Data Protection Insider, Issue 60

–  The Right of Access to the EPSO Exam Weighting Coefficients: JR v the European Commission – 

On 1st December, the CJEU ruled on the question of the right of an EPSO applicant to have access not only to the exam grade given to them, but also to the weighting coefficients which formed the final grade. As to the facts of the case, the applicant passed an EPSO written and oral exam, and was informed of the final grades of the two exams. In addition to the information provided in the notification of the grade, the applicant requested access also to the weighting coefficients of the different components of the oral exam, i.e. what factor each one played in forming the final grade. The Commission adopted a formal decision, refusing access to this information. The applicant decided to challenge this Decision in Court, evoking their right of access to their personal data in Article 17 Regulation 2018/1725. The Court noted that the applicant is implicitly raising a claim also under Regulation 1049/2001 on public access to documents of the EU administration, including of the Commission. The Court ruled that Regulation 2018/1725 is not applicable in casu, because the weighting coefficients do not constitute personal data. However, it ruled that access to the weighting coefficients should have been disclosed on the basis of Regulation 2001/1049, e.g. by redacting other information in the document containing these coefficients, which could be covered by obligations of secrecy. We note that the ruling is likely to contribute to the ongoing academic debate about the scope of the right of access to one’s personal data.


– ECtHR Rules on Publication of Personal Data and Freedom of Expression 

On 30th November, the ECtHR, in a Chamber judgment, ruled in the case of Țiriac v. Romania. In essence, the case concerned an article written about several businessmen, including the applicant. The article included information about personal wealth, as well as information about debts owed to the state. The applicant disputed certain of the information in the article as well as the way it had been presented. The applicant thus brought ‘general tort law proceedings against S.M [the journalist who wrote the article] and the company owning the newspaper’. After several rounds of appeal, the applicant was unsuccessful in these proceedings. Accordingly, the applicant lodged an application with the ECtHR: ‘The applicant complained about a breach of his right to honour and reputation, alleging that the domestic courts had failed to protect his rights, had assessed the circumstances of the case incorrectly and had denied him the possibility of obtaining compensation for the non-pecuniary damage suffered by him. He relied on Article 8 of the Convention.’ The Court found no violation. The Court reiterated its general principles concerning the balance between Article 8 and Article 10 of the Convention, including reiterating certain criteria relevant to the case to be considered in attempting to secure a balance: ‘the contribution to a debate of public interest, the degree of notoriety of the person affected, the subject of the news report, the prior conduct of the person concerned, and the content, form and consequences of the publication’. Working through these general principles, the Court found: ‘the national courts conducted a thorough balancing exercise between the competing rights at stake in conformity with the criteria laid down in the Court’s case-law. Having regard to the margin of appreciation available to the national authorities when weighing up divergent interests, the Court sees no strong reasons to substitute its view for that of the domestic courts…It could not be said therefore that by dismissing the applicant’s claim, the courts have failed to comply with the positive obligations incumbent on the national authorities of protecting the applicant’s right to private life under Article 8 of the Convention’.


The ECtHR on the Balance between Freedom of Speech and the Right to Erasure: Biancardi v Italy

On 25th November, the ECtHR rendered a very important judgment on the balance between two human rights, namely the right to freedom of expression (Article 10 ECHR) and the right to private life (Article 8 ECHR). As to the facts of the case, the applicant was a chief editor of an online newspaper in Italy. They published an article about the fight between the owners of a restaurant, the temporary closure of the restaurant and the subsequent criminal proceedings against the owners in the newspaper. The restaurant owners requested the editor to de-index the said article from the internet, which the editor did not do for a long period of time. The owners took the matter to court and the domestic courts imposed a fine on the editor for not having de-indexed the contested article. The editor claimed that the domestic rulings and the fine of 5, 000 Euros violated their right to freedom of expression. The Court ruled that this was not the case. In its reasoning, it first noted that the case was different from previous cases on the balance between the freedom of expression and the right to private life, in that what was at issue was not the content of the article, its publication and dissemination, or its archiving. The problem was making the article easily accessible by not de-indexing it. As the Court found, it was technically possible by the chief editor to perform this de-indexing by ‘“noindexing”’  which is ‘a technique used by website owners to tell a search engine provider not to let the content of an article appear in the search engine’s search results.’ Then, the Court noted that the domestic court’s rulings indeed constitute an interference with the applicant’s right to freedom of expression, which was prescribed by law and pursued a legitimate objective. On the question of the proportionality of the interference, the Court examined it under the following criteria: ‘(i) the length of time for which the article was kept online – particularly in the light of the purposes for which V.X.’s data was originally processed; (ii) the sensitiveness of the data at issue and (iii) the gravity of the sanction imposed on the applicant.’ The Court concluded that bearing in mind the sensitivity of the article’s content and the fact that it was not updated after the criminal proceedings against the owners of the restaurant were concluded, the financial fine was not excessive, especially bearing in mind the fact that the applicant was not ordered to ‘permanently remove the article from the Internet.’


