Impact Of Gdpr On Criminal Evidence Collection
The GDPR, effective since 2018, regulates the processing of personal data in the EU. Although criminal evidence collection by law-enforcement is primarily governed by the Law Enforcement Directive (Directive 2016/680), GDPR still heavily influences:
rules on data access
admissibility of evidence
proportionality requirements
retention and disclosure
rights of the accused
obligations of investigators
Because many criminal investigations involve private-sector data holders (telecom companies, banks, social networks), GDPR’s principles apply indirectly but significantly.
Core GDPR Principles Affecting Criminal Evidence
Purpose Limitation
Data collected by companies cannot be given to police unless there is a lawful basis.
Data Minimization
Only necessary data may be requested.
Proportionality & Necessity
Law-enforcement requests must be justified.
Transparency & Rights of Individuals
Access and deletion rights may be limited in investigations but must be justified.
Accountability
Public authorities must maintain records, justify requests, and ensure secure handling.
Important Case Laws Illustrating GDPR’s Impact on Criminal Evidence Collection
1. Digital Rights Ireland v. Ireland (CJEU, 2014)
(Although pre-GDPR, its principles are fully incorporated into the GDPR and subsequent cases.)
Facts
EU Data Retention Directive required telecom providers to store traffic and location data of all users.
Challenged for violating privacy.
Legal Issue
Whether mass retention of metadata is proportionate for crime-fighting goals.
Judgment
Court struck down the Directive.
Held that mass, indiscriminate data retention violates fundamental rights and cannot be used as evidence ground unless based on limited, proportionate retention.
Impact
Led GDPR lawmakers to adopt strong proportionality rules.
Limited blanket retention that police relied on for criminal investigations.
Evidence collected through indiscriminate retention risks inadmissibility.
2. Tele2 Sverige AB v. Post-och telestyrelsen and Watson (CJEU, 2016)
Facts
Challenges to national laws requiring telecom data retention for police access.
Legal Issue
Whether states may impose broad data-retention obligations on private companies.
Judgment
Court held that only targeted retention for serious crimes is lawful.
Access must be subject to:
prior judicial approval
strict necessity tests
Impact
GDPR-aligned principles restrict police from obtaining telecom data without meeting strict standards.
Criminal evidence obtained without proportional review may be challenged in court.
3. Ministerio Fiscal (CJEU, 2019)
Facts
Police requested mobile phone data to identify theft suspects.
Data requested was not highly sensitive (just subscriber ID).
Issue
Whether minimal intrusion data—like subscriber information—requires strict judicial oversight.
Judgment
For non-sensitive, minimal data, strict prior judicial authorization is not always required if intrusion is low.
Impact
Clarified that GDPR allows flexibility when collecting low-level data.
Helps police obtain basic evidence more efficiently, provided proportionality is respected.
4. La Quadrature du Net (CJEU, 2020)
Facts
Challenged national surveillance and data retention systems in France and Belgium.
Legal Issue
Whether national security or anti-crime reasons justify bulk data storage.
Judgment
Court reaffirmed:
No general and indiscriminate data retention, except temporary emergency situations.
Access by law enforcement must strictly comply with proportionality.
Impact
Criminal prosecutors cannot rely on evidence from blanket surveillance systems.
Forced EU countries to revise criminal data access laws and police practices.
5. Prokuratuur (Estonia) (CJEU, 2021)
Facts
Police accessed retained telecom data for criminal investigations without judicial authorization.
Issue
Whether prosecutors may authorize access to retained telecom data.
Judgment
Access must be granted by a court or independent administrative body.
Prosecutors are not sufficiently independent for authorization.
Impact
Strengthened procedural safeguards.
Many EU states revised police evidence-gathering procedures.
Evidence collected without independent oversight risks being excluded.
6. H.K. v. Prokuratuur (CJEU, 2021)
Facts
Data collected for serious crime investigations was later used for minor offences.
Legal Issue
Can data collected for one purpose be used for another?
Judgment
Use of retained data must be limited to the purpose for which it was collected.
Using it for minor crimes violates GDPR-inspired principles of purpose limitation.
Impact
Prevents police from reusing large datasets for unrelated investigations.
Protects defendants from unlawful evidence repurposing.
7. Bundesrepublik Deutschland v. SpaceNet AG (CJEU, 2022)
Facts
German law demanded broad, preventive data retention by telecom firms.
Legal Issue
Whether a member state can compel telecom data retention to assist criminal investigations.
Judgment
Reaffirmed that general preventive data retention is unlawful under EU law.
Only targeted, situation-based retention permissible.
Impact
Further restricted European law enforcement’s ability to request mass datasets.
Ensures GDPR principles of minimal data processing in criminal matters.
Overall Impact of GDPR on Criminal Evidence Collection
Positive Impacts
1. Enhanced Protection of Fundamental Rights
Reduced arbitrary surveillance.
More independence and judicial oversight required for data requests.
2. Better Data Governance by Police
Logs, privacy assessments, and data retention controls mandatory.
Increased accountability in evidence handling.
3. Clear Limitations for Private Companies
Telecom and digital service providers cannot hand over data unless GDPR conditions are met.
Prevents excessive data disclosure to authorities.
Challenging Impacts
1. Investigative Limitations for Serious Crimes
Restrictions on metadata retention make it harder to:
track organized crime
trace communications
identify suspects after long periods
2. Increased Litigation Over Evidence Admissibility
Defense lawyers challenge evidence obtained without proper GDPR compliance.
Courts sometimes exclude unlawfully obtained data.
3. Tension Between Public Safety and Privacy
States argue for broader powers due to terrorism or cybercrime threats.
GDPR and CJEU decisions largely favour privacy.
Conclusion
The GDPR has had a significant, transformative impact on criminal evidence collection across Europe. It:
limits indiscriminate data retention
mandates judicial supervision
protects privacy and proportionality
guides courts in assessing evidence admissibility
The case laws show the evolution from broad data access for law enforcement to a tightly regulated, rights-respecting model in which the police must balance investigation needs with privacy protections.
RELATED Blog
comments