Criminal conviction based on emails from the defendant that were obtained from a third party’s email account.
This publication analyses the judgment dated 13 February 2025 handed down by the European Court of Human Rights (hereinafter, ‘ECHR’) in the case of Macharik v. Czech Republic, which upheld a claim for violation of fundamental rights enshrined in the European Convention on Human Rights (hereinafter, the ‘Convention’).
The resolution addresses a case in which, in the context of criminal proceedings, the District Court No. 3 in Prague, relying on the criminal procedural rules of the Czech Republic, issued a communications interception order, requesting a communications service provider to forward all messages received in the email inbox of a certain company, including all available information about the registered user of that inbox, as well as the content of all messages.
Among the information gathered by the service provider, several messages from the claimant were found that had been forwarded by a third suspect to the owner of the intercepted email account. This led to an investigation against the claimant, who requested on several occasions that her emails be removed from the criminal proceedings, as the order that had allowed the interception of her communications had no legal basis.
Admitting the validity of these messages and considering them sufficient evidence for the prosecution – since they were decisive in proving the fictitious nature of certain contracts and invoices that compromised the applicant – a conviction for tax fraud was handed down against the applicant before the ECHR, on the understanding that the judicial body that had issued the order was competent to do so and that the measure complied with the legal requirements, as the judicial authorities considered that the proportionality test had been duly carried out.
This ruling was appealed, with the convicted party arguing that the incriminating evidence had been brought into the proceedings unlawfully, insofar as, under national law, access to certain operational and location data was permitted, but in no case did the applicable legislation – the Electronic Communications Act – allow access to the content of the messages contained in the intercepted email. In accordance with this regulation, the appellant stated that communications service providers were not authorised to store the content of such messages.
Both the Court of Appeal and, subsequently, the Supreme Court dismissed the appeals, confirming in both cases the judgment handed down at first instance. Both courts found that, despite certain formal defects, the interception order had a legal basis, since (i) the interference had been proportionate to the nature of the criminal offence under investigation, (ii) it had been limited solely to the period corresponding to the commission of the offence, and (iii) only the information necessary for the investigation had been collected.
Having exhausted domestic remedies, the convicted person, under Article 34 of the Convention, lodged an application with the ECHR, alleging a violation of Articles 8 and 6.1 of the Convention.
In this regard, Article 8 of the Convention recognises the right of everyone to respect for their private life, home and correspondence, and adds that ‘there shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime (…)’.
According to the applicant, the order to intercept communications, which had already been challenged in domestic courts, had no legal basis since national regulations only allowed for the collection of communications data, but not the content of communications, and therefore the order was based on an erroneous legal basis.
In order to determine whether such a violation had occurred, the ECHR analysed two aspects: first, whether there had been interference and, second, whether that interference was justified.
In its judgment, the ECHR clearly accepts that interference occurred, understanding that, given that the measure had been applied to the email account of a company to which a third party had forwarded emails from the applicant, the latter had a clear and reasonable expectation that the privacy of her communications would be respected.
The interpretation made by the ECHR is particularly relevant in recognising that messages contained in professional emails, despite having a lesser degree of impact on the right to privacy, are considered ‘correspondence’ and, therefore, Article 8 of the Convention applies (Copland v. United Kingdom, No. 62617/00, 7 December 2006, Tena Arregui v. Spain no. 42541/18, 11 January 2024).
On the other hand, in order to determine whether such interference was justified, the case law of the ECHR requires not only a formal legal basis, but also the establishment of clear, adequate and sufficient safeguards to limit state discretion, prevent abuse and protect the individual from possible arbitrary actions.
Having analysed the internal regulations on which the order to intercept the emails was based, the ECHR understands that communication service providers were indeed not permitted to store the content of such messages.
In view of this, the ECHR ruled that the way in which the national courts interpreted and applied the legal provisions was inconsistent and demonstrated the lack of clarity of the regulatory framework, stating that the minimum standards of foreseeability and precision required by the Convention had not been met. The ECHR therefore considered that such interference was not justified, finding that Article 8 of the Convention had been violated.
