Data Protection Insider, Issue 34

– ECtHR Rules on Archival Research and Privacy –

On 13th October the ECtHR handed down its decision in Gafiuc v. Romania. The case concerned a journalist who had been granted accreditation to conduct research in the Romanian Securitate archives – the archives of the Romanian Secret Police under the Communist Regime. Such access is granted only provided an individual is conducting research into the historical truth about the period. The journalist then went on to publish a series of articles including information on individuals who had collaborated with the regime in informing on sportspersons who had been under state surveillance. The journalist’s accreditation was subsequently withdrawn on the ground that they had illegitimately violated individuals’ privacy and that they had not acted in line with the original purposes of their research. The journalist appealed to the Court claiming the removal of accreditation illegitimately interfered with their Article 10 right to freedom of expression. The Court decided there was no infringement. In particular, the Court highlighted that the information published included information relating to the private sphere of sportspersons, which did not concern their athletic performance, which had not been published by the sportspersons concerned themselves, which was in general inaccessible to the public, which could not be effectively assessed and which could not be considered to serve the public interest. In this regard, the Court considered that the privacy interests involved outweighed the journalist’s Article 10 rights and that the removal of accreditation was legitimate. Whilst not ostensibly about the Article 8 right to privacy, the case is significant in relation to data protection in terms of its consideration of the privacy interests tied up with state archives. In this regard, the case takes its place among the range of case law dealing with the legitimate limitations on the access and use of Communist period archives.

 

Maris v Romania: Rectification Requests Not Always Recognised –

On 22nd October the ECtHR declared Maris’s application alleging a breach of Article 9 ECHR on freedom of religion inadmissible. Superficially, the case does not look relevant for data protection. When one looks deeper however, a different picture appears. According to the facts of the case, the applicant is a prisoner whose prison records indicate his religion to be “orthodox Christian.” Whilst he had requested that the records be amended to indicate his religion to be “Jewish”, the prison authorities had failed to correct the records. Accordingly, the applicant claimed a violation of his freedom of religion rights. The ECtHR concluded that the complaint was inadmissible, mainly because the applicant was never prevented from manifesting his religion or exercising and practising it. From a data protection perspective, it is interesting that the Court did not consider the relevance of the fact that the prisoner’s data had not been updated despite an explicit request. It seems the Court did not feel that the right to have one’s religion accurately reflected in official records related in any meaningful way to the ability to manifest one’s religion. This conclusion seems at least debatable given the very real form of manifestation of religion implied by state recording and recognition of one’s religious identity. It is also interesting that the case dealt with issues concerning rights to access and rectification whilst the case did not deal directly with Article 8. The data protection community tends to look at the Article 8 right to privacy as the locus for evaluating the ECtHR’s elaboration of fundamental rights connected to personal data processing. This case highlights that the locus of the ECtHR’s data protection thinking may, on occasion, lie elsewhere. It is possible, for example, that there are considerably more cases dealing with data access and rectification than those traditionally discussed, simply by virtue of the fact that these are not raised under Article 8. Finally, if a similar question would be raised under the GDPR/LED, it would be interesting to know what the courts and data protection supervisory authorities would deem to be adequate evidence of change of religious identity when requesting a rectification such as that in the Maris case.

 

– EDPB Holds 40th Plenary Session –

On 20th October the EDPB held its 40th Plenary Session. During the Session, the EDPB decided to establish a Coordinated Enforcement Framework (CEF), which provides “a structure for coordinating recurring annual activities by EDPB Supervisory Authorities (SAs).” The framework will ensure the coordination and flexibility of joint actions across the wide range of tasks and powers of the SAs – from awareness raising through investigations to enforcement actions. The EDPB also adopted the following documents:

  • A final version of the Guidelines on Data Protection by Design & Default after the public consultation on a draft version. As well as focusing on the requirements stemming from Article 25 GDPR, the Guidelines also focus on how to ensure compliance with the principles set out in Article 5 GDPR.
  • A letter in response to the Europäische Akademie für Informationsfreiheit und Datenschutz with regards to the data protection implications of Article 17 of the Copyright Directive – focusing, in particular, on upload filters.

