– ECtHR Rules on Production and Publication of Police Information –
On 28th June, the ECtHR ruled in the case of M.D. and Others v. Spain. In essence, the case concerned a manifesto, signed in 2014 by the applicants – amongst others – who were serving judges, ‘in which they set out their legal opinion in favour of the possibility of exercising the Catalan people’s so-called “right to decide”, within the framework of the Spanish Constitution and international law.’ An article on the manifesto was then published by a national newspaper in which photos and other personal data on the applicants was published, which ‘in the applicants’ opinion, had been extracted from their respective entries in the database of the Spanish police’. It then came to light that a police report on the manifesto, including the applicants’ personal data, had also been produced. The applicants launched a series of proceedings concerning the manifesto and their personal data in front of national judicial bodies. None of these were successful. In this regard: ‘The applicants complained [to the ECtHR] that Article 8 of the Convention had been violated, firstly given that the police, without any legal justification, had created a report on each applicant (as signatories to the above-mentioned manifesto) using photographs taken from the police ID database, and secondly, since that report had been leaked to the press; lastly, they complained about the publication of their photographs in the newspaper’. The Court found a violation of Article 8. In relation to the police report, the Court found that: ‘there is no domestic legal provision that would justify the drawing by police of a report on citizens when there were no indications that they could have committed a crime or were involved in the preparatory steps necessary for the commission of a crime…[and accordingly] since the interference with the applicants’ private life was not in accordance with any domestic law, and the public authorities have used the personal data for a purpose other than that which justified their collection, the Court concludes that the mere existence of the police report in issue, which was drafted in respect of individuals whose behaviour did not imply any criminal activity, amounts to a violation of Article 8.’ In relation to the leak to the press, the Court found that there was an insufficient investigation carried out as: ‘for a sufficient investigation to be carried out, it was necessary for the investigators to have obtained a statement from the person who had been the direct addressee of the report and who had been responsible for the persons who had accessed the police ID database and collected the data and photographs of the applicants since, regardless of his criminal or disciplinary responsibility, his testimony would have aided the identification of those responsible for the criminal acts in question.’ In this regard, the Court concluded that: ‘the failure of the judicial bodies involved to carry out certain investigative measures which would most likely have been useful for the investigation into the facts of the case and which were susceptible of remedying the interference with the applicants’ rights must be considered to constitute a failure by the respondent State to comply with its positive obligations under Article 8 of the Convention’.
– EDPB EDPS Joint Opinion on EHDS Proposal –
On 12th July, the EDPB and EDPS published their ‘EDPB-EDPS Joint Opinion 03/2022 on the Proposal for a Regulation on the European Health Data Space’. The Opinion starts by offering general comments – including concerning the relationship between the proposal and data protection law. The Opinion then goes into more detail on the proposal and includes section specific comments. These encompass comments on: ‘General provisions (Chapter I)’ – including the concern that many definitions are ‘very broad and open to interpretation, which in turn may lead to legal uncertainty’; ‘Primary use of electronic health data (Chapter II)’ – including suggesting ‘introducing a mandatory consultation of and a duty of cooperation with DPAs with regard to the assessment of complaints as well as the implementation of the Proposal whenever data protection aspects are involved’; ‘Ehr systems and wellness applications (Chapter III)’ – including proposing ‘excluding from the scope of Chapter IV of Proposal wellness applications and other digital applications’; ‘Secondary use of electronic health data (Chapter IV)’ – including highlighting ‘the lack of clarity as to what step in the procedure foreseen in the Proposal with regards to secondary use of electronic health data may the health data access bodies disregard [certain] requirements [concerning consent] set out in national law’; ‘Additional actions (Chapter V)’ – including observing that ‘Article 63 of the Proposal should impose on controllers and processors established in the EU processing personal electronic health data within the scope of the Proposal an obligation to store this data in the EU’; ‘European governance and coordination (Chapter VI)’ – including considering that ‘their representatives should be permanent members of the EHDS Board (thus not only potentially invited) and should participate to all discussions on personal data protection issues’; ‘Delegation and Committee (Chapter VII)’ – including noting that ‘the criteria envisaged by Article 5(2)(b) of the Proposal to guide the Commission in deciding the priority categories of electronic health data to be added to the list established in Article 5(1) of the Proposal seem vague and should be further delimited’; and ‘Miscellaneous (Chapter VIII)’ – including considering that ‘in line with previous comments on the self-certification of EHR systems, the periods for evaluation and review established under Article 70 of the Proposal are too long to ensure the proper implementation in time’. The Opinion is detailed and will be highly interesting to all concerned with, or tracking the process of, the EHDS.
