Criminal offences that are not particularly serious may justify access to personal data retained by providers of electronic communications services. Such access must not, however, constitute a serious infringement of privacy.
The CJEU concluded that access to data for the purpose of identifying the owners of SIM cards activated with a stolen mobile telephone, such as their surnames, forenames and, if need be, addresses constitutes an interference with their fundamental rights enshrined in the Charter. Nevertheless, the Court ruled that such interference is not sufficiently serious to entail access being restricted, in the area of prevention, investigation, detection and prosecution of criminal offences, to the objective of fighting serious crime (as allowed under the ePrivacy Directive).
The case stems from the Spanish police's request to access personal data in the context of an investigation of the robbery of a wallet and mobile telephone. The police requested that the investigating magistrate in charge of the case grant them access to data identifying the users of telephone numbers activated with the stolen telephone during a period of 12 days as from the date of the robbery.
Read more at https://curia.europa.eu/jcms/upload/docs/application/pdf/2018-10/cp180141en.pdf