1.

This reference for a preliminary ruling raises the question whether, in essence, personal data obtained in a criminal investigation may subsequently be used in disciplinary proceedings of an administrative nature against a public official.

2.

The answer to that question affords the Court of Justice a further opportunity to rule on the scope of Directive 2002/58/EC, ( 2 ) on the one hand, and the scope of Directive (EU) 2016/680 ( 3 ) and Regulation (EU) 2016/679, ( 4 ) on the other.

3.

As regards Directive 2002/58, the Court has delivered a consistent line of decisions concerning when and under what conditions Member States may restrict the scope of the rights and obligations established by that directive. ( 5 )

4.

Article 1 (‘Scope and aim’) provides:

‘1.   This Directive provides for the harmonisation of the national provisions required to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy and confidentiality, with respect to the processing of personal data in the electronic communication sector and to ensure the free movement of such data and of electronic communication equipment and services in the Community.

2.   The provisions of this Directive particularise and complement Directive 95/46/EC [ ( 6 )] for the purposes mentioned in paragraph 1. Moreover, they provide for protection of the legitimate interests of subscribers who are legal persons.

3.   This Directive shall not apply to activities which fall outside the scope of the [TFEU], such as those covered by Titles V and VI of the Treaty on European Union [(TEU)], and in any case to activities concerning public security, defence, State security (including the economic well-being of the State when the activities relate to State security matters) and the activities of the State in areas of criminal law.’

5.

Article 5 (‘Confidentiality of the communications’) provides, in paragraph 1 thereof:

‘Member States shall ensure the confidentiality of communications and the related traffic data by means of a public communications network and publicly available electronic communications services, through national legislation. In particular, they shall prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned, except when legally authorised to do so in accordance with Article 15(1). This paragraph shall not prevent technical storage which is necessary for the conveyance of a communication without prejudice to the principle of confidentiality.’

6.

Article 15 (‘Application of certain provisions of Directive 95/46/EC’) states:

‘1.   Member States may adopt legislative measures to restrict the scope of the rights and obligations provided for in Article 5, Article 6, Article 8(1), (2), (3) and (4), and Article 9 of this Directive when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system, as referred to in Article 13(1) of Directive 95/46/EC. To this end, Member States may, inter alia, adopt legislative measures providing for the retention of data for a limited period justified on the grounds laid down in this paragraph. All the measures referred to in this paragraph shall be in accordance with the general principles of Community law, including those referred to in Article 6(1) and (2) [TEU].

…

2.   The provisions of Chapter III on judicial remedies, liability and sanctions of Directive 95/46/EC shall apply with regard to national provisions adopted pursuant to this Directive and with regard to the individual rights derived from this Directive.

…’

7.

Article 2 (‘Material scope’) provides:

‘1.   This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

2.   This Regulation does not apply to the processing of personal data:

…

…’

8.

Article 5 (‘Principles relating to processing of personal data’) provides:

‘1.   Personal data shall be:

…

…’

9.

Article 6 (‘Lawfulness of processing’) reads as follows:

‘1.   Processing shall be lawful only if and to the extent that at least one of the following applies:

…

…

3.   The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by:

…

4.   Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject’s consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia:

…’

10.

Article 1 (‘Subject-matter and objectives’) provides, in paragraph 1 thereof:

‘1.   This Directive lays down the rules relating to the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.’

11.

Article 2 (‘Scope’) states, in paragraph 1 thereof:

‘This Directive applies to the processing of personal data by competent authorities for the purposes set out in Article 1(1).’

12.

Under Article 4 (‘Principles relating to processing of personal data’):

‘1.   Member States shall provide for personal data to be:

…

…

2.   Processing by the same or another controller for any of the purposes set out in Article 1(1) other than that for which the personal data are collected shall be permitted in so far as:

…’

13.

Article 9 (‘Specific processing conditions’) provides, in paragraph 1 thereof:

‘Personal data collected by competent authorities for the purposes set out in Article 1(1) shall not be processed for purposes other than those set out in Article 1(1) unless such processing is authorised by Union or Member State law. Where personal data are processed for such other purposes, [the GDPR] shall apply unless the processing is carried out in an activity which falls outside the scope of Union law.’

