Data Protection Insider, Issue 132

Data Protection Insider, Issue 132 - DPI 28

-CJEU: National Courts Authorising Personal Data Disclosure Are Not Data Controllers-

On 30th April, the CJEU clarified the application of several GDPR provisions to the functions of judicial supervisory bodies (the Inspecotrate in Bulgaria, in casu) and national courts which are called to authorize the disclosure of asset information of prosecutors, investigators, judges and their family members to the Inspectorate in Inspektorat kam Visshia sadeben savet. As to the facts of the case, in May 2023 the Inspectorate requested the referring court to lift the banking secrecy of several judges, prosecutors and investigators and their family members, following the expiration of the deadline of the submission of their declarations. The Inspectorate wanted to verify the data on their declarations, which are published, and thus to inspect whether there had been undue influence over their work. An interesting fact is that the referring court was concerned that previously, the Inspectorate had had unlawfully published the complete information about the assets of about 20 judges on its website, breaching its obligations concerning personal data security. Against that background, the referring court sent several preliminary ruling questions. The four questions concerned with data protection deal with the question of the role and responsibilities under the GDPR of the Inspectorate and the courts which are asked to lift banking secrecy. The CJEU guided the referring court as follows. First, on the material scope of the GDPR, it ruled that ‘disclosure, to a judicial body, of personal data that are protected by banking secrecy and that concern judges, public prosecutors and investigating magistrates as well as their family members, with a view to the verification of the declarations which are submitted by those judges, public prosecutors and investigating magistrates concerning their assets and those of their family members and which are published, constitutes processing of personal data that comes within the material scope of that regulation’. Second, on the question of controllership, it ruled that ‘a court having jurisdiction to authorise, at the request of another judicial body, disclosure by a bank to that body of data relating to the bank accounts of judges, public prosecutors and investigating magistrates as well as of their family members, cannot be classified as a controller within the meaning of that provision’. It clarified that it would rather be the Inspectorate which is likely to be the controller in that case. Third, on the question whether a court authorising the disclosure of the personal data in question acts as a supervisory authority in the meaning of Article 51 GDPR, the Court ruled that ‘Article 51 of the GDPR must be interpreted as meaning that a court having jurisdiction to authorise disclosure of personal data to another judicial body does not constitute a supervisory authority within the meaning of that article, where that court is not entrusted by the Member State in which it is situated with monitoring the application of that regulation in order to protect, in particular, the fundamental rights and freedoms of natural persons in relation to the processing of their personal data’. Fourth and last, on the question of the obligations of the referring court to ensure ex officio the security of the data by the Inspectorate before authorising the data disclosure to the Inspectorate, the CJEU established that ‘Article 79(1) of the GDPR, read in the light of Article 47 of the Charter, must be interpreted as meaning that a court having jurisdiction to authorise disclosure of personal data to another judicial body is not required, where an action pursuant to that provision has not been brought before it, to ensure of its own motion the protection of the persons whose data are concerned as regards compliance with the provisions of that regulation relating to the security of personal data, including where it is known that that body has, in the past, infringed those provisions’.

-ECtHR: Monitoring Prisoners’ Correspondence with Domestic Courts Breaches Article 8 ECHR-

On 24th April, the ECtHR ruled that the Ukraine breached Article 8 ECHR by unlawfully monitoring the correspondence of a prisoner with domestic courts in Karpenko v Ukraine (No 2). As to the facts of the case, the applicant is a prisoner, detained in a Ukrainian prison. He claims that he had been sending sealed letters to the Ukrainian High Administrative Court (HAC), complaining about how the prison administration handled his correspondence. From the documents submitted by the prison administration on the case, the applicant found indication that the said administration had opened and inspected his letters before forwarding them to the HAC. The indication was that the prison had recorded information such as the case number of his previous case with the HAC and the number of pages sent to the HAC when sending a cover letter to the HAC. He thus complained that the prison officials had monitored his correspondence in breach of his Article 8 ECHR rights. The Court first noted that it was disputed between the applicant, on one hand, and the prison administration and domestic courts, on the other hand, whether the correspondence with the HAC was sealed, as required by domestic regulations. It ruled that it was the prison authorities which had had to ensure that the envelope which was handed to them was sealed. It also acknowledged the fact that the prison administration had opened the prisoner’s letter, because of the information it had put in the cover letter to the HAC. The Court recalled that it ‘has previously, on many occasions, found a violation of Article 8 in view of the content of similar cover letters which disclosed the fact that prison officials had reviewed the content of prisoners’ correspondence’. Thus, it established a violation of Article 8 ECHR also in the present case.

