the Bill prior to the enactment of the Law nor the  relevant bodies of state administration provided information concerning the number and kind of instances in which, prior to the enactment of the  legislation which leads to  extensive  increase in the quantity of retained data and the possible access to such data, the investigation, detection and prosecution of serious criminal offences failed due to lack of access to the required data based on the fact that such data were no longer available. Equally, the fact whether the imposition of the duty to retain all data on telephone and electronic communications shall result in (or has already resulted in), compared to former provisions, a genuine improvement of investigation, in detection and prosecution of serious criminal offences as well in prevention of threats, in an increase of the percentage of resolved criminal offences and in a reduction of criminal activities is not established. Furthermore, the issue is how old the data requested by the relevant administrative and law enforcement bodies are and to what extent it is necessary to retain the traffic and location data for the period of six months and longer. Interference with privacy may paradoxically more frequently affect persons who do not participate in criminal activities of felonious and serious nature than persons who engage in such activities and thus are they increasingly interested in adopting anonymous ways of communication. The complainants assume that retention of data may assist in attaining the desired objectives to a lesser extent and in cases of lesser importance and thus a long term positive effect on the reduction of criminal activities cannot be anticipated in connection with use of telecommunications services.

I. D) Threat of Misuse of Retained Data
10. Complainants maintain that equally the risk of unlawful use and misuse of the retained data realistically exists since with such a great number of companies providing telecommunications services (mainly mobile cellular communications and Internet communication) adequate security of the retained traffic and location data cannot be anticipated. It is thus necessary to test the realistic and technically available options of the use of such data. The complainants state the contested legislation fails to provide both the conditions under which the data is to be retained and the conditions for use of such data by the authorised bodies, moreover, it provides no guarantees of protection against misuse to individuals. The contested legislation thus aids extensive use of relevant databases both in the amount of data withdrawn from such databases and in the number of entities entitled to use such data as well as in the extent of purposes for which such data will be used. The complainants maintain that the threat of misuse of traffic and location data by third parties is genuine. The entities who might misuse such data frequently include employees of companies or government bodies that process the data as well as other persons (e.g. so-called hackers).

I. E) Preliminary Questions Referred to the European Court of Justice
11. The applicants conclude their petition  by expressing their conviction that although the contested legislation represents national legislation to which  criteria of constitutional order of the Czech Republic shall be applied it simultaneously represents an issue originating from community law, specifically from the transposition of the 2006/24/EC Directive of the European Parliament and the Council   (hereafter only as “the Directive on data retention”) into the legal order of the Czech Republic. The complainants proposed on the above mentioned grounds to the Constitutional Court of the Czech Republic for its consideration the possibility of referral to the European Court of Justice pursuant to Article 234 of the Treaty on European Community  of a preliminary question regarding the validity or lack thereof of the Directive on data retention itself since a significant risk exists that the relevant Directive transposed into the Czech legal order through the contested provisions and the contested decree is contrary to European Community law .  
 

II. Summary of Opinions of Parties to the Proceedings
 

12. The Constitutional Court pursuant to Section 42 para. 4 a Section 69 of the Act on Constitutional Court sent the relevant petition seeking to have the contested provisions and the contested decree revoked to the Chamber of Deputies and the Senate of the Chamber of Deputies of the Parliament of the Czech Republic as well as to the Public Defender of Rights.

13. The Chamber of Deputies of the Parliament of the Czech Republic represented by its   Chairman, Ing. M. Vlček in its opinion dated April 26, 2010 described in detail the procedure of the enactment of the Bill by which the Act on Electronic Communications No. 127/2005 Coll. is amended and on amendment of certain related Laws (Act on Electronic Communications) in its latest wording on the basis of which the contested provisions were established as part of the Act No. 127/2005 Coll. on Electronic Communications (for more detail see part VI. of this Judgment). It further noted regarding the content of the government proposal that in its explanatory report the government had expressly stated the proposed Bill was in compliance with the constitutional order and the legal order of the Czech Republic and is not contrary to any of the international treaties the Czech Republic is bound by. The Chamber of Deputies of the Parliament of the Czech Republic perceived and approached the Bill on the grounds of the above. It is thus upon the Constitutional Court to assess the constitutionality of the contested provisions.

14. The Senate of the Parliament (Senát Parlamentu) of the Czech Republic represented by its Chairman MUDr. P. Sobotka in its opinion dated April 28, 2010 after having extensively summarised the argumentation of the applicants  contained in the assessed petition described the procedure of enactment of the relevant Bill by the Senate (for more detail see part IV of this Judgment). It further noted, regarding the hearing of the Bill, that the Bill was introduced to the Committee on Economy, Agriculture and Transport, as well as to the Standing Senate Commission on Media and later to the Plenary Session  of the Senate as another amendment in response to the obligation of the Czech Republic to transpose the relevant Directive of EC  within our legal order. On the matter of obligation of the telecommunications operators, internet providers and other entities active in the field of electronic communications to retain location and traffic data for the minimum period of 6 months  the submitter emphasised that “the present case did not under any circumstances represent an instance comparable to surveillance and monitoring since the content of the individual phone calls or email messages are not retained and since the internet services are also concerned (...) and solely location and traffic data, in other words technical data are retained.” The Senate accepted the above fact in its hearing of the concerned Bill and upon recommendation of the Committee and the Standing Senate Commission on Media  approved the Bill in the wording accepted by the Chamber of Deputies. It is thus upon the Constitutional Court to assess the petition seeking to have the concerned provisions of Act on Electronic Communications revoked and issue a final decision.

15. JUDr. Otakar Motejl, the Public Defender of Rights in his opinion dated April 12, 2010   stated that after consideration of the submitted petition he does not endorse the arguments of the petition and thus waives his right to participate in the proceedings on annulment of the contested decree before the Constitutional Court.


III.
Refrainment from Oral Hearing

16. Pursuant to provisions Section 44 para. 2 of Act on the Constitutional Court the Constitutional Court may upon consent of the parties to the proceedings refrain from an oral hearing if further clarification of the matter cannot be expected from such a hearing. Pursuant to the above provision the Constitutional Court requested an opinion from the parties to the proceedings regarding their consent to refrain from an oral hearing. The complainants and the Senate of the Chamber of Deputies of the Parliament of the Czech Republic granted their consent. The Chamber of Deputies of the Parliament of the Czech Republic failed to respond within the time constraint determined by the Court. Thus in the present case the Court was able to refrain from listing an oral hearing in the present matter.


IV.
Constitutional Conformity of Procedure by which the Contested Provisions of Law were Enacted and Statutory Conditions of the Adopted Decree

17. In proceedings on annulment of statutes pursuant to  Article 87 par. 1 Letter a) of the Constitution of the Czech Republic pursuant to provision Section 68 par. 2 of the Act on the Constitutional Court, the Constitutional Court is to primarily test whether the concerned Act was enacted and issued  in the constitutionally prescribed manner [regarding the algorithm of the review  in proceedings on control over statutory norms see leg 61 of the Constitutional Court Judgment Pl. ÚS 77/06 dated February 15, 2007 (N 30/44 SbNU 349; 37/2007 Coll.)]. In the instances of statutory instruments, mainly the ministerial decrees,   the Constitutional Court pursuant to Section 68 par. 2 of the Act on Constitutional Court assesses whether they were  enacted and published within the authority and scope defined by the Constitution of the Czech Republic (Article 79 par. 3 of the Constitution of the Czech Republic), it is whether they were not published "ultra vires".

18. The Constitutional Court found, based on the opinions of both of the Chambers of the Parliament of the Czech Republic, the attached enclosures and documents accessible via electronic channels (resolutions and publications accessible in the digital library and on the web sites of the Chamber of Deputies and the Senate and on  www.psp.cz a www.senat.cz) as follows: The contested provisions Section 97 para. 3 and 4 were included within the Act No. 127/2005 Coll., on Electronic Communications pursuant to Act No.  247/2008 Coll., by which the Act No.  127/2005 Coll., on Electronic Communications and on Amendment on  Certain Related Acts (Act on Electronic Communications) was amended. The Bill of the above Act was submitted to the Chamber of Deputies by the Government of the Czech Republic on January 16, 2008 while the hearing of the Bill was proposed in such a manner as to enable the Chamber of Deputies to grant its approval within the First Reading. The Deputies were sent the Bill on January 18, 2008 as an official document of the Chamber of Deputies No. 398/0 - Amendment of the Act on Electronic Communications - EU. In the first reading on January 30, 2008 at the 27th meeting the 1. Chamber of Deputies failed to pass the Bill within the hearing in a manner requested for the approval of the Bill in the First Reading. The Bill was subsequently referred to the Economy Committee, Legislative and Constitutional Committee and the Security Committee (resolution No. 593). The relevant committees heard and discussed the Bill and their resolutions as well as the proposed amendments were delivered to the Deputies as communications notices No. 398/1, 398/2 and 398/3. The amendments proposed by the Security Committee were the only ones related to the contested provision Section 97 para. 3 (the third and the fifth sentence). The second reading of the Bill was conducted at the 28th assembly of the Chamber of Deputies on March 20, and 25, 2008. The Bill underwent a general and detailed debate in the course of which the proposed amendments were submitted by individual Deputies (proposed amendment by Z. Bebarová-Rujbrová, by K. Jacques and J. Klas) regarding the contested provisions (section 97 para. 3 the third and the fifth sentence and section 97 para. 4). The submitted proposals of amendments were processed as notice 398/4, sent to the Deputies on March 25, 2008. The third reading was conducted on April 23, 2008 at the 30th assembly of the Chamber of Deputies. The amendments proposed to the contested provisions section 97 para. 3 and 4 were not adopted. The Bill of the Act was enacted in the wording of further adopted amendments (resolution No. 736) upon consent by the Chamber of Deputies when 89 of the 176 Deputies present voted in favour of the Bill, 21 voted against the Bill and 66 abstained from the vote. (vote No.44).

