– The CJEU Confirms Its Stance on the Retention of Traffic and Location Data –
On 5th April, the CJEU rendered another judgment on the topic of the retention of traffic and location data and access to these data for law enforcement purposes in G.D. v Commissioner of An Garda Síochána and others. The six preliminary ruling questions originated in the challenge by a convict (G.D.) against the legality of the evidence collected on them by means of the processing of their traffic and location data. The six questions essentially come down to the question whether the data may be indiscriminately stored for law enforcement purposes by the electronic communications provider and under what conditions they may be accessed by the law enforcement authorities, as interpreted in light of Article 15(1) e-Privacy Directive and Articles 7, 8, 11 and 52(1) EU Charter of Fundamental Rights. In a first step, the Court confirmed its case law by stating that the e-Privacy Directive and the Charter preclude ‘the general and indiscriminate retention of traffic and location data’ ‘for the purposes of combating serious crime and for the prevention of serious threats to public security’. In addition, the Court summarized its case law in which it had established that Member States may require the storage of the data of the users of telecommunication services for law enforcement purposes in certain cases – including when the retention of the traffic and location data is targeted, when imposing quick freeze measures, and in relation to IP addresses and civil identity data – as long as there are measures implemented against abuse and adequate remedies available. Second, the Court ruled that the Irish provisions for assessing the access to the traffic and location data by the police for the purposes of fighting serious crime are incompatible with the Charter and the e-Privacy Directive, as they do not guarantee independent assessment. This is because the assessment is assigned to a police officer who only needs ‘to assess the suspicions that exist with respect to the persons concerned and the need for access to data that relate to them.’ The Court ruled that this problem could not be offset by the fact that the assessment decision is subject to subsequent judicial review. Third and finally, the Court ruled that the national court may not limit the temporal effects of a ruling of incompatibility of national law with EU law, but that it is up to national courts to decide on the validity of evidence, which might have been gathered in breach of the EU data retention provisions, in light of national procedural law.
– ECtHR Rules on Secret Surveillance in Disciplinary Proceedings –
On 29th March, the ECtHR examined the compatibility of the usage of secret surveillance measures for disciplinary purposes in Starkevic v Lithuania. As to the facts of the case, the applicant was a police officer who had tried to convince an arrested person to steal goods. The police authority initiated a criminal investigation into abuse of office, in the course of which it used secret surveillance measures which were authorised by a national court. The information gathered was subsequently re-used for the purposes of disciplinary proceedings, which led to the applicant’s dismissal. The applicant claimed that this re-usage violated his right to private life under Article 8 ECHR. In its ruling, the Court first confirmed that the re-usage of the materials, in principle, constituted an interference with Article 8 ECHR. As to the lawfulness of the interference, the Court found that both the interception itself and its re-usage in the ensuing disciplinary proceedings had a legal basis in domestic law. The application of the law was foreseeable to the applicant, who, based on his profession, was aware of the ethical and civil service regulations. The measure also pursued a legitimate purpose, namely the prevention of disorder and crime and ‘inasmuch as it concerned the matter of the applicant being suitable for service in the police, the rights of others.’ As to necessity and proportionality, the Court found that the measure was necessary, because of ‘the constitutional duty to properly investigate possible official misconduct and find the relevant officials liable where there is a basis to do so.’ As to proportionality, the Court noted that the whole procedure offered the applicant adequate procedural safeguards against abuse and that, although the criminal proceedings against the applicant had been discontinued and the related materials destroyed for data protection reasons, the domestic authorities were right in initiating the disciplinary proceedings, since the conduct of the applicant had discredited the name of an officer and eroded the trust in the police. Based on all of the above, the Court found that the contested interference with the applicant’s private life did not violate Article 8 ECHR.
