|
|
The recent news on EU data protection
For more in-depth analysis go to lexxion.eu/dpi
|
|
|
- AG Opinion: Clarification on the Right to Obtain a Copy of One’s Data -
On 20th April, AG Emiliou provided an interpretation on the right of access to one’s data, in particular on the right to receive a complete and free copy of one’s data under Article 15 (3) GDPR in the case of FT v DW. As to the facts of the case, a patient who received dental care requested copies of all the documents related to the treatment they had received by a certain dentist in order to pursue their claim for maltreatment. The dentist agreed to provide the requested copies for a certain monetary fee. The patient claimed that their first copy should be free of charge, relying on Articles 12 and 15 (3) GDPR. Eventually, the dispute reached the domestic courts, which requested the CJEU to provide an interpretation of these two GDPR provisions. The three concrete questions read as follows: (1) does the motif for requesting copies under the GDPR play a role as to whether the right of access under the GDPR is applicable?; (2) may the right to a (free) copy be restricted under Article 23 GDPR?; and (3) does an individual have a right to an exact copy of all the documents? In his Opinion, AG Emiliou proposed that the CJEU should answer as follows: (1) the GDPR does not require that the only motif for requesting a copy to one’s data should be to control the legality of the data processing. Thus, the motif does not play a role for the exercise of the right of access to one’s data. As to question (2), AG Emiliou answered that charges may be imposed even on the first free copy as a way of a restriction under Article 23 GDPR, in casu on the grounds related to the protection of public health under Article 23 (1) (e) and (i) GDPR, as long as the restriction is necessary and proportionate. He provided his interpretation of what might be a necessary and proportionate charge and how his interpretation should be applied in the present case, but suggested that the national courts should eventually decide. As to (3), the AG endorsed the interpretation of AG Pitruzzella in case F.F. (on which we have previously reported). In short, an exact copy is not always a must, but sometimes it might be the only medium for providing complete and understandable information about the processing of one’s data.
|
|
|
- AG Opinion: Clarifications on Certain LED Provisions to Access to Cell Phone Data by the Police -
On 20th April, AG Campos Sanchez-Bordona delivered an opinion on the data protection aspects of police access to data stored on one’s mobile phone in CG v Bezirkshauptmannschaft Landeck. As to the facts of the case, a German citizen was caught in Austria with 85 g cannabis by the Austrian police. The latter confiscated his mobile phone and requested the applicant to provide them the PIN number in order to unlock the phone and look through it in order to discover who provided the applicant with the cannabis. The applicant refused to cooperate. The policemen tried nevertheless unsuccessfully to unlock it. The applicant decided to sue the police and the referring court
requested an interpretation of the legality of the police attempts to unlock and search though the applicant’s phone data under Articles 5 and 15 of the e-Privacy Directive. In his Opinion, the AG first argued that the CJEU should reject the request for preliminary ruling as inadmissible, as the case does not raise a question under the e-Privacy Directive. This is because, in his opinion, the e-Privacy Directive is applicable only where access is sought by the law enforcement authorities to metadata stored by mobile phone operators, which is not the case in casu. AG Campos Sanchez-Bordona suggested that if the CJEU does not reject the request for a preliminary ruling, then the question should be reformulated and examined under the LED. Thus, he suggested that the question should be whether the access sought was legal under the LED, in particular whether access may be sought only in cases of serious crime, and whether individuals should be informed that the police made attempts to access the data on the phone. Having rephrased and reframed the request for reference, the AG suggested that the LED does not require that the data processing by the police may take place only in cases of serious crime, but in cases of any (suspected) crime. For that, the requirements for a legal basis for the processing under national (or European) law must be satisfied (Articles 4 (1) (a) and 8 (1) LED). He argued then that subject to the restrictions on the right of access to one’s data in Article 15 (1) LED and to be informed of the processing of one’s data under Article 13 (3) LED, individuals should be informed that the police made attempts to access the data on their phone in order to be able to exercise their right to effective remedies under the LED and under Article 47 (1) CFREU. Still, the AG suggested that ‘(a)ny conduct by the data controller in breach of its duties under Article 13 of Directive 2016/680 may have other consequences but does not, I would reiterate, in itself influence the lawfulness or otherwise of the processing of those data.’
|
|
|
|
|
Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.
|
|
|
|
|
Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.
|
|
|
Never miss a DPI again !
In our online library you can always have a second look on all Data Protection Insider Issues already been published.
|
|
|
We sincerely apologize if you find this email an intrusion of your privacy or a source of inconvenience to you.
If you would like to unsubscribe from the newsletter service, please send an E-Mail to [email protected]
|
|
|
|