19. The Chamber of Deputies passed the relevant Bill on to the Senate on May 19, 2008. The Organisation Committee of the Senate determined the Bill as the Senate Communication Document No. 247 to be discussed by the Committee for Economy, Agriculture and Transport.   The Bill was further discussed by the Standing Senate Commission on Media. On its meeting on May 28, 2008 the Committee adopted a resolution No. 270 in which it recommended to the Senate to approve the Bill. The Standing Senate Commission on Media equally recommended that the Senate approve the Bill (resolution No. 22 of June 4, 2008). The Senate discussed the Bill on June 5, 2008 at its 14th meeting (6th term of the Senate) and adopted Resolution No. 402 on the Bill by which it approved the Bill in the wording referred to the Senate by the Chamber of Deputies. 38 Senators of the 52 present voted in favour of the Resolution, 2 voted against and 12 abstained from the vote (vote No. 29).

20. The Act was delivered to the President of the Czech Republic for signature on June 11, 2008   and the President signed the Act on June 25, 2008. The approved Act was delivered to the Prime Minister of the Czech Republic on June 30, 2008 for signature. The Act was published on July 4, 2008 in the Collection of Laws in Section 78 under No. 247/2008 Coll. coming into force on September 1, 2008.

21. The contested decree No. 485/2005 Coll., on the Extent of Traffic and Location Data, Period of Time for which such Data are Retained and the Manner in which they are Submitted to Bodies Authorised to Use the Data was published by the Ministry of Informatics of the Czech Republic. The authority of the ministries to issue legal regulations on implementation of law is conferred by Article 79 par. 3 of the Constitution of the Czech Republic. It is, however, materially conditioned by the existence of an express authorisation and its restrictions. In this particular case the contested section 97 of the para. 4 of Act No. 127/2005 Coll., on Electronic Communications, represents such a type of authorisation. The decree was signed by the Minister of Informatics  and duly published in part 169 under the number 458/2005 of the Collection of Laws with the date of enforceability identical with the date of its publication, that is December 15, 2005.

22. The Constitutional Court finds that both the Act no. 247/2008 Coll., by which the contested provisions were inserted into Act No.. 127/2005 Coll., on Electronic Communications and the contested decree No. 485/2005 Coll., were enacted constitutionally.


V.
Wording of the Contested Provisions and the Contested Decree

23. The contested provisions section 97 para. 3 and 4 of Act No. 127/2005 Coll., on Electronic Communications and Amendment of related Acts (Act on Electronic Communications, in its latest wording read as follows:
 

Section 97
(3)    A legal entities or natural person providing public communications network or providing publicly accessible services of electronic communications is obliged to retain traffic and location data generated or processed within the provision of public telecommunications networks and provision of publicly available services of electronic communications 37b). Legal entities and natural persons providing public communications networks or providing publicly available services of electronic communications are obliged to retain traffic and location data regarding unsuccessful call attempts  solely under the circumstances when such data is generated and processed and simultaneously retained or recorded.  Legal entities and natural persons retaining traffic and location data pursuant the first and the second sentences are obliged to immediately upon request provide such data to the bodies authorised to request such data as set forth by special regulations. Simultaneously such a person is obliged to ensure that the content of the messages and communications is not retained with the data described pursuant to the first and the second sentence. The period for which the data are retained must not be shorter than 6 months and longer than 12 months. Upon expiration of the above period the person retaining the data pursuant to the first and the second sentences is obliged to destroy the data should they have not been provided to the bodies authorised to request such data pursuant to special regulation or unless set forth otherwise by this Act. (Section 90).
 
(4)    The extent of traffic and location data retained pursuant to para. 3, the period for which the data are retained pursuant to paragraph 3 and the form and manner in which they are to be submitted to the bodies authorised to use such data upon request pursuant to special regulation is to be set forth by a statutory instrument.

_________________
37b) The Directive 2006/24/EC of the European Parliament and of the Council of March 15, 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC.

24. The contested decree No. 485/2005 Coll., on the Extent of Traffic and Location Data, the Period of Time for which they are Retained and the Form and Manner in which they are Submitted to the Bodies Authorised to Use them reads as follows:  

485/2005 Coll.
DECREE
dated December 7, 2005

The Extent of Traffic and Location Data, Period of Time for which such Data are Retained and Manner in which they are Submitted to Bodies Authorised to Use the Data

The Ministry of Informatics in cooperation with the Ministry of Interior shall  pursuant to Section 150 para. 3 of Act No. 127/2005 Coll., on Electronic Communications and Amendment of related Acts (Act on Electronic Communications) in the wording of Act No. 290/2005 Coll. and Act No.  361/2005 Coll, (hereafter only as “the Act”) set forth for implementation of Section 97 para. 3 of the Act:

Section 1
For the purposes of this Decree the following terms are understood to mean as follows:
a) BTS station as the base station of public mobile telephone network,
 
b) StartBTS station as the base station of a public mobile telephone network within which a subscriber is allocated upon commencement of the communication,
 
c) StopBTS station as the base station of a public mobile telephone network within which a subscriber is allocated upon cessation of the communication
 
d) IMEI number as the international identification number of the mobile telephone device,
 
e) MSISDN number as the subscriber’s number within the public mobile telephone network,
 
f) IMSI number as an international public mobile telephone network subscriber identity,
 
g) the destination as determination of foreign network operator,
 
h) URI identifier as uniformed resource identifier,
 
i) code of the legal entities or natural persons providing the public communications network or providing publicly available services of electronic communications as the serial number of the licence in the register of business entities pursuant to Section 14 of the Act.

Section 2
Extent of the Retained Traffic and Location Data
(1) A legal entities or natural person providing public communications network or providing publicly available services of electronic communications (hereafter only as "the provider") provides the traffic and location data defined by this Decree (here after only as “the data”) to the body authorised to request such data (hereafter only as the authorised body).
 
(2) In electronic communications networks with circuit switching and fixed connection the following data are retained:
a) data on occurred communication specifying the type of communications, telephone numbers of the caller subscriber and the called subscriber or the identifier of public telephone telephone card, date and time of commencement of communication, length of communication and if appropriate data on the state of communication,
 
b) data on all public telephone including their telephone numbers, registration number, geographical coordinates and express description of their location.  
 
(3) In public mobile telephone electronic communications the following data is retained:
a) data on occurred communication specifying the type of communication, telephone numbers of the caller subscriber and the called subscriber, date and time of commencement of communication, length of communication, IMEI number, StartBTS station number, StopBTS station number if appropriate, the destination and additional information,
 
b) data on mutual relations among MSISDN and IMEI numbers jointly used in networks, BTS station, IMEI number identification, enabling calls without the use of a SIM card to the “112” emergency number, IP addresses of terminals enabling dispatch of SMS messages via an Internet network, date and time of credit recharge in prepaid services, numbers of recharge vouchers for a specific telephone number of subscriber and the telephone number of subscriber for a specific recharge voucher,
 
c) data on all BTS stations including their number, geographical coordinates, azimuth angle of aerial routing and express description of BTS station location.  

(4) In the case of electronic communications networks with packet switching, the data on communication are stored as follows:
a) In the case of services accessing a network: connection type, user account identifier, service user equipment identifier, date and time of connection opening, date and time of connection closing, interest identifiers (e.g. IP address or port number), event status (e.g. success, failure, or regular or extraordinary connection closing), and volume of transferred data (downloaded and uploaded);
 
b) In case of services accessing electronic mail boxes: user equipment identifier, user account, message identifier on the mail server, date and time of communication opening, sender’s electronic mail address, receivers’ electronic mail addresses, electronic mail protocol identifier, volume of transferred data, and information on using encrypted communication;
 
c) In the case of services of transferring electronic mail messages: user equipment identifier, electronic mail server identifier, date and time of communication opening, sender’s electronic mail address, receivers’ electronic mail addresses, electronic mail protocol identifier, volume of transferred data, and information on using encrypted communication;
 
d) In the case of server services: user equipment identifier, user account identifier, data and time of request for service, all server identifiers (in particular, IP address or full domain name FQDN),  URI or service type identifiers requested, additional URI or service identifiers parameters, used services, volume of transferred data, and method and status of request for service;
 
e) In the case of other electronic communications services (such as chat rooms, UseNet, instant messaging, and IP telephony in particular): all communicating parties’ identifiers, transfer protocol, data and time of communication opening, date and time of communication closing, used services, and volume of transferred data.

