Data Protection Insider, Issue 59

–  Särgava v Estonia: Safeguards Necessary for Examining a Lawyer’s Laptop and Mobile Phone – 

On 16th November, the ECtHR rendered a judgment on the confidentiality of legal professional communications in the case of Särgava v Estonia. As to the facts of the case, the applicant is a lawyer and at the same time a shareholder in companies, which were suspected by the law enforcement authorities to be controlled by organised crime. The applicant was suspected of being a member of organised crime, taking care of the paperwork of the illegal activities of the companies. In the course of the investigations, the authorities seized a number of digital devices belonging to the applicant, including hard drives, his mobile phone and laptop. His challenge in front of domestic courts that the digital devices should not have been seized and the information on them accessed, was not successful. Therefore, he filed a complaint with the ECtHR, claiming that the seizure and examination of his laptop and mobile devices violated ‘legal professional privilege and the inviolability of data carriers that concern the provision of legal services’ as protected by Article 8 ECHR. The Court ruled that indeed the authorities interfered with the applicant’s right to ‘correspondence’. The Court noted that the interference was based on domestic law, which could be interpreted to contain an exemption from the inviolability of lawyers’ communications when a lawyer is suspected of committing a crime. However, the Court ruled that the law was not clear and foreseeable and this did not provide sufficient procedural safeguards against abuse, because it did not regulate ‘how privileged material is distinguished and separated from material where lawyer-client confidentiality cannot be relied on.’ In other words, domestic law allowed for an absolute exemption from ‘lawyer-client confidentiality’. Then, the Court set out in more detail the possible safeguards which need to be anchored in law in such situations, including ensuring that the communications protected by lawyer-client confidentiality are sifted from those related to the suspected criminal activity, and ensuring that access to the seized materials is recorded and unwarranted access is hindered. The lack of safeguards led the Court to conclude that there has been a violation of Article 8 ECHR, even though it was not evident that in casu the confidentiality of the applicant’s communications were actually compromised. We would like to draw the reader’s attention to the discussion between the Dissenting and Concurring Opinions as to whether and how a lawyer should demonstrate that they have sustained harm as a result of the access to their clients’ communications by the law enforcement authorities and whether and how lawyers should separate their files according to those which are protected by lawyer-client confidentiality and those which are not.


– EDPB Guidelines on the Relationship between Article 3 and Chapter V –

On 18th November, the EDPB adopted ‘Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR’. According to the EDPB, the Guidelines aim to clarify ‘[the] interplay between Article 3 [concerning territorial scope] and the provisions of the GDPR on international transfers in Chapter V in order to assist controllers and processors in the EU in identifying whether a processing constitutes a transfer to a third country or to an international organisation and, as a result, whether they have to comply with the provisions of Chapter V of the GDPR.’ In this regard, the EDPB cover the following ground: i) ‘Criteria to Qualify a Processing as a Transfer of Personal Data to a Third Country or to an International Organisation’; and ii) ‘Consequences [of this Qualification]’. Whilst the Guidelines are short, they contain much in terms of substance and should be read by anyone interested in international transfers under the GDPR. Of interest, for example, will likely be: i) the criteria elaborated by the EDPB for the identification of the existence of a ‘transfer of personal data to a third country or to an international organisation’; and ii) the differentiated functionality of Article 3 in relation to transfers outside the EU which do not constitute ‘transfer[s] of personal data to a third country or to an international organisation’ and to those which do constitute ‘transfer[s] of personal data to a third country or to an international organisation. Given the brevity of the Guidelines, further clarification and more extensive argumentation would be welcome in many places – for example concerning the EDPB’s statement, in their criteria, that a transfer may exist when a ‘controller or processor (“exporter”) discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor’. The Guidelines will be open for public consultation until end of January 2022.


