Data Protection Insider, Issue 44

M.C. v. the United Kingdom: ECtHR on the Disclosure of Criminal Convictions

On 30th March 2021, the ECtHR delivered their ruling in the case of M.C. v. the United Kingdom. The case concerned a woman who, in 2007, was ‘convicted of failing to stop after a road traffic accident’. In 2013, the woman applied for a job in China and was required to provide an ‘enhanced criminal record certificate (“ECRC”)’. Under the laws in force at that time, her 2007 conviction was included in the certificate. Following a change in law, ‘the applicant’s conviction [was made] subject to mandatory disclosure in an ECRC until 31 August 2018.’ The woman then lodged a complaint before the ECtHR under Article 8 – among other Articles – ‘about the past disclosure of her conviction and the fact that it remained subject to mandatory disclosure until 31 August 2018.’ The Court considered the Article 8 compliant predominantly in light of the ‘necessity’ criterion and in particular in light of whether a strict disclosure regime would be legitimate under the ECHR. In this regard, the Court recognised, in principle, ‘that a State can, consistently with the Convention, adopt general measures which apply to pre‑defined situations regardless of the individual facts of each case even if this might result in individual hard cases…[and that] such general measures may be in the form of a single, absolute prohibition…or may, as in the present case, be in the form of a criterion which, if met, carries particular consequences.’ The Court further highlighted that: ‘The central issue in both kinds of cases is not whether less restrictive rules should have been adopted but whether, in adopting the general measure in question and striking the balance it did, the State acted within the margin of appreciation afforded to it.’ With regard to the current case, the Court concluded that the UK had not overstepped its margin of appreciation and found no violation. In reaching the decision, the Court highlighted, amongst other things: the need for advance clarity in conviction disclosures in employment relationships; the dangers of arbitrariness which would arise with a more discretionary system; the resourcing implications of a more discretionary system; the reasonableness of the UK’s assessment of the forms of convictions to be disclosed under the legislation in question; and the existence of differentiation in relevant categories of offenders and offences in the legislation in question.


Matalas v Greece: Balancing Privacy and the Right to Freedom of Expression

On 25th March the ECtHR ruled in Matalas v Greece case concerning the balance between the right to privacy and the right to freedom of expression. As to the facts of the case, the applicant was the manager of a public company. In this capacity he wrote to the legal advisor of the company, suggesting the latter had engaged in unethical and unprofessional behaviour, including not informing him in a timely fashion about the pending court cases against the company. The legal advisor complained about the statements in court, claiming that they had tarnished her reputation and personality rights. As a result of the domestic proceedings the applicant was given a five month suspended prison sentence. He filed a complaint under Article 10 ECHR with the ECtHR. The ECtHR examined whether the domestic courts had struck a fair balance between the right to privacy of the lawyer (Article 8 ECHR) and the applicant’s right to freedom of expression (Article 10 ECHR). The Court noted that the interference with Article 10 ECHR had a legal basis and pursued a legitimate aim, namely to protect the reputation of the legal advisor. However, the Court ruled that the interference with Article 10 ECHR was not ‘necessary in a democratic society’ and that the reasons relied on by the domestic courts for the criminal conviction were not ‘relevant and sufficient’, finding a violation of Article 10 ECHR. Relying on its established case law on examining interferences with Article 10 ECHR, the ECtHR took into consideration the following factors: i) the domestic courts had failed to make a distinction between facts and opinions and that the contested statements represented partially a subjective value judgement, which cannot be per se factually proven, but can be at most be supported by facts, which were presented by the applicant but ignored by the domestic courts; ii) the fact that there was an ongoing dispute between the applicant and the plaintiff, which was not considered by the courts; iii) the limited impact on the reputation of the plaintiff, since the letter was addressed to her personally and not to a broader circle of people, and that the language used was not insulting; and iv) the lack of justification for imposing a criminal sentence, even if suspended, as this measure could be legitimate only in exceptional cases, which are hard to justify in the case of a private dispute. We note that the Court’s reasoning concerning i) is interesting as, currently, there are ongoing debates about the application of the data protection principle of accuracy to opinions, i.e. whether and how it should be interpreted in relation to subjective statements. Hence the observations of the Court could have a guiding impact in establishing accuracy standards.


