Data Protection Insider, Issue 64

EDPL Data Protection Insider 03.03.2022

- ‘SS’ SIA v Valsts ieņēmumu dienests: Processing by Tax Authorities Should Comply with the GDPR -

On 24th February, the CJEU ruled on several questions regarding the applicability and interpretation of several provisions of the GDPR to the processing of personal data by the tax authorities for tax purposes. As to the facts of the case, a Latvian website (‘SS’ SIA) which provides advertisement opportunities was asked by the tax authorities to provide information about the car serial numbers of advertised cars as well as further information, including the telephone numbers of the advertisers, for a specified timeframe in the past. If the information could not be restored, ‘SS’ SIA was requested to provide at the beginning of every month the information about the advertisements posted the month before. ‘SS’ SIA refused to provide the requested information and eventually the dispute between it and the tax authorities reached the domestic courts, which sent nine preliminary questions to the CJEU, concerning, in particular, the legality of the requested data disclosure in light of Article 5 GDPR, which sets out the data protection principles. The Court’s ruling can be summarized as follows. First, the Court confirmed that the GDPR is applicable in casu, and not Directive 2016/680 (Police Directive), because the processing is not performed by a law enforcement authority and it is not clear that the tax authorities requested the data for law enforcement purposes. Consequently, the principles in Article 5 GDPR should be respected when requesting the data disclosure in question. Second, the Court clarified that the principles may not be restricted, unless a legal basis exists for the restriction in national law, as required by Article 23 GDPR and Article 52(1) CFREU.
Third, the Court noted that for the request by the tax authorities to be compatible with the Article 5 GDPR principles, in particular data minimisation, the request should be narrowly phrased to the information which is actually necessary for the declared purpose of fighting against tax fraud. Hence, the request that ‘SS’ SIA transmit personal data for an undefined period of time might be disproportionate. We note that the reasoning of the Court will probably not come as a surprise to those who are familiar with the GDPR and the case law of the CJEU on the GDPR.

https://curia.europa.eu/juris/document/document.jsf;jsessionid=960819F9EE18FD497F8CB727A9232FE6?text=&docid=254583&pageIndex=0&doclang=DE&mode=lst&dir=&occ=first&part=1&cid=645370

- Y. v Poland: No Absolute Right to a Rectified Birth Certificate in Gender Reassignment Cases -

On 17th February, the ECHR adopted a ruling on the question of whether an individual has the right to be issued with a new birth certificate after having had their gender reassigned. As to the facts of the case, the applicant is ‘a female to male transsexual who obtained legal gender recognition’. After the gender reassignment, the applicant obtained new identity documents with a new name and the reassigned gender. In addition, their original birth certificate was annotated to reflect the changes. The extract of the birth certificate indicated the new gender. However, the applicant requested that they be issued with a new full birth certificate, stating their new gender. The Polish authorities turned down the applicant’s application and the applicant’s recourse to the domestic courts was not successful. As a result, the applicant complained that their birth certificate breached their right to private and family life under Article 8 ECHR. The Court decided to examine the case in light of the positive obligations of the State. In such cases the Court examines whether a fair balance has been struck between the interest of the State and the private and family life interests of the applicant. The Court noted that the Polish State had issued the applicant with new identity documents, the applicant had married a woman without a problem and that the extract of the birth certificate contained the reassigned gender. The Court acknowledged that the annotation in the full birth certificate might have caused the applicant ‘mental suffering’, but also considered that ‘it does not appear that in his daily life the applicant is required to reveal these intimate details of his private life and that the inconveniences complained of are sufficiently serious.’ This is mainly because the full birth certificate is accessed by very few officials and the applicant is rarely required to provide their full birth certificate.
In addition, there is a public interest in maintaining the annotation in the full certificate – e.g. to prove the gender reassignment. Finally, the applicant ‘failed to provide any details that he had been affected by that situation and to what extent.’ Thus, the Court found that the Polish system struck a fair balance between the competing interests and there had been no violation of Article 8 ECHR.

https://hudoc.echr.coe.int/eng#{%22itemid%22:[%22001-215604%22]}

- Commission Publishes Data Act -

On 23rd February, the Commission published its proposal for a Regulation ‘on harmonised rules on fair access to and use of data (Data Act)’. The Act is the second legislative proposal in the context of the EU strategy for data – alongside the Data Governance Act. According to the Commission: ‘The Data Act addresses the legal, economic and technical issues that lead to data being under-used’ and essentially ‘clarifies who can create value from data and under which conditions.’ In its press release, the Commission highlights a number of noteworthy aspects of the Act, including: ‘Measures to allow users of connected devices to gain access to data generated by them, which is often exclusively harvested by manufacturers’; ‘Measures to rebalance negotiation power for SMEs by preventing abuse of contractual imbalances in data sharing contracts’; ‘Means for public sector bodies to access and use data held by the private sector that is necessary for exceptional circumstances’; and ‘New rules allowing customers to effectively switch between different cloud data-processing services providers and putting in place safeguards against unlawful data transfer’. The proposed Act does not solely concern the processing of personal data and, in principle, its provisions should not impact the applicability of the GDPR. The Act does, however, contain provisions relevant for data protection law – including provisions concerning data portability. It will be interesting to see how the Act fares in subsequent legislative discussions. 