14.

Article 65(2) requires providers of electronic communications services to retain the data listed in Annex 1 to that law and, where appropriate, to make those data available to the competent authorities for use in combating serious crime. ( 8 )

15.

Under Article 77(1), providers of electronic communications services must allow the competent authorities access to information which is lawfully in their possession and is necessary, inter alia, for the prevention, detection and prosecution of criminal offences.

16.

In accordance with Article 77(4), where there is a reasoned court order or other legal basis established by law, providers of electronic communications services must make it technically possible, in particular for criminal investigation bodies and pre-trial investigation bodies, in accordance with the detailed rules laid down in criminal procedural legislation, to monitor the content of communications transmitted over electronic communications networks.

17.

Under point 1 of Article 6(3), if the conditions laid down in the LCI are met and subject to prior authorisation from the public prosecutor’s office or a court, criminal investigation bodies ( 10 ) may collect information from providers of electronic communications services.

18.

Under Article 8(1) and (3), criminal investigation bodies are to act as soon as information comes to light concerning the preparation or commission of a very serious, serious or less serious criminal offence and, if the investigation reveals the existence of a criminal offence, a pre-trial investigation is to be initiated immediately.

19.

Point 5 of Article 19(1) provides that information from criminal investigation operations may be used in the situations referred to in paragraphs 3 and 4 of that article and in other situations provided for by law.

20.

In accordance with Article 19(3), information relating to acts having the characteristics of a corruption-related offence may be declassified, with the agreement of the public prosecutor’s office, and used in the investigation of disciplinary misconduct or misconduct in office.

21.

Article 154 (‘Monitoring, recording and retention of information transmitted over electronic communications networks’) provides, in paragraph 1 thereof, that an investigator may, by decision of an investigating judge taken at the request of the public prosecutor’s office, listen to, record and store conversations transmitted over electronic communications networks if there is reason to believe that data may be obtained concerning a very serious or serious offence that is being prepared, is being committed or has already been committed, or concerning a less serious or non-serious offence.

22.

Article 177 (‘Non-disclosure of pre-trial investigation data’) provides, in paragraph 1 thereof, that investigation data are confidential and, until the case is examined by a court, may be disclosed only with the authorisation of the public prosecutor’s office and in so far as such disclosure is justified. ( 12 )

23.

The Lietuvos Respublikos generalinė prokuratūra (Prosecutor General’s Office of the Republic of Lithuania; ‘the Prosecutor General’s Office’) initiated an internal investigation into the actions of A.G., who at the time was a public prosecutor in an Apygardos prokuratūra (Regional Public Prosecutor’s Office), in the light of evidence of misconduct in office.

24.

The Commission of the Prosecutor General’s Office found that A.G. had engaged in misconduct in office and proposed that the disciplinary measure of dismissal from service be imposed on him.

25.

The evidence of misconduct took the form of information, obtained in the administrative proceedings, deriving from the actions of the criminal information services, the explanations of other officials and of the appellant in the main proceedings, and the findings of two pre-trial investigations.

26.

In particular, there was evidence of telephone communications between A.G. and a suspect’s lawyer, in a pre-trial investigation conducted by A.G. concerning cases in which that lawyer had acted as defence counsel. ( 13 )

27.

The monitoring and recording of information transmitted over electronic communications networks had been authorised by court orders.

28.

The Prosecutor General imposed the penalty of dismissal from service on A.G., who brought an action before the Vilniaus apygardos administracinis teismas (Regional Administrative Court, Vilnius, Lithuania) seeking annulment of the penalty.

29.

That action was dismissed by judgment of 16 July 2021 on the ground that, in the view of the court of first instance, the actions of the criminal information services had been lawful, as had the use, in the disciplinary proceedings, of the data obtained by those services.

30.

