Data Protection Insider, Issue 114

Data Protection Insider, Issue 114 - DPI 29 1

– ECtHR: Monaco in Breach of Article 8 ECHR for Extracting Too Much Data from a Lawyer’s Phone- 

On 6th June, the ECtHR ruled that Monaco had infringed Article 8 ECHR for failing to adequately protect the data on a lawyer’s phone when seeking to extract a certain recording from it in the case of Bersheda and Rybolovlev v. Monaco. As to the facts of the case, Ms Bersheda, a lawyer registered with the Swiss bar, was charged in Monaco with having secretly recorded a conversation of under 10 minutes with T.R. In the course of her defence, Ms Bersheda handed over her phone so that the recording in question could be examined. She had deleted other data from her phone with the help of an IT expert. The investigating judge in Monaco, however, overstepped his remit and ordered the examination of all the data that could be retrieved from the phone, including the deleted data (‘a “fishing expedition”’). On that basis, and bearing also in mind breach of professional secrecy, Ms Bersheda complained that the indiscriminate retrieval of data from her phone, and the fact that her complaint was rejected by the Monegasque courts breached her Article 8 ECHR rights. The Court first, confirmed that the above facts constituted an interference with Article 8 ECHR. Then, it ruled that the said interference had a legal basis in domestic law. However, the Court was not satisfied regarding how the law was implemented in the present case. It noted that ‘the investigating judge had not, from the outset, deployed a framework to protect legal professional privilege in the present case, especially when domestic law required guarantees for measures that were admittedly different but had comparable consequences, like searches and seizures.’ It also deplored the fact that the judicial authorities failed to adequately remedy the shortcomings of the investigations. Thus, it concluded that there had been an interference with Article 8 ECHR, because the interference was not ‘necessary in a democratic society’. Editorial note: The above summary is based on the English language version of the Press Release as the judgment is available only in French. The summary also does not cover the inadmissibility discussion in relation to one of the two applicants – Mr Rybolovlev.

– AG Medina Advises on Exceptions to Transparency in the GDPR –

On 6th June, AG Medina clarified the exception on transparency under Article 14(5)(c) GDPR in the case of Masdi. As to the facts of the case, the applicant in the main proceedings, UC, was issued with a vaccination certificate for COVID-19 by the Budapest Office. He complained that the Office did not provide him with the necessary information about the processing of his data, as required under the GDPR. The Office evoked the exception to transparency under Article 14(5)(c) GDPR and argued that the processing of the data was based on domestic law (Article 6(1)(e) and Article 9(2)(i) GDPR). The questions referred for preliminary ruling refer to the scope of the exception in Article 14(5)(c) GDPR and the powers of the national DPA when examining compliance with the exception in Article 14(5)(c) GDPR. AG Medina advised the CJEU to rule as follows. First, he argued that, as to the material scope of the exception, ‘the derogation from the obligation on the data controller to provide information to the data subject applies to all data which the controller has not

obtained from the data subject. It is not relevant, in that regard, whether the data are expressly obtained from another entity or if the data are generated by the controller in its own procedure’. As to the supervisory powers of DPAs, especially to examine the quality of the national law on which the processing is based, AG Medina distinguished the present case from Schrems, where the question arose as to whether DPAs may examine the validity of EU instruments. AG Medina concluded that ‘Article 77(1) of the GDPR must be interpreted as meaning that, in the context of a complaint procedure, the supervisory authority has the power to examine whether all the conditions laid down in Article 14(5)(c) of that regulation are complied with. More particularly, it has the power to examine the question whether Member State law, to which the controller is subject, provides appropriate measures to protect the data subject’s legitimate interests’. Considering whether national law must transpose security measures in order to be compliant with Article 14(5)(c) GDPR, AG Medina advised the Court that ‘Article 14(5)(c) of the GDPR must be interpreted as meaning that the ‘appropriate measures’ referred to in that provision do not require the national legislature to transpose the measures relating to the security of the data laid down in Article 32 of that regulation’.

– AG Opinion on Collection of Biometric and Genetic Data –

On 13th June, AG De La Tour published their Opinion on the case of V.S.. As to the facts of the case, the police wanted to record the photographic, dactyloscopic and genetic data of a suspect in a crime (V.S.), who, however, refused to provide the data. Following the refusal, the law enforcement authorities sought judicial authorisation in order to forcefully collect the biometric and genetic data. The national court, uncertain as regarded certain aspects of the law, submitted a set of questions to the CJEU, which the CJEU then dealt with in 2023 – Case C‑205/21. The national court, remaining uncertain regarding aspects of the relevant law following the CJEU’s decision – in particular concerning whether the Court should have access to the full case file in conducting its review, and as to the extent of review of the file necessary – thus submitted a second round of questions to the CJEU. The following questions were referred, in this second round, to the Court:

  • ‘Is the requirement of assessing “strict necessity” under Article 10 of Directive 2016/680…satisfied if it is carried out solely on the basis of the decision accusing the person and…her written refusal to have her biometric and genetic data collected, or is it necessary for the court to have…all the material in the file which, under national law, is made available to it’?
  • If the above is answered positively, then, ‘after having been provided with the case file, may the court in the context of the assessment of “strict necessity” pursuant to Article 10’ and ‘Article 6(a) of Directive 2016/680 also consider whether there are reasonable grounds to suspect that the accused has committed the criminal offence’?

In response, the AG concluded:

  • Article 10, ‘in conjunction with Article 4(1)(a) to (c) and Article 8(1) and (2)’ means ‘the assessment…of whether the creation of a police record is ‘strictly necessary’…must be carried out…by the authorities that are competent for the creation of that record, before they can…apply for authorisation of its mandatory creation’. Further, ‘it is not sufficient…that the assessment…be carried out, for the first time, by the court from which mandatory creation is sought, only in the even that the accused person has refused to consent to the creation of the police record and only in the light of one of the purposes allegedly pursued by the national legislation which forms the legal basis for that collection’.
  • ‘In the alternative’ Article 6(a) and Article 10 mean ‘that…review, by the court, of whether…collection of biometric and genetic data is ‘strictly necessary’ does not require…review as to whether the accusation…concerned is well founded’ or ‘the full disclosure of the case file, provided that the assessment of whether collection is ‘strictly necessary’…can be carried out in an effective manner on the sole basis of the decision designating the person…as an accused person’.

About

DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.

Leave a Reply