-ECtHR: Court Rules on Disclosures of Personal Information and Parliamentary Privilege-

On 8th April, the ECtHR ruled in the case of Green v. UK. In terms of the facts, the case essentially concerned the invocation of the use of parliamentary privilege, by a Member of the House of Lords in the UK, to name, in the course of parliamentary discussion, the applicant – a prominent businessman – ‘as the subject of an anonymised newspaper article’ dealing with allegations of ‘serious and repeated sexual harassment, racist abuse and bullying’ despite the fact that ‘the Court of Appeal had granted an interim injunction and anonymity orders to prevent the publication of his identity’. In this regard, the applicant complained that ‘the absence of ex ante and ex post controls on the power to use parliamentary privilege to reveal information subject to an injunction breached Article 8 of the Convention’ – the applicant also complained under Articles 6 and 13, the substance of these complaints will, however, not be examined here. The Court found no violation of Article 8. In coming to its conclusion, the Court highlighted that ‘the absence of ex ante and ex post controls on the power to use parliamentary privilege to reveal confidential information subject to an injunction – relates to the general framework for balancing rights of privacy and freedom of expression in Parliament in the domestic legal order’ and that it ‘must therefore be examined from the standpoint of the State’s positive obligations under Article 8’. The Court then went on to highlight the state’s broad margin of appreciation in light of the facts of the case – in particular in light of the relationship between the case and the internal functioning of Parliament. Accordingly, after considering the relevant ex ante, and ex post controls in place, highlighting a range of comparative law materials concerning the breadth of parliamentary privilege, and highlighting that ECtHR interference with UK parliamentary privilege would be unprecedented, and have significant problematic implications – including in relation to the separation of powers – the Court concluded: ‘in keeping with the well-established constitutional principle of the autonomy of Parliament…it is in the first instance for national parliaments to assess the need to restrict conduct by their Members. As the United Kingdom Parliament is aware of the problem of parliamentary privilege being used to frustrate injunctions and has addressed the need for further controls…the Court considers that for the time being it may be left to the respondent State, and Parliament in particular, to determine whether and to what extent ex ante and ex post controls might be necessary to prevent its Members from revealing information subject to privacy injunctions. However, given the serious impact that the disclosure of such information may have on the privacy of the individual concerned, not to mention the implications for the rule of law and the separation of powers within the United Kingdom constitution of parliamentarians usurping the role of judges, who have considered it necessary, after viewing the evidence before them, to grant an injunction, the Court considers that the need for appropriate controls must be kept under regular review at the domestic level. Consequently, as things currently stand the rule on parliamentary privilege did not exceed the margin of appreciation afforded to the respondent State and there exist no sufficiently strong reasons to justify the Court substituting its view for that of Parliament and requiring it or the respondent State to introduce further ex ante and ex post controls on freedom of speech in Parliament’.

-ECtHR: Court Rules on Publication of Convictions for Administrative Offences-

On 24th April, the ECtHR ruled in the case of Sytnyk v. Ukraine. In terms of the facts, the case essentially concerns ‘the alleged unfairness of administrative-offence proceedings against the applicant, a high-level public official in the field of anti-corruption, as a result of which he himself was found guilty of a corruption-related administrative offence, and the subsequent inclusion of his name, for an indefinite period, in a publicly accessible register of corrupt officials’. In this regard, the applicant complained to the Court that ‘he had been unjustly labelled “corrupt”, in breach of his right to respect for his private life as provided for in Article 8 of the Convention’ – the applicant also complained under Articles 6, and 18, the substance of these complaints will not, however, be considered here. The Court found a violation. The Court recognised that the publication constituted an interference, that this had happened in accordance with the law, and that this had pursued aim – ‘preventing corruption in the public service’. The Court considered, however, that the interference was not ‘necessary in a democratic society’. In this regard, the Court highlighted that ‘the decision-making process leading to the applicant’s being found guilty of a corruption-related administrative offence was seriously flawed’ and, in this regard ‘the national authorities failed to adduce “relevant and sufficient” reasons for the interference with the applicant’s right to respect for his private life’. The Court further found that a permanent entry into the Corrupt Officials Register – despite national law foreseeing the possibility for convictions for administrative offences to be expunged after a certain time – could not be considered proportionate.

About

DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.

Leave a Reply