Data Protection Insider, issue 60

EDPL Data Protection Insider 09.12.2021

- The Right of Access to the EPSO Exam Weighting Coefficients: JR v the European Commission -

On 1st December, the CJEU ruled on the question of the right of an EPSO applicant to have access not only to the exam grade given to them, but also to the weighting coefficients which formed the final grade. As to the facts of the case, the applicant passed an EPSO written and oral exam, and was informed of the final grades of the two exams. In addition to the information provided in the notification of the grade, the applicant also requested access to the weighting coefficients of the different components of the oral exam, i.e. what part each one played in forming the final grade. The Commission adopted a formal decision, refusing access to this information. The applicant decided to challenge this Decision in Court, invoking their right of access to their personal data in Article 17 Regulation 2018/1725. The Court noted that the applicant was also implicitly raising a claim under Regulation 1049/2001 on public access to documents of the EU administration, including of the Commission. The Court ruled that Regulation 2018/1725 is not applicable in casu, because the weighting coefficients do not constitute personal data. However, it ruled that the weighting coefficients should have been disclosed on the basis of Regulation 1049/2001, e.g. by redacting other information in the document containing these coefficients, which could be covered by obligations of secrecy. We note that the ruling is likely to contribute to the ongoing academic debate about the scope of the right of access to one’s personal data.

https://curia.europa.eu/juris/document/document.jsf?text=&docid=250350&pageIndex=0&doclang=FR&mode=lst&dir=&occ=first&part=1&cid=1227084

- The ECtHR on the Balance between Freedom of Speech and the Right to Erasure: Biancardi v Italy -

On 25th November, the ECtHR rendered a very important judgment on the balance between two human rights, namely the right to freedom of expression (Article 10 ECHR) and the right to private life (Article 8 ECHR). As to the facts of the case, the applicant was a chief editor of an online newspaper in Italy. They published in the newspaper an article about the fight between the owners of a restaurant, the temporary closure of the restaurant and the subsequent criminal proceedings against the owners. The restaurant owners requested the editor to de-index the said article from the internet, which the editor did not do for a long period of time. The owners took the matter to court and the domestic courts imposed a fine on the editor for not having de-indexed the contested article. The editor claimed that the domestic rulings and the fine of 5,000 Euros violated their right to freedom of expression. The Court ruled that this was not the case. In its reasoning, it first noted that the case was different from previous cases on the balance between the freedom of expression and the right to private life, in that what was at issue was not the content of the article, its publication and dissemination, or its archiving. The problem was making the article easily accessible by not de-indexing it. As the Court found, it was technically possible for the chief editor to perform this de-indexing by ‘“noindexing”’, which is ‘a technique used by website owners to tell a search engine provider not to let the content of an article appear in the search engine’s search results.’ Then, the Court noted that the domestic court’s rulings indeed constitute an interference with the applicant’s right to freedom of expression, which was prescribed by law and pursued a legitimate objective.
On the question of the proportionality of the interference, the Court examined it under the following criteria: ‘(i) the length of time for which the article was kept online – particularly in the light of the purposes for which V.X.’s data was originally processed; (ii) the sensitiveness of the data at issue and (iii) the gravity of the sanction imposed on the applicant.’ The Court concluded that bearing in mind the sensitivity of the article’s content and the fact that it was not updated after the criminal proceedings against the owners of the restaurant were concluded, the financial fine was not excessive, especially bearing in mind the fact that the applicant was not ordered to ‘permanently remove the article from the Internet.’

https://hudoc.echr.coe.int/eng#{%22article%22:[%228%22],%22documentcollectionid2%22:[%22GRANDCHAMBER%22,%22CHAMBER%22],%22itemid%22:[%22001-213711%22]}

- Opinion of Advocate General in Facebook Ireland -

On 2nd December, Advocate General Richard De La Tour provided an Opinion in the case of Facebook Ireland Limited v Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V. Essentially, the case concerns the standing of a German consumer protection organisation, under Article 80(2) of the GDPR, to file an injunction against Facebook. Specifically, the Question referred was: ‘Do the rules in Chapter VIII, in particular in Article 80(1) and (2) and Article 84(1), of Regulation (EU) 2016/679 preclude national rules which – alongside the powers of intervention of the supervisory authorities responsible for monitoring and enforcing the Regulation and the options for legal redress for data subjects – empower, on the one hand, competitors and, on the other, associations, entities and chambers entitled under national law, to bring proceedings for breaches of Regulation (EU) 2016/679, independently of the infringement of specific rights of individual data subjects and without being mandated to do so by a data subject, against the infringer before the civil courts on the basis of the prohibition of unfair commercial practices or breach of a consumer protection law or the prohibition of the use of invalid general terms and conditions?’.
On the basis of argumentation building on the Fashion ID case, ‘[t]he particular characteristics of Regulation 2016/679’, and ‘[t]he literal, systematic and teleological interpretation of Article 80(2) of Regulation 2016/679’, the Advocate General concluded: ‘Article 80(2) of [the]…General Data Protection Regulation, must be interpreted as meaning that it does not preclude national legislation which allows consumer protection associations to bring legal proceedings against the person alleged to be responsible for an infringement of the protection of personal data, on the basis of the prohibition of unfair commercial practices, the infringement of a law relating to consumer protection or the prohibition of the use of invalid general terms and conditions, provided that the objective of the representative action in question is to ensure observance of the rights which the persons affected by the contested processing derive directly from that regulation.’ It will be interesting to see whether the Advocate General’s opinion is shared by the Court.

https://curia.europa.eu/juris/document/document.jsf;jsessionid=140F1AA0E2C002133F61738CC3F87077?text=&docid=250421&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=5704494

- EDPB Addresses the UN and ENISA -

On 18th November, the EDPB adopted the following two letters:

A letter addressed to the United Nations (UN), which concerns transfers of personal data to international organisations. The EDPB are pleased that the UN is participating in the EDPS taskforce on personal data transfers to international organisations. However, the EDPB underline that this participation does not prejudice the compliance of data transfers with the requirements of the GDPR.
A letter addressed to ENISA, which concerns the European Cybersecurity Certification Scheme for Cloud Services (EUCS) and more precisely the compliance with cybersecurity requirements when working with cloud infrastructures. The EDPB recall that compliance with Schrems II is essential. More precisely, they believe that ‘at least an assurance level of the EUCS should include appropriate specific criteria to ensure protection against threats represented by access from authorities not subject to EU legislation and not offering a level of protection of personal data that is essentially equivalent to that guaranteed by the GDPR and recalled by the CJEU.’

The letters are available for consultation on the EDPB website.

https://edpb.europa.eu/news/news/2021/edpb-adopts-letters-un-enisa_en

- Political Agreement on the Data Governance Act -

On 30th November, the Commission announced ‘the political agreement reached…between the European Parliament and EU Member States on a European Data Governance Act.’ With this agreement ‘Trilogue negotiations have now concluded, paving the way for final approval of the legal text by the European Parliament and the Council.’ On the Act, the Commission highlight: ‘The Data Governance Act proposed in November 2020 will create the basis for a new European way of data governance in accordance with EU rules, such as personal data protection (GDPR), consumer protection and competition rules. Thanks to this Regulation, more data will be available and exchanged in the EU, across sectors and Member States. It will boost data sharing and the development of common European data spaces, such as manufacturing, cultural heritage and health, as announced in the European strategy for data.’ The Act is now subject to final approval by the European Parliament and the Council.

https://ec.europa.eu/commission/presscorner/detail/en/IP_21_6428

Lexxion Verlagsgesellschaft mbH
Güntzelstr. 63
10717 Berlin
Deutschland