A.G lodged an appeal against the first-instance judgment before the Lietuvos vyriausiasis administracinis teismas (Supreme Administrative Court of Lithuania), which has submitted the following question to the Court of Justice for a preliminary ruling:

‘Must Article 15(1) of [Directive 2002/58] …, read in conjunction with Articles 7, 8, 11 and 52(1) of the Charter of Fundamental Rights of the European Union [(the Charter)], be interpreted as prohibiting the competent public authorities from using data retained by providers of electronic communications services which may provide information on the data of, and communications made by, a user of a means of electronic communications, in investigations into corruption-related misconduct in office, irrespective of whether access to those data has been granted, in the particular case, for the purposes of combating serious crime and preventing serious threats to public security?’

31.

The request for a preliminary ruling was received at the Court on 3 March 2022.

32.

A.G., the Czech, Estonian, Hungarian, Italian and Lithuanian Governments, Ireland and the European Commission submitted written observations.

33.

A.G., the French, Hungarian and Lithuanian Governments, Ireland and the Commission were present at the hearing held on 2 February 2023.

34.

The referring court is an administrative court with jurisdiction to review decisions of an administrative nature. That is also the nature of the decision adopted by the Prosecutor General, who imposed the penalty of dismissal from service on an official of a Regional Public Prosecutor’s Office for acts constituting misconduct.

35.

The main proceedings do not therefore concern decisions of the criminal courts. Although such decisions coexist alongside the (disciplinary) administrative proceedings which led to the official’s dismissal, ( 14 ) it should be noted that the dispute relates only to the matter of dismissal.

36.

That being so, it is apparent from the order for reference that the facts of the dispute, which lay the foundations for the question referred for a preliminary ruling, are somewhat imprecise.

37.

As the Czech Government and the Commission have pointed out, it is not possible to establish with certainty, on the basis of the order for reference, whether the competent authorities: (a) approached providers of electronic communications services in order to obtain the data at issue; or (b) obtained those data themselves directly.

38.

That is by no means a trivial matter. It is decisive for identifying which EU legislation is relevant for answering the question referred for a preliminary ruling. Depending on how events transpired, it would be necessary to apply:

39.

In the second scenario, the protection of personal data would be governed by national law, subject to the application of Directive 2016/680. ( 15 ) Accordingly, by focusing on Directive 2002/58, the approach taken in the question referred for a preliminary ruling is skewed.

40.

The Hungarian Government – convinced that the personal data were obtained by telephone tapping carried out by the criminal information services – questions the admissibility of the reference for a preliminary ruling, as Directive 2002/58 would thus be inapplicable.

41.

The Commission, however, takes the following view.

42.

I agree with the Commission’s approach, which, moreover, is the only approach capable of assuaging the (justified) misgivings caused by the order for reference’s admissibility.

43.

If the question referred is thus construed, the relevance of Directive 2002/58 to the answer thereto:

44.

According to the referring court, the following matters are relevant to the proceedings on which it has to adjudicate:

45.

Everything therefore seems to suggest that, aside from the possible presence of personal data the processing of which could not fall within the scope of Directive 2002/58 (but could fall within the scope of Directive 2016/680), the investigation leading to the imposition of the penalty made use of personal data collected from providers of electronic communications services.

46.

The Court must limit its answer to the referring court’s request as formulated by it. It will therefore be necessary to determine whether the personal data obtained and processed under Article 15(1) of Directive 2002/58 in a criminal investigation may subsequently be used in (administrative) proceedings of a disciplinary nature against a public official.

47.

Having thus delimited the terms of the reference for a preliminary ruling, the corollary of the above is that the following matters fall outside its scope.

48.

In short, the considerations set out below on the substance of the case will have to leave aside the interpretation of Directive 2016/680. ( 21 ) Those considerations will be confined, as regards Directive 2002/58, to the use of personal data obtained under that directive by means of processing operations the original lawfulness of which must be presumed, inasmuch as it is not disputed in the main proceedings.

49.

It is apparent from the first sentence of Article 15(1) of Directive 2002/58 that Member States may adopt a measure derogating from the principle of confidentiality enshrined in Article 5(1) of that directive where it is ‘necessary, appropriate and proportionate … within a democratic society’ and is ‘strictly’ proportionate to the intended purpose. ( 22 )

50.

In particular, whether Member States may justify a limitation on the rights and obligations laid down in Articles 5, 6 and 9 of Directive 2002/58 must be assessed in the light of the seriousness of the interference entailed by such a limitation and by verifying that the importance of the public interest objective pursued by that limitation is proportionate to that seriousness. ( 23 )

51.

