– CJEU Gives a Broad Reading on the Right to Copy of One’s Data –
On 26th October, the CJEU delivered a judgment in FT v DW, clarifying that the right to access one’s personal data under Article 15 GDPR may be exercised when access is sought beyond the purpose of verifying the accuracy of the data, and that the provision of a first copy of one’s medical data should be free of charge. As to the facts of the case, the applicant in the main proceedings (DW) received dental treatment by their dentist (FT). Since DW suspected that FT had committed errors in the treatment, DW requested a copy of the documents which FT possessed in relation to the treatment. FT agreed, provided that DW would bear the cost of the copies, as regulated by German law. DW objected to paying the costs, relying on Articles 12 and 15 GDPR, pursuant to which the first copy of one’s personal data should be free of charge. The national courts were uncertain about the interpretation of these two GDPR provisions, including also Article 23 GDPR, pursuant to which national law may impose restrictions on the exercise of data subject rights. Hence, the courts requested the CJEU to clarify the right of access, especially the right to a free copy, and the possible restrictions to it. In its judgment, the CJEU established the following three important clarifications on the right to access. (1) Neither ‘the wording of Article 12(5) of the GDPR nor that of Article 15(1) and (3) thereof make the provision, free of charge, of a first copy of personal data conditional upon data subjects putting forward reasons to justify their requests. Therefore, those provisions do not give the controller the possibility of demanding that reasons be given for the request for access submitted by the data subject.’ The Court furthermore ruled that the first sentence of Recital 63 GDPR cannot be evoked to restrict the scope of the right of access anchored in Article 15 GDPR. (2) As regards the possibility to restrict the right of access under Article 23(1)(i) GDPR (to protect the economic interests of controllers) by relying on national law adopted prior to the entry into force of the GDPR, the CJEU ruled that ‘a piece of national legislation adopted prior to the entry into force of that regulation is capable of falling within the scope of’ Article 23(1)(i) GDPR. ‘However, such a possibility does not permit the adoption of a piece of national legislation which, with a view to protecting the economic interests of the controller, makes the data subject bear the costs of a first copy of his or her personal data undergoing processing.’ And (3) on the question of the right to a copy, the CJEU largely repeated its stance in Österreichische Datenschutzbehörde and CRIF, where it held that the right to a copy of one’s data might require the provision of access to the documents containing the data where that is necessary for making the data intelligible. It added the following clarification with regards to medical data: ‘Regarding data relating to the health of the data subject, that right includes in any event the right to obtain a copy of the data in his or her medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided to him or her.’
– AG on Non-Material Damages when Personal Data are Stolen –
On 26th October, AG Collins delivered an Opinion in JU and SO v Scalable Capital GmbH, concerning the right to compensation for non-material damages when personal data get stolen. As to the facts of the case, the applicants in the main proceedings provided their personal data in the course of an investment on a trading platform maintained by Scalable Investment. Following a hack of the platform, their personal data were stolen and JU and SO requested compensation under Article 82 GDPR. The perpetrators of the hack are unknown and at the material time no damage had been established as a result of the leak – e.g. a misuse of the investors’ identity. The local courts were uncertain as to whether the theft of personal data constitutes identity theft and what compensation the concerned individuals are entitled to under the GDPR. In the Opinion, AG Collins advises the Court to rule that ‘the theft of personal data’ ‘alone does not constitute identity theft even if that theft may lead to future’ misuse ‘of that data. Identity theft requires an additional action or step with detrimental effects for the data subject that go beyond the theft of personal data.’ Nevertheless, AG Collins argued that individuals whose data have been stolen might be entitled to compensation for non-material damages under Article 82(1) GDPR even if no identity fraud has occurred, which should be assessed on a case-by-case basis, referring to the criteria set out in Österreichische Post.
– ECtHR Rules on Wiretaps and Safeguards –
On 26th October 2023, the ECtHR ruled in the case of Plechlo v. Slovakia. The case concerned ‘the tapping and recording of telephone conversations’. The applicant was ‘randomly a party, in the context of a criminal investigation which did not directly concern him’, to the tapped and recorded conversations. Recordings of the applicant were then later included in a file concerning a separate investigation, of which the applicant was a target. Before various national bodies, the applicant then complained unsuccessfully about the intercepted materials – the applicant complained about their inclusion, tried to have supplemental information attached to them, tried to access the original warrant, tried to have the lawfulness of the original warrant reviewed etc. As a result of this lack of success, in relation to Article 8 of the Convention, the applicant thus complained to the Court ‘about the tapping and recording of his telephone calls and the storage and use of the material obtained, as well as the alleged lack of safeguards in that respect.’ The Court found a violation, concluding that ‘the interference with the applicant’s right to respect for his private life and correspondence was not accompanied by adequate and effective guarantees against abuse. It was consequently not in accordance with the law for the purposes of Article 8 § 2.’ In reaching this conclusion, the Court highlighted the significance of procedural guarantees in relation to secret surveillance – noting emphatically, for example, that ‘in view of the risk that a system of secret surveillance for the protection of national security may undermine or even destroy democracy under the cloak of defending it, the Court must be satisfied that there exist guarantees against abuse which are adequate and effective’. In relation to the facts at hand, the Court then highlighted, in particular, that, as the applicant was a person randomly affected by the wiretap – as opposed to the target of the wiretap – there appeared to be little in the way of a legal framework safeguarding them against the risks of abuse. The decision in the case will likely be unsurprising to many, especially given the Court’s conclusion that the applicant did not effectively enjoy protection.