– Advocate General Delivers Opinion on Data Retention and Market Abuse –

On 18th November, Advocate General Campos Sánchez-Bordona delivered their Opinion in Joined Cases VD (C‑339/20) and SR (C‑397/20). The cases essentially revolved around the legitimacy of legislation requiring telecommunications providers to engage in general data retention schemes to allow authorities responsible for market abuse to be able to effectively investigate and prosecute those involved. Relying heavily on the CJEU’s judgment in La Quadrature du Net, and the relevant distinctions made in that case between ‘national security’ and other forms of crime in relation to the legitimacy of data retention schemes, the Advocate General suggested the Court ‘should [consider the issues]…as follows: (1) Article 12(2)(a) and (d) of Directive 2003/6/EC of the European Parliament and of the Council of 28 January 2003 on insider dealing and market manipulation (market abuse), and Article 23(2)(g) and (h) of Regulation (EU) No 596/2014 of the European Parliament and of the Council of 16 April 2014 on market abuse (market abuse regulation) and repealing Directive 2003/6/EC of the European Parliament and of the Council and Commission Directives 2003/124/EC, 2003/125/EC and 2004/72/EC, must be interpreted as meaning that they preclude national legislation which imposes on electronic communications undertakings an obligation to retain traffic data on a general and indiscriminate basis in the context of an investigation into insider dealing or market manipulation and abuse…(2) A national court cannot limit in time the effects of the incompatibility with EU law of domestic legislation which imposes on providers of electronic communications services an obligation to retain traffic data on a general and indiscriminate basis which is incompatible with Article 15(1) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter of Fundamental Rights of the European Union, and which allows the administrative authority responsible for carrying out investigations into market abuse to secure the disclosure of connection data without prior review by a court or an independent administrative authority.’ The Opinion is closely related to Opinions delivered, by the same Advocate General, on the same day, in other cases: Cases C‑793/19, SpaceNet, C‑794/19, Telekom Deutschland, and C‑140/20, Commissioner of the Garda Síochána and Others.


– European Commission Send Belgium a Reasoned Opinion concerning Belgian DPA Independence –

On 12th November, the European Commission sent the Belgian Government a reasoned opinion as concerns the issue of the independence of the Belgian DPA. At the core of the problem lie the allegations that some members of the DPA are not free from external influence, because they report to some governmental entity, or because they are members of the Information Security Committee, or because they have participated in COVID – 19 contact tracing projects. The reasoned opinion is a consequence of the fact that the Belgian government’s response to the Commission’s formal notice of 9th June 2021 ‘did not address the issues raised in the letter of formal notice and the members concerned have remained in their posts.’ If Belgium does not rectify the situation within two months, the Commission may refer the case to the CJEU.


– EDPB Agenda for 57th Plenary –

On 18th November, the EDPB held its 57th Plenary. Several substantive issues were discussed. The agenda included the following points which may be of interest:

‘2. Consistency mechanism and Guidelines’

        ‘2.1. Guidelines on the interplay between Article 3 and Chapter V’

        ‘2.2. Internal Guidelines on the practical implementation of amicable settlements’

‘3. Current Focus of the EDPB Members’

    ‘3.1. Handling of access requests concerning cooperation procedures – request for  mandate’

        ‘3.2. 101 Taskforce’

‘4. FOR DISCUSSION AND/OR ADOPTION – Expert Subgroups and Secretariat’

        ‘4.1. Statement on Digital and Data Strategy’

     ‘4.2. Follow-up and next steps on the EDPB report to LIBE Committee – request for mandate’

        ‘4.3. Preparation of a letter on the EU AML/CFT proposal – request for mandate’

        ‘4.4. EDPB reply to the UN letter sent to the EDPB Chair on 15 July 2021’

        ‘4.5. Letter to ENISA regarding EUCS compatibility with Schrems II’

At the time of writing, only the agenda of the meeting was available. More information on the meeting may be made available on the EDPB website in the following days.



– COVID Testing Provider Investigated regarding the Sale of Data –

According to inews, the Covid testing provider Cignpost Diagnostics ‘is being investigated by the UK’s data privacy watchdog over plans to sell customer’s DNA for medical research’. The media outlet reports that, according to documents seen by the Sunday Times, the provider had plans to analyse collected data or to sell data to third parties. Allegedly, the informed consent signed by customers included ‘links to another document outlining the research programme’ – although the relevant parts of the consent form have now allegedly been removed. Cignpost assert that they acted in full compliance with the law, have ‘robust systems and processes [in place] to ensure we protect…customers…[and that] protecting…data is paramount for [the] organisation’ The ICO are now investigating. Whilst there is surely a long way to go before anything is confirmed, and before any actions is taken, the progress of the case will be interesting to follow.


DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.

Hinterlasse eine Antwort