‘In order to satisfy the requirement of proportionality, the national legislation must lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards, so that the persons whose personal data are affected have sufficient guarantees that those data will be effectively protected against the risk of abuse. That legislation must be legally binding under domestic law and, in particular, must indicate in what circumstances and under which conditions a measure providing for the processing of such data may be adopted …’. ( 24 )

52.

As regards the public interest objectives that may justify a measure taken pursuant to Article 15(1) of Directive 2002/58, in accordance with the principle of proportionality, there is a hierarchy of objectives based on their respective importance: the importance of the objective pursued by such a measure must be proportionate to the seriousness of the interference. ( 25 )

53.

In that hierarchy of objectives, safeguarding national security, read in the light of Article 4(2) TEU, ranks higher than safeguarding the other interests referred to in Article 15(1) of Directive 2002/58, namely defence, public security and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system. The objective of combating crime in general, even serious crime, and of safeguarding public security, falls within that second category. ( 26 )

54.

It follows from that categorisation of objectives that:

55.

According to the referring court, the data at issue were obtained by means of serious interferences with the rights guaranteed by Articles 7, 8 and 11 of the Charter. ( 29 )

56.

The question here, I repeat, is not whether the collection of those data was initially lawful, that is to say, whether the interference was sufficiently justified in the light of the seriousness of the criminal offence targeted.

57.

The referring court has taken a view on those two points (seriousness of the interference and seriousness of the offence) in terms which are not disputed in the main proceedings and are therefore not relevant to the reference for a preliminary ruling.

58.

What matters at this juncture, according to the referring court, is whether those data: (a) may also be used in subsequent investigations aimed at combating crime in general (assuming that that concept covers the conduct to which the disciplinary measure at issue relates); or (b) may be used only in investigations aimed at combating serious crime.

59.

The Czech Government and Ireland have examined whether or not the conduct at issue before the referring court should be classified as a ‘serious offence’ and have concluded that it should.

60.

In my view, however, this is a matter on which the Court need not rule because the classification of the conduct is a matter for the referring court.

61.

The referring court states that, if the use of data obtained by means of a serious interference with fundamental rights can be justified only in connection with combating serious crime and preventing serious threats to public security, such data cannot be used in investigations into corruption-related disciplinary offences, ( 30 ) in other words, in investigations such as the one at issue here.

62.

Based on that assessment, what needs to be ascertained is whether disciplinary offences in respect of which action is to be taken using certain personal data must be qualitatively equivalent, as regards their seriousness, to the offences which justified the collection of those data. ( 31 )

63.

At the hearing, the Lithuanian Government acknowledged that the public prosecutor had been dismissed for professional misconduct. Whether that misconduct (leaking information about a pre-trial investigation) may be equated with a serious criminal offence or whether it presents a serious risk to the safeguarding of public security depends on a number of factors which only the referring court is in a position to verify. ( 32 )

64.

During the hearing, numerous references were made to combating corruption, as the phenomenon underlying conduct such as that at issue here. Any debate on that point would require considerable fine-tuning, in the interests of the exactitude demanded of all expressions of the State’s power to punish. It would be necessary to determine, for instance, whether the term ‘corruption’ is used in a generic sense or whether it refers to a specific type of conduct within which, in the abstract, it would perhaps be unreasonable to include mere breach of the duty of secrecy without a corresponding advantage in favour of the official. ( 33 )

65.

In any event, if the referring court were to take the view that the professional misconduct punished in this case is less serious than the criminal offence whose investigation justified the measure taken under Article 15 of Directive 2002/58, the answer to the question referred for a preliminary ruling would be apparent from the following findings of the Court.

66.

Accordingly, in that respect, a kind of principle of equivalence applies between, on the one hand, the public interest objectives justifying the collection of personal data and, on the other, those warranting the subsequent use of those data. The only exception to that principle is, as I have just mentioned, where the importance of the objective pursued by access is greater than that of the objective which justified retention.

67.

Any other interpretation would effectively distort the system of safeguards under Directive 2002/58. The rights safeguarded could be seriously interfered with outside of the situations provided for in Article 15 and the conditions determined by the case-law of the Court.

