Data Protection Insider, Issue 129

-CJEU: The Logic of Profiling Technologies Should be Transparent, Even Where Trade Secrets Are Concerned-

On 27th February, the CJEU ruled that profiling agencies should be transparent about the logic involved in profiling technologies and should disclose details about it at least to DPAs and courts, even where their trade secrets might be at stake, in CK v Magistrat der Stadt Wien. As to the facts of the case, the applicant in the main proceedings, CK, was refused the conclusion or extension of a contract with a mobile phone operator, which would have required a monthly fee of 10 Euros. The motivation was that CK did not have a satisfactory credit rating, as performed by a third party (D&B). CK requested transparency as to how her credit rating was performed on the basis of the right of access to her data (Article 15(1)(h) GDPR). Her access request was turned down on the grounds that the disclosure of information on the algorithmic assessment of her creditworthiness would breach the trade secrets of D&B. Thus, two sets of issues emerged from the case and reached the CJEU as a set of preliminary ruling questions: (1) how to interpret the requirement in Article 15(1)(h) GDPR that ‘meaningful information about the logic involved’ should be disclosed to the concerned data subject; and (2) how to balance the right of access to such information with the protection of trade secrets. With regard to the first question, the CJEU engaged in a contextual, purposive and linguistic examination of the requirement for providing ‘meaningful information about the logic involved’ in profiling technologies. 
Thus, it ruled that ‘the examination of the purposes of the GDPR and, in particular, those of Article 15(1)(h) thereof that the right to obtain ‘meaningful information about the logic involved’ in automated decision-making, within the meaning of that provision, must be understood as a right to an explanation of the procedure and principles actually applied in order to use, by automated means, the personal data of the data subject with a view to obtaining a specific result, such as a credit profile. In order to enable the data subject effectively to exercise the rights conferred on him or her by the GDPR and, in particular, Article 22(3) thereof, that explanation must be provided by means of relevant information and in a concise, transparent, intelligible and easily accessible form’. The CJEU suggested that in casu ‘the referring court could, inter alia, find that it is sufficiently transparent and intelligible to inform the data subject of the extent to which a variation in the personal data taken into account would have led to a different result’. It also ruled that the concept of ‘meaningful information’ should include an explanation of the differences between the profiling performed by D&B and the profiling performed by the telephone company and the different results they reached. In addition, the CJEU ruled that the data subject’s right to verify the accuracy of the data stems from the general provisions on the right of access, not specifically from Article 15(1)(h) GDPR. 
As to the second question, the CJEU ruled that ‘Article 15(1)(h) of the GDPR must be interpreted as meaning that, where the controller takes the view that the information to be provided to the data subject in accordance with that provision contains data of third parties protected by that regulation or trade secrets, within the meaning of point 1 of Article 2 of Directive 2016/943, that controller is required to provide the allegedly protected information to the competent supervisory authority or court, which must balance the rights and interests at issue with a view to determining the extent of the data subject’s right of access provided for in Article 15 of the GDPR’.

-CJEU Rules on Auxiliary Administrative Bodies as Controllers-

On 27th February, the CJEU ruled in the case of Amt der Tiroler Landesregierung v Datenschutzbehörde. In terms of the facts, the case concerned the activities of ‘the Office, an auxiliary administrative entity in the service of the Governor and the Provincial Government of Tyrol’, which ‘sent a ‘vaccination reminder letter’ to all adults residing in the Province of Tyrol who had not yet been vaccinated against that virus. For the purpose of identifying the addressees of those letters, the Office appointed two private companies, which conducted a cross-check of data in the central vaccination register and the patient index, which referred to their residential address’. One of the addressees of these letters filed a complaint before the DPA, alleging the unlawful processing of their data. The DPA concluded the activities of the Office in this context were unlawful, as it did not have the right to consult the vaccination index. The Office appealed against this decision before the local courts, eventually leading to proceedings before the Verwaltungsgerichtshof, which referred to the CJEU for certain clarifications of law. In this regard, the Court considered ‘whether Article 4(7) of the GDPR must be interpreted as meaning that it precludes national legislation which designates, as controller, an auxiliary administrative entity lacking legal personality and legal capacity…without specifying…the specific processing operations of personal data for which that entity is responsible or the purpose of those operations’ and ‘whether Article 4(7) of the GDPR must be interpreted as meaning that an entity designated as controller by national law…must actually decide on the purposes and means of the processing of personal data to be required to respond, as controller, to requests submitted to it by data subjects’. 
In relation to these questions, the Court concluded that Article 4(7) does not preclude ‘national legislation which designates, as controller, an auxiliary administrative entity lacking legal personality and legal capacity…without specifying, in a precise manner, the specific processing operations of personal data for which that entity is responsible or the purpose of those operations in so far as, first, such an entity is able to fulfil, in accordance with that national legislation, the obligations on a controller towards data subjects with respect to the protection of personal data and, second, that national legislation determines, explicitly or at least implicitly, the scope of the processing of personal data for which that entity is responsible’. The case, whilst dealing with a somewhat unusual arrangement of actors, is nevertheless interesting, in particular for the Court’s extended discussion of which entities might qualify as controllers, and the conditions under which this might happen.

