– CJEU Rules on Purpose Limitation and Storage Limitation –
On 20th October, the CJEU delivered its judgment in the case of Digi Távközlési és Szolgáltató Kft. v Nemzeti Adatvédelmi és Információszabadság Hatóság. As to the facts of the case, Digi is a provider of internet and TV services. Following a technical problem, in April 2018 Digi created a separate database containing about one third of the customer data it possesses for testing purposes. In September 2019, an ethical hacker hacked this test database and informed Digi of the hacking. Digi promptly notified the Hungarian DPA of the breach, which fined Digi for having violated the purpose limitation and storage limitation principles in Articles 5(1)(b) and (e) GDPR. Digi challenged the decision in front of a Hungarian court which asked the following two questions concerning the principles to the CJEU:
- ‘Must the concept of “purpose limitation” as defined in Article 5(1)(b) (mean) that…(storing personal data) which were otherwise collected and stored for a limited legitimate purpose [in a parallel database) is consistent with that concept or (not)?’
- ‘(If) the answer to the first question (is negative) is the fact that the controller stores…personal data which were otherwise collected and stored for a limited legitimate purpose (in a parallel database) compatible with…“storage limitation?’
In this regard, the Court concluded that:
- ‘'(P)urpose limitation’…does not preclude the controller from collecting and storing (personal data) in a (parallel) database set up for testing and error correction purposes…if that further processing is compatible with the specific purposes for which the personal data were originally collected, which must be assessed in the light of the criteria set out in Art. 6(4)…and…the circumstances of the…case.
- ‘'(S)torage limitation’…precludes the controller from storing (personal data) in a (parallel) database set up for the purposes of testing and rectifying errors…for longer than…necessary for the performance of…tests and…rectification of…errors.’
The conclusions of the Court will likely be unsurprising for many in the data protection community and, unfortunately, the Court did not take the opportunity to address certain of the more pressing questions relating to the interpretation of purpose limitation and storage limitation – i.e. as to the nature of the legal ground necessary to legitimate secondary use. Nevertheless, the judgment is welcome in offering further clarification on two key principles in data protection law and is interesting in certain of the observations made – for example concerning the scope of the concept of ‘purpose’ and as to the rationale behind the provisions on compatibility. Unfortunately, at the time of writing, the judgment was not available in English. The author has thus relied on another language version. The author cannot, however, rule out the possibility that errors were made in translation. Accordingly, the author urges all readers interested in the decision to consult the primary materials themselves.
– CJEU Rules on Elections and Video Recordings –
On 20th October, the CJEU ruled in the case of Komisia za zashtita na lichnite danni, Tsentralna izbiratelna komisia v Koalitsia „Demokratichna Bulgaria – Obedinenie“. In essence, the case concerned the legitimacy of guidelines, adopted by the Bulgarian DPA, concerning video recording in the context of elections, which were then challenged before the national courts. In this regard, the referring national court asked posed six questions to the CJEU, which the CJEU bundled into two sets of considerations:
- ‘(W)hether Article 2(2)(a) of the GDPR must be interpreted as meaning that the processing of personal data in connection with the implementation of elections in a Member State are excluded from the scope of the GDPR(?)’
- ‘(W)hether Article 6(1)(e) and Article 58 of the GDPR…preclude the adoption by the competent authorities of a Member State of an administrative measure of general application restricting or, where appropriate, prohibiting videotaping of the counting of votes at polling stations during elections(?)’
In this regard, the CJEU concluded:
- ‘Article 2(2)(a) of the GDPR must be interpreted as meaning that the processing of personal data in connection with the organization of elections in a Member State does not fall outside the scope of the Regulation.’
- ‘Article 6(1)(e) and Article 58 of the GDPR…do not preclude the adoption of an administrative act of general application by the competent authorities of a Member State concerning videotaping of vote counting at polling stations during elections.’
This is an interesting case both as concerns subject matter – elections, democratic process etc. – but also as concerns certain of the more specific technical deliberations of the Court – e.g. regarding the use of Directive 95/46 in interpreting the GDPR, and regarding the powers of national DPAs. The case is thus well worth reading. Unfortunately, at the time of writing, the judgment was not available in English. The author has thus relied on another language version. The author cannot, however, rule out the possibility that errors were made in translation. Accordingly, the author urges all readers interested in the decision to consult the primary materials themselves.
