Data Protection Insider, Issue 62

EDPL Data Protection Insider 03.02.2022

- Telephone Interception During Criminal Proceedings with Adequate Safeguards: Adomaitis v Lithuania -

On 18 January, the ECtHR examined the case of Adomaitis v Lithuania concerning the question of communications interception against the ex-director of the Kybartai prison. As to the facts of the case, the applicant was suspected of abusing his office in order to offer better conditions for some inmates. As a result, criminal investigations were opened against him, which included the secret tapping of his telecommunications and putting a listening device in his office. These measures had been authorized by the domestic courts and had lasted for the maximum time envisaged by the law, namely one year. Subsequently, as there was insufficient evidence to charge the applicant, the information obtained from the surveillance measures was re-used in the course of disciplinary proceedings against the applicant. As a result, he was dismissed. He challenged the measures in front of the domestic courts. These concluded that the measures had been lawful. The applicant then filed two complaints with the ECtHR on the basis of Articles 6(1) and 13, and 8 ECHR respectively, concerning mainly the legality of the interception, the usage of the materials in the criminal and disciplinary provisions and the opportunities to challenge the measures. All complaints have relevance for data protection, even though they are not all based on Article 8. The ruling of the ECtHR can be summarized as follows. The first complaint concerned the alleged ‘lack of access to the materials from the secret surveillance against him, those materials having served as the basis for his dismissal from service. He also maintained that there was a lack of a proper and precise legal framework indicating how information gathered when employing criminal intelligence actions could be used and its lawfulness contested.’ The ECtHR decided to examine the complaint on the basis of Article 6(1) ECHR and not on the basis of Article 13 ECHR, as no separate issue arose under Article 13 ECHR.
It concluded that the applicable domestic law and the involvement of the domestic courts in authorising the surveillance measures and examining the challenges put forward by the applicant ensured the principle of adversarial proceedings and equality of arms. Hence, there was no violation of Article 6(1) ECHR. The second complaint concerned Article 8 ECHR, in relation to which the applicant alleged that the measures lacked a proper factual and legal basis. The Court recalled that the interception of the applicant’s telephone, the storage of the data and its disclosure in the disciplinary proceedings amounted to an interference with Article 8 ECHR. The Court concluded that the interference was lawful, because it had a clear legal basis and the surveillance measures had judicial authorization, preceded by a careful examination of the facts. As to the legitimate aim, the Court accepted that the measures served the purposes of preventing disorder and crime and protecting the rights and freedoms of others. It argued that the measures were also necessary and proportionate because of the existing safeguards, including the courts’ reasoning before authorizing the measures and their extension in time, the fact that the maximum allowed period for the interception was not overstepped and the fact that the applicant had had the opportunity to contest the lawfulness and proportionality of the usage of the materials in the proceedings against him. Hence, there was no violation of Article 8 ECHR. We note the concerns raised by Judge Koskelo in her partly dissenting Opinion, where she criticized the Court for not having paid attention to the fact that the domestic courts had not performed an adequate assessment for the re-usage of the materials, which were originally collected for the purposes of the criminal proceedings and re-used in the framework of the disciplinary proceedings against the applicant.
The point was raised, amongst others, ‘in the light of contemporary principles relating to the protection of personal data in general’, which signals the influence of (EU) data protection law on the interpretation of the right to private life under Article 8 ECHR.

https://hudoc.echr.coe.int/eng#{%22itemid%22:[%22001-215168%22]}

- ECtHR rules on Prisoner Correspondence in Vasilenko v. Ukraine -

On 13 January, the European Court of Human Rights ruled in the case of Vasilenko v. Ukraine. The case was decided by a Committee. The case essentially concerned ‘the alleged monitoring by the prison administration of the applicant’s correspondence in breach of Article 8 of the Convention and the lack of an effective domestic remedy in that regard, contrary to Article 13 of the Convention’. The Court followed the ‘general case-law principles of relevance…found, for example, in Glinov v. Ukraine’ in its finding that there had been a violation of both Articles 8 and 13. The Court highlighted the inadequacy of the domestic courts’ consideration of the case as well as ‘that the proceedings did not go beyond the appellate stage, given the HAC’s [Higher Administrative Court] refusal to exempt the applicant from court fees, even though his similar request had been granted by both lower courts.’ In this regard, the Court concluded that: ‘It follows that the prison administration had breached the legal ban on monitoring of prisoners’ correspondence with prosecution authorities and that the domestic courts had failed to provide an adequate response to the applicant’s complaint in that regard.’ The case is short and easy to read but – as is to be expected from a Committee ruling – predominantly reiterates previous considerations and eventually comes to a predictable conclusion.

https://hudoc.echr.coe.int/eng#{%22itemid%22:[%22001-214756%22]}

- European Data Protection Board Guidelines on the Right of Access - 

On 18 January, the European Data Protection Board published its ‘Guidelines 01/2022 on data subject rights - Right of access: Version 1.0’. In terms of content, the Guidelines include detailed sections on: ‘Aim of the right of access, structure of Article 15 GDPR, and general principles’ – including discussions on the modalities of providing copies and on the completeness and correctness of information; ‘General considerations regarding the assessment of accuracy requests’ – including discussions on the form of request and the identification of data subjects; ‘Scope of the right of access and the personal data to which it refers’ – including discussions on the scope of personal data to which the right refers; ‘How can a controller provide access’ – including discussions on relevant appropriate measures in relation to ensuring access; and ‘Limits and restrictions of the right of access’ – including discussions on restrictions flowing from Article 23 and other derogations. These are lengthy Guidelines, coming in at 60 pages, but they include numerous useful clarifications of the right of access and are well worth reading for all interested in the right. The Guidelines are a preliminary version which is open for public consultation. All public responses should be provided by March 11 – see the links below for more information.