Section 3
Manner of handing over retained data
(1) The competent public authority shall apply for provision of the retained data by means of a specific contact point . The data pursuant to Section 2, para. 3, letter c) shall be handed over on a monthly basis in its current state as to the handover date.
 

(2) Preferentially, communication between the contact points of the operator and the competent authority shall take place in a manner allowing remote access. If possible, applications and data shall be submitted in the electronic form of data files. Only generally available technologies and communication protocols shall be used for the communication purposes between the individual contact points so that the solution is not associated with a particular producer or supplier.
 
(3) Unless the manner allowing remote access cannot be used for the communication purpose, or provided that using remote access is not efficient, the application or data may be submitted in a documentary form or in the form of data files on a portable medium.
 
(4) For the purposes of verifying the authenticity of the application and submitted data the following shall be used:
a) Certified electronic signature based on a qualified certificate issued by an officially accredited  provider of certification services; the format of a cryptographic standard with public key PKCS#7 shall be used for the purposes of signature creation and verification;
 
b) A covering letter in the documentary form containing the application reference or serial number, file name, date, time and manner of submission, and possibly also a check sum or standard file hash (e.g. SHA-1) and the authorised person’s signature;
 
c) A letter in the documentary form containing the reference number and the authorised person’s signature, or
 
d) In case of applications and data already submitted in electronic form and covering a certain period, usually one week, where no other authentication means has been used, a letter in the documentary form containing the reference number and the authorised person’s signature, sent post facto.
 
(5) Data on communication taking place before a certain identifier for a certain period of time shall be submitted by the provider to the competent authority as:
 
a) records of fixed line communications in the case of data pursuant to Section 2, para. 2, letter a);
b) records of mobile communications in the case of data pursuant to Section 2, para. 3, letter a);
c) records of data communication in the case of data pursuant to Section 2, para. 4.
 
(6) Records in compliance with Paragraph 5 shall be submitted to the competent authority in the form of a structured text file, preferentially coded according to character sets CP-1250, UTF-8 or ISO 8859-2. The file shall be processed separately for every individual telephone number or any other identifier included in the application. The names of files for submission shall be structured following the convention included in the Annex.
 
(7) The file shall be introduced with a uniform header and shall be of a fixed structure defined for a specific network or service type or application type. Individual lines in the file shall be arranged chronologically, unless stated otherwise in the application. The records in compliance with Paragraph 5 shall be closed with the word “End” on the last line.
 
(8) On every line, individual data shall be separated with a semi-colon (code 0059 of the character set) or tabulator (code 0009 of the character set); the last entry shall be closed with the CRLF character (code 0013 and 0010 of the character set). On condition that some data are not requested or may not be demonstrably ascertainable given the specific technology, its place within the structure shall remain empty.
 
(9) In the case of entries containing more values, individual values shall be separated by character "|" (code 0166 of the character set). On condition that the submitted data contain a character equal to any of the afore-mentioned separators or character " (code 0092 of the character set), it shall be preceded with character " (e.g. "", "", or "\").

(10) In well-reasoned cases and following the approval of the competent authority and the operator, it is possible to use a file format, name and structure different from the description included in paragraphs 6 to 9.
 
Section 4
Length of data retention
(1) The data shall be retained for the period of 6 months, unless stated otherwise in paragraph 2.
(2) The data referred to in Part 3, sections 3.3.4.5 and 3.3.4.6 of the Annex shall be retained for the period of 3 months.
 
Section 5
Effectiveness     
The Decree hereof shall come into effect upon its publication date, with the exception of Section 4, para 2. and Part 2 of the Annex, both coming into force on 1 December 2006.

Minister:
Ing. Bérová (signature)
-------
1) Section 11 of Act No. 227/2000 Coll., on Electronic Signature, as amended.


VI.
Reference for a Preliminary Ruling

25. Above all, the Constitutional Court had to assess the petition filed by the complainants to submit to the European Court of Justice, in compliance with Article 234 of the EC Treaty, a reference for a preliminary ruling concerning the (in)validity of the Data Retention Directive, since there is a significant risk that the Data Retention Directive, on its own, which has been implemented into the Czech legal system by means of the contested provisions and contested Decree, is inconsistent with the EC law. . In this respect, the Constitutional Court points out that even after the accession of the Czech Republic to the EU (since 1 May 2004), the norms and standards of Czech constitutional order have remained the reference framework for review performed by the Constitutional Court, since the role of the Constitutional Court lies in protecting constitutionality (Article 83 of the Constitution of the Czech Republic) in both aspects, i.e. the protection of the objective constitutional law, and subjective (i.e. fundamental) rights. The Community law is not part of the constitutional order, and therefore the Constitutional Court is not competent to interpret it. Despite this, the Constitutional Court cannot entirely overlook the impact of the Community law on the formation, application and interpretation of national law, all the more so in the field of law where the creation, operation and aim of its provisions is bound up with community law  [cf. the relevant Judgments  of the Constitutional Court file reference Pl. ÚS 50/04 issued on 8 March 2006 (N 50/40 SbNU 443; 154/2006 Sb.), file reference Pl. ÚS 36/05 issued on 16 January 2007 (N 8/44 SbNU 83; 57/2007 Sb.), or file reference II. ÚS 1009/08 issued on 8 January 2009 (N 6/52 SbNU 57)]. The content of the Data Retention Directive, however, provides the Czech Republic with sufficient space to implement it in conformity with the constitutional order, since its individual provisions in fact only define the obligation to retain data. For the transposition purposes  the objective defined by the corresponding Directive must be met, yet in case of specific laws and bye-laws concerning data retention and handling, including security measures and misuse prevention, it is necessary to follow the constitutional standard based on the Czech constitutional order as interpreted by the Constitutional Court. The reason for this is the fact that the particular implementation form, i.e. the challenged provisions of the relevant laws and bye-laws, is an expression of the will of the Czech legislature or, which may vary to some extent as far as the choice of relevant means is concerned, while observing the Directive’s objective, yet when making such choice, the legislature was at the same time bound to the constitutional order.


VII.
Framework of Reference for Assessment of the Petition

VII. A) Right to respect of private life and right to informational self-determination
26. Section 1, para. 1 of the Constitution of the Czech Republic provides for a normative principle of a democratic rule of law state. The notion of the rule of law is essentially based and conditioned by respecting the fundamental rights and freedoms of an individual which is, as an attribute of the selected rule of law state expressly stipulated in the constitutional provision referred to above. This constitutional provision serves as a basis for the materially perceived legal statehood, characterised by the respect of the state authorities to the individual’s free (autonomous) sphere delineated by fundamental rights and freedoms, while the state authorities essentially do not interfere with this sphere, or possibly interventions only take place in cases reasoned by a collision with other fundamental rights or public interest, approved in a constitutionally prescribed manner and unambiguously defined by law, and on condition that the intervention anticipated by law is proportional both with respect to the objectives to be attained and the extent of the restriction of the fundamental right or freedom.

27. The notion of privacy tends to be commonly associated with Western culture, and even more precisely, with an Anglo-American cultural idea embedded in the political philosophy of liberalism. Obviously, it is not a generally shared notion, both with respect to the emphasis on the importance of privacy, and to the extent of what should fall within the protection of privacy. Different cultures have developed various ideas as to the scope of privacy to which individuals  are entitled, and in what contexts. Yet even in 1928, Judge Brandeis assessed privacy in his subsequently often quoted dissenting opinion (in relation to the case of Olmstead v. United States 438, 478, 1928) as follows: “The makers of our Constitution undertook to secure conditions favorable to the pursuit of happiness.. [...] They conferred, as against the Government, the right to be “let alone” - the most comprehensive or most extensive  of rights, and the right most valued by civilized men.." And therefore, the right of privacy, previously not expressly stipulated, has developed over time into one of the essential structural elements of the American Constitution, providing the individual with autonomy; yet its exercise has been repetitively battled for within the US Supreme Court.

28. Apart from the request to respect one’s own life, physical, psychological and spiritual integrity, personal freedom, and possession, the request to respect the autonomous life setup has become a core human right claim for individual autonomy, which has a formative importance to European national catalogues of human (fundamental) rights, as well as to their subsequent  regional and universal pendants. Yet even original European national catalogues of fundamental rights did not expressly include the right of privacy or private life itself, which may be substantiated by wordings of national Constitutions as approved in the 1940s or 1950s (e.g. the Constitution of the Federal Republic of Germany, not to mention the one of Austria, the Constitution of Denmark, Finland, as well as France, Ireland, Italy, and other countries). The requests to respect privacy and its protection are actually closely related to the development of technical and technological possibilities, obviously increasing the potential of the state to threaten freedom.

