Data Protection Insider, Issue 13

Data Protection Insider, Issue 13 - Image Landing Page DPI 29

– EDPB Adopts Three Documents –

On December 2nd and 3rd the EDPB met in plenary session. As a result of the session, the EDPB adopted the following three documents:

• Art. 64 GDPR Opinion on Accreditation Requirements for Codes of Conduct monitoring bodies by UK SA.
• Response to BEREC request for guidance on the revision of its guidelines on net neutrality rules.
• Guidelines on “the Criteria of the Right to be Forgotten in the search engine cases under the GDPR” (part 1).

The documents are not yet available on the EDPB website. We would assume, however, that the documents will be made available over the course of the coming days and weeks following internal checks.

– ECtHR: Covert Surveillance – A Never-ending Quest for Legality? –

In the ECtHR case of Hambardzumyan v. Armenia the ECtHR examined a complaint on the use of secret surveillance measures. As a result of these measures, the applicant – previously a director at a penal facility in Armenia – was caught taking a bribe from one of the inmates in exchange for a transfer to an open prison. The ECtHR ruled that there was a violation of Article 8 ECHR on account of the fact that the warrant which allowed the surveillance did not comply with domestic law. The judicial authorisation merely reproduced the text provided by the police and did not restrict the scope of the surveillance measure – for example, the warrant did not specify with sufficient clarity the activities it authorized – or specify its targets. Thus, the Court concluded there was ineffective judicial supervision and the measures did not fulfil the level of precision required for the content of a surveillance warrant. Having concluded this, the ECtHR did not examine the necessity and proportionality of the surveillance measure. This is a pity, since in other similar surveillance cases, as reported earlier in this newsletter, the ECtHR also decided it was not necessary to examine such key questions. Is this approach to surveillance a tactical, geo-political, move by the Court? Or is it rather that secret surveillance is a moving target and the Court prefers not to draw bright lines which will need to be revised?

– ECtHR: No Unlimited Seizure of Documents –

In Kırdök and Others v. Turkey the ECtHR dealt with an Article 8 complaint by three Turkish lawyers whose electronic documents had been seized by the police. The police intended to gather evidence against a fourth lawyer, who was sharing an office and the associated electronic facilities with the applicants – including computer systems. The police had acted upon a warrant which was issued only in respect to the fourth lawyer, who was suspected of having links to the PKK. The applicants had requested either the restitution or destruction of the seized data but were refused by the police. The Court found a violation of Article 8 ECHR owing to the fact the measures were not necessary and proportionate and did not correspond to a pressing social need. The Court cited several specific reasons for finding a violation. First, the contested seizure was based on a court order which had not specified which documents could be seized or how the pieces of information and documents to be seized were relevant for the investigation. Second, whilst the seized materials may have been subject to professional confidentiality – and therefore particularly worthy of protection – there was no procedure in place to filter the documentation in such a way as to protect this confidentiality. Finally, whilst the domestic courts were under an obligation to assess the request of the applicants to have the information returned or deleted, there were no domestic provisions in place to enforce this obligation. The judgment raises, however, a significant practical problem for law enforcement agencies who wish to access datasets in which confidential material might be contained: how can searches and seizures filter documentation and information in such a way that no confidential information is improperly seized when they are not, ex ante, certain of the content of each file?

– EDPS Launches European Parliament Election Probe –

The EDPS is carrying out ‘an investigation into the European Parliament’s use of a US-based political campaigning company to process personal data as part of its activities relating to the 2019 EU parliamentary election’. Specifically, the EDPS is looking into the European Parliament’s use of the US company NationBuilder to process personal data collected via the website thistimeimvoting.eu – which collected personal data from over 329,000 people. The EDPS suggests that existing controversies surrounding the company, as well as previous inadequacies in the European Parliament’s approach to the processing of personal data in election campaigns, support the need for the investigation. On the one hand, the investigation is welcome given the significance personal data has obtained in relation to elections across the EU. On the other hand, however, the investigation highlights the perplexing approach taken by the European Parliament to personal data in elections. The Parliament recognises the importance of the fair and legitimate use of data in elections – the EDPS highlight the adoption of a Parliamentary Resolution on the need to protect European elections from data misuse. Yet still the Parliament chooses to rely on a controversial non-EU company to process citizens’ electoral data.

 

– E-Privacy: Commission to Propose new Draft –

The Internal Market Commissioner, Thierry Breton, has announced the Commission will present a revised e-Privacy proposal as part of the forthcoming Croatian Presidency. The announcement comes shortly after EU Member States rejected the Finnish Presidency’s proposition for a common Council position on the Commission’s current e-Privacy Regulation. This rejection made the next steps, and eventual likelihood of success, for the current e-Privacy proposal highly uncertain. The announcement is welcome for several reasons. Two seem particularly relevant. First, given the stalled progress of the current e-Privacy proposal, a new proposal may be the best way to reignite the e-Privacy legislative process. Second, the announcement signals that the Commission understand that the current state of affairs under the e-Privacy Directive is not ideal and, accordingly, are not willing to let necessary e-Privacy reform fall by the wayside. Whilst welcome, the announcement still leaves several questions open. Three seem particularly significant. First: which procedure will the Commission rely on to introduce a new proposal at this stage? Second: how will the new proposal substantially differ from the current proposal? Finally: how – if at all – will any substantial changes address the current impasse in front of the Council and succeed in bringing about political agreement among Member States?

– RTBF before the Bundesverfassungsgericht: A Tale of Two Constitutions –

In a recent judgment, the German Constitutional Court (BVerfG) dealt with a constitutional complaint relating to the Right to be Forgotten (RTBF). The case concerned the request by the applicant, a convicted murderer who had been released from prison after 30 years, to have his name deleted from news articles from the 1980s which had reported on his case. These articles had been lawfully published by Spiegel, which now offers free online access to its archives. In the case, the Court ruled in favour of the applicant. Amongst the many interesting aspects of the case, the fundamental rights standard used for the review of the complaint stands out. The BVerfG ruled that because, in casu, one of the applicable EU laws – namely law concerning media privilege – provided Member States with leeway in implementing provisions, the German Basic law (Grundgesetz or “GG”) should be applied as a standard for constitutional review. The BVerfG reached this conclusion based on the argument that the applicable GG provisions (on freedom of expression and personality rights) offered equally high, or even higher, protection than the CFREU. If that had not been the case, then the CFREU standards would have to have been incorporated in the domestic review of the case. The ruling holds the line set in the original constitutional dialogue between the BVerfG and the CJEU in the so-called Solange cases – which pre-date the CFREU.

 

Über

DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.

Hinterlasse eine Antwort