– ECtHR Rules on Disclosure of Correspondence in Algirdas Butkevičius v. Lithuania –
On 14th June, the ECtHR ruled in the case of Algirdas Butkevičius v. Lithuania. The case concerned the recording of a telephone conversation between Mr. Butkevičius – at the material time Prime Minister of Lithuania – and the Mayor of a town concerning official matters. This recording was initially made in relation to a specific criminal investigation of political corruption. The recording was then passed to the Lithuanian Parliament’s Anti-Corruption Commission as also relevant to certain of their investigations. The Commission then held a public hearing in which the recording was discussed. A journalist present at these hearings subsequently published an article, including extracts of the recording, in relation to possible crimes and ethics violations. The story was ‘republished by the biggest news portals in the country, as well as aired on television channels’. Following a lack of success before domestic courts, the applicant appealed to the ECtHR, claiming ‘that the release into the public domain of transcripts of an intercepted telephone call between him and a mayor had amounted to a breach of Article 8 of the Convention.’ The Court found no violation. In doing so, the Court highlighted again that ‘Article 8 of the Convention “protects a right to personal development, and the right to establish and develop relationships with other human beings and the outside world”. The notion of “private life” does not exclude in principle activities of a professional or business nature.”’ The Court found in the case, however, that the interference was in accordance with the law, followed a legitimate aim, and was necessary. 
In relation to necessity, the Court highlighted both the suitability of the national authorities’ approach and reasoning – including concerning limitations on privacy in relation to official function – and the lack of demonstration of sufficiently serious consequences suffered by the applicant: ‘even if his reputation among his colleagues was affected by the disclosure of his telephone conversation, there are no factual grounds, let alone evidence, which he has put forward that would indicate that such an effect was so substantial as to have constituted a disproportionate interference with his rights guaranteed by Article 8 of the Convention.’
– A Broad Reading of the Right to Access: AG Pitruzzella’s Opinion in RW v Österreichische Post AG –
On 9th June, AG Pitruzzella advised the CJEU that the right to access to one’s data should be read broadly to include the exact list of recipients of the applicant’s data in RW v Österreichische Post AG. As to the facts of the case, in exercise of their right of access to their personal data, the applicant requested that the controller, the Austrian postal services, disclose to them the list of entities to whom their personal data had been disclosed. The controller restricted the answer to listing the categories of recipients. The postal services argued that the wording of Article 15(1)(c) GDPR – ‘the recipients or categories of recipients’ – allowed them to choose to disclose only the categories of recipients. The applicant challenged that interpretation and the question reached the CJEU via the preliminary ruling procedure. AG Pitruzzella interpreted Article 15(1)(c) GDPR to mean that the controller does not have a choice between disclosing the full list of recipients or only the categories of recipients, inter alia because that would contradict the transparency principle and the purpose of the right of access, which is to verify the lawfulness of the data processing – e.g. of the data transfer. Furthermore, he argued that, as the holder of the right of access to one’s data, the data subject should be able to request the full list to be disclosed where the list is available – i.e. where the data disclosure has taken place. Referring to Article 12(5) GDPR, AG Pitruzzella recalled that restrictions on the right of access could be imposed – e.g. where the request is ‘manifestly unfounded or excessive’. However, the controller has the burden of proof to demonstrate that such provisions are indeed applicable. We note that the Opinion is convincing and would lead to more transparency. It remains to be seen whether the CJEU will follow the AG’s advice.
On 16th June, the EDPB adopted the following two documents:
‘[G]uidelines on certification as a tool for [international] transfers’. See below for more information.
‘[D]ispute resolution decision on the basis of Art. 65 GDPR’. The case concerns a complaint against Accor SA regarding the right to object to marketing emails and the right of access to personal data. The binding decision resolves the objections raised against the draft decision of the Lead Supervisory Authority (LSA), which is, in casu, the CNIL.
The documents will be published shortly on the EDPB website.
– EDPB Publish Guidelines on Certification as a Tool for Transfers –
On 16th June, the EDPB announced the adoption of ‘guidelines on certification as a tool for transfers’. According to the EDPB: ‘The main purpose of these guidelines is to provide further clarification on the practical use of this transfer tool.’ In terms of content, the EDPB observe that: ‘The guidelines are composed of four parts, each focusing on specific aspects regarding certification as a tool for transfers, such as the purpose, scope and the different actors involved; implementing guidance on accreditation requirements for certification bodies; specific certification criteria for the purpose of demonstrating the existence of appropriate safeguards for transfers; and the binding and enforceable commitments to be implemented.’ In terms of the relationship between the Guidelines and other EDPB materials, the EDPB note that: ‘The guidelines complement guidelines 1/2018 on certification, which provide more general guidance on certification.’ At the time of writing, the Guidelines are not yet publicly available. They will be made available on the EDPB website, however, as soon as the requisite ‘legal, linguistic and formatting checks’ have been completed. The Guidelines will then be open for public consultation until the end of September. The Guidelines will doubtless be of high interest for the data protection community – dealing, as they do, with two fascinating and dynamic aspects of the area of law: certification, and transfers.
– CNIL Strict on Google Analytics –
According to Euractiv, referring to a Q&A communication on the CNIL’s website, the use of Google Analytics would not be legal without a new EU-US data transfer agreement – even if Google Analytics were reconfigured. The CNIL reportedly clarified that ‘“[e]ven in the absence of a transfer, the use of solutions proposed by companies subject to non-European jurisdictions is likely to pose difficulties in terms of access to data”’. The article highlighted that the CNIL was also not satisfied with the proposal to encrypt and anonymize the data, because, with all the personal data Google collects through its other services, re-identification of the data could not be excluded, and because the fact that Google Analytics stores the encryption keys means that encryption cannot be effective. According to the article, the CNIL currently recommends consent as the only basis for the data transfer. However, the article highlights that the CNIL finds this problematic, too, because ‘this is no “permanent and long-term solution” as this exemption only applies to non-systematic transfers.’ The article observes that the CNIL recognises that a potential solution could be ‘using a proxy to avoid any direct contact between the devices of internet users and Google servers’, but also that the CNIL considers this might be difficult and costly to implement in practice. The article makes reference to the recent announcements by the European Commission that a new data transfer agreement is in the making, but also recalls that there seems to be no concrete proposal on the table yet.
– EDPB Response on the Interplay between PSD2 and GDPR –
On 22nd May, the EDPB issued a response to a letter, sent on 31st January, dealing with concerns ‘regarding the Guidelines 06/2020 on the interplay of the Second Payment Services Directive (PSD2) and the General Data Protection Regulation (GDPR) adopted on 17 July 2020.’ Whilst the EDPB does not elaborate on, or appear to engage extensively with, the substance of the concerns in the original letter, the Board highlights the significant consultation process behind the adoption of the Guidelines – in which certain views which reflect ‘the concerns raised in [the] letter’ were expressed – and thus further highlights that it ‘considers it is not necessary to revise [the] Guidelines for the moment.’ The Board then observes that: ‘payment service providers can turn to their national supervisory authorities if they require more information and clarifications on these Guidelines.’ The Board finally highlights ‘the possibility for the payment sector to prepare and submit, in accordance with Article 40 of the GDPR, a code of conduct for approval by their national supervisory authority… Such a code of conduct would specify the application of the GDPR in relation to the processing of personal data by payment service providers, in the context of services that fall under the PSD2, and provide further solutions and legal certainty for the sector’. The EDPB response is most likely to be of relevance to those with a specific interest in data protection and PSD2.