– EDPB Holds 47th Plenary Session

On 30th March the EDPB held its 47th Plenary Session. From the published agenda it becomes clear that the focus of the discussion was the joint EDPB/EDPS Opinion regarding the proposals for Regulations on the ‘Green Digital Certificate.’ These proposals concern the COVID – 19 interoperable certificates on vaccination, testing, and recovery, which seek to facilitate the free movement to and within the EEA during the pandemic. The Opinion has already been published and contains 14 main data protection-oriented comments and recommendations: i) the effectiveness, necessity and proportionality of the proposed certificates need to be justified; ii) due to the lack of conclusive scientific evidence concerning the immunity of those who are vaccinated or have recovered, the certificates should not become an entry or exit requirement and those who do not have it should not be discriminated against; iii) no Impact Assessment on the impact of the certificates and an assessment of existing less intrusive measures was presented; iv) there are risks of falsifying the certificates in order to be able to travel more freely; v) there is a risk that Member States might decide to re-use the certificates and the data on the certificates for domestic purposes, not foreseen in the regulations, in which case these still need to comply with the CFREU; vi) the purposes of the certificates and the data processed in their framework need to be narrowly defined as required by the quality-of-the-law requirement and as required for monitoring the legality of the re-use of the certificates and the data by Member States; vi) the certificates will contain sensitive data, e.g. that someone has recovered from COVID-19, and inferred sensitive data – e.g. that someone might suffer from a special condition which gave them priority in obtaining the vaccine if they are younger; vii) there must be a sunset clause in operating the certificates scheme and in relation to the storage of any data for the purposes of the certificates; viii) the Regulations should not lead to the establishment of central databases; ix) the certificates should be issued in both digital and paper formats in order to ensure all relevant people have access to them; x) the data categories to be entered on the certificate should be restricted and no further categories should be added in order to avoid further data protection risks; xi) data security, including through technical and organisational measures should be ensured; xii) those issuing the certificates should be designated as controllers and the controllers and processors should be made public so that individuals may exercise their data protection rights – in this respect the Commission’s role in ensuring interoperability should be clarified; xiii) the Opinion welcomes the fact that the Regulations envisage that a new certificate should be issued if data on an existing certificate are inaccurate or outdated, thus clarifying how the right to rectification applies; and (xiv) where data are transferred to third countries to confirm the status of an individual (vaccinated/recovered), these transfers should be subject to the applicable safeguards for international transfers.



– EDPS Issues Formal Comments on the Proposed EU Health Package

The EDPS has published formal comments on on a ‘package of three legislative proposals for a European Health Union.’ The comments are spread across three documents, each dealing with one of the legislative proposals: i) ‘EDPS Formal comments on the Commission proposal for a Regulation of the Parliament and of the Council on a reinforced role for the European Medicines Agency in crisis preparedness and management for medicinal products and medical devices’ – in which the EDPS recommends, amongst other things, ‘that specific provisions on the application of data protection law are included in the proposal’; ii) ‘EDPS Formal comments on the Proposal for a Regulation of the European Parliament and of the Council on establishing a European Centre for Disease Prevention and Control amending Regulation (EC) No 851/2004’ – in which the EDPS recommends, amongst other things, that ‘the categories of individuals who will have their personal data processed should be clearly demarcated alongside a description of the specific measures to protect the rights and freedoms of the individuals involved, in line with data protection legislation’; and iii) ‘EDPS Formal comments on the Proposal for a Regulation of the European Parliament and of the Council on serious cross-border threats to health and repealing Decision No 1082/2013/EU’ – in which the EDPS, amongst other things, recommends ‘providing for further implementing or delegated acts that would lay down the roles of the actors involved in the processing of personal data via the use of IT tools and systems envisaged in the proposal’.


Report of the Special Rapporteur on the Right to Privacy

The UN Special Rapporteur on the Right to Privacy – Joseph A. Cannataci – has delivered his latest report to the UN Human Rights Council. In the report, the Special Rapporteur considers two issues in particular: i) privacy and artificial intelligence – including the elaboration of a set of eight main ‘privacy principles for the use of artificial intelligence solutions’ as well as a discussion of the ‘[a]ssessment of criticality of artificial intelligence solutions’; and ii) children’s privacy – including an extensive discussion of the issues arising around the effective protection of children’s privacy as well as a set of recommendations concerning the protection of children’s privacy. The report is well worth reading for anyone interested in privacy and data protection. The report deals with topics which are of vital importance to the development of privacy and data protection whilst the substance of the report offers both valuable insight as well as useful propositions as to how to address issues. It will be interesting to see how the ideas in the report now diffuse amongst the privacy and human rights community – both within and outside the UN. 



– EU and the Republic of Korea Conclude Adequacy Talks

On 30th March the European Commission and the Personal Information Protection Commission of the Republic of Korea concluded the ongoing adequacy talks in relation to data protection. This will allow the adoption of an Adequacy Decision by the European Commission, which will make the transfer of personal data to the Republic of Korea easier. The scope of the adequacy finding covers both the commercial and public sectors and complements the EU-Republic of Korea Free Trade Agreement. It appears that the scope does not cover the law enforcement sector. The conclusion of the talks was positively influenced by the passing of the new Personal Information Protection Act and the enhanced powers of the Korean Personal Information Protection Commission. In addition, during the talks, the EU Commission obtained additional safeguards – including as concerns the access by law enforcement authorities to personal data – in the form of enhanced redress possibilities. The Commission will now trigger the procedure for the adoption of the Adequacy Decision. This includes obtaining the opinion of the EDPB on the draft Decision and of the Member State representatives in the comitology procedure. We note that the additional safeguards seem to be triggered by the CJEU case law in Schrems I and Schrems II. It remains to be seen how strong and effective they will be.


DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.

Hinterlasse eine Antwort