Data Protection Insider, Issue 25

– ECtHR Decides on Disclosure of Sensitive Medical Data –

On 26th May, the ECtHR issued its ruling in the P.T. v the Republic of Moldova case, concerning the disclosure of sensitive medical data. In terms of the facts of the case: the applicant is a HIV-positive citizen. He needed a certificate issued by the Military Centre that he was unable to perform his military service for medical reasons. The certificate mentioned, in coded form, that the reason was that he was HIV-positive. However, the codes were publicly available in the Official Gazette and thus easy to decode. The applicant needed to present this certificate in front of various administrative authorities, including when applying for a new identity card – obligatory in Moldova. The applicant complained that the disclosure of his HIV-positive status in an official document such as the military certificate constituted an infringement of his rights under Article 8 ECHR. In its ruling, the ECtHR recalled that the contested information is sensitive data and its disclosure thus automatically constitutes an interference with Article 8 ECHR. It noted that while the interference had basis in national law, it did not pursue a legitimate aim. This was enough for the ECtHR to find a violation of Article 8 ECHR. However, the ECtHR went on to point out the lack of necessity and proportionality of the said disclosure of the data, especially given the inadequacy of confidentiality measures and because such disclosure could scarcely be relevant in any context. It is unusual for the Court to add such additional information. That the Court did so could be a signal that any comparable legal provisions would be unlikely to pass the test of Article 8 ECHR.


– ECtHR Decides on Privacy and the Public Interest in Radio Broadcasts –

On 26th of May, the ECtHR ruled on the case of Marina v. Romania. In terms of the facts of the case: a Romanian radio programme read out the contents of a letter containing private information on the plaintiff, a superintendent in the police force, and his wife. The plaintiff then brought an action in tort for damages against the station’s actions, suggesting these constituted damages to his private life and had tarnished his reputation. The domestic Court agreed, granting compensation of 4,500 EUR. On appeal, however, a higher domestic Court overturned the decision on the grounds that: i) Mr. Marina had not suffered any concrete loss as a result of the radio station’s actions; ii) given the plaintiff’s position as a superintendent, he should be more tolerant of discussions concerning him in the public interest; and iii) the plaintiff had not made use of his right to reply. On the back of the latest judgment, the plaintiff brought the case before the ECtHR claiming a violation of his Article 8 right to respect for private and family life – alongside a claim of violation of his Article 6 right to a fair trial. The ECtHR found a violation of Article 8 on the grounds that the higher domestic Court had failed to conduct an adequate balance between the plaintiff’s right to privacy and the public interest in knowing the information. In particular, the ECtHR observed: i) the text which had been made public contained information which ‘could not be considered to have contributed to a “debate of general interest” for the community’; ii) it was unclear why the plaintiff’s position of superintendent should have been regarded as a figure of public interest with a consequently reduced expectation of privacy; iii) there was no evidence the plaintiff had shown ‘any tolerance or complacency with regard to the publication of aspects concerning his private life’; iv) ‘the [higher domestic] court [failed to conduct] a nuanced examination of the content of the statements in order to determine the extent to which the information about Mr Marina’s private life and the language used had actually contributed to a public interest debate’; and iv) the content of the information made public was not accurate. This is the latest in a long line of ECtHR case law dealing with the need for domestic Courts to carefully consider the balance between privacy and the public interest in the publication of private information. The decision in the case largely follows existing principles.


 – EDPB Holds 30th Plenary Session –

On 2nd June, the EDPB held its 30th Plenary Session. It adopted two documents:

  • A statement on data subject rights in relation to the state of emergency across the EU Member States .
  • A letter in response to several civil society organisations concerning Hungary’s emergency data protection law.

