Defence Law – Constitutional/Political Regime governing National Defence Nacional
The Republic’s Intelligence System;
Democratic state governed by the rule of law;
Highly organised crime;
Access to metadata;
Right to the privacy of personal life;
Right to safety and security.
RULING No. 403/15
27 of August of 2015
In a prior review case the Constitutional Court pronounced the unconstitutionality of a norm contained in an Assembly of the Republic Decree that approved the legal regime governing the Portuguese Republic’s Intelligence System (SIRP). This norm would have allowed intelligence officers from the Security Information Service (SIS) and the Strategic and Defence Information Service (SIED) to access certain types of data, for certain purposes and subject to certain conditions. The data were traffic, localisation and other communications-related data needed to identify the service subscriber or user or find and identify the source, destination, date, time, duration and type of communication, as well as to identify the telecommunications equipment or its location. The purposes had to be linked to: safeguarding Portugal’s independence and interests and the domestic and external security of the Portuguese State; guaranteeing the conditions needed to ensure citizens’ safety and security and the full and proper functioning of the country’s democratic institutions; and/or activities appropriate to the prevention of sabotage, espionage, terrorism, highly organised transnational crime or acts that could change or destroy the democratic state based on the rule of law established in the Constitution. The conditions were that the use of these means had to be necessary, appropriate and proportionate in a democratic society; and that a prior request setting out the grounds for the use had to be sent to a Prior Control Commission (CCP), which obligatorily had to authorise it in advance.
The Court took the view that this norm was in breach of the constitutional precept which prohibits the public authorities from engaging in any form of intrusion into communications, other than in the cases provided for in criminal procedural law.
In the past the Constitutional Court had already considered the protection of traffic data equivalent to that of content data. Its jurisprudence is that the fact that traffic data (direction, recipient, place, time, duration) identify, or make it possible to identify, a communication means that the information about the latter which they contain is important enough to warrant protecting their confidentiality. The Court recalled that on several occasions the Court of Justice of the European Union has emphasised the gravity of the intrusion caused if traffic data are stored without limits. On the question of whether the mandatory prior control by the CCP was equivalent to the control that exists in criminal proceedings, thereby enabling this case to benefit from the exception which the norm that prohibits intrusion into telecommunications allows in criminal matters, the Court said that the prohibitive norm is a general one, whereas the permissive norm is exceptional. Sacrificing the right to the inviolability of private communications constitutes a restriction on the constitutional content of that fundamental right and the scope of the protection it provides. This is permissible when there are very important reasons imposed by the criminal investigation linked to criminal proceedings, but not otherwise.
A constitutional norm that enshrines a right subject to the possibility that the ordinary law can restrict the right allows the ordinary legislator to impose limits on the scope of the protection guaranteed by the Constitution (the part of the overall norm that authorises a restriction), but simultaneously recognises and guarantees a certain protective scope on which the legislator cannot encroach when the right is a fundamental one (the part of the overall norm that guarantees the core right).
By defining the field of application of the ordinary law which restricts the right to the inviolability of communications as “matters related to criminal procedure”, the Constitution says that the ordinary legislator is authorised to impose restrictions, but that that authorisation is only valid with regard to criminal procedural matters. Even if one were able to consider in abstract terms that there are other matters in which the value ‘security’ surpasses the values underlying the right to the inviolability of communications, the Constitution does not allow it.
When the constitutional legislator decided to authorise the public authorities to intrude into means of communication, but only in criminal procedural matters, it sought to ensure that access to those means in order to safeguard the values ‘justice’ and ‘security’ would be achieved via a procedural instrument that also protects peoples’ fundamental rights. Even though the goal might be to provide preventative penal protection to very important legal assets, it is not legitimate to expand the scope of the restriction on the right that is permitted by the constitutional norm.
he President of the Republic asked the Constitutional Court to conduct a prior review of a norm contained in an Assembly of the Republic Decree approving the Portuguese Republic’s Intelligence System (SIRP). The norm would have allowed intelligence officers from the SIS and SIED security services to access ‘traffic data’ under certain conditions. One of the objectives of the Decree of the Assembly of the Republic containing the norm was to adapt the regime governing SIRP to current information and security requirements; and the regime governing access to data stored by telecommunications operators is designed to pursue goals linked to the prevention of phenomena like terrorism, espionage, sabotage and highly organised crime.
The idea was not to access the contents of communications (written or voice), but to be able to obtain authorisation to ask the entities that are legitimately responsible for treating the data (base, localisation and traffic) for access to them. These are metadata, or “data about data”, in that they concern the circumstances under which communications took place, and not the latter’s actual contents.
There is a broad range of national, European and international legal regulations on data access. Access to data on actual or attempted communications can undermine the fundamental rights of the persons involved in the act of communication. Even without access to the content, the cross-referencing of traffic data can provide a profile of the person in question. In its jurisprudence the Constitutional Court recognises that private communications, including their content and the circumstances in which they take place, are a means by which it is possible to manifest aspects of people’s private lives that fall within the scope of the protection which the Constitution affords to the privacy of personal life.
