On February 26th, the CJEU decided the following two related cases: DG v European Union Agency for Law Enforcement Cooperation (Europol), and European Union Agency for Criminal Justice Cooperation (Eurojust) and BW v. European Union Agency for Law Enforcement Cooperation (Europol), and European Union Agency for Judicial Cooperation in Criminal Matters (Eurojust). In terms of the facts, both cases essentially concern the investigation of criminal activity, via the collection of data connected with the use of the Sky EEC encrypted communications service, and the use of this data in joint task forces involving EU Member States, Europol, and Eurojust. In relation to this activity, defendants complained to the Court about Europol and Eurojust and the disproportionate and illegitimate collection and use of their personal data in relation to investigations – amongst other things, for example infringement of coordination obligations relating to double prosecution for the same offence – seeking (in BW) the annulment of certain legal bases on which data were collected and processed and (in both cases) compensation. Both cases were rejected by the Court. In doing so, the Court highlighted the limitations on actions against European organs for activities of Member States, and limitations on the types of claims for which European organs can be held liable – for example, limitations relating to hypotheticals. The Court also highlighted flaws in argumentation brought in relation to annulment of the legal basis for the collection and processing of data – for example relating to the lack of explanation as to how relevant activities constituted violations of relevant provisions – and in relation to compensation claims – for example highlighting the limited liability of European organs for procedural choices which fall within the sole competence of Member States. Unfortunately, the judgments are currently available only in French – a language the editors do not speak. Accordingly, electronic translations have been relied upon to understand the cases. In this regard, the editors can neither guarantee the accuracy of the translations, nor the accuracy of this summary. Given the complexity of the subject matter – both factual and legal – this summary has thus been written at a high level of generality, with the intention only of drawing attention to the existence of the cases and providing a rough indication of their content. All interested readers are advised to consult the original materials themselves for more detailed information.

On 5th March, AG Spielmann advised the Court to rule that the Bulgarian Criminal Procedure Code, which provides for the collection of a lot of categories of personal data for identification purposes, contradicts the LED in Pilev. As to the facts of the case, the defendant in the main proceedings is a natural person, who was caught driving a taxi in Bulgaria without a driver’s licence or a taxi licence, and who attempted to bribe the police when caught without these licences. The Public Prosecutor in Sofia submitted an indictment with the Sofia City Court (acting as a criminal court), as he claimed that the above events constitute criminal offences. The presiding judge verified the identity of the defendant by consulting his identity card. He noted that the Bulgarian Code of Criminal Procedure provides also for the collection of further identity data for identification purposes, such as ethnicity, nationality, place of birth and of residence, education level, marital status, and previous convictions. The referring court noted that these additional data could be useful for identification, but are not necessary for that purpose, while they could serve further purposes, e.g. determining the sentence. Thus, in essence, the court was uncertain whether the applicable provisions in Bulgarian law are compatible with the Law Enforcement Directive (LED), especially Articles 4(1)(c) (data minimisation), Article 8(1) (legal basis) and Article 10 (legal basis for processing special categories of data) and turned to the CJEU for guidance. In his Opinion, AG Spielmann decided to first examine the question of whether the LED (and not the GDPR) is applicable to the data processing operations in question, although, as he noted, this was taken for granted by the referring court. To answer this question, AG Spielmann first confirmed that indeed the question is a matter of the ‘processing of personal data’. Then, he examined whether the above processing by the referring court is carried out by a ‘competent authority’ (Article 3(7) LED) and whether it serves one of the ‘purposes’ enumerated in Article 1(1) LED. He opined that ‘national courts must be regarded as ‘competent public authorities’ for the purposes of that directive and as being subject to the provisions thereof when they process personal data in judicial decisions or documents relating to criminal proceedings’. He continued examining the question by focusing on ‘whether processing carried out by a court in the context of criminal court proceedings may be considered to fall within the scope ratione materiae of Directive 2016/680’, which he answered in the positive after a meticulous analysis of the question on the purposes of the processing. Amongst other things, AG Spielmann observed that ‘the activities of ‘prosecution’ could include not only the investigation conducted by the police and the decision as to whether or not to prosecute taken by the public prosecutor, but also the preparation of the case, the referral to a court and, where appropriate, criminal court proceedings such as those at issue in the dispute in the main proceedings’ and that if such processing would not fall within the scope of the LED, but instead the GDPR, that would lead to undesired consequences of the same processing falling under different legal instruments, the latter of which is not sensitive to the criminal law context. With regards to the substance of the referred question, AG Spielmann suggested that where the national law requires the systematic collection of all the categories of data as in the present case for identification purposes, the national law is not compatible with the LED where the data are not necessary for the verification of the defendant’s identity and left it to the national court to verify this.

-EDPB and EDPS Sign ‘Joint Statement on AI-Generated Imagery and the Protection of Privacy’-

On 23rd February, the EDPB and the EDPS signed the ‘Joint Statement on AI-Generated Imagery and the Protection of Privacy’. As the EDPB explains, the statement was ‘coordinated by the Global Privacy Assembly’s (GPA) International Enforcement Cooperation Working Group (IEWG) (and) represents the united position of 61 authorities across the world’. According to the EDPB, ‘AI image and video generation integrated into widely accessible social media platforms…have enabled the creation of non-consensual intimate imagery, defamatory depictions, and other harmful content featuring real individuals. The co-signatories are especially concerned about potential harms to children and other vulnerable groups, such as cyber-bullying and/or exploitation’.