The Court of Justice of the European Union (hereinafter, ‘CJEU’) has also ruled in this regard, whose case law on the mass storage of telecommunications data has evolved, establishing strict limits on the obligations to retain or make this type of data publicly available. Thus, the CJEU annulled Directive 2006/24/EC because it imposed a general and indiscriminate obligation to retain the communications data of all users without differentiating or limiting the purpose for which such data was stored, which constituted a serious and disproportionate interference with the fundamental rights to respect for private life and data protection enshrined in the Charter of Fundamental Rights of the EU.
The CJEU understands that national legislation requiring the general and indiscriminate retention of location data is contrary to EU law.
The conclusion reached by the CJEU is that the mass and indiscriminate retention of telecommunications data cannot be justified solely for the purposes of combating crime or general security, but that data retention must be clearly justified – complying with the requirements of suitability and necessity in relation to the objective pursued –, limited in time and subject to judicial controls (among others, TELE2 SVERIGE A.B. and WATSON and Digital Rights Ireland).
On the other hand, the judgment analysed resolves the invocation of the fundamental right set out in Article 6.1 of the Convention, which recognises the right to a fair trial and to have any case heard by an impartial tribunal. According to the ECHR, this issue must be analysed by considering whether the proceedings as a whole were fair, examining whether the applicant was given the opportunity in domestic proceedings to challenge the authenticity of the evidence and to oppose its use.
The ECHR concludes that, given that the applicant had the opportunity to oppose the use of the evidence obtained, there was no violation of the aforementioned Article 6 of the Convention.
As will be analysed below, the above is particularly relevant in the context of domestic investigations.
Firstly, because the legal regime for obtaining information stored on a seized personal computer is not the same as that for obtaining information stored on telecommunications servers, although both are based on the principles of legality, necessity, proportionality and judicial control.
In the case of a personal computer, there is a specific interference linked to the content existing and stored on the device, which normally affects the right to privacy enshrined in Article 18.1 of the Spanish Constitution (hereinafter, SC).
However, in the case of obtaining data held by third-party telecommunications service providers (communication content, traffic data associated with a specific communication process), the interference usually affects the right to secrecy of communications set out in Article 18.3 of the Spanish Constitution – although sometimes, depending on the type of data, it only affects the right to privacy under Article 18.1 of the Spanish Constitution—and on the protection of personal data (Article 18.4 of the Spanish Constitution) because the data is generated in the context of a communication and is not previously stored files. In this regard, the aforementioned case law of the CJEU applies.
On the other hand, given that telecommunications servers lack the legitimacy to store data indiscriminately and indefinitely, the perspective of the right to privacy and data protection leads us to consider how long a company can retain the telecommunications data that its employees maintain through the use of ICT devices made available to them for work purposes.
In this regard, neither the General Data Protection Regulation at European level nor the Organic Law on Personal Data Protection and Guarantee of Digital Rights (hereinafter LOPDGDD) at national level establish a specific time limit, but rather stipulate that data must be retained ‘for no longer than is necessary for the purposes of processing’ and that there is an obligation to block or delete data when it is no longer necessary. Therefore, the retention of data from electronic devices must be assessed on a case-by-case basis and in accordance with the purposes for which such data are retained.
What national and international regulations do establish is the need to justify the data retention period, for which the company must be able to explain what specific data it retains, for what purpose it is retained, and for how long it is retained.
In conclusion, both the information collected by communications service providers and the information stored on personal electronic devices constitute an important source of evidence in both internal investigations and legal proceedings, although it should be noted that their validity under the case law of the ECHR and the CJEU is limited.
In this regard, the Macharik v. Czech Republic judgment sends a clear message: access to emails is one of the most intrusive forms of interference in private life and therefore requires a particularly strict standard of foreseeability, proportionality and judicial control.