-ECtHR Rules on Social Media Post concerning Police Officers-

On 25th February, the ECtHR ruled in the case of Toth and Crișan v. Romania. In terms of the facts, the applicants are Romanian police officers. A post about them – including text and photos – was made online on a Facebook page, by someone who had had an altercation with the officers relating to the disposal of their household waste. The post led to a series of negative comments – and other negative events – concerning the applicants. The applicants thus complained to the local courts that the post ‘had defamed them and had affected their reputation and image because it had spread information which distorted reality, disseminated their photograph and the second applicant’s full name publicly to a wide audience without their consent and instigated and generated offensive third-party comments and threats’. Their complaint was dismissed, and then dismissed again in two subsequent appeals. In this regard, the applicants complained to the Court, under Article 8, that ‘when dismissing the proceedings…the domestic courts had failed to strike a fair balance between the competing interests at stake and to adequately protect their right to respect for their private life and reputation’. The Court found no violation of Article 8. In coming to its conclusion, the Court reiterated its general criteria for balancing Articles 8 and 10 – as well as making certain observations relevant to the case at hand, for example concerning use of the internet and social media. In this regard, the Court concluded that ‘the national courts conducted the required thorough balancing exercise between the competing rights at stake in conformity with the criteria laid down in the Court’s case-law’, and, with ‘regard to the margin of appreciation available to the national authorities when weighing up divergent interests’, there was no reason for the Court to ‘substitute its view for that of the domestic courts’.

-AG De La Tour: Strict Requirements for Processing Biometric and Genetic Data for Law Enforcement Purposes-

On 27th February, AG De La Tour advised the CJEU to rule that national legislation should ensure that biometric and genetic data are processed for law enforcement purposes only where ‘strictly necessary’ and only so long as necessary, in JH v Policejní presidium. As to the facts of the case, the applicant in the main proceedings, JH, was subject to prosecution for breach of trust in public office. The Czech police ‘proceeded to take his fingerprints, perform a buccal smear on him from which it created a DNA profile, take photos of him, and draw up a description of him. It then recorded that information in the relevant Czech Police databases’. JH objected to the above processing and argued that it was not compatible with the respective provisions of the LED, especially Article 10 thereof. As a result, three questions were sent for preliminary ruling: (1) whether the requirement in Member State law to collect biometric and genetic data of all accused of having perpetrated an ‘intentional criminal offence’ was a limitation of the processing of this data to what is ‘strictly necessary’, as required by the LED; (2) what storage periods for biometric and genetic data are considered to be proportionate when the purpose of the processing is the prevention and investigation of criminal offences (i.e. a purpose which is not limited in time); and (3) what is the concept of ‘Member State law’ in the meaning of Articles 8(2) and 10 LED (‘Specifically, the referring court questions whether national case-law laying down the criteria for obtaining and retaining biometric and genetic data falls within that concept, and to what extent the minimum substantive and procedural conditions for obtaining, retaining and deleting such data must be laid down in Member State law by a provision of general application.’). AG De La Tour advised the CJEU to rule as follows. 
With regard to the first question, he advised the Court to rule that ‘Article 4(1)(c) and Article 6 of Directive 2016/680, in conjunction with Article 10 of that directive, must be interpreted as precluding national legislation which allows the collection of biometric and genetic data in respect of all persons suspected or accused of having committed an intentional criminal offence where that legislation does not provide for an obligation on the part of the competent authority to assess, in each specific case, the ‘strict necessity’ of the processing it has performed or is contemplating performing.’ As to the second question, he advised the CJEU to rule that ‘Article 4(1)(e), read in the light of Article 10, of Directive 2016/680 should be interpreted as not precluding national legislation that does not provide for a maximum period for the retention of biometric and genetic data, as long as that legislation provides for the review, at regular intervals, of the need to retain such data. Those provisions require, however, that such a review should be subject to strict procedural safeguards and ensure that such retention does not exceed a period that is strictly necessary in the light of the purposes for which those data are processed’. With regard to the third question, the AG focused on examining, in particular, Paragraph 65 of the Law on the Czech Police.
He concluded that this provision is not specific enough as concerns the processing of biometric and genetic data and the case law analysing it cannot be a substitute for the safeguards which should be laid out in a generally applicable legal provision (‘Article 8(2) and Article 10 of Directive 2016/680 must be interpreted as precluding national case-law, even where it may qualify as ‘Member State law’ within the meaning of that directive, from being a substitute for a provision of general application that does not provide for a strict test in each specific case, conducted by the Police authorities, of the need to collect and to retain the biometric and genetic data of data subjects’).


About

DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.