– ECtHR Rules on Uploading Prisoner Correspondence onto Network –
On 29th March, the ECtHR delivered its ruling in the case of Nuh Uzun and Others v. Turkey. The case concerns prisoners ‘detained in various Turkish prisons in connection with alleged membership of a terrorist organisation, following the attempted military coup of 15 July 2016’. The prisoners complained to judicial authorities about the ‘practice of monitoring and/or systematically uploading their correspondence – both incoming and outgoing – onto the National Judicial Network Server (Ulusal Yargı Ağı Bilişim Sistemi – “UYAP”)’. These authorities, and subsequently the Constitutional Court, dismissed the claims. Accordingly, the applicant’s lodged appeals with the ECtHR on the basis of Article 8 – and in some cases also on the basis of Article 6 – of the ECHR. In relation to Article 8, the Court found a violation of the applicants’ rights. In this regard, the Court recognised that the uploading of correspondence constituted an interference with Article 8 and recognised further that: ‘Where personal data in particular were concerned it was essential to have clear, detailed rules governing the scope and application of such measures, together with minimum safeguards aimed at preserving the integrity and confidentiality of data and procedures for their destruction, in order to provide the persons concerned with sufficient guarantees’. However, none of the applicable legal provisions ‘contained any reference to the scanning or uploading of prisoners’ correspondence onto the UYAP server’. Rather, the justification for the activity ‘stemmed directly and specifically from an instruction issued by the Ministry of Justice’. ‘In the Court’s view, the documents…had…been internal unpublished documents containing instructions from the Ministry of Justice to prisons. As a matter of principle, they did not have binding force. Thus, texts of this kind, which were not issued under any rule-making powers, could not be regarded as “law” of sufficient “quality” for the purposes of the Court’s case-law, capable of affording adequate legal protection and the legal certainty necessary to prevent arbitrary interference by public authorities with the rights guaranteed by the Convention. Hence, the interference complained of could not be said to have been “in accordance with the law” within the meaning of Article 8 of the Convention’. The judgment is available only in French, a language the authors do not speak fluently. Accordingly, this report has been generated on the basis of the press release. We would advise anyone interested in the topic to read the full case.
– AG Pikamäe Delivers Opinion on the Purpose Limitation and Storage Limitation Principles –
On 31st March, AG Pikimäe issued his Opinion on the purpose limitation and limited storage principles in Digi Távközlési és Szolgáltató Kft. v. Nemzeti Adatvédelmi és Információszabadság Hatóság. As to the facts of the case, Digi is a provider of internet and TV services. Following a technical problem, in April 2018 Digi created a separate database containing about one third of the customer data it possesses for testing purposes. In September 2019, an ethical hacker hacked this test database and informed Digi of the hacking. Digi promptly notified the Hungarian DPA of the breach, which fined Digi for having violated the purpose limitation and storage limitation principles in Articles 5(1)(b) and (e) GDPR. Digi challenged the decision in front of a Hungarian court, which then sought guidance on the two principles by the CJEU. As to the purpose limitation principle, the AG observed that the purpose of creating the separate database for testing purposes could be seen as a different purpose from concluding a contract with the users and providing the agreed TV and/or internet services. However, he considered that the new purpose could be interpreted to be compatible with the original purpose, because the concerned data subjects could legitimately expect that the controller, in casu the service provider, might process their personal data in order to be able to provide the contracted services – e.g. by solving technical problems. As concerns the storage limitation principle, AG Pikimäe argued that the storage of the data on the separate test database was not justified after the technical problem was solved. It remains to be seen whether the Court will follow the AG’s interpretation. We note that the analysis of the purpose limitation principle in particular raises questions about how to draw the line between a new purpose which is compatible with the original purpose, and a purpose which is not.
