-CJEU: Public Registers Have to Rectify Incorrect Gender Data Without Proof of Gender Reassignment Surgery-
On 13th March, the CJEU held that an asylum register has to rectify the gender data of a refugee without requiring proof of gender reassignment surgery, in VP v Országos Idegenrendészeti Főigazgatóság (Deldits). As to the facts of the case, the applicant in the main proceedings was an Iranian refugee in Hungary, who was born female but identified as male, i.e. was transgender, and based their refugee claim on their transgender identity. To support their claim, they produced certificates from a psychiatrist and a gynaecologist. VP was granted refugee status based on that claim. However, they were still registered as female in Hungary’s asylum register. VP applied for the rectification from ‘female’ to ‘male’ on the basis of Article 16 GDPR (the right to rectification). The application was turned down because ‘(i) VP had not proved that they had undergone gender reassignment surgery, and (ii) the certificates provided established only VP’s transgender identity’. The dispute resulted in the following questions: (1) does a Member State have to rectify the gender of a person in its asylum register? and (2) is the rectification dependent on the production of evidence of a gender reassignment surgery, as required by administrative practice? As to the first question, the CJEU first recalled, inter alia, that the accuracy of the personal data processed has to be assessed in light of the purpose of the processing. It then concluded, in casu, that if the purpose of the processing of the gender data in the asylum register was to identify the concerned individual, then the correct data would be the lived gender and not the gender assigned at birth, especially in light of the fact that Hungary granted VP refugee status on the basis of their transgender claim. Then the Court established that, in casu, no derogations to the right to rectification apply, concluding, inter alia, that: ‘a Member State cannot rely on the absence, in its national law, of a procedure for the legal recognition of transgender identity in order to limit the right to rectification.’ As to the second question, the CJEU first established that ‘Article 16 of the GDPR does not specify which evidence may be required by a controller in order to establish the inaccuracy of the personal data which a natural person seeks to have rectified’. Then the Court recalled that any restriction to the right to rectification has to comply with Article 23 GDPR. It noted that the requirement for gender reassignment surgery is only an administrative practice, but it is not set out in law as required by Article 23 GDPR. Second, the CJEU established that such a requirement is not compatible with the fundamental rights to personal integrity and private life as anchored in the CFREU and as interpreted in light of the corresponding provisions of the ECHR and ECtHR case law. Third, it ruled that the requirement is not necessary and proportionate in light of the purpose of the data processing.
-ECtHR: Domestic Authorities Must Examine Complaints About Illegal Publications of One’s Data-
On 11th March, the ECtHR ruled that States have a positive obligation to investigate complaints about illegal publications of photos and videos of individuals on social networks, in Aytaj Ahmadova v. Azerbaijan. As to the facts of the case, the applicant (Ahmadova) was a journalist in Baku, working for a media outlet. She was detained by the organized crime department and questioned about the workings of the media outlet. In the course of the investigations her laptop was seized and never returned to her. Ahmadova’s family photos and videos were published on different fake Facebook accounts with insulting comments made to them. Ahmadova claimed that she had stored this content solely on her laptop and therefore it could have been only the State that had published them on Facebook. Her complaints in Azerbaijan against the illegal publication of the videos and photos remained unsuccessful, although domestic law criminalizes publications such as those at issue in the case. Thus, Ahmadova submitted an Article 8 ECHR complaint with the ECtHR, namely that the publications interfered with her right to private life and that the domestic authorities did not examine her complaints. The ECtHR first decided that the complaint should be examined within the framework of the positive obligations of States to protect the private lives of individuals. This was so especially because, due to the lack of investigations on national level, it was not established who actually published the contested materials on Facebook and whether this could be attributed to the State. Then it moved on to examine whether the State lived up to its positive obligations and concluded that this was not the case: ‘Having regard to the seriousness of the applicant’s allegation, and the method of protection actually chosen by the domestic authorities, the Court considers that practical and effective protection of the applicant required that effective steps be taken with a view to clarifying the circumstances of the case and identifying and, if appropriate, prosecuting the perpetrators of the acts complained of’. Thus, it ruled that Article 8 ECHR had been breached.
-ECtHR considers Searches and Seizures in the context of Banking-
On 18th March, the ECtHR ruled in the case of BRD – Groupe Société Générale S.A. v. Romania. In terms of the facts, the case concerned searches and seizures carried out at the applicant company. Two types of searches were carried out. One by the Competition Council investigating breaches of banking regulations – the applicant being a bank – and one by the police investigating potential criminal activity by certain of the applicant’s employees.