68.

In particular, the protection of the right to confidentiality of communications may be legitimately removed only on the basis of the specific public interest objective pursued by such removal. That is why the legitimacy of access to retained data must be assessed on a case-by-case basis, whereby the seriousness of the interference is weighed against the importance of the public interest objective pursued by that interference.

69.

What cannot be accepted is an interpretation of Directive 2002/58 according to which the grant of access in a first scenario where such access is properly justified clears the way for subsequent access (in actual fact, reuse of the data obtained) based on a lower-ranking objective than the objective pursued in the first scenario.

70.

In that connection, the requirements for initial access (including the requirements established by the Court as regards authorisation of such access) ( 36 ) are capable of being applied to the subsequent use of the same data by other authorities.

71.

I have set out above what I consider to be the most appropriate way of answering the request for a preliminary ruling as it is worded, that is to say, by providing the referring court with an interpretation of Directive 2002/58, as sought by it.

72.

If the data at issue in this case had been obtained not on the basis of Article 15(1) of Directive 2002/58 but directly by the criminal information services of the Member State in criminal proceedings, the situation would be different.

73.

In those circumstances, the provisions of national law would come into play, subject to the application of Directive 2016/680 as regards the processing of personal data obtained in a criminal investigation. I have assumed that the actions of the criminal information services in cases like the present one fall within the scope of Directive 2016/680. That was confirmed at the hearing.

74.

As I explained in my Opinion in Inspektor v Inspektorata kam Visshia sadeben savet (Purposes of processing personal data – Criminal investigation), ( 37 )‘the GDPR and Directive 2016/680 form a cohesive system in which:

75.

I made the following observations in that Opinion. ( 39 )

76.

In view of how the Court has interpreted Article 4(2) of Directive 2016/680, ( 41 ) it would be difficult to accept that personal data collected in criminal proceedings could be used for the same purpose in subsequent disciplinary proceedings against a public official.

77.

I should point out, however, that under Article 4(2) of Directive 2016/680, ‘processing by the same or another controller for any of the purposes set out in Article 1(1) other than that for which the personal data are collected shall be permitted in so far as:

78.

It is on the basis of that premiss that the referring court will have to examine whether or not the (different) purpose of the further processing is among the purposes laid down in Article 1(1) of Directive 2016/680.

79.

The first of the two requirements established by that provision will be met only if the Member State law takes the form of legislation ( 42 ) governing the circumstances in which the controller is permitted to process personal data. That legislation must, moreover, contain binding rules that are clear and precise. ( 43 )

80.

However, that is, of course, a matter for the referring court to determine, after examining Article 177 of the CCP, Article 19(3) of the LCI and the Recommendations of the Prosecutor General’s Office. ( 44 ) On the basis of those factors, the referring court will have to gauge the extent to which national law allows information obtained in criminal proceedings to be used, subject to certain conditions, in an investigation into disciplinary offences. In that determination, the findings set out in the ECtHR judgment in Adomaitis may prove useful. ( 45 )

81.

As regards the second requirement, the referring court will have to assess whether, in the data processing at issue in this case, the interference was necessary and proportionate. ( 46 )

82.

Again, the guidance provided in the ECtHR judgment in Adomaitis may assist in that assessment.

83.

Under Article 9(1) of Directive 2016/680, personal data collected by competent authorities for the purposes set out in Article 1(1) thereof may be processed for purposes other than those set out in Article 1(1) if such processing is authorised by EU or Member State law. In those circumstances, the GDPR will apply unless the processing is carried out in the course of an activity which falls outside the scope of EU law. ( 49 )

84.

If the referring court considers Article 4(2) of Directive 2016/680 to be inapplicable, it will have to have recourse to the GDPR. In accordance with the GDPR, it will have to determine whether, in addition to the legal basis, at least one of the conditions for lawful processing of personal data listed exhaustively in Article 6(1) thereof is met.

85.

In the light of the foregoing considerations, I propose that the Court of Justice give the following reply to the Lietuvos vyriausiasis administracinis teismas (Supreme Administrative Court of Lithuania):