– AG Pitruzzella Delivers Opinion on De-Referencing –
On 7th April, AG Pitruzzella delivered their Opinion on de-referencing in TU, RE v Google LLC. In essence, the case concerned the publication of articles and images of TU and RE in connection with ‘critical opinions…as to the reliability of the investment model of several…companies’. ‘[Certain relevant] articles…were displayed in the list of search results produced when the applicants’ first names and surnames were entered in the search engine operated by Google, both on their own and in conjunction with particular company names, and [one] article…was displayed when particular company names were entered…Google also displayed the photographs of the applicants contained in [one] article…as thumbnails in the overview of results of its image search.’ ‘The applicants requested the defendant, on the one hand, to de-reference the articles in question, which, in their view, contain[ed] a number of incorrect allegations and defamatory opinions based on false statements, and, on the other, to remove the thumbnails from the list of search results.’ In this regard, the Bundesgerichtshof referred two questions to the CJEU.
‘(1) Is it compatible with the data subject’s right to respect for private life…and to protection of personal data…if, within the context of the weighing-up of conflicting rights and interests…within the scope of the examination of his or her request for de-referencing brought against the data controller of an internet search engine…the national court…concentrates conclusively on the issue of whether the data subject could reasonably seek legal protection against the content provider…and thus at least provisional clarification on the question of the truth of the content displayed by the search engine data controller could be provided?
(2) In the case of a request for de-referencing made against the data controller of an internet search engine, which in a name search searches for photos of natural persons which third parties have introduced into the internet in connection with the person’s name, and which displays the photos which it has found in its list of search results as preview images (thumbnails), within the context of the weighing-up of the conflicting rights and interest…within the context of the weighing-up of the conflicting rights and interests…should the context of the original third-party publication be conclusively taken into account, even if the third-party website is linked by the search engine when the preview image is displayed but is not specifically named, and the resulting context is not shown with it by the internet search engine?’
In relation to the first question, the AG concluded that ‘it is not possible to concentrate conclusively on the issue of whether the data subject could reasonably seek legal protection against the content provider…. In the context of such a request, it is incumbent on the data subject to provide prima facie evidence of the false nature of the content…It is for the operator of the search engine to carry out the checks which fall within its specific capacities, contacting, where possible, the publisher of the referenced web page. Where the circumstances of the case so indicate in order to avoid irreparable harm to the data subject, the operator of the search engine will be able temporarily to suspend referencing, or to indicate, in the search results, that the truth of some of the information in the content to which the link in question relates is contested.’ In relation to the second question, the AG concluded that ‘Article 17(3)(a) [GDPR]…should be interpreted as meaning that, within the context of the weighing-up of conflicting rights and interests arising from…the Charter…, in connection with a request for de-referencing made to the operator of a search engine seeking to obtain the removal, from the results of an image search carried out on the basis of a natural person’s name, of photographs displayed in the form of thumbnails depicting that person, account should not be taken of the context of the publication on the internet in which those thumbnails originally appear.’ This is an interesting Opinion, worth reading not only for its conclusions, but also for certain distinctions it makes in relation to online processing by search engines, concerning, for example, types of personal data – for example the special status of pictures – and concerning different types of internet searches – for example differentiating image searches from other forms of search. We would highlight, however, that there is no guarantee that the Court will follow the AG’s Opinion or will rely on the distinctions made.
– Commission Calls for ‘Correct Transposition’ of GDPR and LED –
On 6th April, the Commission announced it had ‘decided to send letters of formal notice to Germany…Greece…Finland…and Sweden…for failing to fulfil their notification obligations under the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and the Data Protection Law Enforcement Directive (Directive (EU) 2016/680)’. More specifically, the Commission observed: ‘Germany has not yet notified measures transposing the Directive in relation to the activities of the Federal Police. Greece has failed to correctly transpose provisions relating, among others, to the scope of application of the Law Enforcement Directive and the time limits for the storage of data. Finland and Sweden have failed to fulfil their obligations as regards the right to effective judicial remedy for data subjects in certain cases.’ The Member States now have two months to react and to ‘take the necessary measures to remedy the breach of EU law identified by the Commission’. If Member States do not react accordingly, the Commission may then take matters forward and proceed with the next step in the infringement procedure: the issue of a reasoned Opinion.