– ECtHR Rules on Racial Profiling during Police Identity Checks –
On 18th October, the ECtHR rendered two judgements concerning the question of discrimination against individuals who were subject to a police identity check on a train in Germany (Basu v. Germany) and on the street in Spain (Muhammad v. Spain). Both applicants complained that ‘the identity check had been carried out because of…dark skin colour, and thus in a discriminatory manner, and that the authorities had failed to investigate sufficiently…allegations of racial profiling.’ They had both submitted complaints with the local courts, reaching up to the respective constitutional courts, which were not successful, and thus each filed a complaint with the ECtHR. The Court noted that the applicants had an ‘arguable claim that he or she may have been targeted on account of specific physical or ethnic characteristics’, which was enough to trigger the applicability of Article 8 ECHR. This was enough to also trigger the applicability of Article 14 ECHR. It follows from this that ‘the authorities’ duty to investigate the existence of a possible link between racist attitudes and a State agent’s act is to be considered as implicit in their responsibilities under Article 14 of the Convention also when examined in conjunction with Article 8.’ In Basu v Germany, the Court ruled that there had been a violation of Article 14 ECHR, taken together with Article 8 ECHR, because the domestic authorities – both the police authority where the controlling police officers were employed and the courts – had failed to effectively investigate the applicant’s claim for racial profiling. Because of this failure, ‘the Court [was] unable to make a finding as to whether the applicant was subjected to the identity check on account of his ethnic origin.’ In Muhammad v. Spain, the Court ruled that the respondent State had taken the necessary steps to investigate the applicant’s complaint and that there was therefore no violation of the Convention in this respect. As to ‘the complaint concerning the allegedly discriminatory grounds for the police check and the arrest of the applicant’, the Court found no violation of the Convention on that ground, either. This is, because, amongst others, ‘[t]he Court sees no reason to depart from the domestic courts’ conclusion that the applicant’s attitude, and not his ethnicity, was what caused the police officers to stop him and to identify him. It was only his refusal to show proof of his identity that caused his detention in order to be identified at the police premises, as provided by the applicable law.’ We would like to bring these two cases to our readers’ attention, because, in the words of Judge Pavli who issued a Partly Dissenting Opinion in Basu v. Germany, ‘of the ground-breaking nature’ of the two judgments, as ‘these are the first cases in which the Court has considered allegations of racial profiling in police identity checks in a public space.’ He regretfully points out that neither of the two judgments answers the question ‘what exactly is it that Article 14 prohibits when it comes to profiling by State agents?’ There are also concurring and dissenting opinions Muhammad v. Spain. We also note that the rulings might have implications for discussions on AI profiling based on personal data.
– AG Delivers Opinion on Covert Surveillance Measures –
On 13th October 2022, AG Collins delivered their Opinion in the case of HYA and Others. The case essentially concerns the authorisation of surveillance by a national court, in criminal proceedings, by using a generic template which did ‘not include an individualised statement of…reasons for…issue’. In this regard, the referring court asked the following questions:
- ‘Is a practice of national courts in criminal proceedings [authorising monitoring] of telephone conversations…[via] a pre-drafted, generic text template…which [states], without any individualisation, that…statutory provisions have been complied with compatible with Article 15(1) of Directive 2002/58…Article 5(1) and recital 11?’
- ‘If not, is it contrary to EU law if…national law is interpreted as meaning that information obtained…is used to prove the charges brought?’
With regard to the questions, the AG considered that:
- ‘Article 47 of the Charter…and Article 15(1) of Directive 2002/58/EC…Article 5(1) and recital 11…do not preclude the practice [in question]…provided that the reasons for the authorisation can be…ascertained and…challenged…by reading the authorisation and the application…side by side’.
- ‘Article 47 of the Charter and Article 15(1) of Directive 2002/58…Article 5(1) and recital 11… [mean] a national court:’ i) in relation to unlawfully obtained evidence ‘cannot…remedy that irregularity by [adducing] reasons retrospectively, save in duly justified cases of urgency’; ii) ‘must determine the admissibility of [such] evidence…in accordance with…national law…to respect…the general principles of EU law…and…the right to a fair hearing…in…the Charter…and…the [ECtHR]’; and iii) ‘must exclude evidence obtained in breach of those provisions…where a party…is not in a position to comment…on that evidence, the evidence pertains to a technical field…the judges have no knowledge [of] and that evidence is likely to [significantly] influence…findings of fact.’
As always, it remains to be seen whether the Court follows the AG’s position. The Opinion will doubtless be of interest for all those engaged with questions of surveillance.
– EDPS Issues Opinion on the Council of Europe’s Convention on AI –
On 13th October, the EDPS published ‘Opinion 20/2022 on the Recommendation for a Council Decision authorising the opening of negotiations on behalf of the European Union for a Council of Europe convention on artificial intelligence, human rights, democracy and the rule of law’. The EDPS stresses that he ‘supports the opening of negotiations on behalf of the Union for a future convention on AI, and welcomes the Union’s role in promoting trustworthy AI that is consistent with the Union’s values, through the first legally binding international instrument on AI, based on shared values and principles, notably on human dignity, democracy and the rule of law.’ The EDPS puts forward the following six key recommendations for the EU negotiation mandate. First, he recommends strengthening the protection of rights and interests of the affected (groups of) individuals as one of the general objectives of the proposed EU negotiation mandate, next to the single market objective. Second, the EDPS recommends that the negotiations should aim at ensuring better consistency with EU primary and secondary law. Third, the EDPS emphasizes the need to include more ‘procedural safeguards and rights for “AI subjects”’, complementing the existing safeguards in EU law. Fourth, the EDPS advocates for a risk-based approach and calls for a prohibition on AI systems which pose ‘unacceptable risk’ to fundamental rights, e.g. human dignity. Fifth, the EDPS ‘recommends including a negotiating directive according to which the convention should promote the adoption of a data protection by design and by default approach at every step of AI systems’ lifecycle, allowing the effective implementation of data protection principles by means of state-of-the-art technologies.’ Sixth and finally, the EDPS recommends a strong oversight system, under which the supervisory authorities have effective powers to investigate and enforce the Convention and also to cooperate with each other, including across borders.
– EDPB Adopts Five Documents –
During its October plenary meeting, the EDPB adopted the following five documents:
- ‘EDPB Letter to the EU Commission on procedural aspects that could be harmonised at EU level’;
- ‘Opinion 28/2022 on the Europrivacy criteria of certification regarding their approval by the Board as European Data Protection Seal pursuant to Article 42.5 (GDPR)’;
- ‘Statement 04/2022 on the design choices for a digital euro from the privacy and data protection perspective’;
- ‘Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority’;
- ‘Guidelines 9/2022 on personal data breach notification under GDPR’.
The documents are already available on EDPB’s website.