Legal Alert | Amendment of the regulation on access to metadata relating to electronic communications for criminal investigation purposes

On 5 February, Law 18/2024 (Law 18/2024), which entered into force the day after it was published, was published in the Official Gazette, and serves the following purposes:

1. Amendment of Law 32/2008 of 17 July (Law 32/2008), which regulates the retention and transmission of traffic and location data relating to natural persons and legal persons, as well as related data necessary to identify a subscriber or registered user, for the purposes of investigation, detection and prosecution of serious crimes by the competent authorities, in accordance with Constitutional Court Rulings 268/2022 of 19 April and 800/2023 of 4 December 2023; and
2. Amendment to the Law on the Organisation of the Court System, approved by Law 62/2013, of 26 August (Law 62/2013).

This Legal Alert aims to contextualise and highlight the main changes introduced in these two pieces of legislation.

I. Framework and Background

By means of Law 18/2024, lawmakers sought to respond to the problems raised by the Court of Justice of the European Union (CJEU) and the Constitutional Court (CC) regarding the admissibility of the retention of metadata resulting from communications – that is, traffic and location data – in view of the right to privacy and the protection of personal data.

The subject of metadata retention was initially regulated by European lawmakers through Directive 2006/24/EC of the European Parliament and of the Council of 15 March (Directive 2006/24/EC). This Directive, transposed into domestic law by Law 32/2008, established the obligation for Member States to take measures to ensure the retention of data for the purpose of investigating, detecting and prosecuting serious crimes.

Subsequently, the CJEU declared Directive 2006/24/EC invalid, in its Judgment of 8 April 2014, because it considered that access by the competent authorities to metadata allowed conclusions to be drawn about the private life of data subjects, which it held to be a disproportionate interference in their rights and freedoms.

In Portugal, by means of Judgment 268/2022 of 19 April, the Constitutional Court declared the rules allowing an indiscriminate collection of traffic data and which did not provide for notification to the data subject of access to the data by criminal investigation authorities to be unconstitutional with generally binding application.

The Assembly of the Republic (AR) then approved Decree 91/XV of 26 October 2023. By Judgment 800/2023 of 4 December 2023, in the context of the preventive constitutional review, the Constitutional Court again ruled for the unconstitutionality of rules relating to the retention of traffic and location data, since these remained general and undifferentiated, affecting data subjects about whom there was no suspicion of criminal activity.

Consequently, the AR sent a new proposal for legislative amendment to the President of the Republic, with the resulting legislation leading to the amendments detailed below.

II. Amendment to Law 32/2008

Law 32/2008 was fully republished, in an annex to Law 18/2024, and Articles 2, 4, 6, 7, 9, 15, 16 and 17 thereof were amended.

a) Retention period and rules

In its original wording, Article 6 of Law 32/2008 set forth that providers of electronic communications services should retain data relating to all the categories listed in Article 4(1) of the same Law 'for one year from the date of conclusion of the communication'.

With the entry into force of Law 18/2024, pursuant to Article 6(1) of Law 32/2008, the one-year retention period shall be maintained only for the following types of data: (i) data relating to the civil identification of subscribers or users of publicly available communications services or of a public communications network; (ii) other basic data; and (iii) IP protocol addresses assigned to the source of a connection.

For its part, in accordance with the new paragraphs^. 2 and 3 of the same article 6, traffic and location data can only be retained with a court order, which is urgent and must be issued within a maximum of 72 hours, after a request for this purpose. In order to safeguard the usefulness of this request for a court order, its submission must be immediately communicated by the Public Prosecutor's Office to the communications service providers, which must not delete the data in question until the final decision on their retention, pursuant to Article 6(4) of Law 32/2008.

The court decision to retain traffic and location data must be based on their necessity for the investigation, detection and prosecution of serious crimes. Accordingly, the setting and extension of the retention period must be limited to what is strictly necessary to achieve these purposes, and ceases as soon as the need for retention ends (cf. Article 6(5) of Law 32/2008).

b) Data protection and security

As regards the protection and security of data stored and in accordance with the provisions of Regulation (EU) No 679/2016 of the Parliament and of the Council of 27 April 2016 (GDPR), the new wording of Article 7(4) of Law 32/2008 means that the appropriate technical and organisational measures to ensure a level of data security must be applied by reference to a wide range of factors: 'the most advanced techniques, implementation costs and the nature, scope, context and purpose of the processing [and] the risks, of probability and varying seriousness, to the rights and freedoms of natural persons'. In addition, in the new paragraph 5 of the same article, Law 32/2008 establishes a set of criteria that should be considered when assessing the appropriate level of security.

c) Data transfers

With regard to data transfers, which must be authorised by an investigating judge, the new wording of Article 9(2) of Law 32/2008 now establishes that a court order can only be requested by the Public Prosecutor’s Office and no longer by the competent criminal police authority.

Article 9(7) now provides that the data subject is notified of the decision authorising such transfer within 10 days. Nevertheless, during the investigation phase, the investigating judge may delay such notification, at the request of the Public Prosecutor's Office, if it entails risks for the investigation, makes it difficult to discover the truth or endangers the life, physical or mental integrity or freedom of duly identified persons. In any event, notification of the data subject must take place as soon as the reason for the delay ceases to exist or, at the latest, within 10 days of the date on which the order to close the investigation is issued (cf. Article 9(8) of Law 32/2008).

Article 9(9) of Law 32/2008 also establishes that the transfer of data to authorities of other States may only take place within the scope of international judicial cooperation in criminal matters, if those States ensure the same level of protection of personal data as is in force in the territory of the European Union.

III. Amendment to Law 62/2013

With the entry into force of Law 18/2024, Law 62/2013 was amended in articles 47(4) and 54(4) under the headings "Organisation" and "Competence", both originally introduced by Framework Law 4/2017 of 25 August, respectively.

These amendments concern the attribution of jurisdiction to grant court orders for the retention of traffic and location data to specific bench of the criminal sections of the Supreme Court of Justice, in accordance with the provisions of the new Article 6(7) of Law 32/2008, introduced by Law 18/2024.