– ECtHR Rules on Publication and Destruction of Information Obtained via Covert Surveillance –
On 22nd February, the ECtHR ruled in the case of Kaczmarek v. Poland. In terms of the facts, the applicant is the wife of a Polish politician. In 2007, an anti-corruption investigation was launched in relation to the Ministry of Agriculture. The investigation failed, and the applicant’s husband was implicated as having warned the Minister. An investigation was then launched into the hampering of the previous investigation. In the course of this later investigation, the applicant’s husband was a subject of covert surveillance, and, as a result, the applicant’s calls were monitored. In a subsequent press conference, hosted by Deputy Prosecutor Generals, information obtained using covert measures was made public – including information relating to the applicant. The applicant brought civil claims against one of the Deputy Prosecutor Generals before national courts about this disclosure, but these complaints were unsuccessful. Following this, in 2010, the applicant requested the covertly collected information concerning her be destroyed. Following a lengthy process, she was unsuccessful. Accordingly, the applicant complained to the ECtHR, relying on Article 8, that ‘her personal data and material which had been gathered in the covert surveillance operation had been made public during a press conference and that the authorities’ response had not been adequate’ as well as about ‘the retention of the material gathered during the surveillance operation.’ The Court found a violation. In relation to the disclosure in the press conference, the Court highlighted – particularly in light of the fact the provisions on which disclosure was argued to be based did not obviously relate to publication of personal information – that ‘a recording of a phone conversation of the person who was not subjected to the investigation went beyond the scope of the empowerment vested in the prosecuting authorities by’ the relevant provisions. In relation to the destruction of information collected via covert surveillance, the Court highlighted ‘the lack of sufficient clarity in the legal framework at the time of the events…and the absence of procedural guarantees relating specifically to the destruction of the applicant’s communications.
– ECtHR Rules on Surveillance and Encryption –
On 13th February, the ECtHR ruled in the case of Podchasov v. Russia. In terms of the facts, the applicant was a user of the Telegram application. Under Russian law, Telegram is obliged to store information on communications for one year, and the content of communications for six months. Russian law also requires that, under certain conditions, this information must be provided to law enforcement authorities, as well as any supplemental information necessary to decrypt encrypted data. The Russian security services requested this information from Telegram in related to several users ‘who were suspected of terrorism-related activities’. Telegram refused, asserting that providing the required information would mean creating a backdoor to its encryption. The applicant, along with others, also ‘challenged the disclosure order before’ national courts, arguing that ‘the provision of encryption keys as required by the’ security services ‘would enable the decryption of the communications of all users’ and that it ‘would therefore breach their right to respect for their private life and for the privacy of their communications.’ Challenges at national level, however, were unsuccessful. In light of the above, the applicant, relying on Article 8 of the Convention, complained to the ECtHR ‘about the statutory requirement for’ internet communications organisations ‘to store the content of all Internet communications and related communications data, and to submit those data to law-enforcement authorities or security services at their request together with information necessary to decrypt electronic messages if they were encrypted’. The Court found a violation, and concluded that: ‘the contested legislation providing for the retention of all Internet communications of all users, the security services’ direct access to the data stored without adequate safeguards against abuse and the requirement to decrypt encrypted communications, as applied to end-to-end encrypted communications, cannot be regarded as necessary in a democratic society.’ The Court went on to say that, in ‘so far as this legislation permits the public authorities to have access, on a generalised basis and without sufficient safeguards, to the content of electronic communications, it impairs the very essence of the right to respect for private life under Article 8 of the Convention’ and that Russia had overstepped its margin of appreciation. Whilst the whole case is interesting and worth reading – particularly for anyone following the data retention, and state-surveillance, discussions – it is the section on encryption, and the Court’s strong stance, which is perhaps most eye-catching.
– AG Offers Opinion on the Sale of Databases of Personal Data –
On 22nd February, AG Pikamäe delivered their Opinion in the case of I. sp. z o. o. v M.W. In terms of the facts, the case concerns the member of a board of a company, which is in a debt relationship to another company. In the case the former company does not have assets with which to pay its debts, the latter company may be able to claim directly from the member of the board. In legal proceedings relating to this issue, the member of the board claims there are assets which might be sold: amongst which, databases of personal data. The referring Court, however, was uncertain as to the legality of transferring these databases – not least as the data subjects in the databases had not given their consent to the further transfer of their data. In this regard, the following question was referred to the CJEU: ‘Should Article 5(1)(a) of’ the GDPR ‘in conjunction with Article 6(1)(a), (c) and (e)’ and ‘Article 6(3)…be interpreted as precluding a provision of national law that permits the sale, in enforcement proceedings, of a database, within the meaning of Article 1(2) of Directive’ 96/9 – Database Directive – ‘which contains personal data, if the data subject did not consent to such a sale?’ The AG came to the conclusion that: ‘Point (e)…of Article 6(1), Article 6(3) and the first sentence of Article 6(4)…must be interpreted as meaning that it does not preclude a provision of national law that permits the sale, by a court enforcement officer, in enforcement proceedings, of a database which contains personal data, if the data subjects did not consent to such a sale, provided that the processing carried out by that court enforcement officer with regard to those data constitutes a necessary and proportionate measure in a democratic society to ensure the enforcement of a civil law claim.’ There is much to mull over in this Opinion, including observations as to how the purpose limitation principle should be understood, how exceptions to the principle might be interpreted – including concerning Recital 50 – and regarding the possibility of the sale of personal data. As always, however, it remains to be seen whether, and to which extent, the Court will follow the Opinion.