29. As the Constitutional Court held in its judgment  (file reference II. ÚS 2048/09 issued on 2 November 2009, (available in the electronic decision database on nalus.usoud.cz) : "In liberal democratic states, the fundamental right of undisturbed private life (Article 10, para. 2 of the Charter) enjoys very specific respect and protection.” The primary function of the right of respecting private life is to provide space for development and self-realisation of the individual personality. Apart from the traditional definition of privacy in its space dimension (protection of the home in a broader sense) and, in connection with the autonomous existence and public authority, undisturbed creation of social relationships (in a marriage, family or society), the right to respecting private life also includes the guarantee of self-determination in the sense of primary decision-making of an individual about themselves. In other words, the right to privacy also guarantees the right of an individual to decide, at their own discretion, whether and to what extent, how and under what circumstances the facts and information concerning their personal privacy should be made accessible to other entities. This aspect of the right to privacy takes the form of the right to informational self-determination, expressly guaranteed in Article 10, para. 3 of the Charter [cf. the Judgments of the Constitutional Court, file reference IV. ÚS 23/05 issued on 17 July 2007 (N 111/46 SbNU 41) or file reference I. ÚS 705/06 issued on 1 December 2008 (N 207/51 SbNU 577), or possibly the Decision of the Federal Constitutional Court of Germany issued on 15 December 1983, BVerfGE 65, 1 (Volkszählungsurteil) or issued on 4 April 2006, BVerfGE 115, 320 (Rasterfahndungurteil II)].

30. In the quoted Decision BVerfGE 65, 1, the Federal Constitutional Court of Germany, when asked to assess the constitutionality of the provisions concerning gathering and storing data for the purposes of a census (Volkszählung) stated, among other things, that in modern society, characterised also by a substantial increase of information and data, the protection of an individual against uncontrolled gathering, storing, using and publishing data concerning their personality and privacy must be provided within a more general right to privacy, guaranteed by the Constitution. Unless the individual enjoys the guarantee of controlling and checking the content and extent of information and data provided by them to be published, stored or used for other than the original purposes; unless they are provided with the possibility to recognise and assess the credibility of their potential communication partner and adapt their action accordingly, then  their rights and freedoms are unavoidably restricted or even suppressed, and consequently, it is no longer possible to perceive such a society as free and democratic. The right to informational self-determination (informationelle Selbstbestimmung) is thus a necessary condition not only for free development and self-realisation of an individual, but also for establishing free and democratic communication rules. To put it simply, under the circumstance of an omniscient and omnipresent state and public authority, the freedom of expression, the right of privacy and the right of the free choice of behaviour and acting become virtually non-existent and illusionary.

31. The Charter does not guarantee the right to respect for private life in a single all-encompassing article (as is the case of Article 8 of the Convention). On the contrary, the protection of the individual private sphere in the Charter is distributed and complemented with other aspects of the right to privacy declared in various sections of the Charter (e.g. Article 7 para. 1, Article 10, Article 12, and Article 13 of the Charter). Similarly, the right itself to informational self-determination may be derived from Article 10, para. 3 of the Charter, providing the individual with the guarantee of the right to protection against unauthorised gathering, publishing or any other misuse of information concerning their person, in association with Article 13 of the Charter, protecting the confidentiality of letters or the confidentiality of other papers or records, whether privately kept or sent by post or transferred by telephone, telegraph or any other similar equipments or means. Nevertheless, the “fragmentation” of the legal provisions concerning the aspects of the individual’s privacy cannot be overestimated, while the list contained in the Charter and concerning what needs to be ranked under the “umbrella” of the right to privacy or private life cannot be deemed exhaustive and ultimate. When interpreting the individual fundamental rights depicting the right to privacy in its various dimensions as stipulated in the Charter, it is necessary to respect the purpose of the generally understood and dynamically developing right to privacy as a whole, i.e. it is necessary to consider the right to private life in its integrity at the given time.  For this reason, the right to informational self-determination, guaranteed in Article 10, para. 3 and Article 13 of the Charter, must also be interpreted particularly in connection with the rights guaranteed in Articles 7, 8, 10, and 12 of the Charter. Due to its character and importance, the right to informational self-determination thus falls within the fundamental human rights and freedoms, since it contributes to establishing, together with personal freedom, freedom in the spatial dimension (dwelling), communication freedom, and certainly other constitutionally guaranteed fundamental rights, the personal sphere of the individual, whose individual integrity, as an absolutely essential condition of dignified existence of the individual and the development of human life as a whole, must be respected and protected in a consistent manner.  For this reason, the respect to and the protection of this sphere is justly guaranteed by the constitutional order , since - when considered from a relatively different perspective - it is an expression of respect to the human and citizen rights and freedoms (Article 1 of the Constitution of the Czech Republic).

32. The established case law of the Constitutional Court, mainly in relation to the issues of telephone call interception, clearly indicates that the protection of the right to the respect of private life taking the form of the right to informational self-determination in the sense of Article 10, para. 3 and Article 13 of the Charter applies to not only the content of messages transferred over the telephone, but also to the data on the numbers called, date and time of the telephone call, its length, and in case of mobile telephony, to the base stations allowing the telephone call connection [cf. e.g. the Judgment  file reference II. ÚS 502/2000 issued on 22 January 2001 (N 11/21 SbNU 83) - “The privacy of every individual is worthy of fundamental (constitutional) protection not only in relation as to the content of the transferred messages but also as to the afore-mentioned data”. It may thus be stated that Article 13 of the Charter also provides for the protection of confidentiality of numbers call and other related data, such as date and time of the phone call, its length, and in case of mobile telephony, the identification of the base stations allowing the telephone call connection. [...] Such data represent an inseparable part of  communication taking place over the telephone”; or similar judgments file reference IV. ÚS 78/01 issued on 27 August 2001 (N 123/23 SbNU 197), file reference I. ÚS 191/05 issued on 13 September 2006 (N 161/42 SbNU 327), or file reference II. ÚS 789/06 issued on 27 September  2007 (N 150/46 SbNU 489)].

33. In the quoted Judgments, the Constitutional Court also followed the case law of the ECHR [particularly the judgment issued in the case of Malone v. UK (no. 8691/79 issued on 2 August  1984)], which - following Article 8 of the Convention, guaranteeing the right to respect for private and family life, as well as the home and correspondence, also concluded the right to informational self-determination, emphasising on a number of occasions that data collection and retention concerning an individual’s private life fall within the scope of Article 8 of the Convention, since the term “private life” must not be interpreted in a restrictive manner. This facet of the right to privacy thus also consumes the right to protection against monitoring, surveillance and pursuit performed by public authorities, also in public areas and places accessible to the public. Furthermore, there is no fundamental reason allowing the exclusion of professional, business or social activities from the term of private life [cf. the Judgment in the case of Niemietz v. Germany (no. 13710/88) issued on 16 December 1992]. As stated by the ECHR, such extensive interpretation of the term of “private life” is in accordance with the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (drawn up by the Council of Europe on 28 January 1981 and coming into force in the Czech Republic from 1 November 2001, published under No. 115/2001 of the Collection of International Treaties),  whose objective is “to secure in the territory of each Party for every individual (...) respect for his rights and fundamental freedoms, and in particular his right to privacy, with regard to automatic processing of personal data relating to him (Article 1), whereas it is defined as any information relating to an identified or identifiable individual” (Article 2).  [cf. the Judgment in the case of Amman v. Switzerland (no. 27798/95) issued on 16 February 2000 and the appropriate quoted case law].

34. In its judgments relating to the respect for private life pursuant to Article 8 of the Convention, the ECHR defined as infringement of individual privacy, among others, infringements in the form of monitoring data, the content of correspondence and telephone call interception [cf. the Judgment in the case of Klass and others v. Germany (no. 5029/71) issued on 6 September 1978, the Judgment in the case of Leander v. Sweden (no. 9248/81) issued on 26 March 1987, the Judgment in the case of Kruslin v. France (no.11801/85) issued on 24 April 1990, or the Judgment in the case of Kopp v. Switzerland (no. 23224/94) issued on 25 March 1998], monitoring the telephone numbers of the persons making a telephone call [cf.  the Judgment in the case of P. G. and J. H. v. UK (no. 44787/98) issued on 25 September 2001], collecting data on telephone connection (compared to the Judgment in the case of Amman v. Switzerland, referred to above), or storing the data on individuals’ DNA in defendants’ databases   [cf. the Judgment in the case of S. and Marper v. UK (no. 30562/04 and 30566/04) issued on 4 December 2008]. In the Judgment in the case of Rotaru v. Romania (no. 28341/95) issued on 2 May 2000, the ECHR followed the right to private life taking the form of the right to informational self-determination, while inferring a positive obligation of the State to dispose of the data collected about the individual and relating to their private sphere.  

