-CJEU:Fight Against Corruption Does Not Justify Access to Telecommunications Data-
On 7th September, in A.G. v Lietuvos Respublikos generalinė prokuratūra, the CJEU clarified that Article 15(1) e-Privacy Directive does not justify the further processing of telecommunications data accessed for the purposes of fighting serious crime in order to also fight corruption in the prosecutor’s office. As to the facts of the case, a prosecutor in Lithuania was suspected of misconduct in office, more precisely that ‘he had, when leading a pre-trial investigation, unlawfully provided information pertaining to that pre-trial investigation to the suspect and his lawyer.’ The suspicion was confirmed in a report, which was based on the processing of telecommunication data which had been obtained while the prosecution was investigating the crime in relation to which the prosecutor provided information to the suspect and his lawyer. As a result, the prosecutor was dismissed from office. The Lithuanian courts noted that the interception of the conversations, including those between the suspect and the prosecutor, were authorised by the local courts. However, they wondered whether Article 15(1) e-Privacy Directive, read in light of the Charter, must ‘be interpreted as prohibiting the competent public authorities from using data retained by providers of electronic communications services which may provide information on the data of, and communications made by, a user of a means of electronic communications, in investigations into corruption-related misconduct in office, irrespective of whether access to those data has been granted, in the particular case, for the purposes of combating serious crime and preventing serious threats to public security?’ In its answer, the CJEU briefly summarized its case law on Article 15(1) e-Privacy Directive and ruled that ‘(o)nce they have been retained and made available to the competent authorities for the purpose of combating serious crime, (telecommunications) data cannot be transmitted to other authorities and used in order to achieve objectives, such as, in the present case, combating corruption-related misconduct in office, which are of lesser importance in the hierarchy of objectives of public interest than the objective of combating serious crime and preventing serious threats to public security.’ Hence, it concluded that Article 15 (1) e-Privacy Directive precludes ‘the use, in connection with investigations into corruption-related misconduct in office, of personal data relating to electronic communications which have been retained, pursuant to a legislative measure adopted under that provision, by providers of electronic communications services and which have subsequently been made available, pursuant to that measure, to the competent authorities for the purpose of combating serious crime.’
On 7th September, the ECtHR ruled that the French legal system which seeks to protect the anonymity of sperm donors is not contrary to the right to know one’s origins in Gauvin-Fournis and Silliau v. France. As to the facts of the case, the two applicants learned from their parents that they had been conceived with the help of sperm donors. They wished to know the identity of their respective donors, as well as non-identifying information such as the age, profession, etc. of the donors. They submitted an application with the Bondy centre for gamete research and preservation (CECOS) to that effect in 2010. The applications were turned down on the basis of the applicable law at the material time which guaranteed the complete anonymity of sperm donors. The applicants claimed that the legal provisions interfered with their right to know their origins, as protected by Article 8 ECHR. In its ruling, the Court noted that the interference was due to the legal framework in France. It further observed that the framework changed on 1 September 2022, which included the right to know one’s origins also when the conception took place prior to this date. This was dependent, however, on the consent of the donors and the findability of the respective files. When examining the legal framework in France, the Court paid attention to the fact that ‘(e)ach bioethics law had been preceded by a public debate in the form of consultations in which all points of view had been considered and the interests and rights at stake had been weighed up as evenly as possible. In the Court’s opinion, the legislature had duly weighed up the interests and rights at stake after an informed and gradual process of reflection on the need to lift donor anonymity. Reiterating that there was no clear consensus on the issue of access to origins, merely a recent trend in favour so lifting donor anonymity, it considered that the legislature had acted within its discretion.’ As to the accessibility of non-identifiable information, the Court noted that, for medical purposes, such information was available to doctors when necessary. Finally, the Court noted that the new law of 2022 sought to strike a balance between the right to absolute anonymity guaranteed by previous law and the new trend of lifting this absolute anonymity. Hence, the Court concluded that there was no violation of Article 8 ECHR, because the French legislature had not overstepped its margin of appreciation and had fulfilled its positive obligations in protecting the applicants’ right under Article 8 ECHR. Editorial Note: The judgment is available only in French. The above story is based on the English summary available on the Court’s website.
https://hudoc.echr.coe.int/#{%22itemid%22:[%22002-14176%22]}
https://hudoc.echr.coe.int/eng-press#{%22itemid%22:[%22003-7735776-10702922%22]}
– CJEU Rules on Data Processing in EU Institutions –
On 6th September, the CJEU ruled in the case of JS v. European Data Protection Supervisor (EDPS). In terms of the facts of the case, the applicant, who had worked for the Single Resolution Board (SRB) but had subsequently resigned, made certain requests concerning the processing of their personal data to the SRB under Regulation 2018/1725 – concerning, for example, storage periods and data subject rights. Unhappy with the responses of the SRB, the applicant complained to the EDPB. The EDPS rejected the applicant’s complaint – the first decision – highlighting the legality of the processing undertaken by the SRB and limitations to the applicant’s rights in relation to this processing. Following a request for review, the EDPB then again rejected the applicant’s complaint – the second decision. The following forms of order were then sought before the Court: ‘The applicant claims that the Court should…annul the first contested decision and, so far as necessary, the second contested decision…order the EDPS to pay him the sum of EUR 20 000 in respect of the damage suffered…order the EDPS to pay the costs…The EDPS contends that the Court should:…dismiss the action as unfounded;…order the applicant to pay the costs.’ The Court dismissed the action and ordered the applicant to pay the costs. In dismissing the action, the Court highlighted the legitimacy of the EDPS position on the law in question, as well as the EDPB’s approach in dealing with the complaints – including concerning the time taken to assess the complaints and concerning choices not to exercise further powers of investigation. This is a lengthy, involved, and technical case, and will likely be of most interest to those dealing with data processing by EU institutions in the context of employment relationships. The case does however offer elements of interest for the wider data protection community,
not least with regards to its analysis of Regulation 2018/1725, and its discussion of the legitimacy of EDPS activity.