– CJEU: Parliamentary Committees Supervising National Security Authorities Are Subject to the GDPR –
On 16th January, the CJEU ruled in Österrreichische Datenschutzbehörde v WK that parliamentary committees which supervise national security authorities should comply with the GDPR. As to the facts of the case, the applicant in the main proceedings, WK, was heard as a witness by a Parliamentary Committee which was set up to investigate whether there had been political influence over the Austrian National Security Authority. WK requested anonymity. However, the minutes of the hearing were published online by the Austrian Parliament, including WK’s full first and family name. WK submitted a complaint to the Austrian Data Protection Authority (DPA), which was rejected, because the DPA argued that it, as a part of the executive, is not authorized to exercise supervisory powers over the legislature. Eventually, the dispute reached the CJEU with the following three questions: (1) may a DPA scrutinise parliamentary committees?; (2) if yes, may it scrutinise those parliamentary committees which supervise national security authorities?; and (3) may the DPA set up under the GDPR perform the scrutiny, i.e. do its supervisory powers arise directly from the GDPR? With regard to question (1), the CJEU answered in the affirmative, arguing that ‘the exception to the scope of the GDPR provided for in Article 2(2)(a) of that regulation refers only to categories of activities which, by their nature, fall outside the scope of Union law, and not to categories of persons, depending on whether they are private or public in nature, or, where the controller is an official authority, to the fact that its tasks and duties fall directly and exclusively within the scope of a given public power, without that power being connected with an activity which in any event falls outside the scope of Union law’. As to question (2), the CJEU established that ‘the activities of a committee of inquiry set up by the parliament of a Member State in the exercise of its power of scrutiny over the executive, the purpose of which is to investigate the activities of a police State-protection authority on account of a suspicion of political influence over that authority, cannot, as such, be regarded as activities concerning national security which fall outside the scope of Union law’. It clarified that should, in the course of the inquiry, data related to national security be processed, then Member States may make use of Article 23 GDPR – on restrictions to the data protection principles and rights – including in order to protect national security. Finally, with regard to question (3), the CJEU ruled that when, ‘within the framework of its discretion, a Member State has chosen to establish a single supervisory authority, it cannot rely on provisions of national law, be they constitutional in nature, in order to exclude the processing of personal data coming within the scope of the GDPR from the supervision of that authority’. Hence, the GDPR is to be interpreted as conferring directly upon the DPA supervisory powers as established under national law.
– ECtHR Rules on the Publication of HIV Status Data –
On 23rd January, the ECtHR ruled in the case of O.G. and Others v. Greece. In terms of the facts as they concern data protection, the case involved two sets of arrests of women on suspicion of illegal prostitution. Each set of arrested women were tested for HIV. In relation to women who were tested positive for HIV, the prosecutor initiated criminal proceedings for a range of offenses – including offenses related to the infliction of bodily harm, and offenses related to prostitution. The prosecutor also authorised the disclosure of the photos and names of the women, the reasons proceedings had been brought against them, and their HIV status. In certain cases, the information was then the subject of media coverage. In one case, a false name was given, and the uninvolved person also had their name published. In certain cases, whilst the women attempted to have the order legitimating the disclosure of their information overturned, they were not successful. The uninvolved person did manage, after several attempts, to have their name corrected in the file. This person, however, claims that this was not notified to her, and that her name was not corrected in the case-file itself. Whilst, in certain cases, an appeal was lodged with the DPA, this was dismissed. The applicants complain that the prosecutor did not justify the publication of their data, that there was no consideration of the proportionality of publication, that other alternative and less-invasive measures should have been considered, and that the publication of HIV status was in any case unwarranted. The Court decided, drawing on its ruling in Margari, that there had been a violation of Article 8. The Court decided that the disclosure was of a particularly sensitive nature, that the prosecutor had indeed failed to consider less invasive measures – for example a more general disclosure geographically limited to the region where the applicants were arrested – and that the prosecutor did not consider the specific circumstances of the applicants or the impact the disclosure might have on them. In its judgment, the Court also highlighted the lack of possibility for the applicants to be heard by the prosecutor before the dissemination of their information, as well as their limited possibilities of appeal. Unfortunately, at the time of writing, the case was only available in French. As none of the authors is fluent in French, an electronic translation was used to produce this report. We cannot guarantee that there were no mistakes in this translation, or that these mistakes were not replicated in this report. Accordingly, we urge all interested readers to consult the primary materials themselves.
On 25th January, AG Richard De La Tour advised the CJEU to rule that not complying with the information obligations of the controller could constitute an infringement of the GDPR which can be subject to representative action under Article 80(2) GDPR in Meta Platforms Ireland Limited v Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V.. As to the facts of the case, the Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V. (‘Federal Union‘) wanted to submit a complaint as a representative action under Article 80(2) GDPR against Meta Platforms for not properly informing its users about the processing of their personal data according to Articles 12 and 13 GDPR before obtaining their consent for the processing of their data in the framework of the games offered in the app centre of Meta Platforms Ireland. Unsure about the scope of the provision, the German Federal Court of Justice asked the CJEU whether ‘the representative action that has been brought by the Federal Union fulfils the condition laid down in Article 80(2) of the GDPR, namely that the entity that has brought that action must consider that the rights of a data subject under that regulation have been infringed ‘as a result of the processing’ of personal data’. In his analysis, the AG examined the concept of ‘processing’ and ‘as a result of the processing’. He argued that the information obligation does not constitute ‘processing’, but is one of the conditions for the lawfulness of the processing, as it forms one of the conditions for the validity of consent (one of the possible legal bases for data processing). In addition, the right to information is one of the rights of the data subjects. Because the right to information precedes the stage where the data are actually processed, it can be considered that not properly informing data subjects about the processing of their data can still constitute an infringement which resulted from the processing: ‘It follows that the requirement according to which an entity can bring a representative action under Article 80(2) of the GDPR if it considers that the rights of a data subject provided for in that regulation have been infringed ‘as a result of the processing’ does not, in my view, require that that entity invoke the infringement of such rights which results from a data processing operation within the meaning of point 2 of Article 4 of that regulation, and which is therefore subsequent to such an operation. It is sufficient for it to note the existence of a link between the processing of personal data and the infringement of rights protected by the GDPR’. The AG continues by stating that it ‘is therefore irrelevant in this case that the Federal Union is invoking the infringement of an information obligation regardless of whether or not a data subject clicks on the ‘Play now’ button in the App Center, since such an obligation, in so far as it is liable to affect the conditions of lawfulness of the processing resulting from the activation of that button, is indisputably linked to that processing.