35. A similar approach may also be observed in the judgments  of foreign constitutional courts. For instance, the afore-mentioned Federal Constitutional Court of Germany, by means of the right to informational self-determination, guarantees the protection of not only the content of the transferred information but also the external circumstances under which such transfers take place, i.e. the place, time, participants, type and manner of communication, since the knowledge of the communication circumstances may - in association with other data - indicate the communication content itself, and by means of examining and analysing the data, it is possible to restore the individual profiles of participants to the communication in question. (cf. e.g. the Judgment issued on 27 July 2005, BVerfGE 113, 348 (Vorbeugende Telekommunikationsüberwachung) or the Decision issued on 27 February 2008, BVerfGE 120, 274 (Grundrecht auf Computerschutz).

VII. B) Admissibility of the Infringement of the Right to Informational Self-determination
36. In general, the primary objective of the legal regulation concerning the global and preventive collection and retention of traffic and location data on electronic communications is considered to be the protection against security threats and the need to arrange for the accessibility of such data for the purposes of preventing, revealing, investigating and prosecuting  serious criminal offences by the public authority. As already pointed out by the Constitutional Court on a number of occasions, prosecuting criminal offences and punishing the offenders rightfully is a constitutionally approvable public interest, whose substance lies in transferring the liability for prosecuting the most serious violations of fundamental rights and freedoms committed by individuals and legal entities onto the State. On condition that the criminal law allows for exercising the public interest to prosecute criminal activity by means of robust tools the use of which results in serious limitations of the personal integrity and fundamental rights and freedoms of an individual, then when applied, constitutional limits have to be respected. Restrictions imposed on personal integrity and individual privacy (i.e. breaching the respect towards them) may only be applied as an absolute exception, provided it is deemed necessary in a democratic society, unless it is possible to meet the purpose pursued by the public interest in any other way and if it is acceptable from the perspective of the legal existence and respecting effective and specific guarantees against arbitrariness. Essential presumptions of a due process  require that the individual be provided with sufficient guarantee against the potential abuse of power by the public authorities. Such an essential guarantee consists of the relevant legal regulations and existence of the effective means of monitoring adherence to it, represented by, above all,  the supervision of the most intense infringements of the fundamental rights and freedoms of individuals performed by an independent and impartial court, since it is the courts’ obligation to provide the protection of individuals’ fundamental rights and freedoms (Article 4 of the Constitution of the Czech Republic) [cf. the Judgment file reference I. ÚS 631/05 issued on 7 November 2006 (N 205/43 SbNU 289) and file reference Pl. ÚS 3/09 issued on 8 June 2010 (219/2010 Sb., available in the electronic database of Decisions on nalus.usoud.cz)] .

37. In its judgments, the conditions outlined above have been specified by the Constitutional Court when assessing the admissibility of the intervention of the public authority to individual privacy taking the form of telecommunication operation interception [cf. e.g. the quoted Judgments file reference II. ÚS 502/2000, file reference IV. ÚS 78/01, file reference I. ÚS 191/05, or file reference I. ÚS 3038/07 issued on 29 February 2008 (N 46/48 SbNU 549)]. The infringement of the individual’s fundamental right to privacy in the form of the right to informational self-determination in the sense of Article 10, para. 3 and Article 13 of the Charter, due to the prevention of and protection against criminal activity is thus possible only by means of imperative legal regulations which have to conform to, above all, the rights arising from the principle of the legal state (rule of law state) and which meet the requirements arising from the proportionality test when, in the case of a conflict between the fundamental rights and freedoms with the public interest or any other fundamental rights and freedoms, the purpose (objective) of such infringement must be assessed in relation to the means applied, whereas it is the proportionality principle (in a broader sense) that provides the standard for such assessment. The wording of such legal regulations must be precise and unambiguous, while also being sufficiently predictable so that it provides potentially affected individuals with sufficient information on the circumstances and conditions under which the public authority is entitled to interfere with their privacy and so that they can act accordingly in order to avoid conflict with the restricting norm. Moreover, the powers granted to the relevant authorities, as well as the manner and the rules of application, must be strictly defined so that individuals are provided with protection against arbitrary infringements. From the perspective of the proportionality principle (in a broader sense), assessing the admissibility of the infringement in question includes three criteria. The first one lies in assessing the eligibility of fulfilling the purpose (or appropriateness as well), where it is determined whether the specific measure itself is capable of achieving the intended purpose, being the protection of another fundamental right or public interest. The second criterion consists in assessing the necessity, i.e. examining whether, upon selecting the appropriate means, the one being most considerate of the fundamental right has been opted for. And finally, it is necessary to assess the adequacy (in a narrower sense), i.e. whether the prejudice to the fundamental right is not disproportionate in relation to the intended purpose, which means that the measures imposing a restriction on fundamental rights and freedoms must not, in case of a collision of the fundamental right or freedom with public interest, exceed (through their negative consequences) the positive aspects represented by the public interest in these measures. [cf. the Judgment file reference Pl. ÚS 3/02 issued on 13 August 2002 (N 105/27 SbNU 177; 405/2002 Sb.)].

38. In case of applying criminal law tools restricting the individual’s fundamental rights and freedoms, the essential requirement of court protection of fundamental rights takes the form of the need to issue a court order and its sufficient reasoning. This must conform both to the requirements stipulated by the law, and, in particular, to the constitutional principles on which the legal regulation is based or which limit its interpretation in return, since the application of such regulation represents an exceptional infringement of the fundamental rights and freedoms of every individual. “A court order concerning telecommunication operation interception and retention may only be issued in a properly initiated criminal procedure relating to the criminal activity expressly defined by the law, at the same time being supported by relevant indications based on which a reasoned suspicion that such criminal offence has been committed can be drawn. The order must be individualised in relation to the specific individual using the telephone station. And finally, the court order must, at least to a minimal extent, indicate which facts important to the criminal procedure should be discovered in this way and on what such conclusions are based.” (cf. quoted Judgments of the Constitutional Court, file reference II. ÚS 789/06 or file reference I. ÚS 3038/07).

39. A similar approach may also be found in the ECHR judgments. In accordance with Article 8, para. 2 of the Convention, defining the constitutional limits of the restrictions imposed on fundamental rights and freedoms of individuals, guaranteed by Article 8, para. 1 of the Convention, and when examining every individual case, the ECHR mainly assesses whether the  alleged infringement or restriction of the fundamental rights or freedoms may be ranked under the scope of the protection included in Article 8 of the Convention. In the case of an affirmative answer, i.e. provided that the infringement of the right to privacy performed by the public authority took place pursuant to the law which must be accessible and sufficiently predictable, that is expressed with a high level of precision so that it enables the individual to act accordingly if necessary (cf. Malone v. UK, Amman v. Switzerland, or Rotaru v. Romania). The level of precision required in the national legal regulations, which under no circumstances may comprise all possible outcomes, depends, to a large extent, on the content of the examined text, the areas which it is supposed to cover, and the number and status of the persons to whom it is addressed   [Hassan and Tchaouch v. Bulgaria (no. 30985/96, 39023/97) issued on 26 October 2000]. In the sense of Article 8, para. 2 of the Convention, the examined infringement of the fundamental rights and freedoms, as guaranteed in Article 8, para. 1 of the Convention, must also be deemed necessary within a democratic society, following the purpose approved by the Convention (e.g. the protection of life or health, national or public security, protection of rights and freedoms of others or morals, preventing unrest or crime, or the interest in economic prosperity of the country), which must be relevant and reasoned in an appropriate manner. For the purposes of examining the accordance of the legal regulation with the Convention, it also has to provide adequate protection against arbitrariness, in the sense of Article 13 of the Convention, and consequently, to define with sufficient clarity the scope and manner of exercise of the powers granted to the relevant public authorities (cf. Kruslin v. France or S. and Marper v. UK). in other words,  acts representing an obvious infringement of the fundamental right to private life must not  occur beyond any immediate (preventive or subsequent) judicial control [cf. e.g. the Judgment in the case of Camenzind v. Switzerland (no. 21353/93) issued on 16 December 1997].

