Data Protection Insider, Issue 98

Data Protection Insider, Issue 98 - DPI 6

– ECtHR Rules on UK Intelligence Services’ Surveillance –


On 12 September, the ECtHR ruled in the case of Wieder and Guarnieri v. the United Kingdom. The case essentially concerns the alleged collection, storage, processing and dissemination of the applicants’ personal data by UK intelligence services, although these applicants were located outside the UK. The applicants had initially complained to the UK’s Investigatory Powers Tribunal (“the IPT”). This complaint was unsuccessful – ‘in the IPT’s view, a Contracting State owed no obligation under Article 8 of the Convention to persons both of whom were situated outside its territory in respect of electronic communications between them which passed through that State. Furthermore, it was not persuaded that a privacy right was a right of action present in the jurisdiction and to find otherwise would be to extend the bounds of the domestic courts’ jurisdiction under Article 8 of the Convention’. Accordingly, the applicants turned to the ECtHR, complaining that ‘under Article 8…as a result of their work and contacts, their communications might have been intercepted, extracted, filtered, stored, analysed and disseminated by the United Kingdom intelligence agencies pursuant to the regime under section 8(4) of the Regulation of Investigatory Powers Act 2000 (“RIPA”)’. The Court found ‘a violation of Article 8 of the Convention in respect of the regime under section 8(4) of RIPA’. The body of the judgment on Article 8 concerned a novel consideration of jurisdictional issues – including a discussion of relationship between the physical location of an applicant and the interception of electronic communications – as well as an ex officio consideration of victim status – in which the Court opined on bulk surveillance regimes and the level of persuasion required to establish victim status. Moving on from these considerations to the substance, the Court finally held, ‘for the reasons identified in Big Brother Watch and Others (namely, the absence of independent authorisation, the failure to include the categories of selectors in the application for a warrant, and the failure to subject selectors linked to an individual to prior internal authorisation…) that there has been a violation’ of Article 8. This case, as with many others dealing with surveillance issues, deserves a close reading and will likely be of interest to the majority of the data protection community.

Learn more


– ECtHR Rules on Information concerning Criminal Convictions –


On 12 September, the ECtHR ruled in the case of N.F. and Others v. Russia. Essentially, the case concerned information on spent, and or lifted, criminal convictions, held by the Ministry of the Interior. At various times, the applicants had requested certificates from the Ministry concerning their convictions, mostly to provide to current or prospective employers. Because these certificates showed information relating to their criminal records, certain of the applicants were then, allegedly, dismissed from employment. The applicants complained to the Ministry that the processing of ‘data relating to discontinued criminal proceedings and spent and lifted convictions was unlawful and unnecessary and asked them to delete such data’. The Ministry refused, and, accordingly, the applicants brought court proceedings against the Ministry on several bases – including the necessity of storing the data for the defined period, and the legitimacy of the legal basis for storage of the data. Court proceedings were unsuccessful. Accordingly, the applicants complained to the ECtHR on the basis ‘that the processing by the Ministry of their personal data concerning discontinued criminal proceedings or lifted or spent criminal convictions had been in breach of their right to respect for their private life, as provided by Article 8 of the Convention’. The ECtHR found a violation of the Article 8, holding, that ‘the processing of the applicants’ data relating to criminal convictions which have become spent or which have been lifted by a court and of data relating to criminal proceedings which have been discontinued on “non-rehabilitative grounds” failed to strike a fair balance between the competing public and private interests and that the respondent State has overstepped any acceptable margin of appreciation in this regard. Accordingly, such processing constituted a disproportionate interference with the applicants’ right to respect for their private life and cannot be regarded as “necessary in a democratic society”’. In coming to this conclusion, the Court focused on the criterion ‘necessary in a democratic society’. After reiterating the relevant general principles – including concerning the processing of data on criminal convictions and on the margin of appreciation – the Court highlighted several issues with the operative system, including the lack of effective possibility to review decisions and the lack of proportionality concerning the data storage itself. The case is interesting, albeit the conclusions unsurprising. Whilst reading, however, we could not help but wonder whether, and if so how, the current political situation impacts the Court’s approaches to data privacy issues in cases concerning Russia, as well as how decisions against Russia are now received and processed within that country.

Learn more


– AG Opinion on Publication of Information on Anti-Doping Violations – 


On 14 September 2023, the AG published their Opinion in the case of NADA and Others. The case essentially concerned an Austrian professional athlete, who was found guilty of having breached anti-doping rules. ‘As a consequence, the Austrian national anti-doping authority published her name, details of the breach concerned, and the period of suspension on its publicly accessible website’. In light of the above, the referring court posed several questions to the CJEU, which the AG bundled into four sets of considerations:

  1. Does publication of information on a specific doping offence constitute data concerning health under Article 9?
  2. Does public disclosure of a name, a breach of anti-doping rules, and the penalty incurred, constitute processing of personal data on criminal convictions or offences under Article 10?
  3. Does processing of personal data relating to acts breaching anti-doping rules make the USK – Unabhängige Schiedskommission (Independent Arbitration Committee, Austria) – an ‘official authority’ under Article 10?
  4. Is public disclosure – publication on an accessible website – of an athlete’s data, alongside information on anti-doping rule violations and consequent suspensions, compatible with lawfulness and data minimisation under Article 5(1)(a) and (c) and Article 6(3)?

The AG came to the following conclusions:

  1. Information on a breach of anti-doping rules linked to prohibited substances or methods does not, in itself, constitute ‘data concerning health’ under Article 9.
  2. Article 5(1)(c) and Article 6(3) do not prohibit a national authority from publicly disclosing an athlete’s personal data concerning anti-doping rule violations.
  3. Article 10 applies to the processing of personal data concerning possession and use by an athlete of substances on the World Anti-Doping Agency Prohibited List.
  4. A body tasked with reviewing decisions finding breaches of anti-doping rules is not automatically an ‘official authority’ under Article 10. If, however, such a task is mandated under law, then this is the case.

The Opinion is worth reading not only for the novel and interesting subject matter, but also as the case deals specifically with a number of fascinating matters seldom brought to bear on data protection issues – such as for example, the definition of ‘court or tribunal’. As always, it remains to be seen whether, and the extent to which, the AG’s Opinion will be followed by the Court.

Learn more


DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.

Leave a Reply