Data Protection Insider, Issue 77

ECtHR Rules in Case on the Sale of Health Data

On 30th August, the ECtHR found a violation of Article 8 ECHR in the case of Y.G. v Russia concerning the selling of a database containing sensitive health data. As to the facts of the case, the applicant has HIV and hepatitis and this information is stored by the Moscow Centre for the Prevention and Control of AIDS. An acquaintance of the applicant purchased data from a data market and informed the applicant that his data, amongst the data of thousands of others, were available on that database in an identifiable form, including his names, address, criminal conviction and information that he has AIDS and hepatitis. The applicant and his legal representative also purchased the database from the market, which presumably purchased the data from different governmental authorities such as the Information Centre of the Moscow Department of the Interior. The applicant requested the Information Centre to explain why it possessed health information concerning him, to rectify the information on AIDS as he did not have AIDS and to remove the information on his hepatitis status as he had not consented to the disclosure of this information. The Information Centre denied that it possessed health data on the applicant. After having tried unsuccessfully to claim his rights in relation to the disclosure of his health data with the domestic authorities, the applicant complained to the ECtHR that ‘the law-enforcement authorities had unlawfully collected, stored and entered his health data in a database, and that they had failed to ensure the confidentiality of his data and to carry out an effective investigation into their disclosure.’ The Court examined the complaint under Article 8 ECHR. It found that irrespective of whether the governmental authorities had compiled the database which was sold, they had not taken the necessary measures to ensure the confidentiality of the applicant’s health data. 
In addition, the Court found it problematic that the authorities had refused to investigate his complaint, although the legal framework did allow for investigations into breaches of one’s private life. Thus, the Court concluded that the authorities had failed to fulfil their positive obligations under Article 8 ECHR.

The ECtHR Clarifies Data Accuracy and Storage Limits

On 8th September, the ECtHR rendered a judgment in the case of Drelon v France concerning the processing of personal data of persons who want to donate blood. As to the facts of the case, the applicant wanted to donate blood and was asked to fill out a form, in particular concerning his health status. One of the questions was whether he had had sex with another man. The applicant did not answer this question. On the basis of the answer sheet, the responsible person at the French blood donation service (EFS) entered into the system the information that the applicant was homosexual, which was one of the grounds under French law for excluding him from donating blood. The deadline for storing the said information in the system was 2278. The applicant complained that the EFS had collected and stored inferences about his sexual orientation in breach of Article 8 ECHR. The Court noted that the data collection and storage had a legal basis and pursued a legitimate purpose, namely ensuring blood safety. Then, it referred to the data protection provisions of Council of Europe Convention 108, especially on data accuracy and data storage. The Court noted that the information on the applicant’s sexual orientation was a mere presumption based on his refusal to answer the relevant question. Therefore, the standards of accuracy had not been complied with. Furthermore, the Court noted that the long data storage limits allowed the presumption to be ‘repeatedly’ held against the applicant and used to exclude him from donating blood. The Court thus concluded there was a breach of Article 8 ECHR.

Advocate General Delivers Opinion on Relationship between Legal Fora

On 8th September, AG Jean Richard De La Tour delivered an Opinion in the case of BE v Nemzeti Adatvédelmi és Információszabadság Hatóság. The case concerns the efforts of BE to obtain copies of certain audio recordings which include responses to questions BE posed at a shareholder meeting. To this end, BE started proceedings before several legal fora – including a complaint to the data protection supervisory authority, an appeal against the negative decision of the supervisory authority before the referring court, and a parallel civil procedure against the controller. The referring court posed the following three questions to the CJEU:

  1. ‘Must Articles 77(1) and 79(1) of [Regulation 2016/679] be interpreted as meaning that the administrative appeal provided for in Article 77 constitutes an instrument for the exercise of public rights, whereas the legal action provided for in Article 79 constitutes an instrument for the exercise of private rights? If so, does this support the inference that the supervisory authority, which is responsible for hearing and determining administrative appeals, has priority competence to determine the existence of an infringement?’
  2. ‘In the event that the data subject ― in whose opinion the processing of personal data relating to him has infringed Regulation 2016/679 ― simultaneously exercises his right to lodge a complaint under Article 77(1) of that regulation and his right to bring a legal action under Article 79(1) of the same regulation, may an interpretation in accordance with Article 47 of the Charter of Fundamental Rights be regarded as meaning: (a) that the supervisory authority and the court have an obligation to examine the existence of an infringement independently and may therefore even arrive at different outcomes; or (b) that the supervisory authority’s decision takes priority when it comes to the assessment as to whether an infringement has been committed, regard being had to the powers provided for in Article 51(1) of Regulation 2016/679 and those conferred by Article 58(2)(b) and (d) of that regulation?’
  3. ‘Must the independence of the supervisory authority, ensured by Articles 51(1) and 52(1) of Regulation 2016/679, be interpreted as meaning that that authority, when conducting and adjudicating upon complaint proceedings under Article 77, is independent of whatever ruling may be given by final judgment by the court having jurisdiction under Article 79, with the result that it may even adopt a different decision in respect of the same alleged infringement?’