40. The requirements of the legal regulations allowing the infringement of the right to private life have been specified in more detail by the ECHR in the decisions mentioned above and concerning the assessment of the admissibility of such infringements exercised by the public authority and taking the form of telephone call interception, secret surveillance, or collecting information and data from the individual’s private (personal) sphere. The ECHR emphasised that it is, above all, necessary to define clear and detailed rules governing the scope and use of such measures, to determine the minimum requirements concerning the length, mode of retention of the obtained information and data, their use, or the access of third parties, and to establish procedures leading to the integrity and confidentiality of the data, as well as the mode in which the data will be disposed of, so that individuals are provided with sufficient guarantee covering the risk of misuse and arbitrariness. The necessity to be provided with such guarantee grows even higher in the case of the protection of data subject to automatic processing, particularly if the data are due to be used for law enforcement purposes and in the situation when the available technologies are becoming ever more complicated. National law, in particular, must guarantee that the collected data are truly relevant, not being excessive in relation to the purpose for which they were obtained and that they are retained in the form allowing the identification of the persons for the period not exceeding the necessary extent in order to achieve the purpose for which they were obtained [cf. Preamble and Article 5 of the Convention on the Protection of Data and Principle No. 7 of the Recommendations of the Committee of Ministers No. R(87)15, adopted on 17 September 1987 and concerning the regulation and use of personal data in the police sector, quoted pursuant to the Judgment in the case of Weber and Saravia v. Germany (no. 54934/00) issued on 29 June 2006 or Liberty and others v. UK (no. 58243/00) issued on 1 July  2008].


VIII. Legal review

VIII. A) So-called Data Retention
41. As already mentioned by the Constitutional Court, the contested provisions of Section 97, para. 3 and 4 have become part of Act No. 127/2005 Coll., on Electronic Communications, on the basis of Act No. 247/2008 Coll., amending Act No. 127/2005 Coll., on Electronic Communications and on amendments to other related acts (Act on Electronic Communications), as amended. According to the explanatory report, the amendment was adopted for the purposes of implementing “several articles” of the Directive of the European Parliament and Council 2006/24/EC, issued on 15 March 2006, on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC, “which have not yet been implemented or have only been implemented in part into our legal system, since the Data Retention Directive has already been transposed into our legal system. [...] In some respects, the legal regulations in force are broader than those contained in the Data Retention Directive.”  As a matter of fact, the issues of traffic and location data retention have been treated in the Czech legal system, yet in a modified form, upon adopting Act No. 127/2005 Coll., on Electronic Communications, coming into force on 1 May 2005, and upon adopting the contested Decree of the Ministry of Information Technologies No. 485/2005 Coll., on the extent of traffic and location data, time of its storage and the form and method of its disclosure to the bodies authorised to use it, coming into force on 15 December 2005. In the Czech Republic, the Data Retention Directive, under preparation in the EU at that time, was in fact implemented in advance, while the wording of the challenged provisions, already following the requirements laid down by the Data Retention Directive, merely represents a precision of the duty to retain the traffic and location data and to provide it, without any undue delay, to the public bodies authorised to request it. Despite this, the contested Decree of the Ministry of Information Technology has not been amended, which results in the fact that the extent of the retained data, falling under the control of the contested legislation, clearly and obviously remains beyond the extent anticipated by the relevant Data Retention Directive.

42. In accordance with the contested provisions of Section 97, para. 3, sentences one and two of the Electronic Communications Act, the legal entity or natural person operating a public communications network or providing a publicly available electronic communications services is obliged to retain the traffic and location data generated or processed when operating a public communications network or providing publicly available electronic communications services, including the data on unsuccessful call attempts, on condition that such data are generated  or processed and at the same time, retained or recorded. Pursuant to Section 90 of the Electronic Communications Act, the traffic data are deemed as “any data processed for the purposes of transferring or charging for the message through an electronic communications network.” Pursuant to Section 91 of the mentioned Act, the location data are defined as “any data processed in the electronic communications network determining the geographical position of the terminal of the user of a publicly available electronic communications service.” Pursuant to the contested provisions of Section 97, para. 4, it is the implementing regulations (i.e. the contested Decree No. 485/2005 Coll.) that were entrusted with the specification and the content itself of the traffic and location data, the retention period, and the form and manner of transferring it on to the relevant authorities.

43. Specifically, in the case of fixed network telephone line services and mobile communications services, operators are obliged to collect practically all accessible data on realised phone calls, as well as  their unsuccessful call attempts if recorded (referred to as “pings”). The data include, in particular, the information on the type of realised communication, telephone numbers of the person calling and the person called, date and time of commencing and ending the communication, identification of the base station providing the telephone call at the moment of making the connection, identification of the pay-as-you-go telephone card or the public telephone box, and in case of mobile communication, also the data on the unique code identifying every mobile telephony used in the GSM network (IMEI), its position and movement, even if no communication takes place (it is enough when the telephone is switched on), numbers of top-up cards and their association to the relevant telephone number, the connection between a mobile device and all inserted SIM cards, etc. Even higher volumes and extent of data to be retained pursuant to the contested Decree relate to so-called public networks working on the principle of packet switching and the associated services, i.e. most typically the Internet. In the case of using it, the contested legislation provides for the data retention concerning mainly the access to the network (e.g. time, place and length of connection, data on users and their user accounts, identifiers of the computer and the server accessed, IP address, full domain name, volume of transferred data, etc.), as well as the data relating to the access to electronic mailboxes and the transfer of electronic mail messages (in this case, almost all data are retained, except the content of the messages itself, i.e. including address identification, volume of transferred data, etc.), and last but not least, the data on the server and other services [e.g. entered URL address, request type, data on using chat rooms, UseNet, instant messaging (e.g. ICQ), and IP telephony, including the identification of the communicating parties and length and service used (e.g. file transfer or transaction)]. In the case of an Internet connection and email communication, what is monitored and retained beyond the scope of the Data Retention Directive in question is the volume of transferred data, information on applied encryption, method and status of requests to the service and their realisation, as well as information on sending SMS messages from Internet gateways and other “interest identifiers”. In the case of telephony and beyond the scope of the Data Retention Directive, the challenged legal regulation requires the retention of data on the identification of the pay-as-you-go card, public telephone box, numbers of top-up cards and their association with the telephone numbers, or the relations between the mobile devices and inserted SIM cards.

44. Although the prescribed obligation to retain traffic and location data does not apply to the content of individual messages (see Article 1, para. 2 of the Data Retention Directive and the contested provisions of Section 97, para. 3, sentence 4), the data on the users, addresses, precise time, dates, places, and forms of telecommunication connection, provided that monitoring takes place over an extended period of time and when combined together, allows compiling detailed information on social or political membership, as well as personal interests, inclinations or weaknesses of individual persons. As for the statement of the Senate, as summarised above, the opinion of the bill propose that “under no circumstances may this case be compared to interception, since the content of the telephone calls or email messages is not retained” must be regarded as absolutely erroneous, for even on the basis of such data, it is possible to draw sufficient content-related conclusions falling within the scope of the individual’s private (personality) sphere. With a degree of certainty of up to 90%, the data allow deducing, for instance whom, how often and even at what times the individual contacts, who their closest acquaintances, friends or work colleagues are, or what activities and at what times they engage in [cf. the study performed by the Massachusetts Institute of Technology (MIT), Relationship Inference, available on reality.media.mit.edu/dyads.php] . Collecting and retaining location and traffic data thus also represents a significant infringement of the right to privacy, and for this reason, it is necessary that the scope of the protection of the fundamental right to respect of private life taking the form of the right to informational self-determination (in the sense of Article 10, para. 3 and Article 13 of the Charter) should include not only the protection of the contents of the messages transferred via telephone communication or communication via so-called public networks, but also the traffic and location data related to them.

VIII. B) Assessing the Contested Legislation from the Perspective of Constitutional Law Requirements
45. The Constitutional Court was thus invited to assess whether the challenged legal regulation concerning the issues of global and preventive collection and retention of determined traffic and location data on electronic communications (so-called data retention) complies with the constitutional requirements outlined above and allows an infringement of the individual’s right to privacy in the form of the right to informational self-determination (in the sense of Article 10, para. 3 and Article 13 of the Charter). Furthermore, with regards to the intensity of such infringement, which in the given case is accentuated by the fact that it affects large and unpredictable numbers of communication participants, since it concerns global and preventive collection and retention of the data in question, the most stringent measures possible have to be applied to meeting the above-mentioned requirements. The Constitutional Court reached the conclusion that the contested legislation does not by far comply with the outlined constitutional law requirements for a number of reasons.

46. The contested provisions of Section 97, para. 3, sentence three of the Electronic Communications Act contain only vague and non-specific determination of duties laid upon legal entities or natural persons retaining the location and traffic data in the above-mentioned scope and extent “to disclose them, upon request, to the relevant authorities pursuant to a special legal regulation without any undue delay.” Although in Section 3, the contested Decree specifies fulfilling the duty towards the competent authorities in individual cases, i.e. it provides a relatively detailed definition of the manner in which the data are handed over, communication mode (electronic), format, programmes used, codes, etc., the wording of the challenged provision of Section 97, para. 3 of the Electronic Communications Act, or even the explanatory report do not specifically imply, in the perspective of the Constitutional Court, the competent authorities or the special legal regulations. With respect to the wording of the provisions of Section 97, para. 1 of the Electronic Communications Act, imposing on legal entities or natural persons operating a public communications network or providing publicly available electronic communications services the duty to provide, at the expense of the complainant, to establish and provide an interface to their network at specific points allowing the connection of an interception terminal, it may only be expected that also in the case of the duty to transmit retained location and traffic data, the law anticipates the same competent authorities and similar special legal regulations addressed to the authorities responsible for criminal proceedings, probably pursuant to Section 88 of the Criminal Procedure Code, the Security Information Service (www.bis.cz) in accordance with Sections 6 - 8a of Act No. 154/1994 Coll., on the Security Information Service, and Military Intelligence in accordance with Sections 9 and 10 of Act No. 289/2005 Coll. and on Military Intelligence. The existing legal regulations allowing for a massive infringement of fundamental rights thus do not comply with the requirements concerning the certainty and clarity  from the perspective of the state governed by the rule of law  (see Section 37 above).