The right to communicational self-determination protects the personal sphere against public and private intrusions, and the Constitution in turn protects that right by making communications inviolable. Interlocutors are entitled not to have third parties intervene in either their communications, or the accompanying circumstances. This is a guarantee that must be available prima facie to all private communications, regardless of whether or not they concern the parties’ intimacy. Technological progress has increased the possibilities of intrusion. From a privacy point of view, it is necessary to ensure that communication at a distance between private parties takes place as though they were face-to-face. Given that the interaction between people who are physically distant from one another must be mediated by a third party – a communications provider – both the latter and the state are also required to guarantee the integrity and confidentiality of communications systems.
There is a broad consensus in both doctrine and case law that traffic data should be included in the concept of communications that are constitutionally relevant to the prohibition on intrusion.
Widening the constitutional exception that allows the public authorities to intrude into telecommunications in the cases provided for in criminal procedural law would imply both expanding the scope of application of the restriction on the right to inviolability, and reducing the guarantee that only a judge can authorise such interventions by relegating the control of acts that affect fundamental rights to a merely administrative entity.
The Court concluded that the exceptions referred to in the constitutional precept are limited to matters regarding criminal proceedings. This is the only restriction on the right to the inviolability of communications which the Constitution authorises, and there can be no other interpretation that would make it possible to extend the restriction for other purposes. As such, the Court pronounced the norm before it unconstitutional.
The original rapporteur dissented from the Ruling and was accordingly replaced in that role. He sustained his views in a very extensive opinion. Another Justice concurred with the decision, but disagreed with the grounds for it.
In the view of the concurring Justice there is no absolute restriction on the exceptions to the constitutional precept, such as to mean that the authorities can only intrude into telecommunications in matters related to criminal proceedings. If such a restriction did exist (and unless the Constitution itself were to be revised), the security services could never intercept so-called traffic data. She argued that the understanding that such a restriction does exist is so narrow that it would preclude any solution to situations like the one in the present case – situations involving difficult problems of collisions between different fundamental rights (the right to freedom and the right to security) or different constitutional values, in which both sides of the conflict are intensely axiologically charged: on the one hand, the value ‘freedom’; on the other, the value ‘defence of the democratic constitutional order’. In her opinion the existence of intelligence services in an order in which the state is democratic and based on the rule of law is justified by the need to safeguard collective and individual legal assets to which constitutional axiology attributes a place that is no less important than that of the assets protected by criminalising penal norms. However, she considered that if the legislator wanted to include the possibility of intercepting telecommunications traffic data in the system of competences pertaining to the security services (SIRP, SIS and SIED), it would have to make the circumstances in which this access was legitimate as clear and precise as possible, in such a way as not to leave the administration free to weigh up the need for intervention without any legal limits. In her view the norm in the present case did not do this, and this was the reason she considered the norm to be unconstitutional.
The dissenting Justice argued that the norm before the Court was in conformity with the Constitution. He said that the issue here was the promotion of security as a constitutional value – as a form of active protection of the democratic model. He considered that the text of the Constitution serves as a ‘social contract’, with explicit and implicit self-defence clauses which construct the content of a function of ‘protecting the Constitution’ that not only legitimises a penal form of protection, but also what one might call an ‘administrative protection’ as well. He also said that the need for an authorisation from the CCP represented a concrete mechanism for controlling the need, appropriateness and proportionality of data interceptions, as required by the Constitution; and that in the particular context of the work of SIRP this procedure would have played a part whose axiological proximity to that of the judge in criminal proceedings would have made it equivalent to the latter’s role.
See Rulings of the Constitutional Court of Portugal nos. 198/85 (30-10-1985); 128/92 (01-04-1992); 355/97 (07-05-1997); 407/97 (21-05-1997); 241/02 (29-05-2002); 368/02 (25-09-2002); 306/03 (25-06-2003); 442/07 (14-08-2007); 70/08 (31-01-2008); 230/08 (21-04-2008); and 486/09 (28-09-2009).
Opinions of the Consultative Council of the Public Prosecutors’ Office (CC-PR), Complementary Opinion no. 16/94 of 26/10/1995; and Opinion 21/00 of 16/06/2000.
Opinion of the National Data Protection Commission (CNPD) no. 29/98 of 16/04/1998,
Judgement of the Court of Justice of the European Union of 08/04/2014, Digital Rights Ireland Ltd., Joined Cases nos. C-293/12 and C-594/12, declaring the Data Retention Directive 2004/26/EC invalid.
Judgement of the European Court of Human Rights of 06/06/2006, in Segerstedt-Wiberg and others v. Sweden, application no. 62332/2000; Judgement of 16/02/2000, in Amann v. Switzerland 95, application no. 27798/95; Judgement of 30/07/1998, in Valenzuela v. Spain, application no. 27671/95); and Judgement of 18/02/2003 in Prado Bugallo v. Spain, application no. 58496/00).
Federal Constitutional Court of Germany: BVerfG, 1 BvR 256/08 of 02.03.2010, Rn. (1-345); and ECLI:DE:BVerfG:2013:rs20130424.1bvr121507
Constitutional Court of Spain: Decision no. 49/99 of 5 April 1999; and Decision no. 184/2003 of 23 October 2003.
Judgement of the Supreme Court of Israel of 6 September 1999, Association for Civil Rights in Israel v. The General Security Service (1999): Concerning the Legality of the General Security Service’s Interrogation Methods, 38, I.L.M. 1471 (1999).