The documents will be made available on the EDPB’s website following the standard linguistic, formatting and legal checks.

 

– Investigatory Division of Belgian DPA considers IAB TCF Problematic –

In the latest addition to the range of ongoing investigations into online behavioural advertising, the investigatory division of the Belgian DPA has concluded that the Internet Advertising Bureau’s (IAB) Transparency and Consent Framework (TCF) is not compatible with the requirements of the GDPR. The TCF was adopted by the IAB in 2018 as an effort to update the practices of online advertisers such that these would be compatible with the GDPR. Since then, the TCF has had wide uptake amongst companies operating in the online behavioural advertising space. The investigatory division of the Belgian DPA, however, according to TechCrunch, has published a preliminary report in which the TCF is highlighted as problematic for a number of reasons, including: that the TCF does not comply with fairness, transparency and accountability principles; that the TCF does not adhere to lawfulness of processing requirements; and that the TCF does not include sufficient conditions to legitimate the processing of sensitive personal data. The report also includes other problematic findings concerning the IAB’s internal data processing practices, including that the organisation has not met its obligation to appoint a DPO. The IAB has provided a response to the report disputing the findings – also linked below. The investigatory division’s report will now be taken forward by the litigation division which will now examine the case on its merits.

 

– ICO Adopts Guidelines on the Right of Access –

On 21st October the ICO released its Guidelines on the Data Subject Access Right (DSAR) to their own personal data under the GDPR. The Guidelines are addressed to large companies – specifically to their Data Protection Officers (DPOs) and staff members with data protection responsibilities. They focus on seven general topics: i) how to recognise an access request; ii) how to fulfil the requirements of Article 15 read in conjunction with Article 12 GDPR with regards to charging reasonable fees; iii) recognising manifestly ill-founded and excessive requests; iv) verifying the identity of the requesting individual; v) dealing with requests which concern multiple individuals’ personal data simultaneously; vi) the collaboration between joint controllers and the controller and processor(s) in responding to DSARs; vii) and the possibility for applying restrictions to DSARs under the GDPR and UK law. The Guidelines further pay special attention to access in relation to unstructured manual records, credit files, health data, educational data, and social work data. Finally, they discuss the possibility for administrative and judicial remedies. The ICO explicitly states that it constitutes a criminal offence to force someone to make an access request concerning their own data. We note that the present Guidelines are to be read together with prior Guidelines concerning the explainability of automated decisions and profiles from May 2020. This is because the present Guidelines do not delve into detail about how the right of access applies and is to be exercised in relation to automated decisions and profiles, whilst the topic is subject to much debate. In addition, we note that the Guidelines apply primarily to the GDPR and almost no attention is paid to the exercise of data subjects’ rights under the so-called “Police” Directive. Bearing in mind the sensitivity of processing in the law enforcement sector and the novelty of data protection legislation in this sector, such guidance would be welcome indeed.

 

– CJEU and Representative Organisations’ Standing –

Previously in Data Protection Insider, we reported on a case in front of the German Bundesgerichtshof BGH) involving Facebook and Bundesverband der Verbraucherzentralen und Verbraucherverbände — Verbraucherzentrale Bundesverband e.V. We reported that the BGH had chosen to refer the case to the CJEU pending an answer to the following question: ‘Do…Article 80(1) and (2) and Article 84(1), of Regulation (EU) 2016/679 ( 1 ) preclude national rules which — alongside the powers of intervention of the supervisory authorities responsible for monitoring and enforcing the Regulation and the options for legal redress for data subjects — empower, on the one hand, competitors and, on the other, associations, entities and chambers entitled under national law, to bring proceedings for breaches of Regulation (EU) 2016/679, independently of the infringement of specific rights of individual data subjects and without being mandated to do so by a data subject, against the infringer before the civil courts on the basis of the prohibition of unfair commercial practices or breach of a consumer protection law or the prohibition of the use of invalid general terms and conditions?’ In an update to the case, on 26th October the Official Journal recorded that the case is now included in the official proceedings of the CJEU. The CJEU’s eventual decision looks likely to have significant ramifications for the ability to bring proceedings for violations of data protection law and the progression of the case should be followed with utmost interest.

About

DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.

Leave a Reply