In response the AG concluded:

  1. ‘Article 78(1)…read in conjunction with Article 47 of the Charter…must be interpreted as meaning that the court called upon to rule on appeal against a supervisory authority decision where a subject seeks remedies provided in Article 77(1) and Article 79(1)…is not bound by the decision of another court concerning the latter provision regarding the existence…of a breach of rights.’
  2. ‘Articles 77(1) and 79(1) of Regulation No 2016/679 must be interpreted as meaning that the remedies provided may be pursued in parallel without one having priority over the other’.
  3. ‘In the absence of a rule of Union law on the interaction of the remedies provided for in Articles 77 to 79 of Regulation 2016/679, it is for the Member States, in accordance with the principle of procedural autonomy and taking into account both the objective of ensuring a high and uniform level of protection of the rights conferred by this Regulation, and the right to an effective judicial remedy enshrined in Article 47 of the Charter, to establish at national level the mechanisms necessary for the interaction of those remedies in order to avoid the risk of conflicting decisions on the same processing of personal data in the same Member State.’

As always, it remains to be seen whether, and to what degree, the Court will follow the AG’s Opinion. Unfortunately, at the time of writing, the Opinion was not available in English. The author has thus relied on another language version. The author cannot, however, rule out the possibility that errors were made in translation. Accordingly, the author urges all readers interested in the decision to consult the primary materials themselves.

EDPS Issues Opinion on Data Protection for Substances of Human Origin

On 7th September, the EDPS issued ‘Opinion 19/2022 on the Proposal for a Regulation on standards of quality and safety for substances of human origin intended for human application and repealing Directives 2002/98/EC and 2004/23/EC’. In his Opinion, the EDPS noted that the Proposed Regulation seeks to set up a centralized EU SoHO Platform which will be ‘established, managed and maintained by the Commission in order to facilitate the exchange of information concerning SoHO activities in the Union’. In view of the higher risks which centralized (health) platforms pose, the EDPS made specific recommendations in order to ensure the protection of the personal data of donors, recipients and offspring of human tissue in the framework of the personal data processing envisaged by the Proposal. Briefly put, the EDPS recommended that the Regulation should: (1) make a clear distinction between consent to donate tissue and informed consent under the GDPR; (2) regulate more precisely the purposes for re-using the collected personal data; (3) clarify whether the ECDC (European Centre for Disease Prevention and Control) will process personal data in the framework of the platform and what its responsibilities will be; (4) regulate the maximum data storage limits; (5) clarify all the instances in which personal data will be processed, as well as the necessity and proportionality of the said processing; and (6) clarify the risks related to certain of the envisaged data processing operations.

Agenda for the 69th EDPB Meeting

On 12th September, the EDPB held its 69th meeting. The agenda included several significant items, for example:

  • ‘Art. 64 Opinion on EuroPriSe certification criteria’.
  • ‘Inclusive language in EDPB documents’.
  • ‘The European House of Data Protection – discussion’.
  • ‘Statement on EU Police Cooperation Code’.
  • ‘Open letter on EDPB budget proposal for 2023’.

We imagine any significant outcomes from the meeting – including any adopted documents – will be published on the EDPB website following the meeting.

Irish DPC Fines Instagram 405 Million Euros

According to Reuters, the Irish DPC has decided to fine Instagram 405 million Euros. The decision follows an investigation, which began as far back as 2020, concerning the company’s processing of children’s data. More specifically, the investigation concerned the operation of business accounts by children, and the publication of their phone numbers and e-mail addresses. More information on the fine should be made public soon. According to Reuters, Meta, Instagram’s parent company, plans to appeal the fine. Given the profile of the company involved, the size of the fine, and the fact that the fine relates to children’s privacy, we feel this is a story which is worth following with interest.

About

DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.
