Data Protection Insider, Issue 26

– ECtHR Rules on Retention of Personal Data for Law-Enforcement Purposes –

On 11th June, the ECtHR issued its ruling in the P.N. v Germany case, concerning the collection and storage of personal data for law enforcement purposes. According to the facts of the case, the applicant had been charged with, and convicted several times of, different types of crimes. Because he is considered by the German police to be a recidivist likely to re-offend and criminal investigations had been opened against him again, the police decided to collect the following data from him: photographs of his face and the body, fingerprints, palm prints and a description him. The data were to be stored in police files for five years. The applicant complained that the collection, storage and processing of the data was an infringement of his rights under Article 8. In its ruling, the ECtHR recalled that the collection and storage of personal data by law-enforcement authorities constitutes an interference with Article 8. It noted that the interference had a basis in national criminal law and pursued a legitimate aim – namely the prevention of crime and the protection of the rights and freedoms of others by facilitating future investigations. As to the necessity and proportionality of the measure, the ECtHR noted that the contested data processing was legitimate as it was subject to specific criteria and accompanied by sufficient safeguards against abuse – as derived from its case-law and Council of Europe Convention 108. The Court highlighted: (1) the limited data storage period and the possibility of deleting data once they are no longer necessary, (2) the fact that more sensitive data such as DNA and cellular samples – as in S. and Marper – were not collected, (3) the presence of measures preventing against unauthorised access and unlawful dissemination, (4) the limited criteria for collection – the applicant had actually been convicted several times in the past and other criminal proceedings against him had been discontinued, and (5) the consideration of the risk of re-offending posed by the applicant. It is notable that, in its reasoning, the ECtHR made a clear distinction between the present case, and previous comparable cases in which an infringement was found – such as M.K v France and S. and Marper v the United Kingdom. In doing so, the Court thus provides further clarity as to the bounds of legality of law enforcement data collection schemes.

– ECtHR Rules on Post-Mortem Privacy –

On 16th June, the ECtHR handed down its judgment in the case of Boljević v. Serbia. The facts of the case were as follows: The plaintiff had always thought Mr. A. had been his father. After the death of Mr. A, the plaintiff found out that Mr. A had started proceedings, which had concluded in 1972, to disavow paternity. The plaintiff then sought to ‘re-open those proceedings in order to establish the identity of his biological father on the basis of DNA testing, which was unavailable in 1972’. The national Courts, however, refused to re-open proceedings as the statutory time limit had already expired – in 1977. The applicant then claimed a violation of Article 8. The ECtHR considered the case in light of the Member State’s positive obligations and found a violation on the basis that, although the decision of the national Courts had been in accordance with the law and based on a legitimate interest, this decision did not represent a fair balance of the interests involved. The ECtHR provided five reasons for the decision: first, ‘the applicant attempted to establish the identity of his biological father, which has been recognised as a vital interest protected by the Convention and…does not disappear with age’; second ‘the applicant became aware of the final judgment regarding his parentage in 2011 or 2012, decades after the applicable deadline for the reopening of the proceedings’; third, ‘the private life of a deceased person…from whom a DNA sample would have had to be taken could not have been adversely affected by a request…made following his death’; fourth, there is no indication in the case file as to what the position of the deceased’s family would have been in respect of a DNA test’; fifth, ‘the…argument that the applicant should have lodged a new civil claim [could not be accepted]’. This is not strictly a data protection case. The case nevertheless has relevance for data protection. This is one of the few cases in which the ECtHR has directly ruled on issues of the privacy of the deceased and thus directly touches on discussions as to whether data protection law should apply to the deceased. In the case, the ECtHR takes a blunt approach – seemingly in line with previous case-law – disavowing the possibility for deceased persons to have privacy rights impacted by post-mortem activities. One wonders, however, whether, as the connections between individuals and social systems through data develop, and as the concepts of rights in data develop and become more subtle in parallel, this blunt approach will be sustainable.

 – EDPB Holds 31th Plenary Session –

During its 31st Plenary Session, held on 18th June, the EDPB adopted the following documents:

  • A response to MEP Körner regarding TikTok: in which the EDPB indicates that the Board has decided to set up a taskforce concerning the app.
  • A response to MEPs regarding the (prospective) deployment of Clearview AI by European law enforcement and national security authorities: in which the EDPB raises several concerns about the facial recognition app as used by law enforcement authorities, especially as regards the legality of the transfer of biometric data outside the EU/EEA and the strict necessity of the data processing in question. The EDPB highlights that further work on biometric technologies will need to be carried out in future.
  • A response to ENISA regarding EDPB representative to the ENISA Advisory Group: in which the appointment of the EDPB representative is indicated
  • A response to open letter from NYOB: in which the concerns raised by NYOB about the efficiency of the one-stop-shop mechanism are addressed.