Opinion of Advocate General in Facebook Ireland

On 2nd December, Advocate General Richard De La Tour provided an Opinion in the case of Facebook Ireland Limited v Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V.. Essentially, the case concerns the standing of a German consumer protection organisation, under Article 80(2) of the GDPR, to file an injunction against Facebook. Specifically, the Question referred was: ‘Do the rules in Chapter VIII, in particular in Article 80(1) and (2) and Article 84(1), of Regulation (EU) 2016/679 preclude national rules which – alongside the powers of intervention of the supervisory authorities responsible for monitoring and enforcing the Regulation and the options for legal redress for data subjects – empower, on the one hand, competitors and, on the other, associations, entities and chambers entitled under national law, to bring proceedings for breaches of Regulation (EU) 2016/679, independently of the infringement of specific rights of individual data subjects and without being mandated to do so by a data subject, against the infringer before the civil courts on the basis of the prohibition of unfair commercial practices or breach of a consumer protection law or the prohibition of the use of invalid general terms and conditions?’. On the basis of argumentation building on the Fashion ID case, ‘[t]he particular characteristics of Regulation 2016/679’, and ‘[t]he literal, systematic and teleological interpretation of Article 80(2) of Regulation 2016/679’, the Advocate General concluded: ‘Article 80(2) of [the]…General Data Protection Regulation, must be interpreted as meaning that it does not preclude national legislation which allows consumer protection associations to bring legal proceedings against the person alleged to be responsible for an infringement of the protection of personal data, on the basis of the prohibition of unfair commercial practices, the infringement of a law relating to consumer protection or the prohibition of the use of invalid general terms and conditions, provided that the objective of the representative action in question is to ensure observance of the rights which the persons affected by the contested processing derive directly from that regulation.’ It will be interesting to see whether the Advocate General’s opinion is shared by the Court.


EDPB Addresses the UN and ENISA

On 18th November, the EDPB adopted the following two letters:

  • A letter addressed to the United Nations (UN), which concerns transfers of personal data to international organisations. The EDPB are pleased that the UN is participating in the EDPS taskforce on personal data transfers to international organisations. However, the EDPB underline that this participation does not prejudice the compliance of data transfers with the requirements of the GDPR.
  • A letter addressed to ENISA, which concerns the European Cybersecurity Certification Scheme for Cloud Services (EUCS) and more precisely the compliance with cybersecurity requirements when working with cloud infrastructures. The EDPB remind that compliance with Schrems II is essential. More precisely, they believe that ‘at least an assurance level of the EUCS should include appropriate specific criteria to  ensure  protection  against  threats represented  by  access  from  authorities  not subject to EU legislation and not offering a level of protection of personal data that is essentially equivalent to that guaranteed by the GDPR and recalled by the CJEU.’

The letters are available for consultation on the EDPB website.


Political Agreement on the Data Governance Act

On 30th November, the Commission announced ‘the political agreement reached…between the European Parliament and EU Member States on a European Data Governance Act.’ With this agreement ‘Trilogue negotiations have now concluded, paving the way for final approval of the legal text by the European Parliament and the Council.’ On the Act, the Commission highlight: ‘The Data Governance Act proposed in November 2020 will create the basis for a new European way of data governance in accordance with EU rules, such as personal data protection (GDPR), consumer protection and competition rules. Thanks to this Regulation, more data will be available and exchanged in the EU, across sectors and Member States. It will boost data sharing and the development of common European data spaces, such as manufacturing, cultural heritage and health, as announced in the European strategy for data.’ The Act is now subject to final approval by the European Parliament and the Council.


DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.

Hinterlasse eine Antwort