-CJEU: Law Enforcement Authorities Must Assess the ‘Strict Necessity’ of Biometric and Genetic Data Processing-
On 28th November, the CJEU ruled that law enforcement authorities must assess the ‘strict necessity’ of the processing of biometric and DNA data, and that this assessment may not be generally substituted by a court assessment of ‘strict necessity’. The case, V.S. v Ministerstvo na vatreshnite raboti II, clarifies V.S. v Ministerstvo na vatreshnite raboti I. As to the facts of the case, V.S. was placed on the list of suspects in an investigation into a VAT crime. She refused to provide her fingerprint and DNA data, the collection of which is envisaged for all suspects in all crimes under Bulgarian law. The Bulgarian courts had previously sought clarification on how to interpret several provisions of the LED as concerns the requirement in Article 10 LED, in conjunction with Articles 4(1)(a)-(c) and 8(1) and (2) LED, on the ‘strict necessity’ of processing sensitive data. The domestic courts, however, were not sure how to interpret the Court’s ruling in V.S. v Ministerstvo na vatreshnite raboti I and sought further clarification on that point: they were left with the impression that, where the law enforcement authorities had not performed the ‘strict necessity’ test, which is not mandated by Bulgarian law, the domestic courts should perform this assessment on the basis of very little information submitted by the law enforcement authorities seeking authorisation for the forceful collection of the said sensitive data. In the present ruling, the Court clarified that the requirement in Article 10 LED on the ‘strict necessity’ of the processing of biometric and genetic data has to be assessed by the law enforcement authorities which intend to process the data, and that this assessment should not be replaced by a strict necessity assessment carried out by the domestic court from which the law enforcement authorities concerned seek authorisation.
Editors’ Note: at the time of writing the above summary, the judgment was available only in Bulgarian and French.
-CJEU Rules on Transparency of Processing-
On 28th November, the CJEU ruled in the case of Nemzeti Adatvédelmi és Információszabadság Hatóság v UC. As to the facts of the case, the applicant in the main proceedings, UC, was issued with a vaccination certificate for COVID-19 by the Budapest Office. He complained that the Office did not provide him with the necessary information about the processing of his data, as required under the GDPR. The Office invoked the exception to transparency under Article 14(5)(c) GDPR and argued that the processing of the data was based on domestic law (Article 6(1)(e) and Article 9(2)(i) GDPR). In this regard, the following questions were referred to the CJEU:
- Does Article 14(5)(c), in light of Article 14(1) and Recital 62, mean the exception in Article 14(5)(c) does not extend to controller-generated data ‘but rather only to data which the controller has…obtained from another person?’
- If Article 14(5)(c) does apply to controller-generated data, does ‘the right to lodge a complaint…in Article 77(1)’ mean ‘a natural person who alleges an infringement of the obligation to provide information’ can ‘request an examination of whether Member State law provides appropriate measures to protect the data subject’s legitimate interests, in accordance with Article 14(5)(c)?’
- If the answer to the above is yes, does Article 14(5)(c) mean ‘the “appropriate measures” referred to in that provision require the national legislature to transpose…the measures relating to the security of data…in Article 32?’
In this regard, the Court concluded:
- Article 14(5)(c) means the ‘exception to the controller’s obligation to provide information to the data subject…concerns all personal data, without distinction, that have not been collected by the controller directly from the data subject, whether those data have been obtained by the controller…or whether they have been generated by the controller’.
- Article 14(5)(c) and Article 77(1) mean that, ‘in a complaint procedure, the supervisory authority is competent to verify whether the Member State law…provides appropriate measures to protect the data subject’s legitimate interests, for the purposes of…the exception…in Article 14(5)(c). That verification does not however cover the appropriateness of the measures which the controller is required to implement, under Article 32…, in order to guarantee the security of processing.’
There is much of significance and interest in this case. For instance, the Court’s observations relating to the scope of information to be provided under Article 14, and this Article’s relationship with Article 13, are well worth reading, as are its observations on the scope of supervisory authority powers. Equally of interest – albeit for perhaps a more limited group – are the Court’s remarks regarding textualism and purposivism in its interpretative approach, as well as its remarks relating to the distinction between the concepts of data and information in the different language versions of the GDPR.
-ECtHR: Hungary Does Not Protect Journalists’ Secret Communications-
On 28th November, the ECtHR ruled in Csikós v. Hungary that journalists in Hungary do not have adequate safeguards to challenge the secret surveillance measures to which they are allegedly subject. As to the facts of the case, the applicant is a journalist who had contact with a police officer who provided her with information regarding a murder case on which they were working. The officer was placed under surveillance on 6th November 2015, following a judicial warrant, on suspicion of bribery, and aiding and abetting crime. In the following weeks, criminal proceedings for disclosing secret information to the journalist were initiated against him. In the course of the proceedings, the journalist discovered that her conversations from 3-6 November 2015 had been tapped – i.e. prior to the surveillance of the police officer. The journalist submitted several complaints to different authorities in Hungary, essentially trying to obtain information as to whether her phone had indeed been tapped and to complain about the lawfulness of the tapping, especially as concerns the secrecy of her journalistic sources, after her contacts within the police had been removed from their posts following the publication of her article. The complaints were unsuccessful. Her complaint to the ECtHR was examined under Articles 8 and 10 ECHR. The Court noted that it cannot rule on whether the domestic authorities actually tapped her phone and whether the tapping fulfilled the conditions of Article 8(2) ECHR on the interference with the right to the secrecy of correspondence. It decided to examine the question of whether the journalist could effectively complain about the alleged tapping and whether it was judicially authorized. In this regard, the Court ruled that Hungarian law does not envisage subsequent notification of surveillance measures, which is a hindrance to discovering whether such measures had been implemented in respect of the applicant.
It further observed that it ‘does not appear either that the applicant had access to an independent and impartial body with jurisdiction to examine any complaint of unlawful interception, independently of a notification that such interception had taken place.’ The Court concluded that it ‘thus does not find that adequate procedural safeguards were in place for the applicant to challenge the alleged use of secret surveillance against her with a view to discovering her journalistic sources.’ It therefore found a violation of Articles 8 and 10 ECHR.