In both documents, the EDPB recalled that the GDPR remains applicable in emergency situations and that it is flexible enough to allow a balance between data protection rights and an efficient response to the emergency. The EDPB emphasized the main provisions of Article 23 GDPR, which regulates restrictions which might be passed under national law – for example on data subjects’ rights and core data protection principles. In this regard, the Board explicitly pointed out that “(t)he mere existence of a pandemic or any other emergency situation alone is not a sufficient reason to provide for any kind of restriction on the rights of data subjects; rather, any restriction must clearly contribute to the safeguard of an important objective of general public interest of the EU or of a Member State.” Thus, the EDPB clearly made a distinction between the legitimate restriction to data subject rights pursuant to Article 23 GDPR and a “blanket suspension” (emphasis added) of these rights when the restrictions are not limited “in scope and time”. The latter would clearly infringe the essence of fundamental rights, contrary to Article 23 GDPR. The EDPB has also announced that, in the coming months, it will release guidelines on the implementation of Article 23 GDPR. The adopted documents will be made available after the usual editorial and legal checks have taken place.


 – New DPIA Methodology –

A group of German institutions have produced a new DPIA Methodology. In terms of concept, the Methodology is based around the German Standard Data Protection Model (SDM). The SDM is a unique method for the operationalisation of data protection which has been endorsed by the German Datenschutzkonferenz – a body consisting of all German federal and state data protection authorities. In terms of scope, the Methodology has been designed to be used by all types of data controller – whether commercial or bureaucratic, whether large or small. The Methodology is the outcome of a two-year project in which the Methodology was tested, and refined, on real processing operations in real organisations. The Methodology is distinct from the main existing methodologies – those of the ICO and the CNIL – in two key ways. First, the methodology takes, as its normative reference point, all data protection obligations outlined in the GDPR as well as the rights and freedoms of data subjects. Second, the Methodology has been designed to be easy for organisations to use in practice. In this regard, the Methodology breaks the DPIA obligation into a series of phases. Then, for each phase, provides a step-by-step break down of the organisation of the process for the conduct of the phase as well as for the outcomes of the phase. Initial reactions from German data protection practitioners and supervisory authorities have been positive. The hope is that the Methodology can now play a role in the discussion in other countries and at European level and can help to bring further clarity to the DPIA obligation.


– CJEU to Decide on Standing of Representative Organisations –

On 28th May, the German Bundesgerichtshof decided to refer a case on data protection to the CJEU. In terms of the facts of the case: the Federation of German Consumer Organisations (vzbz) has accused Facebook of allowing certain online games – offered on one of its platforms – to illegitimately collect data on users. That Facebook did so, and that this constitutes a data protection violation seems relatively clear. In terms of the question referred: the Bundesgerichtshof nevertheless decided to stay proceedings pending an answer as to the degree to which such representative organisations have standing to bring cases of data protection infringements under the GDPR. Specifically, there remains debate, under Article 80 of the GDPR, as to whether the law permits organisations such as the vzbz to bring cases directly, or whether they may only bring cases on behalf of data subjects. This will be the first CJEU decision on the ability of representative organisations to bring cases under the GDPR. Whilst there is a general belief in the data protection community that the CJEU will deliver ‘data protection friendly’ decisions, we should be mindful that this does not always play out in fact.


– Gaia-X and European “Digital Sovereignty” –

Last October, the German government announced its plans for Gaia-X, a European cloud project. Currently, the idea is being developed as a German-French initiative, which is expected to grow into a pan-European project. Gaia-X has now been officially established as non-profit in Belgium. The project is not supposed to be a cloud service as such, but rather a “platform joining up cloud-hosting services from dozens of companies, allowing business to move their data freely with all information protected under Europe’s tough data processing rules.” The project is in line with EU policymakers’ will to boost European “digital sovereignty” and decrease digital reliance on the USA and China. As the Commission has reportedly said, the project should play a role in the European data strategy issued in February 2020. The release of the prototype is expected at the end of the year. However, the initiative has already been subject to criticism within Europe – for example because of the influence of tech giants such as Amazon Web Services on the project. There have also been warnings that “digital sovereignty” might not be achieved because the opportunity Gaia-X gives tech giants to offer their services might simply serve to boost their power and profit. Whereas it remains to be seen how the initiative will develop and what it will practically achieve, the political will within Europe to create GDPR-compliant alternatives to tech giants is to be welcomed.


DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.

Hinterlasse eine Antwort