47. Furthermore, the purpose under which the traffic and location data are provided to the competent authorities has not been defined clearly and precisely, which precludes assessing the challenged legal regulation from the perspective of its actual necessity (whereas it is undoubtedly capable of meeting the purpose, or it is capable of achieving the goal as determined by the Directive - see below). While the Data Retention Directive, referred to above, was adopted in order to harmonise the regulations applied in the Member States and relating to the duties and obligations of publicly available electronic communications services or public communications networks, concerning traffic and location data retention necessary to identify participants or registered users with the aim “to ensure that those data are available for the purpose of the investigation, detection and prosecution of serious crime” (although it fails to specify the criminal offence in more detail), the contested legislation, let alone the provisions of Section 88a, para. 1 of the Criminal Procedure Code, determining the conditions under which the retained data may be used for the purpose of a criminal procedure, does not contain any such restrictions. In compliance with the legal regulation in question, the possibility to use the retained data in a criminal procedure has not been associated by the legislature with a reasonable suspicion of committing a serious crime. Similarly, the duty of the bodies responsible for criminal proceedings to inform, though subsequently, the affected (monitored) person about this fact has not at all been included in the legal regulation, which mean that it fails to meet the claims arising from the second step of the proportionality test, i.e. the need when selecting the appropriate means, since the above clearly demonstrates that the means the most considerate of the fundamental right to informational self-determination has not been used.

48. The Constitutional Court does not perceive the manner in which the range of public authorities is (not) defined, as well as the manner (not) defining the purpose for which they are allowed to request the retained data, as sufficient and predictable. Although in compliance with the provisions of Section 88a, para. 1 of the Criminal Procedure Code, as referred to above, the use of retained data is subject to court review, taking the form of a permit issued by the presiding judge (and by the judge within the preliminary procedure), it was the legislature’s primary liability to define, with more precision and clarity, both the presumptions and condition of the data use, and the extent of use in the challenged provisions or in the provisions of Section 88a, para. 1 of the Criminal Procedure Code, replacing the absolutely non-specific definition of the conditions determining the use of the retained data “on realised telecommunication operations” for the purposes of “discovering the facts important for the criminal proceedings”. With respect to the seriousness and extent of the infringement of the right to privacy in the form of the right to informational self-determination (in the sense of Article 10, para. 3 and Article 13 of the Charter), represented by the use of the retained data, the legislature limited the possibility to use the retained data only for the purposes of criminal proceedings prosecuting serious crime and only in the case that such an objective cannot be achieved using any other means. In fact, this is anticipated not only by the Data Retention Directive, referred to above, but also by the provisions of Section 88, para. 1 of the Criminal Procedure Code, defining the conditions for enacting interception and records of telecommunication operation (“on condition that criminal proceedings related to serious crime have been initiated”), from which the afore-mentioned legal regulation included in the provisions of Section 88a of the Criminal Procedure Code as a whole (despite the legal opinions of the Constitutional Court expressed in the quoted Judgments file reference II. ÚS 502/2000 or file reference IV. ÚS 78/01) deviates without any due reason, providing for the legal regulation in obvious contradiction to the opinions of the Constitutional Court.

49. The absence of proper legal regulation, i.e. in full compliance with the Constitution, as  demonstrated by the statistical data has in fact resulted in the situation that the instrument in the form of requesting and using the retained data (including the data on attempted phone calls which are not treated in the Criminal Procedure Code at all), has also been used (or overused) by the bodies responsible for criminal proceedings for the purposes of investigating common (i.e. less serious) crime. For instance, in accordance with the “Report on the Security Situation in the Czech Republic in 2008”, the total number of criminal offences recorded in the territory of the Czech Republic amounted to 343,799 (out of which 127,906 offences were detected), while at the same time, the number of requests to provided the traffic and location data made by the competent public authorities reached 131,560 (cf. the corresponding Report of the EU Commission, entitled “The Evaluation of Directive 2006/24/EC and National Measures to Combat Criminal Misuse and Anonymous Use of Electronic Data”, having requested the official data from the Czech side, whereas the responses of the Czech Republic in the questionnaire dated on 30 September 2009 are available on www.dataretention2010.net/docs.jsp).  ; Unofficial data show that subsequently, in the period from January to October 2009 only, there were 121,839 requests for providing traffic and location data (cf. Herczeg, J.: Constitutional Limits of Telecommunication Operation Monitoring: Conflict between Security and Freedom. Bar Bulletin, Vol. 5/2010, pp. 29).

50. In the view of the Constitutional Court, the legal regulation contested by the applicant fails to define sufficiently, or fails to define at all, unambiguous and detailed rules containing minimum requirements concerning the security of the retained data, in particular, taking the form of restricting third-party access, the procedure of maintaining data integrity and credibility, or the removal procedure. Furthermore, the contested regulation does not provide individuals with sufficient guarantees against the risk of data abuse and arbitrariness. As for the examined case of global and preventive collection and retention of data on electronic communications, the need to have such guarantees available is becoming even more important to the individual owing to the current enormous and fast-moving development and occurrence of new and more complex information technologies, systems and communication tools, which unavoidably results in the borders between private and public space being blurred to the benefit of the public sphere, since in the virtual environment of information technologies and electronic communications (in the so-called cyberspace), every single minute, especially owing to the development of the Internet and mobile communication, thousands or even millions of items of data and information are recorded, collected and virtually made accessible, interfering with the private (personality) sphere of the individual, yet if asked, they would probably be reluctant to knowingly let someone else in.

51. Under no circumstances may the stipulation of the duty imposed on legal entities or natural persons to secure that “the content of message should not be retained together with the defined data” (Section 97, para. 3, sentence four) or the duty to “eliminate them upon the expiration of the period unless they have been provided to the competent authorities in compliance with a special legal regulation or unless stated otherwise within the Act (Section 90)” (Section 97, para. 3, sentence six) be deemed by the Constitutional Court as providing sufficient, unambiguous, detailed and appropriated guarantees. The retention period itself, “no shorter than 6 months and longer than 12 months”, the expiration of which determines the obligation to remove the data, can also be deemed as ambiguous and totally insufficient with respect to the extent and sensitivity of the retained data. None of these obligations is provided, in more detail, with the rules and specific procedures for how to meet them; the requirements concerning the security of the retained data have not been defined in a stringent manner; it is not sufficiently clear how the data are handled, either by legal entities or natural persons collecting and retaining the location and traffic data, or by the competent public authorities when requested; and the manner in which the data are removed has not been specifically determined either. Similarly, the liability or possible sanctions for failure to comply with such duties, including the absence of the possibility for the individuals affected to seek efficient protection against potential misuse, arbitrariness or failure to comply with the relevant duties have not been defined either. Supervision provided by the Office for Personal Data Protection, as anticipated in the Electronic Communications Act (Section 87 and further), “over observing the duties and obligations when processing personal data” or the corresponding instruments of its activities and monitoring cannot be considered as an adequate and effective means of protecting the fundamental rights of the individuals affected, since they do not control the instrument by themselves [see the Judgment file reference Pl. ÚS 15/01 issued on 31 October 2001 (N 164/24 SbNU 201; 424/2001 Coll.) where appropriate]. As a consequence, the actions referred to above, constituting an obvious infringement of the fundamental right to privacy in the form of the right to informational self-determination (in the sense of Article 10, para. 3 and Article 13 of the Charter) and due to the legal regulation being considered as insufficient and failing to meet the afore-mentioned constitutional requirements, occur beyond the scope or reach of any immediate (yet subsequent)   review, particularly a judicial one, the necessity of which has also been expressed by the ECHR in the Decision concerning the case of Camenzind v. Switzerland, referred to above.

