Data Protection Insider, Issue 75

CJEU Provides Guidance on the Processing of Sensitive Data

On 1st August, the CJEU delivered a judgment in the preliminary ruling case of OT v Vyriausioji tarnybinės etikos komisija concerning the publication of data online, including sensitive data. As to the facts of the case, the applicant (OT) was required by Lithuanian law to submit a declaration of private interests with the Chief Ethics Commission of Lithuania, because they held the post of a director in a company receiving public funding. The declaration is then published online, as required by law. The applicant argued that the publication of the declaration could reveal sensitive information about their private lives and those of their relatives and hence refused to submit it. To solve the dispute between the applicant and the Commission, the referring Lithuanian court sent two preliminary ruling questions concerning the interpretation of Articles 6 (1) (c), 6 (1) (e), Article 6 (3) and Article 9 GDPR (on the legal basis for the publication and on the protection of sensitive data, respectively) in light of Articles 7, 8 and 52 (1) CFR. As to the first question on Article 6 GDPR, the Court ruled that the publication of the declarations could fall under Article 6 (1) (c) GDPR, because the Chief Ethics Commission is obliged to publish the declarations by law. The Court noted that in addition to a legitimate legal basis, the publication has to fulfil the other requirements in Article 52 (1) CFR, since it constitutes an interference with the fundamental rights to privacy and data protection. Whereas the publication of the requested data pursued legitimate purposes, e.g. to fight corruption, the Court deemed that in casu the publication of all the required data was not strictly necessary for the purpose of transparency and preventing corruption. This is because, inter alia, the position of the applicant might not have called for such detailed public scrutiny and because the data minimisation principle seemed to have been breached when disclosing most of the filed data online. The publication of all the data was also not deemed to be proportionate, especially because of the possibility to derive (sensitive) information about the applicant and their relatives and because this information was made available to an unrestricted number of individuals, who might misuse the information. As to the second question on Article 9 GDPR, the Court ruled that the publication of the contested declarations could be deemed to constitute of processing of sensitive data in the meaning of Article 9 (1) GDPR, because it could reveal information about the individual’s sexual orientation, even where the sensitivity of the data may be only indirectly inferred. We note that this conclusion is not surprising bearing in mind the broad interpretation of the definition of sensitive data given by data protection authorities and academics. What we find interesting is that in the examination of the first question the Court did not dwell on the question of the respect for the essence of the examined fundamental rights, which is also one of the requirements of Article 52 (1) CFR.

 

Commission Publishes First Report on the Law Enforcement Directive

On 25th July, the Commission published its first report on the functioning and application of the Law Enforcement Directive (‘LED’). In the report, after the general remarks on the LED, the Commission focused on the following three main points: (i) the remaining issues related to the implementation of the LED into national law; (ii) lessons learned from the functioning and application of the LED so far; and (iii) further steps. With regards to the outstanding issues (i), the Commission noted the delayed and/or incorrect implementation of the LED in certain Member States. Incorrect, unclear or incomplete implementation was noted in relation to the scope of the LED; the powers of the supervisory authorities; the available judicial remedies; the definition of the data storage limits; the legal basis for the processing, including for sensitive data; safeguards related to automated decision-making; the rights of the data subjects; the requirements on distinction between the different categories of persons and types of information; and the logging of the data processing activities. As to the lessons learned (ii), the Commission focused on the increased exercise of data subject rights, including indirectly through the DPAs, and the use of the complaint mechanism under the LED; the enhanced awareness of the DPA staff as concerns the LED and data protection more generally; the improvements in data security but at the same time the divergences in data breach notifications; the limited resources made available to the DPAs; the fact that the DPAs are using their investigative, corrective and advisory powers and that in certain cases their decisions have been challenged, mostly by the data subjects; the initial work done by the EDPB to issue guidelines concerning the LED; the limited usage of the mutual assistance mechanism between the DPAs; and finally listed in detail all the work done in relation to international transfers, e.g. the adequacy decisions adopted under the LED by the Commission. As to the way forward (iii), the Commission mentions that ‘[a]t this stage, the focus should be on realising the full potential of the LED. In this context, and given the limited experience with these new rules, the Commission believes that it is too early to consider revising the LED.’ It made a series of recommendations for its future work on the LED, to the Member States, to the DPAs and the EDPB. The recommendations were made especially in relation to the legal framework, supporting the work of the DPAs and ensuring legally compliant international data transfers.

 

EDPS Publishes Two Opinions 

On 9th and 11th August, the EDPS published the following two Opinions, respectively:

‘Opinion 17/2022 on the Recommendation for a Council Decision authorising the opening of negotiations for the inclusion of provisions on cross-border data flows in the Agreement between the European Union and Japan for an Economic Partnership’; and

‘Opinion 18/2022 on the Proposal for a Regulation as regards conversion of the Farm Accountancy Data Network into a Farm Sustainability Data Network’.

The Opinions can be found

About

DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.

Leave a Reply