– CJEU Strengthens the Role of DPAs in ‘Indirect Access’ Cases under the LED –
On 16th November, the CJEU delivered its judgment in Ligue des droits humains ASBL, BA v Organe de contrôle de l’information policière, in which it boosted the decision-making powers of DPAs when evoked to exercise the rights of the data subjects against law enforcement authorities on their behalf, i.e. indirectly. As we summarized the facts of the case on 22.06.2023: ‘a Belgian individual applied for a security clearance before taking up a job. The Belgian National Security Authority refused to issue him this certificate on the grounds that he had participated previously in demonstrations. In order to challenge the refusal, the applicant in the main proceedings requested access to the information as to which authorities had entered the data in the respective police records and access to the personal data entered in these records. The access was refused under the Belgian law implementing the LED (‘LPD’), because under this law individuals may not receive any access to the data processed by the law enforcement authorities and any additional information about the processing of their data. They may only request the supervisory authority to check the lawfulness of the processing and to receive only information that the necessary checks have been carried out. By contrast, under the LED individuals should have direct access to the data and only where it is restricted in individual cases, should the right of access be exercised via the supervisory authority which should provide ‘at least’ information that the necessary checks have been carried out (Article 17 (3) LED). During the legal proceedings in Belgium, the following two questions were sent for preliminary ruling: (1) may the answer by the supervisory authority that the necessary checks have been carried out be challenged in court? and (2) is Article 17 LED compatible with the requirement for independence of the data protection supervisory authorities and the fundamental right to effective judicial remedies under the Charter (Article 8(3) and Article 47 Charter respectively)?’ In response to the first question, the Court held that when a DPA informs a data subject of the result of the verification of the legality of the data processing by the controller, it adopts a ‘legally binding’ decision which may be challenged in court, i.e. individuals enjoy the right to effective remedies against such decisions. As to the second question, the CJEU ruled that, in principle, the validity of Article 17 LED as such is not called into question when examined on the basis of Article 52(1) CFREU (restrictions on fundamental rights, including independent supervision under the fundamental right to data protection and the right to effective remedies). The CJEU also ruled, however, that national implementations of Article 17(3) LED should grant DPAs the discretion to communicate more information to data subjects, on a case-by-case basis and following a ‘confidential dialogue’ with the controller, than the information that the necessary verifications have taken place. We interpret the latter to suggest that the Belgian implementing provisions on Article 17 LED might be incompatible with EU law.
– CJEU Rules on Vehicle Identification Numbers –
On 9th November 2023, the CJEU ruled in the case of Gesamtverband Autoteile-Handel eV v Scania CV AB. In terms of the facts, the case concerned the legal obligation of the defendant – a manufacturer of heavy goods vehicles – to provide information related to its vehicles, including Vehicle Identification Numbers (VINs), in an accessible form. The core of the case dealt with issues largely removed from data protection law. One question concerning data protection, however, was referred to the Court: ‘Does Article 61(1) of Regulation [2018/858] constitute, for vehicle manufacturers, a legal obligation within the meaning of Article 6(1)(c) of the GDPR which justifies the disclosure of VINs or information linked to VINs to independent operators as other controllers within the meaning of point 7 of Article 4 of the GDPR?’ – for reference, Article 61(1) of Regulation 2018/858 concerns the obligation on manufacturers to provide ‘to independent operators unrestricted, standardised and non-discriminatory access to vehicle OBD information, diagnostic and other equipment, tools including the complete references, and available downloads, of the applicable software and vehicle repair and maintenance information’ as well as the obligation to provide this information ‘in an easily accessible manner in the form of machine-readable and electronically processable datasets’. The Court eventually concluded that ‘Article 61(1) of Regulation 2018/858…must be interpreted as meaning that it establishes a ‘legal obligation’, within the meaning of Article 6(1)(c) of’ the GDPR ‘on car manufacturers, to make the VINs of the vehicles which they manufacture available to independent operators, as ‘controllers’, within the meaning of Article 4(7) of that regulation’. Perhaps more interesting than this final conclusion, however, are the Court’s considerations of whether VINs constitute personal data. The Court decided that VINs need not constitute personal data, but could constitute personal data. The Court stated, in this regard: ‘where independent operators may reasonably have at their disposal the means enabling them to link a VIN to an identified or identifiable natural person, which it is for the referring court to determine, that VIN constitutes personal data for them…and, indirectly, for the vehicle manufacturers making it available, even if the VIN is not, in itself, personal data for them, and is not personal data for them in particular where the vehicle to which the VIN has been assigned does not belong to a natural person’. The Court thus seems to confirm previous case-law in recognising the possibility that data may be anonymous to one controller, whilst being personal data to another. The judgment, however, does not offer any further clarification.
– ECtHR Rules on Lawyer-Client Confidentiality –
On 14th November, the ECtHR ruled in the case of Canavcı and Others v. Türkiye. In terms of the facts, the case concerned individuals who had been arrested in connection with the attempted coup d’état in Turkey in 2016. Following their arrest, decisions were made to monitor and record meetings with their lawyers. In two cases, decisions were made by Public Prosecutors’ Offices, and in one case apparently by some other party. In each case, the legal justification offered was emergency legislation enacted after the coup. The applicants complained before national instances regarding infringements of their rights – including rights to privacy and to a fair trial. These applications were, however, largely unsuccessful. Accordingly, the defendants complained to the ECtHR: ‘that the monitoring by an officer of their lawyers’ visits and the recording of those meetings by means of technical devices had contravened their right to confidential communication with their lawyers, in breach of their right to respect for their private life under Article 8 of the Convention. Relying on Article 13 of the Convention, they also complained of a lack of an effective domestic remedy in that respect’. In light of the law and the complaints, the ECtHR decided it would be ‘appropriate to examine the facts complained of solely from the standpoint of Article 8’. In this regard, the Court found a violation of Article 8. The Court highlighted ‘that a person’s communication with a lawyer in the context of legal assistance falls within the scope of private life since the purpose of such interaction is to allow an individual to make informed decisions about his or her life’. The Court thus also recognised an interference resulting from the monitoring of meetings between clients and lawyers. Regarding the case in which a decision to monitor was made without the involvement of the Public Prosecutor’s Office, the Court found this lack of involvement already constituted grounds to find that ‘the interference was not “in accordance with the law”’. With regard to the cases in which Public Prosecutors’ Offices had been involved, the Court considered: ‘that the discretion enjoyed by the public prosecutors in imposing restrictions on the applicants’ communication with their lawyers was not subject to any conditions, that the scope of that discretion and the manner of its exercise were not defined and that no other specific guarantees were provided in that regard. This being so’ the Court ‘considers that, in the circumstances of the present case, the adoption of the impugned measures against the applicants, which were enforced for a limited period during the state of emergency, was liable to be arbitrary and incompatible with the requirement of lawfulness’. Whilst the Court recognised the need for leeway in relation to states facing public emergencies, it considered that, in this case, ‘the absence of any safeguards against arbitrariness and abuse in’ the relevant national emergency legislation ‘cannot be regarded as having been justified by the respondent State’s derogation of 21 July 2016 under Article 15 of the Convention’.