Accordingly, the applicant company complained to the ECtHR that ‘the inspection and the searches conducted on its premises and the electronic searches of its computers had breached its right to private life, home and correspondence’ under Article 8 – further complaints under Articles 6 and 13 were recategorized by the Court as falling within the complaint under Article 8. In this regard, the Court considered the Competition Act proceedings and the criminal proceedings separately. The Court concluded there had been no violation of Article 8 in relation to the Competition Act proceedings, but that there had been a violation in relation to certain instances of seizure and in relation to ‘the electronic search carried out in the second set of criminal proceedings’. In coming to its decision in relation to the Competition Act proceedings – after finding that certain aspects of the plaintiff’s claim, related to the confidentiality and return of documents, were not admissible by virtue of a failure to exhaust domestic remedies – the Court focussed on the question of whether the interference was necessary in a democratic society. The Court considered, in this regard, that at ‘the relevant time…adequate safeguards were enshrined in Romanian law’, including, for example, that ‘unannounced inspections could take place by decision of the president of the Council in cases where investigations had been opened by decision of the plenary and could be carried out only in the presence of representatives of the company concerned’. In coming to its decision in relation to the criminal proceedings, the Court again focussed on the question of whether the interference was necessary in a democratic society. This time, however, concluding that ‘the available safeguards…failed to ensure effective protection of the applicant company’s right to respect for its home and correspondence’. The Court highlighted, in this regard, for example, the absence of ‘any meaningful judicial review’ as well as ‘the duration of the criminal investigation’.
-Advocate General Delivers Opinion on the Consequences of Unlawful Processing and Data Subject Rights-
On the 20th March, Advocate General Campos Sánchez-Bordona delivered their Opinion in the case of IP v Quirin Privatbank AG. In terms of the facts, the case concerned a recruitment procedure conduced by the defendant via the Xing online platform. As part of this procedure, a message intended for the defendant was sent to a third party. The defendant then ‘brought an action before the Landgericht (Regional Court, Germany) seeking an order that Quirin refrain in future from processing, either by itself or through third parties, his personal data relating to the selection process’ if ‘that processing occurs as it did in the message’ in question ‘sent via the Xing portal’ and ‘claimed non-material damages of at least EUR 2 500’. Following a series of appeals at national level, the Bundesgerichtshof referred six questions to the CJEU for a preliminary ruling, three of which were considered by the Advocate General:
- If ‘where unlawful processing of personal data has already taken place for the purposes of the GDPR, the data subject may, under Articles 17 or 18, or any other provision of the GDPR, require the controller to cease and desist’ to prevent ‘further unlawful onward transfer of those data if the data subject does not request the controller to erase the data’?
- Does the data subject’s right to ‘require the controller to refrain from the unlawful processing of personal data, similar to that previously carried out’ depend ‘on the existence of a risk of recurrence and, if so, if that risk is ‘presumed … by reason of the existing infringement of the GDPR’?
- ‘Assuming…that the data subject has a right to demand, through the courts, the abstention from any further unlawful processing of his personal data, similar to that previously carried out’ does ‘in assessing the amount of non-material damage to be compensated, the fact that the data subject concerned has a right to obtain’ an order to desist ‘in addition to the right to compensation’ mean this can ‘be taken into account as reducing the claim’?
In this regard, the Advocate General concluded that:
- ‘In accordance with Articles 5(1)(a) and 6(1), together with Article 79(1), of Regulation 2016/679, a data subject whose personal data have been unlawfully disclosed by the controller has the right to bring an action for an order that the controller desist, in future, from any further unlawful onward transfers of those data, similar to the transfers already carried out’.
- ‘It is for national law…to lay down rules governing the conditions for bringing an action for an order to desist against the controller for processing of the personal data. For those purposes, there is nothing to prevent the requirement of proof of the risk of recurrence or, where appropriate, the establishment of a (rebuttable) presumption of that risk, resulting from the existence of a previous infringement’.
- ‘Under Article 82(1) of Regulation 2016/679, in assessing the amount of non-material damage which is to be compensated, the fact that, in addition to the right to compensation, the data subject is also entitled to require that the controller desist, in future, from any other unlawful processing similar to that already carried out is not a mitigating circumstance’.