Referral C-427/25 (Uffida, 26 Jun 2025)

May Article 15(1) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, 1 as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009, 2 read in the light of Articles 7, 8, 11 and 52 of the Charter of Fundamental Rights of the European Union, and in the framework of the new rules on electronic evidence (Articles 3, 5 of Regulation 2023/1543), 3 be interpreted as meaning that access by public authorities to electronic data consisting of log files that record a user logging in to and out of a system or an application with the associated IP addresses and time stamps (and thus relating to a specified period), where the sole aim is to identify the perpetrator of an offence – for the purposes of the prevention, investigation, detection and prosecution of offences – constitutes interference with the fundamental rights of the data subjects, which (unlike in the case of traffic and geolocation data) is not serious enough to have to limit that access to the prevention of serious crime, and may instead extend to all criminal offences?

In the alternative, where the Court considers that access to log files (consisting of records of a user logging in to and out of a system or an application with the associated IP addresses and time stamps), even where the sole aim is to identify the perpetrator of a criminal offence, could constitute serious interference with the fundamental rights of the data subjects, as enshrined in the Charter of Fundamental Rights, may Article 15 of Directive 2002/58/EU be interpreted as meaning that the need to investigate and prosecute criminal offences committed online – where the perpetrator can only be identified by accessing electronic data such as log files, and given that the internet is typically anonymous – is capable of justifying access to the personal data processed by service providers (including traffic and location data), regardless of the ‘seriousness’ of those offences, as defined by the Member States, and if so may national legislation which provides for this be considered appropriate, proportionate to the intended purpose and necessary within a democratic society, including with regard to safeguarding the right to confidentiality and the identity of the victims of such offences?