https://ec.europa.eu/commission/presscorner/detail/en/ip_22_1113

- EDPB Adopts a Series of Documents -

Following its 61st EDPB plenary meeting, the EDPB adopted the following three documents:

  • A ‘letter in reply to the European Parliament’s Civil Liberties, Justice and Home Affairs Committee (LIBE) regarding the Second Additional Protocol to the Cybercrime Convention, and in view of the two European Commission Proposals for Council Decisions authorising Member States to sign and ratify the Protocol’;
  • A ‘final version of the Guidelines on Codes of Conduct as a tool for transfers’;
  • A ‘letter on AI liability’.

The letter concerning the Second Additional Protocol to the Cybercrime Convention is already available on the EDPB website, and the others are expected to be published soon.

https://edpb.europa.eu/news/news/2022/edpb-adopts-reply-libe-2nd-additional-protocol-cybercrime-convention-guidelines_en

- EDPB Launches Enforcement on Public-Sector Cloud Use -

On 15th February, the European Data Protection Board announced ‘the kick-off of the first coordinated enforcement action of the European Data Protection Board.’ The coordinated action will involve enforcement actions by twenty-two European DPAs as well as the European Data Protection Supervisor. The Board highlight that cloud use in the public sector has grown significantly over the past few years – and point to the pandemic as a further driver of the trend. The Board also highlight, however, that ‘public bodies at national and EU level may face difficulties in obtaining Information and Communication Technology products and services that comply with EU data protection rules.’ Accordingly, the Board consider that: ‘Through coordinated guidance and action, the SAs aim to foster best practices and thereby ensure the adequate protection of personal data.’ Within the context of the coordinated action, over eighty public bodies, engaging in a range of different types of public sector activity, will be addressed. National authorities will then implement the action in a range of different ways at national level – including: ‘fact-finding exercise[s]; questionnaire[s] to identify if formal investigation[s are] warranted; commencement of…formal investigation[s]; follow-up of ongoing formal investigations.’ The Board highlight that: ‘In particular, SAs will explore public bodies’ challenges with GDPR compliance when using cloud-based services, including the process and safeguards implemented when acquiring cloud services, challenges related to international transfers, and provisions governing the controller-processor relationship.’ The outcomes of the national actions will be subject to coordinated analysis. Authorities will then make decisions concerning the logic of further actions. 
Further, aggregated results will be collected ‘generating deeper insight into the topic and allowing targeted follow-up at EU level.’ The Board will produce a report on the coordinated action by the end of 2022.

https://edpb.europa.eu/news/news/2022/launch-coordinated-enforcement-use-cloud-public-sector_en

- French Constitutional Council Rules on Data Retention -

The French Constitutional Council – a French court with powers to review the constitutionality of legislation – has decided that paragraphs II and III of article L. 34-1 of the Postal and Electronic Communications Code constitute a disproportionate infringement on the right to respect for private life. The applicants in the case asserted that the provisions required telecommunications operators to engage in blanket data retention without specifying adequate safeguards – including highlighting a lack of specification that retention be limited to serious crimes and a lack of specification that retention should be subject to ex ante approval by a court or independent authority. The Council found that the data to be retained were extensive and thus capable of being intrusive to individuals’ privacy and that the blanket retention approach constituted a disproportionate impact on the right to respect for private life. The Council also highlighted, however, that the relevant legal provisions are no longer in force and found that measures enacted based on the provisions should not be subject to constitutional review. Unfortunately, at the time of writing, information on the case was available from the Council only in French. The authors are not fluent French speakers and have relied on an electronic translation of the Council’s press release to produce this report. Whilst this is not ideal, the authors felt the judgment of a constitutional body on data retention was worthy of discussion and thus made the decision to include the judgment in this newsletter. Unfortunately, the authors cannot rule out the possibility that errors were made in translation or that these errors were reproduced in this report. Accordingly, the authors urge all readers interested in the decision to consult the primary materials themselves.

https://www.conseil-constitutionnel.fr/actualites/communique/decision-n-2021-976977-qpc-du-25-fevrier-2022-communique-de-presse