Data Protection Insider, Issue 117

Data Protection Insider, Issue 117 - DPI 1

AG de la Tour: High Number of Complaints Does Not Make Them Automatically ‘Excessive’-

On 5th September, AG de la Tour advised the Court to rule that a high number of complaints, submitted over a short period of time does not automatically make them ‘excessive’ in Österreichische Datenschutzbehörde. As to the facts of the case, a data subject (FT), submitted to the Austrian Data Protection Commission 77 complaints within about 20 months, concerning the failure of different controllers to respond to their access requests within one month, as prescribed by the GDPR. The Commission refused to react, claiming that the complaints were ‘excessive’ and constituted a huge burden for the Commission. Eventually, the case reached the Austrian courts, which wondered whether the Commission could rely on Article 54(7) GDPR, which ‘offers the supervisory authorities, when confronted with requests which are manifestly unfounded or excessive, in particular because of their repetitive character, the possibility of charging a reasonable fee based on the administrative costs or of refusing to act on those requests.’ Three concrete questions were formulated on the basis of Article 54(7) GDPR: (1) whether the concept of ‘requests’ covers also ‘complaints’; (2) whether a high number of complaints makes them ‘excessive’ and (3) whether a data protection authority may choose between charging a fee and refusing to act on a complaint in case of ‘excessive’ or ‘manifestly unfounded’ requests. With respect to the first question, AG de la Tour suggested that the concept of requests should be interpreted to cover also complaints. As to the second question, he argued that a high number of requests may not in itself classify them as excessive, especially where such a key data subject right as the right of access to one’s data is concerned and where the complaints concern the failure of different controllers to respond to the data subject’s access requests. He also recalled that it is for the data protection authority to prove that the complaints are excessive and that challenging the resources of the data protection authority is not a convincing argument. With regard to the third question, he argued that the GDPR does not set out a priority between charging a fee and refusing to act on a complaint. Thus, he suggested, a data protection authority should decide on a case-by-case basis which option to make use of: ‘a supervisory authority may consider it appropriate, in the light of the relevant circumstances and with a view to halting an abusive practice which is liable to hamper its proper functioning, to charge a reasonable fee based on the administrative costs of the additional workload created by excessive complaints. The dissuasive effect of that option may lead the authority to prefer it over an immediate refusal to act on such complaints. (…) I would add that the principle of proportionality and the objective of ensuring a high level of protection of personal data should also predispose supervisory authorities to charge a reasonable fee based on the administrative costs before refusing to act on such complaints, given that the former measure is less harmful to the rights of data subjects under the GDPR’.

-ECtHR Considers the need for Judicial Authorisation in Mobile Telephone Searches-

On the 5th of September, the ECtHR decided in the case of Mukhtarli v. Azerbaijan and Georgia. In terms of the facts, the case essentially concerned the alleged abduction of the plaintiff, his extradition to Azerbaijan from Georgia, and his detention in Azerbaijan. Whilst in detention in Azerbaijan, the plaintiff’s mobile phone, on the order of the investigator, was thoroughly searched. Following a series of unsuccessful complaints at national level regarding the legality of this search, the plaintiff appealed to the ECtHR. In this regard, the plaintiff complained to the ECtHR that their Article 8 rights were violated by virtue of ‘the search of the contents of his mobile telephone by the investigating authorities’ in Azerbaijan – other complaints, relating to other Articles were also brought, which will not be considered in this summary. In this regard, the Court decided that the investigating authorities’ search had not been in accordance with the law. They highlighted, in particular, the fact that the search had been conducted as part of an ‘investigation’ which did not, under national law, require advance judicial authorisation. The Court highlighted ‘that a search of the contents of a mobile telephone – which constitutes a measure seriously interfering with a person’s private life and correspondence – cannot be in compliance with Article 8 of the Convention if it is left to an investigator’s unfettered discretion; Article 8 requires the issuance of a warrant by an independent body when interference with the privacy of a person is at stake.’ Whilst the Court did recognise certain circumstances – for example concerning the authorities need to act expediently in specific cases – in which such authorisation might not be strictly necessary, the Court considered that none of these applied in the present case.

-ECtHR Considers the Monitoring of Documents Exchanged between Prisoners and Lawyers-

On the 3rd of September, the ECtHR, sitting as a Committee, decided, in a brief judgment, the case Hallaçoğlu v. Türkiye. In terms of the facts, the case essentially concerned the monitoring, by prison authorities, of documents exchanged between a prisoner and their lawyer during meetings in prison. The monitoring of these documents was argued to be legitimated in national law under ‘section 59(5) of Law no. 5275 on the enforcement of sentences and preventive measures…as amended by Article 6 of Emergency Legislative Decree no. 676 adopted in the framework of the state of emergency declared in the aftermath of the attempted coup d’état’. In this regard, the plaintiff complained to the ECtHR that ‘the impugned measure of monitoring the documents exchanged with his lawyer had constituted a breach of his right to respect for his private life under Article 8 of the Convention.’ The Court found a violation. The Court, recalling the decision and the logic in the prior case of Mehmet Demir, highlighted that: the ‘Court has already concluded that the interpretation and application by the domestic courts of the impugned legislation was wide and vague and that such an extensive interpretation and application of the relevant domestic provision did not comply with the Convention requirements of foreseeability and thus lawfulness.’

-ECtHR Considers Data Retention in Russia-

On 5th of September, the ECtHR, sitting as a Committee, decided, in a brief judgment, the case of Vorobyev and Others v. Russia. The case essentially concerned the ‘statutory requirement for Internet communications providers to store the content of all Internet communications and related communications data, and to submit those data to law‑enforcement authorities or security services at their request together with information necessary to decrypt electronic messages if they were encrypted’. Th applicants thus complained to the ECtHR regarding the violation of their Article 8 rights implied by this requirement – other complaints were also made, which will not be considered in this summary. The Court reiterated that it had ‘earlier found that the contested legislation providing for the retention of all Internet communications of all users, the security services’ direct access to the data stored without adequate safeguards against abuse and the requirement to decrypt encrypted communications, as applied to end-to-end encrypted communications, cannot be regarded as necessary in a democratic society. In so far as this legislation permits the public authorities to have access, on a generalised basis and without sufficient safeguards, to the content of electronic communications, it impairs the very essence of the right to respect for private life under Article 8 of the Convention’. The Court then further highlighted that, in relation ‘to its case-law on the subject, the Court considers that in the instant case the continuous storage of the applicants’ Internet communications and related communications data by their Internet communications providers, the authorities’ potential access to these data and the obligation to decrypt them if they are encrypted, pursuant to the domestic law, violated the applicants’ Article 8 rights’. Given the current political situation, we wonder how such judgments from the ECtHR are now received in Russia, and how this might impact the response to the judgment.

About

DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.

Leave a Reply