Data Protection Insider, Issue 121

Data Protection Insider, Issue 121 - DPI 13

-ECtHR: Russian ‘Foreign Agents’ Legislation Breaches Various Article 8 Rights-

On 22nd October, the ECtHR ruled that the Russian Act on ‘foreign agents’ severely restricts different aspects of the concerned individuals’ private lives in breach of Article 8 ECHR in the case of Kobaliya and Others v Russia. As to the facts of the case, as of 2012, the Russian legislature enacted provisions which, amongst others, allowed the designation of individuals – e.g. lawyers, NGO staff members, journalists and activists – as ‘foreign agents’ if they distributed materials or received funding from foreign entities. The personal data of such individuals, including ‘full names, pseudonyms, previous names, dates of birth, taxpayer identification numbers, social security numbers and the grounds for their inclusion in the (foreign agents) register’, was published by the Ministry of Justice. The publication of the data resulted not only in stigmatising the concerned individuals. Further measures such as enhanced (financial) reporting obligations, limitations on the public to which the individuals could distribute their materials and the obligation to mark their materials as ‘foreign agent’ resulted in further limitations of their Article 8 ECHR rights, of which the applicants complained. The ECtHR ruled that the various measures clearly constitute an interference with Article 8 ECHR. The Court decided to ‘proceed on the assumption that the interference pursued the stated legitimate aims of protecting national security and preventing disorder by increasing public awareness of the applicants’ “foreign agent” designation.’ It did not examine the ‘quality of the law’ requirement, as the Russian government did not make any submissions on that point. The Court thus examined directly the necessity requirement. It noted that the designation as a ‘foreign agent’ was ‘misleading’ as no evidence was adduced that they indeed acted in the interest of foreign entities and the criteria for the designation were unjustifiably broad. According to the Court, the designation of individuals as ‘foreign agents’ under these circumstances did not pursue any public interest and no measures were taken to protect the personal data published. Furthermore, the reporting obligations on their expenditures, including their day-to-day transactions with friends and family, were too intrusive, especially bearing in mind the fact that it was not proven that the individuals had received foreign funding. Lastly, there were wide-ranging restrictions ‘on the exercise of a profession, access to elected office and civil service, or the prohibition on teaching and writing for children’. The Court noted that it had previously found that less severe restrictions constituted a breach of Article 8 ECHR and thus the above restrictions are, a fortiori, a breach of Article 8 ECHR. Thus, the Court found the analysed legislative measures incompatible with Article 8 ECHR. Editorial note: The above summary does not include complaints under Article 10 and 11 ECHR in the case.

-Updates from the EDPB-

In the past two weeks, the EDPB published the following significant document:

  • 21 October 2024: ‘Report on Article 36 alerts of Schengen Information System decision’.

On 4th November, the EDPB held its 98th Plenary Meeting, at which the following significant issues, amongst others, were discussed:

  • ‘Request for mandate on best practices relating to Art. 64(2) GDPR opinions’;
  • ‘Update of the Strategic Cases Process Guide’;
  • ‘Reply to the letter from NATO dated 29 April 2024’;
  • ‘Request for mandate regarding Guidelines on the use of biometrics for physical access control’;
  • ‘EDPB report on the first review of the European Commission Implementing Decision on the adequate protection of personal data under the EU-U.S. Data Privacy Framework’;
  • ‘Reply to letter from AI Office on EDPB statement on the role of DPAs in the AI Act framework’;
  • ‘Statement on the Recommendations of the High-Level Group on Access to Data for Effective Law Enforcement’;
  • ‘Audited Descriptions of Consumer Profiling Techniques provided to the EDPB pursuant to Art. 15 Digital Markets Act (DMA)’.

At the time of writing, further information regarding the plenary, and the issues discussed, was not yet available on the EDPB website.

-Council of Europe Framework Convention on AI-

On 5th September 2024, the Council of Europe opened up its ‘Framework Convention on Artificial Intelligence and Human Rights, Democracy and the Rule of Law’ for signature. According to the Council of Europe: ‘The Framework Convention complements existing international standards on human rights, democracy and the rule of law, and aims to fill any legal gaps that may result from rapid technological advances. In order to stand the test of time, the Framework Convention does not regulate technology and is essentially technology-neutral.’ The Framework includes: a set of fundamental principles with which activities ‘within the lifecycle of AI systems must comply’; remedies, ‘procedural rights, and safeguards’ – including concerning transparency; and risk, ‘and impact management requirements’ – including regarding human rights, democracy, and rule of law impact assessments. The Convention covers both public and private actors. We recognise the Convention was opened for signature outside the time-frame for this DPI. The volume of CJEU cases decided in the period covered by previous issues left little space for this story. We nevertheless felt this might be of interest to our readers, however, and this led us to the decision to shift coverage to this issue.

About

DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.

Leave a Reply