52. Similar conclusions have also been drawn by Constitutional Courts in other European countries when examining the constitutionality of legal regulations implementing the afore-mentioned Data Retention Directive. For instance, in its Decision issued on 2 March 2010 (1 BvR 256/08, 1 BvR 263/08, 1 BvR 586/08), the Federal Constitutional Court of Germany, held that the contested legislation concerning the issues of preventive data retention  (Vorratsdatenspeicherung) (in the sense of Sections 113a and 113b of  Telekommunikationsgesetz) and their use within criminal proceedings (in the sense of Section 100g, para. 1 of Strafprozessordnung) was unconstitutional due to a contradiction with Article 10, para 1. of the Constitution protecting the inviolability of correspondence, mail and telecommunications. The Federal Constitutional Court of Germany held that the challenged legal regulation failed to comply with the requirements arising from the proportionality principle, requiring - among other things - that the legal regulation concerning data retention should correspond to the seriousness of the infringement of individuals’ fundamental rights.   Specifically, the contested legislation failed to provide a sufficient definition regarding the purpose of the use of the data, failed to guarantee their sufficient security, and last but not least failed to provide the individual with sufficient, adequate and effective guarantees against the risk of misuse, mainly in the form of judicial review. The federal legislation was invited to comply with these requirements pursuant to Article 73, para. 1, clause 7 of the Constitution. Similar conclusions were also adopted by the Constitutional Court of Romania in its Decision issued on 8 October 2009 (No. 1258), declaring the relevant legal regulation as unconstitutional, since it failed to define the purpose of use of such an instrument, its wording remained too vague without specifying, in more detail, the powers and obligations of the competent public authorities, and failed to provide the individuals affected with sufficient protection against misuse due to the absence of judicial review (the unofficial English translation of the Decision is available on www.legi-internet.ro/english/jurisprudenta-it-romania/decizii-it/romanianconstitutional-court-decision-regarding-data-retention.html) . Similar approaches were also taken by the Supreme Court of Bulgaria in its Decision issued on 11 December 2008 (information available on www.edri.org/edri-gram/number6.24/bulgarian-administrative-case-data-retention ) and the Supreme Court of Cyprus in its Decision issued on 1 February 2011 (information available on www.edri.org/edrigram/number9.3/data-retention-un-lawful-cyprus) . According to the information of the Constitutional Court, the legal regulations implementing the afore-mentioned Data Retention Directive are currently being examined in Poland and Hungary. The necessity to provide, in a manner as stringent as possible, the guarantees and instruments for protecting the fundamental rights of individual when handling their personal data generated in course of electronic communications was also emphasised by the European Court of Justice in its preliminary ruling issued on 9 November 2010 concerning the joint case of Volker und Markus Schecke GbR GbR and Hartmut Eifert v. Land Hessen (C-92/09 a C-93/09).

53. With respect to the above, the Constitutional Court holds that the challenged provisions of Section 97, para. 3 and 4 of Act No. 127/2005 Coll., on Electronic Communications and on Amendments to Certain Related Acts (Electronic Communications Act), as amended, and the contested Decree No. 485/2005 Coll., on the extent of traffic and location data, time of its storage and the form and method of its disclosure to the bodies authorised to use it, cannot be deemed as constitutionally conforming, since they are in obvious contradiction to the afore-mentioned constitutional limits, for they fail to meet the requirements arising from the rule of law state principles and are in collision with the requirements concerning the restrictions imposed on the fundamental right to privacy in the form of the right to information self-determination in the sense of Article 10, para. 3 and Article 13 of the Charter, based on the proportionality principle.

54. Beyond the scope of the above, the Constitutional Court needs to emphasise that the deficiencies, as described above and leading to a repeal of the contested provisions, have not been observed in the special legal provisions indirectly referred to in the challenged provisions of Section 97, para. 3 of the Electronic Communications Act. According to the Constitutional Court, it is mainly the afore-mentioned provisions of Section 88a of the Criminal Procedure Code regarding the conditions of using retained data on telecommunications for the purposes of criminal proceedings that fails, by far, to comply with the limits and requirements described above, and therefore it also seems unconstitutional from the Constitutional Court’s perspective. Nevertheless, due to the fact that it was not contested by the applicant in the petition, the Constitutional Court deems necessary to invite the legislature to consider amending, as a consequence of repealing the challenged provisions, Section 88a of the Criminal Procedure Code so that it complies with the constitutional order.

VIII. C) Obiter dictum
55. Taking the form of an obiter dictum only, the Constitutional Court maintains that it is aware of the fact that owing to the development of modern information technologies and communication means, new and more sophisticated ways of commitment of crime occur, which need to be addressed accordingly. Nonetheless, the Constitutional Court expresses its doubts whether the very instrument of global and preventive retention of location and traffic data on almost all electronic communications may be deemed necessary and adequate from the perspective of the intensity of the intervention to the private sphere of an indefinite number of participants to electronic communications. Within the European context, such opinion is not at all rare, since the Data Retention Directive has faced substantial criticism since its coming into force, both from the Member States (e.g. the governments of Ireland, the Netherlands, Austria or Sweden have been hesitating to implement it or have not implemented it yet, whereas the latter two have done so despite a publicly announced warning of the Commission to initiate proceedings with the European Court of Justice), and from legislators in the European Parliament, the European Data Protection Supervisor (see the data retention conference conclusions held by the Commission in Brussels on 3 December 2010, available on www.dataretention2010.net/docs.jsp) , or the Data Protection Working Group established in accordance with Article 29 of Directive 95/46/EC (cf. its statements available on ec.europa.eu/justice/policies/privacy/workinggroup/wpdocs/index_en.htm) , as well as from non-governmental organisations (such as Statewatch, European Digital Rights or Arbeitskreis Vorratsdatenspeicherung - AK Vorrat). All the bodies mentioned above have sought to put the location and traffic data with more adequate instruments (e.g. so-called data freezing allowing the monitoring and retention of necessary and certain data relating to the specific participant to communication selected in advance, provided certain conditions are met), or they have sought its amendments, mainly in the form of providing the individuals affected with sufficient guarantees and means of protection, as well as applying more restrictions on retained data security against threats of third-party leaks and misuse.

56. Similarly, the Constitutional Court expressed its doubts when also examining whether the instrument of global and preventive retention of traffic and location data may be deemed, from the perspective of the original purpose (i.e. protection against security threats and prevention of serious crime) as an effective tool, mainly due to the existence of so-called anonymous SIM cards, which are beyond the extent of retained location and traffic data as anticipated within the contested legislation and which, according to reports of the Police of the Czech Republic, are used for the purposes of commitment of criminal offences up to a level of 70% (cf. “Czech Police in bid to ban anonymous SIMs, operators protest”, iDNES.cz, 18 March 2010). In this respect, it is possible to refer to the analysis of the Federal Investigation Bureau of Germany, dated 26 January 2011, which - on the basis of comparing data before and after adopting the legal regulation in question - concluded that using the instrument of global and preventive retention of location and traffic data produced only negligible effect in reducing the number of serious crimes or the level of their detection (the analysis and the specific statistic data are available on www.vorratsdatenspeicherung.de/content/view/426/79/lang,de/) . Similar conclusions may also be drawn when glancing at the statistic summaries of crimes committed in the territory of the Czech Republic, e.g. the comparison of statistic data in the period of 2008 - 2010 (available on www.policie.cz/clanek/statisticke-prehledy-kriminality-650295.aspx) .

57. Last but not least, the Constitutional Court would like to express its doubts whether it is at all desirable that private persons (service providers in the area of the Internet, telephone and mobile communication, i.e. in particular, mobile operators and commercial enterprises providing Internet access) should be entitled to retain all data on the communication provided by them, as well as on customers to whom services are provided (i.e. data going beyond the extent of data which they are obliged to retain in accordance with the contested legislation), or that they should be allowed to dispose of them freely for the purposes of collecting debts or developing their business or marketing activities. The Constitutional Court perceives such a situation as undesirable mainly due to the fact that the Electronic Communications Act or any other legal regulations do not specify or define this competence and its purpose in further detail; the rights and duties have not been defined in a sufficient and precise manner, as well as the extent of retained data, the length and manner of retention, and the requirements concerning the data security or review mechanisms have not been specified in further detail, either.

58. With respect to the above, the Constitutional Court held, in accordance with Section 70 para. 1 of the Constitutional Court Act that the contested provisions of Section 97, para. 3 and 4 of Act No. 127/2005 Coll., on Electronic Communications and on Amendments to Certain Related Acts (Electronic Communications Act), as amended, and the contested Decree No. 485/2005 Coll., on the extent of traffic and location data, time of its storage and the form and method of its disclosure to the bodies authorised to use it, should be abolished on the day of publishing the Judgment hereof in the Collection of Laws (Section 58, para 1. of the Constitutional Court Act).

59. General courts will have to engage in examining, in each and every individual case, the application of the already requested data for the purposes of criminal proceedings from the perspective of the proportionality of the infringement of the right to privacy. Above all, courts will have to consider the seriousness of the crime committed upon the act against which criminal proceedings have been initiated and in which the requested data should be used.

Notice: No Appeal against Decisions of the Constitutional Court is permissible. (Section 54, para. 2 of the Constitutional Court Act)

Brno, 22 March 2011

Pavel Rychetský
Chief Justice of the Constitutional Court