– CJEU Upholds the Broad Scope of the Right of Access under the GDPR –
On 22nd June, the CJEU provided three important clarifications on the right of access to one’s data under the GDPR in its Pannki S. ruling. As a recap on the facts of the case from our report on the AG Opinion to the case, the applicant in the main case is an employee and a customer of a bank. He discovered that his customer data had been accessed by other employees of the bank. He then requested access to the identity of those employees, relying on the right of access to one’s data under Article 15 GDPR. After the request was refused and the applicant approached the domestic courts, several questions for preliminary ruling on Article 15 GDPR were referred to the CJEU. In the ruling, the CJEU provided the following clarifications on the scope of the right of access in the GDPR. First, on the temporal scope of applicability of Article 15 GDPR, the Court ruled that Article 15 GDPR applies to an access request which concerns the processing of personal data which took place before the date on which the GDPR became applicable, but where the access request was submitted after this date. Second, on the substance of the right, the CJEU largely agreed with the AG and established that ‘Article 15(1) of the GDPR must be interpreted as meaning that information relating to consultation operations carried out on a data subject’s personal data and concerning the dates and purposes of those operations constitutes information which that person has the right to obtain from the controller under that provision. On the other hand, that provision does not lay down such a right in respect of information relating to the identity of the employees of that controller who carried out those operations under its authority and in accordance with its instructions, unless that information is essential in order to enable the data subject effectively to exercise the rights conferred on him or her by that regulation and provided that the rights and freedoms of those employees are taken into account.’ Third, the CJEU decided that the fact that the controller was engaged in a regulated activity (in casu banking) and that the applicant was also an employee of the bank does not affect the scope of the right of access under Article 15 GDPR.
– ECtHR Rules on Wanted Persons Lists and Prosecutorial Authority ––
On 27th June, the ECtHR delivered its ruling in the case of Negru v. the Republic of Moldova. In terms of the facts, on 19th July 2008, the applicant was arrested on charges of document forgery, and, a few hours later, released. The applicant then left the country. Subsequently, the applicant was the subject of further allegations of criminal behaviour. Investigation into these accusations were then ‘suspended in the absence of an identified perpetrator’. Following this suspension, however, the ‘district prosecutor decided to bring charges against the applicant in her absence’ and, one day later, declared the applicant a wanted person. The applicant’s lawyer then noticed, quite by chance, on a police notice board, that the applicant had been indicted and was wanted. ‘A subsequent request by the lawyer to have access to the criminal file and to have the investigation in respect of the applicant discontinued was rejected by the police’. A request was also lodged with the ‘investigating judge…seeking to be provided with a copy of the criminal case file, and to have the investigation discontinued and the order to search for the applicant cancelled’. This request was also rejected, on the basis that ‘the prosecutor’s decisions to initiate a criminal investigation and to bring charges against the applicant were not subject to judicial review’, that ‘discontinuation of the criminal investigation was within the remit of the prosecutor and not of the investigating judge’ and that it ‘would be in breach of the confidentiality of the criminal investigation to provide the applicant with copies of the criminal file’. The judge also concluded that ‘the applicant had failed to substantiate any violation of her rights under Article 8 of the Convention’. The applicant then complained to the ECtHR that: ‘her inclusion on the list of wanted persons, in the absence of safeguards against abuse, was contrary to Article 8 of the Convention’. The ECtHR highlighted the significance, for an individual’s private life, of the posting of a photograph on a police notice board, and of being placed on a list of wanted persons. In this regard, focussing on the ‘in accordance with the law’ criterion, the ECtHR noted the authorities’ lack of effort to inform the applicant of charges prior to declaring the applicant wanted, and the lack of available avenues for legal recourse. Accordingly, the Court found that there had been a violation of Article 8 and offered the following summary of its reasoning: ‘in view of the lack of clarity of the procedures for the implementation of the existing rules and the flaws in their application…when declaring the applicant a wanted person the prosecutor enjoyed a discretion practically amounting to unfettered power, not being accompanied by a measure of protection against arbitrary interference…as required by the rule of law’. This is a short case and the decision, in light of the facts and the law, will likely surprise few.
– Fingerprints in EU Identity Cards: Green Light from the AG –
On 29th June, AG Medina advised the CJEU, in the case of RL v Landeshauptstadt Wiesbaden, that the inclusion of fingerprints in EU identity cards is compatible with Articles 7 and 8 CFREU. As to the facts of the case, the applicant in the main proceedings applied for a German ID card. Pursuant to a recently adopted EU Regulation (Regulation (EU) 2019/1157), he was required to provide his fingerprints to be stored on the chip of the ID card. After having refused to provide his fingerprints, he did not have an ID card issued and challenged the refusal of the authorities. Eventually, the domestic proceedings resulted in preliminary ruling questions to be referred to the CJEU, concerning the compatibility of the fingerprint requirement with Articles 7, 8 and 52 (1) CFREU and with the requirement for carrying out an impact assessment under Article 35 (10) GDPR. AG Medina suggested the following interpretation of the submitted questions. First, she argued that the prescribed data processing operations in Regulation 2019/1157 – namely ‘the collection of the fingerprints in itself’, ‘the definitive inclusion of those fingerprints on a highly secure storage medium in every identity card newly issued by Member States’, the storage of ‘biometric identifiers (…) for the purpose of the personalisation of identity cards’ until the card is collected by its holder, and the usage of the fingerprints ‘for the purposes of verifying the authenticity of the card and the identity of the holder’ – constitute interferences with the fundamental rights protected by Articles 7 and 8 CFREU. Second, as to the justification for the interference, AG Medina argued that the conditions of Article 52 (1) CFREU have been satisfied, referring often to the Schwarz judgment, for the following reasons: (1) the Regulation provides a proper legal basis for the interference; (2) the Regulation pursues an objective of general interest, namely facilitating the free movement of EU citizens by making the ID cards more secure; (3) the data processing operations prescribed by the Regulation are ‘appropriate, necessary and do not go beyond what is indispensable for achieving the main objective of that regulation’; and (4) the essence of the rights protected by Articles 7 and 8 CFREU is respected, because the Regulation ‘offers sufficient guarantees to prevent the processing of biometric identifiers, in particular digital fingerprints, from being misused or abused.’ Third, on the question whether the EU legislator should have performed an impact assessment pursuant to the GDPR before adopting Regulation 2019/1157, AG Medina advised the Court that ‘at no point does it result from the GDPR that the obligation to carry out an impact assessment, as is provided for in Article 35(1) thereof, is binding on the EU legislature, nor does that provision establish any criterion in relation to which, for instance, the validity of another secondary law norm of the European Union should be assessed.’
Over the past couple of weeks, the EDPB adopted several documents:
- ‘Recommendations 1/2022 on the Application for Approval and on the elements and principles to be found in Controller Binding Corporate Rules (Art. 47 GDPR)’;
- ‘Template Complaint form and Template Acknowledgement of receipt’ – concerning the submission of cross-border complaints by individuals and the handling of these complaints by DPAs;
- ‘EDPB Response to the European Ombudsman’s recommendation regarding case 201/2022/JK’;
- ‘EDPB Response to the European Ombudsman’s recommendation regarding joined cases 509/2022/JK and 1698/2022/JK’.
The documents are available on the EDPB’s website.