Data Protection Insider, Issue 57

–  ML. v Slovakia: Post-Mortem Privacy Protection

On 14th October, the ECtHR examined the balance between the freedom of speech interests of the Slovak newspapers which had been publishing articles about the sexual abuse convictions by a deceased priest and the private life interests of the priest and his mother in M.L. v Slovakia. As to the facts of the case, the priest had been convicted two times – of sexual abuse and of disorderly behaviour – and had spent the said convictions. Two years after his death, local newspapers published articles about the sexual behaviour of the priest and made allegations about his death. The mother of the priest sought unsuccessfully remedies on national level against the newspapers. In her complaint to the ECtHR, she complained that the dismissal of her case in Slovakia breached her private life interests as protected by Article 8 ECHR. The ECtHR ruled that the domestic courts had not struck a fair balance between the two competing human rights for the following three reasons. First, the Court reminded that individuals do not lose entirely the protection provided by Article 8 ECHR, even if they have been criminally convicted. In casu, the contested articles had been published after imposing the criminal convictions and after they had been spent by the priest. Second, the articles contained not only facts drawn from the criminal files, but contained unverified, sensational statements. These ‘distorted facts and the expressions used must have been upsetting for the applicant and (…) they were of such a nature as to be capable of considerably and directly affecting her feelings as a mother of a deceased son as well as her private life and identity, the reputation of her deceased son being a part and parcel thereof’. Third, building on the above, the Court concluded that ‘as well as being rather provocative and sensationalist, the articles in question could hardly be considered as having made a contribution to a debate of general interest.’ We note that the case is interesting from many perspectives, including because it concerns the question of the right to post-mortem private life protection and because it demonstrates the link between the protection of private life and personal data of one individual and the private life protection of their relatives.

 

– EDPB Adopts Revised Guidelines on Restrictions under Article 23 –

On 13th October, the EDPB adopted ‘Guidelines 10/2020 on restrictions under Article 23 GDPR: Version 2.0’. The Guidelines were adopted at the 56th Plenary session following a public consultation concerning the original version of the Guidelines, which were adopted in December 2020. According to the EDPS: ‘The guidelines aim to recall the conditions surrounding the use of such restrictions by Member States or the EU legislator in light of the Charter of Fundamental Rights and the GDPR. They provide a thorough analysis of the criteria to apply restrictions, the assessments that need to be observed, how data subjects can exercise their rights after the restrictions are lifted, and the consequences of infringements of Art. 23 GDPR. Additionally, the guidelines analyse how the legislative measures setting out the restrictions need to meet the foreseeability requirement and examine the grounds for the restrictions listed by Art. 23(1) GDPR, and the obligations and rights which may be restricted.’ There is apparently no easy way to see how the consultation proceeded, its outcomes, or what has been changed from the original Guidelines in consequence. This information would be welcome. Such information might, for example, provide insight as to which forms of arguments were taken on board, and which were not.

 

– EDPB Agenda for 56th Plenary –

On 13th October, the EDPB held its 56th Plenary. In particular, the EDPB considered:

  • ‘Consistency mechanism and Guidelines’
  • ‘Guidelines on Restrictions under Art. 23 GDPR (following public consultation)’
  • ‘Guidelines on children’s data – request for mandate’

  • ‘Current Focus of the EDPB Members’
  • ‘Proposal on coordinated action of the EDPB’

The agenda is available online. Further detailed information about the outcomes of the meeting is still – at the time of writing – forthcoming.

 

– European Parliament Uncritical of Europol’s Mandate Expansion –

On 21 October, the European Parliamentvotedto support the extension of Europol’s mandate in order to allow it to exchange personal data with private actors, gather and analyse large quantities of data and to develop AI tools for fighting serious crime, including in the framework of R&D projects. With this vote the Parliament adopted its position on two proposals by the Commission which seek to update the Europol Regulation and the Schengen Information System (SIS) legal basis, allowing Europol to enter law enforcement related alerts directly into SIS. Computerweekly reports that this development has been criticized by NGOs, because it essentially contradicts a vote by the European Parliament earlier this month which called for banning mass biometric surveillance and predicting criminal behaviour. They criticize the EP’s position on the proposed changes to Europol’s mandate, because the adopted position does not guarantee enough accountability and oversight over Europol’s increased technical capabilities. With the Parliament’s mandate now adopted, it can now proceed to the negotiations with the Council on the finalisation of the update of Europol’s Regulation and the SIS legal basis.

 

– Does the EU Disregard Human Rights Abroad? –

According to Euractiv, a number of NGOs, amongst which Privacy International, have filed a complaint with the European Ombudsman against several EU agencies and bodies, amongst which Frontex, for ‘contributing to the development of ‘surveillance’ capacities in third countries without considering fundamental rights and data protection’. The NGOs claim that these capacities were developed as a result of projects aiming at the training, financing and provision of technologies to law enforcement authorities in a number of Third Countries. The surveillance capacities include the establishment of biometric identification techniques and ‘gathering intelligence online, wiretapping techniques, and decrypting intercepted messages.’ The NGOs are concerned that according to the Commission, for EU Trust Fund Projects it is not obliged to carry out a data protection impact assessment.

From Privacy International’s website it becomes clear that on 19th October they have also sent a letter to the EDPS, in which they inform the EDPS of the complaint submitted to the Ombudsman, asking the EDPS to examine on his own initiative the compliance of the offered trainings with the data protection obligations of the EU agencies and bodies under the applicable data protection rules (Regulation 2018/1725), including on carrying out a data protection impact assessment.

 

– Controversy following Irish DPA’s Facebook Decision –

The Irish DPC recently announced its decision to fine Facebook between 28 and 36 million EUR for violations of the GDPR connected with transparency. According to Politico, however, this decision has been received with some concern by privacy advocates and other DPAs. Concerns emerge, in particular, around the assertion of the Irish DPC that it was not in the position to judge Facebook’s argument that its data processing is legitimated, under the GDPR, on the basis of a contract with users, as opposed to on the basis of users’ consent. Other DPAs now have the possibility to provide input in relation to the DPC’s decision. It is too early to say what will come from this process. It will, however, certainly be interesting to follow how DPAs formally respond to the decision and how the decision concerning Facebook’s practices, and the resulting fine, changes as a result.

About

DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.

Leave a Reply