https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf; https://edpb.europa.eu/our-work-tools/documents/public-consultations/2022/guidelines-012022-data-subject-rights-right_en

- EDPS Opinion on Cybercrime Convention -

On 20 January, the European Data Protection Supervisor issued ‘Opinion 1/2022 on the two Proposals for Council Decisions authorising Member States to sign and to ratify, in the interest of the European Union, the Second Additional Protocol to the Convention on Cybercrime on enhanced co-operation and disclosure of electronic evidence’. The EDPS recognises the legitimacy of the aim of the Protocol and highlights several positive features – for example that the Protocol contains a ‘dedicated Article on the processing of personal data’. The EDPS also, however, expresses certain regrets relating to the Protocol, including that the Umbrella Agreement ‘would apply to transfers from the EU to the United States of America in the framework of the provisions set out in the Protocol related to the co-operation between authorities’. The EDPS also makes a number of recommendations concerning future Council Decisions ‘should the Protocol be signed and ratified by the Member States’ – including, for example, that: ‘Member States should designate, pursuant to Article 7(5)(e) of the Protocol, a judicial or other independent authority’. In terms of content, the Opinion contains in-depth discussions ‘On the safeguards regarding international data transfers and respect of fundamental rights’, ‘On enforceable data subject rights and effective legal remedies for data subjects’ and on the ‘Relationship between the data protection provision (Article 14) of the Protocol and other agreements’. This is a detailed and technical Opinion and advisable reading for those interested in international e-evidence discussions.

https://edps.europa.eu/system/files/2022-01/22-01-20_opinion_cybercrime_convention_en.pdf

- Advocate General in PNR Case: No Significant Challenge to the EU PNR Scheme in Light of Fundamental Rights -

On 27 January, Advocate General Pitruzzella delivered his Opinion in the preliminary ruling proceedings arising from the complaint submitted by the Ligue des droits humains with the Belgian Constitutional Court on the legality of the Belgian law implementing the EU PNR and API Directives. The Constitutional Court submitted several questions to the CJEU concerning the compliance of the PNR scheme with the CFREU, mostly with the fundamental rights to privacy and data protection, and with Article 23 GDPR. In his Opinion, the AG first recalled that the contested interference stemmed from EU law and therefore that the EU legislator is supposed to define clearly the scope of the interference. He clarified that the transfer of the PNR data to the Passenger Information Units (PIUs) and their subsequent processing constitutes an interference with Articles 7 and 8 CFREU and must satisfy the requirements of Article 52 CFREU. With regard to the transfer of the PNR data, he noted that certain categories of data, e.g. the category of ‘General remarks’, are too general and therefore suggested the invalidation of point 12 of Annex I. He then noted that the PNR data are only the minimum necessary for the purposes of the PNR Directive and are accompanied by other safeguards, such as security and confidentiality measures and a ban on the processing of sensitive data – we presume that this applies to all other data and data categories. Furthermore, the AG suggested that the PNR scheme should be distinguished from the existing case law on telecommunications surveillance, e.g. because the number of affected persons is lower and the processed data are not as intrusive. This allowed him to propose that the ‘generalized and undifferentiated’ transfer of PNR data to the PIUs is not disproportionate in light of the CFREU. He recalled that independent supervision is essential for compliance with the fundamental rights.
On the question of the prior assessment of passengers, the AG recommended that: (1) the PNR data may be checked only against background databases which are relevant for the purposes of fighting serious crime and terrorism and have been established for these purposes; and (2) that profiling ‘cannot be carried out by means of machine-learning artificial intelligence systems, which do not make it possible to ascertain the reasons which led the algorithm to establish a positive match.’ Finally, the AG concluded that the general and undifferentiated retention of the data of all passengers for five years in an identifiable form is not proportionate. It remains to be seen whether the Court will follow the above recommendations and the AG’s reasoning. The Opinion is currently available only in French.

https://curia.europa.eu/jcms/upload/docs/application/pdf/2022-01/cp220019en.pdf

- Data Protection and Research: The Necessary Safeguards -

Among the novelties introduced by the GDPR were the minimum safeguards concerning the processing of personal data for research purposes and the opening clause offered to Member States concerning data protection and research. Still, a lot of questions remained about the application of the relevant provisions. On 27 January, the CNIL and the Belgian DPA clarified that research activities in the sphere of political profiling could breach the GDPR and could entail the imposition of sanctions on the controller and the individual researcher. As to the facts of the case, a Belgian NGO, DisinfoLab, collected the tweets published by different people concerning a member of the French Government (Benalla) and sought to analyse the political beliefs of those who tweeted on the topic. In response to criticism of the methodology of the study, the NGO and the researcher published information about the Twitter accounts and sensitive information about them, such as the presumed political orientation, religious beliefs and sexual orientation of those tweeting. The Belgian DPA established the following four breaches of the GDPR: (1) the data processing activity was not documented by the controller; (2) no DPIA had been carried out; (3) not enough security measures had been taken; and (4) the raw data were published without the consent or knowledge of the people concerned who had published the tweets. As a result, it imposed a 2,700 Euro fine on the NGO and a 1,200 Euro fine on the researcher.

https://www.cnil.fr/fr/profilage-politique-lautorite-belge-de-protection-des-donnees-prononce-deux-sanctions-apres-saisine