– EDPB Intensifies Cooperation on Cross-Border Cases of ‘Strategic Importance’ –
On 14th July, presented its next steps towards enhanced cooperation on strategic cross-border cases. First, ‘the EDPB adopted a set of criteria to assess whether a cross-border case may qualify as a case of “strategic importance” for closer cooperation’, referring to the Vienna Statement of Enforcement Cooperation adopted in April 2022. Second and third, the EDPB detailed the steps to be followed when a case of ‘strategic importance’, i.e. a one-stop-shop case, is identified and picked its first three cases to pilot this new approach. The new initiative should result in a better enforcement of the GDPR. A case of strategic importance should meet one or more of the following criteria:
‘a structural or recurring problem in several Member States, in particular where the case concerns a general legal issue with regards to the interpretation, application or enforcement of the GDPR;
a case related to the intersection of data protection and other legal fields;
and a case which affects a large number of data subjects in several Member States;
a case involving a large number of complaints in several Member States;
a case concerning a fundamental issue falling within the scope of the EDPB strategy;
a case where the GDPR implies that a high risk can be assumed, such as:
the processing of special categories of data;
processing regarding vulnerable people such as minors;
Situations where a data protection impact assessment (DPIA) is required.’
Any DPA may propose a case of strategic importance, but the cases will be selected by the EDPB. The cooperation on the cases will comply with Chapter VII GDPR.
– EDPS Publishes Opinion on Financial Rules Concerning the EU Budget and Data Protection –
On 7th July, the EDPS published his ‘Opinion 14/2022 on the Proposal for a Regulation of the European Parliament and of the Council on the financial rules applicable to the general budget of the Union (recast)’. The Proposal concerns the better monitoring of the direct or indirect recipients of EU funds, including through more digitalisation and personal data processing. The EDPS expresses caution with respect to data protection in relation to the following three main aspects, which the EDPS invites the legislator to address. First, the envisaged data-mining and risk-scoring activities risk undermining the definition of the categories and sources of data, as well as their quality, while in addition, the roles of the entities which will access the data for (risk) analysis purposes need to be more clearly defined. Second, the Proposal needs to clarify what IT System is going to be used and what safeguards will be embedded into this system. Third, the Proposal should define how long personal data may be stored in the system and processed through data-mining and risk-scoring techniques.
– EDPB Publishes Coordinated Supervision Committee Working Programme 2022-2024 –
On 6th July, the EDPB published its 2022-2024 Working Programme for the Coordinated Supervision Committee (CSC). The CSC is responsible for supervising the EU large-scale migration and law enforcement databases and EU bodies such as Europol, Eurojust and the European Public Prosecutor’s Office. The CSC is composed of the national DPAs and the EDPS. The document is split into two parts: the working methods of the CSC; and its planned activities. As to the working methods, the CSC elects a coordinator and a deputy coordinator. It will convene ‘al least twice a year’. It has a dedicated mailbox and seeks exchanges with relevant stakeholders. As to the planned activities, ‘[t]his work programme has selected the data subjects’ rights as a key-area of activity.’ Furthermore, it will work towards coordinated audits and inspections between the DPAs and the EDPS. It will focus also on establishing ‘a common understanding between its participating authorities on their respective scope of
supervision, applicable legal basis, and the areas where they need to cooperate and coordinate’ and on drafting the CSC’s work on the supervision of the databases and bodies which it is supposed to supervise. Ad hoc activities may be added to its work.
On 12th July, the EDPB held its 67th Plenary meeting. In the course of the meeting, the following significant issues were discussed:
‘Consistency mechanism, Guidelines and EDPB RoP’: ‘EDPB-EDPS Joint Opinion on the Proposal for a Regulation on the European Health Data Space’ – see also above.
‘Current Focus of the EDPB Members’: ‘The EU House of Data Protection – request for mandate’.
‘BTLE ESG’: ‘Police Cooperation Code – request for mandate’.
‘ENF ESG’: ‘Substantive questions from the CEF members and possible approaches’.
‘ENF ESG’: ‘Strategic cases – criteria, process and selection of pilot cases’.
‘ITS ESG’: ‘Statement on personal data transfers to the Russian Federation’.
‘Coordinated Supervision Committee’: ‘Update on the work of the Coordinated Supervision Committee – information’ – see also above.
‘Secretariat’: ‘Engagement with NGOs’.
At the time of writing, certain adopted documents are already available on the EDPB website. We would presume that an announcement concerning all adopted documents will be made shortly. We would also presume that any adopted documents not yet published – should there be any – will be made available on the EDPB website in due course.