Data Protection Insider, Issue 35

Parfentyev v Russia: Prisons Monitoring Correspondence with the ECtHR breaches the ECHR

On 3rd November the ECtHR rendered a judgement in the Parfentyev v Russia case. According to the facts of the case, the applicant was serving a sentence for having sexually assaulted juvenile offenders when he was heading the local inspectorate for juvenile affairs. While he was under investigation, a news article concerning his private life and the sexual abuse charges, together with a photograph of him, was published. While in prison, the applicant first complained to the ECtHR that the publication breached his right to privacy. Second, he complained of “the registration by the prison authorities of the applicant’s letters to the Court in the register of outgoing correspondence and sending them together with their own cover letters.” With regard to the first complaint, the ECtHR found a violation of Article 8 ECHR as the domestic courts had failed to recognise the publication as an interference with Article 8 ECHR and had not examined the balance between the right to privacy of the complainant and the right to freedom of expression (Article 10) of the publisher. The reasoning is straightforward and unsurprising in view of the previous case law on the topic. The second complaint, however, is more interesting from a data protection perspective. The ECtHR, on its own motion, re-qualified the complaint as a joint one under Article 8 ECHR in conjunction with Article 34 ECHR. The latter Article concerns the right to file a complaint with the ECtHR without hindrance and is purely procedural. Examining the issue from the point of view of confidentiality of communications, and in view of the fact that a breach of that confidentiality could lead to reprisals by the prison authorities against the applicant and to ensuing potential intimidation, the Court ruled that this amounts to a violation of Article 34 ECHR. We note that the Court’s approach demonstrates the fluidity or overlap between the right to petition and the right to privacy (of communications).
In this regard, the judgement gives further impetus to discussions on communications confidentiality – if individuals feel like their (electronic) communications are monitored, be it at work or by governmental authorities, could this discourage them from submitting complaints with DPAs or filing suit in court under the GDPR/LED?


– EDPS Strategy for Compliance of the EU Institutions with Schrems II

On 29th October the EDPS released a document focused on how the EU institutions, agencies and bodies should carry out Schrems II-compliant transfers to third countries and international organisations – especially to the USA. In its strategy, the EDPS has identified two priority areas of transfer: controller-to-processor and processor-to-sub-processor contracts. The EDPS has created a to-do list for the short and medium term. For the short term, the EDPS has ordered the EU institutions, bodies and agencies to carry out a mapping exercise describing which activities – e.g. procurement and contracts – involve the transfer of personal data. Then, these parties must report to the EDPS about three types of transfers: those without a legal basis, those based on derogations, and finally, transfers to private actors in the USA which involve high risks for data subjects. When it comes to new data processing operations, the EDPS recommends that transfers concerning personal data shall be avoided. For the medium term, the EDPS will offer guidance and engage in compliance and/or enforcement actions on a case-by-case basis. The EU institutions, bodies and agencies will also have to perform a Transfer Impact Assessment with the help of the data importer in order to reach a decision as to whether an existing transfer may continue. The EU institutions will further have to report on the use of derogations and on the continued and/or suspended transfers to countries that do not have an essentially equivalent level of protection. Finally, the EDPS “will also start exploring the possibility of joint assessments of the level of protection of personal data afforded in third countries and how these could be coordinated between authorities, controllers and other stakeholders to provide guidance and ensure compliance with the Judgement.” We welcome the ongoing efforts of the EDPS to ensure compliance with Schrems II.
However, a data protection expert cannot help wondering why the EU institutions do not yet have a record of existing transfers and the legal basis on which they rely, and why they have not already been carrying out such impact assessments before transfers are carried out.


– New ICO Guidance on Criminal Offense Data –

The ICO has published new guidance on Criminal Offense Data. The Guidance is not exhaustive, but systematically covers the main questions raised as to how data controllers – except authorities which have ‘law enforcement functions who are processing for law enforcement purposes’ – might process criminal offense data. Amongst the topics governed by the Guidance are: the scope of criminal offense data – in relation to which the ICO employs a broad conceptualisation, including data on victims; the rules relating to the legitimate processing of criminal offense data – in relation to which the ICO highlights the need for the conduct of a DPIA and points out certain of the key risks involved; and the conditions for the processing of criminal offense data – relating to conditions elaborated in UK data protection law concerning criminal offense data. The category of criminal offense data has long existed in data protection law, is associated with specific rights and responsibilities, and concerns a form of personal data with unique social significance. Despite this, there has been surprisingly little specific attention given to this form of personal data over the past few years. In this regard, the ICO’s Guidance is welcome. However, the Guidance is from only one DPA and contains numerous references to the specifics of national data protection law. In this regard, it cannot be assumed that the Guidance will always apply in other European states.


– The CNIL Releases Guidance on Handling Data of Deceased Persons

The focus of the CNIL guidelines, released on 28th October, is on the social network profiles of deceased persons and what the relatives of the deceased person can do with them. The CNIL clarifies that, in principle, the profiles continue to exist until a relative requests their deletion because social network providers cannot know whether a user has died or has simply become inactive. In order to respect the confidentiality of the communications of deceased persons, however, relatives may not have access to the respective profile. They can only request that the profile be deleted or that the social network provider indicates on the profile that the person has died so that third parties are informed of the death. In addition, if the living relatives feel that the reputation or memory of the deceased person is being tarnished, they may file suit before the courts. Finally, the CNIL website offers a list of links to the biggest social networks where relatives can submit requests concerning the profile of a deceased person. We note that there is a much-needed debate to be had on the processing of the personal data of the deceased – especially because the GDPR excludes from its scope of application the protection of this form of personal data. Thus, knowing that national authorities are working on this topic is a positive development. It remains to be seen how other countries decide to regulate this matter.


– New Draft of E-Privacy Proposal –

Over the past two weeks, certain media outlets – amongst others – have obtained copies of a draft of the German Presidency’s new e-Privacy Proposal. In this regard, Euractiv reports several interesting aspects of the draft likely to spark debate in the privacy and data protection community. Three aspects are highlighted. First, the draft suggests that there should be the possibility to process communications meta-data, without consent, to protect vital interests, which ‘may include for instance processing necessary for humanitarian purposes, including for monitoring epidemics and their spread or in humanitarian emergencies, in particular, natural and man-made disasters’. Second, the draft removes the possibility for data controllers to process communications data for ‘legitimate interests’. Third, the draft includes a clarification that e-Privacy law should not obstruct Member States’ abilities to access and use communications meta-data in the fight against crime. It will be interesting to see how these novel aspects eventually appear in the full official release of the draft. It will also be interesting to see how other Member States and interested stakeholders react to these novel proposals.


– Data Governance Act and EU Data Spaces –

Over the past two weeks, certain media outlets – amongst others – have obtained a draft copy of the EU’s Data Governance Act. Certain aspects of the draft have generated considerable interest. One such aspect, as Euractiv reports, is the Act’s intention to facilitate the exchange of non-personal data – to maximize the EU’s ability to extract value from the industrial data it generates – between data generators and data users via the creation of a system of ‘data intermediaries’. Discussions have emerged, in particular, around the fact that the function of these data intermediaries will be subject to a specific set of conditions. These conditions include: that the intermediary is located in the EU; and that third country authorities’ requests to access EU personal data are not responded to. The proposed approach has been suggested to be part of the Commission’s intention to improve the EU’s ‘digital sovereignty’ by enhancing EU control over its data stocks. There remain, however, disagreements as to the utility and possibility of data sovereignty measures – as well as to associated concepts such as data localisation and data protectionism. Accordingly, it will be interesting to see how debates around the details of the draft Act develop in the coming weeks and months.


DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.
