Data Protection Insider, Issue 99

Data Protection Insider, Issue 99 - DPI 9

– CJEU: Verification of COVID-19 Certificates is Personal Data Processing –

On 5th October, the CJEU ruled that the notion of personal data processing under the GDPR includes the verification of COVID-19 certificates, as operated by Member State COVID-19 apps. As to the facts of the case, in January 2022, the applicant in the main proceedings (RT) challenged the validity of the Czech extraordinary measures, which were introduced to contain the spread of the COVID-19 virus. These measures included the verification of the health status of individuals based on the EU Digital COVID Certificate, which certified whether an individual had recovered from COVID or has been vaccinated or has tested negative to the virus. The checks were performed when individuals wished to take part in certain public events. The verification was performed via an app, into which individuals could upload the above-mentioned health information and which was read by a QR code by those organising the public events or other indoor and outdoor activities. In order to examine the legality of the measure, the Czech Supreme Administrative Court wondered whether the verification of the interoperable COVID certificates constitutes the processing of personal data under the GDPR. In its short judgment, the CJEU recalled its case law on the concepts of ‘personal data’ and ‘processing’ under the GDPR and quickly confirmed that the contested data processing falls within these concepts and hence the GDPR is applicable. It also repeated that the EU Regulation establishing the EU Digital COVID Certificate clearly referred to the applicability of the GDPR to the processing of the personal data on certificates. Finally, the Court invited the national court to examine the compatibility of the national measures with the other provisions of the GDPR, especially Articles 5 and 6.


– AG Opinion on the Retention of Civil Identity Data and Copyright –

On 28th September, AG Szpunar issued an Opinion which advised the Court that the e-Privacy Directive does not per se exclude the retention of civil identity data for the purposes of fighting copyright infringements, and proposed the conditions under which this could be compatible with EU law. The case which is examined by the AG refers to the activities of the French Hadopi Commission, which deals with copyright infringements by individuals who illegally upload copyrighted content online. Under French law, the said Commission works under the ‘‘graduated response’ mechanism’ and pursuant to it only where an infringement has already been established may the ‘Hadopi’s Commission for the protection of rights (…) obtain from the electronic communications service provider the identity, postal address, electronic address and telephone number of the holder of the subscription that was used to commit a copyright infringement.’ The question in the main proceedings concerns the compatibility with EU law of the retention and access to those personal data for the purposes of fighting copyright infringements. In the Opinion, the AG referred to a previous Opinion prepared for the case – see the discussion of the Court’s procedure for clarification as to this previous Opinion, unfortunately, at the time of writing, this previous Opinion does not seem to be available online. In the present Opinion he examined (1) the proportionality of the measure and the necessity of the data; and (2) the ‘existence of adequate material and procedural guarantees’. As to (1), the AG opined that ‘the Court’s case-law relating to the seriousness of the interference with fundamental rights caused by the retention of and access to IP addresses should be interpreted as meaning not that that interference is always a serious interference, but that it is a serious interference only where the IP addresses may result in the exhaustive tracking of the user’s clickstream and in very precise conclusions being drawn about his or her private life. (…) As that is not the case in a situation such as that at issue in the main proceedings, it follows that the interference which the retention of and access to the civil identities corresponding to an IP address used for the purpose of making available content in breach of copyright entails should be capable of being justified by an objective of combating crime in a broader sense than just serious crime.’ Furthermore, the AG argued that the data contested data are ‘indispensable’ for prosecuting the copyright infringements. These points lead the AG to conclude that the interference with fundamental rights is proportionate. As to (2), the AG submitted that the Court should distinguish between the ‘graduated response’ mechanism in the present cases, pursuant to which access is sought only to the data of an individual who is ‘the perpetrator of an infringement which has already been established to be revealed’ and between access to the data of a suspect for the purposes of demonstrating their guilt. On the basis of that distinction, the AG did not deem that the lack of a prior administrative or judicial review of the access to the data should be seen as a critical deficiency in the legality of the measure. Thus, he concluded that Article 15(1) e-Privacy Directive ‘must be interpreted as not precluding national legislation permitting the retention by providers of electronic communications services of, and access by an administrative authority entrusted with the protection of copyright and related rights against infringements of those rights committed on the internet to, data limited to civil identity data corresponding to IP addresses so that that authority can identify the holders of those addresses suspected of having committed those infringements and, if appropriate, take action against them, where that access is not subject to a prior review by a court or an independent administrative authority, provided that those data are the only means of investigation enabling the persons to whom that address was assigned at the time of the commission of the infringement to be identified.’ Finally, the AG devoted a section on proposing a ‘necessary and limited development’ of the Court’s case law on data retention, in which he concluded that ‘(t)he interpretation of Article 15(1) of Directive 2002/58 which I propose permits the retention of and access to civil identity data corresponding to IP addresses only with respect to the prosecution of infringements the perpetrators of which could not be identified in the absence of those data. It therefore covers only infringements committed exclusively on the internet and does not call in question the solutions laid down in the case-law relating to the retention of and access to a wider range of data, and pursuing other objectives.


– EDPB Adopts Documents During 84th Plenary Session – 

The EDPB held its 84th Plenary Session on 19th September. During the session, the EDPB adopted the following documents:

  • ‘EDPB-EDPS Joint Opinion 01/2023 on the Proposal for a Regulation of the European Parliament and of the Council laying down additional procedural rules relating to the enforcement of Regulation (EU) 2016/679’;
  • ‘Joint EDPB-EDPS contribution to the public consultation on the draft template relating to the description of consumer profiling techniques (Art.15 DMA)’;
  • Guidelines 01/2023 on Article 37 Law Enforcement Directive’
  • ‘Opinion 15/2023 on the draft decision of the Dutch Supervisory Authority regarding the Brand Compliance certification criteria’;
  • ‘EDPB response to MEP in’t Veld on intergovernmental agreements implementing the US Foreign Account Tax Compliance Act’;
  • ‘EDPB response to MEP in’t Veld on amendments to Irish legislation’.

The documents are available for consultation on the EDPB website.




DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.

Leave a Reply