Data Protection Insider, Issue 122

Data Protection Insider, Issue 122 - DPI 14

-ECtHR: Bosnia and Herzegovina Does Not Respect Legal professional Privilege-

On 5th November, the ECtHR ruled that the legal framework in Bosnia and Herzegovina does not offer adequate protection for the confidentiality of lawyers’ correspondence in the case of Neziric v. Bosnia and Herzegovina. As to the facts of the case, the applicant was a lawyer. Upon the order of an investigating judge, his phone was seized and its exterior and content examined in the framework of investigating a crime in which the applicant and third parties were allegedly involved. The applicant claimed that the examination of the phone was in breach of his right to private life under Article 8 ECHR. The Court noted that it was not disputed that the search and seizure of the phone constituted an interference with the right to ‘correspondence’ in Article 8 ECHR and that it had a basis in domestic law. The Court focused on the question of whether domestic law offered sufficient safeguards against abuse. The Court discussed, in particular, two shortcomings with the domestic law in terms of legal professional privilege: (1) the actual examination of the content of the phone was not carried out in the presence of a member of the Bar Association or the applicant himself and (2) ‘as to the sifting and separating of privileged data, the Court observes that the domestic law does not seem to contain any specific procedure or safeguards to address the examination of electronic data carriers and prevent communication covered by legal professional privilege from being compromised’. Thus, the Court concluded that ‘the domestic legislation lacked the appropriate procedural safeguards to protect data covered by legal professional privilege. That notwithstanding, the Court has no basis on which to decide whether or not lawyer-client confidentiality was actually compromised in the case at hand. In the Court’s view, however, the lack of procedural guarantees relating specifically to the protection of legal professional privilege already fell short of the requirements flowing from the criterion that any interference must be in accordance with the law within the meaning of Article 8 § 2 of the Convention’.

-Updates from the EDPB-

In the past two weeks, the EDPB published the following significant documents:

  • 11th November 2024: ‘Opinion 23/2024 on the draft decision of the Irish Supervisory Authority regarding the Controller Binding Corporate Rules of the Aptiv Group’;
  • 7th November 2024: ‘EDPB response to NATO/SHAPE’ – concerning transfers and IOs;
  • 4th November 2024: ‘Statement 5/2024 on the Recommendations of the High-Level Group on Access to Data for Effective Law Enforcement’.

Adoption of Cyber Resilience Act-

On 10th October, the Council adopted the Cyber Resilience Act. According to the Council: ‘The new regulation aims to fill the gaps, clarify the links, and make the existing cybersecurity legislative framework more coherent, ensuring that products with digital components, for example ‘Internet of Things’ (IoT) products, are made secure throughout the supply chain and throughout their lifecycle.’ The law ‘introduces EU-wide cybersecurity requirements for the design, development, production and making available on the market of hardware and software products, to avoid overlapping requirements stemming from different pieces of legislation in EU member states’. It will also ‘allow consumers to take cybersecurity into account when selecting and using products that contain digital elements, making it easier for them to identify hardware and software products with the proper cybersecurity features’. Moving forward, ‘the…act will be signed by the presidents of the Council and of the European Parliament and published in the EU’s official journal in the coming weeks. The new regulation will enter into force twenty days after this publication and will apply 36 months after its entry into force with some provisions to apply at an earlier stage’. We recognise the Act was adopted outside the time-frame for this DPI. The volume of CJEU cases decided in periods covered by previous issues left little space for this story. We nevertheless felt this might be of interest to our readers, however, and this led us to the decision to shift coverage to this issue.

 

 

 

About

DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.

Leave a Reply