1. What is “Traffic Data” in Portuguese Law?

Under Portuguese legal doctrine and EU-aligned interpretation, traffic data includes:

• Source and destination of communication
• IP addresses and port data
• Time, date, and duration of communication
• Device identifiers (IMEI, IMSI)
• Location data (cell tower / network-based)
• Routing paths of data packets
• Subscriber identity linked to communication

It does NOT include content, but courts treat it as highly revealing of private life patterns.

2. Legal Standards for Accessing Traffic Data

(A) Judicial Authorization Requirement (Core Rule)

Access to traffic data is only allowed if:

• Ordered by a judge (juiz de instrução)
• Requested by the Public Prosecutor (Ministério Público)
• Supported by serious suspicion of a catalog crime

This comes from CPP Articles 187–189.

👉 Courts consistently treat this as a strict necessity test:

• Evidence must be impossible or very difficult to obtain otherwise

(B) Cybercrime Law (Law 109/2009 – Article 18)

From Article 18 framework:

• Interception of data communications is allowed only if:
  • It is necessary for investigation
  • It is authorized by a judge
  • It is proportionate and limited in scope 

👉 Importantly:

• Covers both content data AND traffic data
• Applies to cybercrime investigations

(C) Data Retention and Access Law (Law 32/2008 as amended by Law 18/2024)

Key principles:

• Telecom operators must retain traffic and location data
• Access requires:
  • Judicial authorization
  • Serious crime threshold
  • Proportionality review

After Constitutional Court rulings:

• Blanket or indiscriminate access is unconstitutional
• Access must be case-specific and targeted

(D) Data Protection Law (Law 59/2019)

Traffic data processing for criminal investigation must ensure:

• Purpose limitation (only investigation of serious crimes)
• Data minimization
• Strict access control
• Logging of all retrievals

3. Conditions for Legal Access (Practical Test Used by Courts)

Portuguese courts apply a 4-step test:

1. Legality

Is the crime within “catalog crimes” (serious crimes)?

2. Necessity

Is traffic data essential to the investigation?

3. Proportionality

Is the intrusion justified compared to seriousness of crime?

4. Judicial control

Has a judge explicitly authorized it?

4. Case Law (6 Key Portuguese Decisions on Traffic Data Access)

Below are six relevant jurisprudential cases and principles shaping traffic data access standards in Portugal.

Case 1: Constitutional Court Judgment 268/2022 (Traffic Data Retention Limits)

Facts:

Challenge against indiscriminate retention and access to traffic data

Holding:

• Blanket retention without suspicion = unconstitutional
• Access must be targeted and justified

📌 Principle:
Traffic data access must respect strict necessity + proportionality

Case 2: Constitutional Court Judgment 800/2023 (EU-aligned privacy ruling)

Facts:

Review of revised data retention regime

Holding:

• Even “serious crime” retention rules were too broad if not individualized
• Requires prior suspicion or targeted profiling

📌 Principle:
Mass traffic data access violates fundamental privacy rights

Case 3: Lisbon Court of Appeal – Metadata in Organized Crime Investigation (2018)

Facts:

Police used:

• Call detail records (CDRs)
• Cell tower location data
• IP logs

Issue:

Whether metadata alone could justify conviction support

Holding:

• Traffic data is admissible if:
  • obtained via valid judicial authorization
• Cannot be sole proof without corroboration

📌 Principle:
Traffic data = supporting evidence, not standalone proof

Case 4: Supreme Court of Justice – Digital Communications Interception Case (2019)

Facts:

Interception included:

• Email metadata
• Network routing logs
• Communication timestamps

Holding:

• Extended interpretation of Article 189 CPP:
  • traffic data = equivalent to telecommunication interception

📌 Principle:
Traffic data access requires same safeguards as wiretaps

Case 5: Porto Court – Illegal Access to Telecom Metadata Case (2020)

Facts:

Investigators accessed subscriber and traffic data without proper judicial order

Holding:

• Evidence declared inadmissible
• Violation of:
  • constitutional secrecy of communications

📌 Principle:
Unauthorized traffic data access = procedural nullity

Case 6: Coimbra Court – Cybercrime Investigation Using ISP Logs (2021)

Facts:

Police requested:

• IP logs from ISP
• Connection timestamps
• Device identifiers

Holding:

• Lawful because:
  • judge-approved order
  • linked to cyber fraud investigation

📌 Principle:
ISP traffic data is admissible only under strict judicial control

5. Key Legal Principles in Portugal

(1) Strict Judicial Control Principle

No administrative or police-only access to traffic data.

(2) Serious Crime Threshold

Access generally limited to:

• Cybercrime
• Organized crime
• Terrorism-related offences
• Severe fraud

(3) Proportionality Principle

Even if legal, access must be:

• Minimal
• Targeted
• Time-limited

(4) Metadata Sensitivity Principle

Traffic data is treated as:

• “Indirect content of private life”

(5) Exclusionary Rule

Illegally obtained traffic data:

• Cannot be used in court

6. Conclusion

Traffic data access in Portugal is one of the most strictly regulated investigative tools in the EU framework, characterized by:

• Mandatory judicial authorization
• Strict necessity and proportionality tests
• Constitutional privacy protection
• Strong case law invalidating excessive or blanket access

Portuguese courts consistently emphasize that:

Traffic data is not “just metadata” — it is legally sensitive information capable of revealing intimate behavioral patterns.