The documents are already available on the EDPB website and can be consulted.

 – EDPB Holds 32nd Plenary Session –

On 17th June, the EDPB released information on the outcome of its 32nd Plenary Session. In the session, the Board adopted two statements and three letters:

  • A statement on the interoperability of contact tracing applications: in which the EDPB once again highlights the need for apps to be voluntary and recalls the data protection concerns associated with interoperability.
  • A statement on the processing of personal data in the context of reopening the Schengen borders: in which the EDPB highlights the ongoing relevance of data protection in relation to conditions attached by Member States to the reopening of borders.
  • A response to a letter from MEP Moritz Körner on the relevance of encryption bans in third countries for assessing the level of data protection: in which the EDPB highlights that any ban on encryption would seriously weaken the possibility for controllers in third countries to achieve the standard of protection required under the GDPR.
  • A second letter to MEP Körner addresses the topic of laptop camera covers: in which the EDPB notes that manufacturers of laptops do not qualify as controllers or processors and are therefore cannot be subject to an obligation under the GDPR to install camera covers.
  • A letter to the Committee of European Auditor Oversight Bodies: concerning the possibility ‘to cooperate and receive feedback on negotiations of draft administrative arrangements for the transfer of data to the US Public Company Accounting Oversight Board (PCAOB)’.

Documents not yet available on the EDBP’s website should be made available shortly, following internal checks.


– EDPS Opinion on the European Strategy for Data –

On 16th June, the EDPS issued an Opinion on the Commission’s European Strategy for Data. In its Opinion, the EDPS first made general remarks about the strategy concerning the applicability of the core principles of EU data protection law – for example concerning data subject rights, the role of data intermediaries and the distinction between personal and non-personal data. He then focused more specifically on specific aspects of the strategy. In this regard, the following topics appeared prominently: the concept of “public good”; Open Data; the role of the EU institutions in realising the purposes of the strategy; the processing of personal data for scientific purposes; common European data spaces; digital literacy and skills; and ‘data altruism’. With regards to ‘data altruism’, the EDPS highlights that the ‘donation’ or ‘sale’ of personal data may not be used to waive the applicability of EU data protection law. In general, the EDPS advocates for full compliance with the GDPR when it comes to the realisation of the Data Strategy and provided concrete guidance on achieving this aim. For example, in the context of scientific research, the EDPS raises the concern that (scientific) research is not defined and the ‘boundaries between public interest, academic freedom and  private gain today are more blurred than ever.’ Therefore, he calls for clarification of the respective terms in future legislation and policy documents. In general, the EDPS is positive about the strategy as he believes it will contribute to European Digital Sovereignty: ‘(t)he EDPS strongly believes that  one  of  the  most  important objectives  of the Data Strategy should be to prove the viability and sustainability of an alternative  data  economy model – open,  fair  and  democratic.’ The EDPS has commits to issue further guidance ‘on any legislative follow-up to the Data Strategy’. Accordingly, future comments by the EDPS on this topic are to be expected.

– Conseil d’Etat Rules Against Parts of CNIL’s Cookie Guidance –

On 19th June, 2020, the French Conseil d’Etat handed down a judgment in which it invalidated parts of the CNIL’s guidance on cookies. Specifically, the Conseil d’Etat found that the CNIL could not, in its guidance, impose a ban on ‘cookie walls’. The Conseil d’Etat did recognise that the obligation to obtain consent for the use of cookies is a requirement set out in the GDPR. The Conseil also recognised, however, that the CNIL – in the context of guidelines which are intended to merely constitute flexible principles – did not have the power to impose such definitive bans. The CNIL has committed to respect the decision and will amend the problematic guidelines accordingly. At first glance, the decision is particularly interesting from a procedural perspective. The case constitutes one of the few instances – to our knowledge – in which a Court has ruled on the legitimacy of a position in guidance put forward by a DPA. In passing the judgment, the Conseil d’Etat may have taken a step – albeit perhaps a small step – in clarifying the ambiguities in the relationship between DPAs and the judiciary, and in clarifying the ambiguities in the relationship between DPAs and their norm setting capacity. Further detailed consideration of the case will be necessary, however, to tease out the form and degree of the significance of the case.



DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.

Leave a Reply