{"id":72331,"date":"2022-03-31T22:45:40","date_gmt":"2022-03-31T20:45:40","guid":{"rendered":"https:\/\/www.lexxion.eu\/dpi\/data-protection-insider-issue-66\/"},"modified":"2022-03-31T22:45:40","modified_gmt":"2022-03-31T20:45:40","slug":"data-protection-insider-issue-66","status":"publish","type":"dpi","link":"https:\/\/www.lexxion.eu\/en\/dpi\/data-protection-insider-issue-66\/","title":{"rendered":"Data Protection Insider, Issue 66"},"content":{"rendered":"<div class=\"txtTinyMce-wrapper\" style=\"font-family: Arial, Helvetica Neue, Helvetica, sans-serif; font-size: 12px; line-height: 18px; text-align: justify;\">\n<p style=\"font-size: 14px; line-height: 21px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\"><a style=\"text-decoration: none;\" href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=257242&amp;pageIndex=0&amp;doclang=EN&amp;mode=req&amp;dir=&amp;occ=first&amp;part=1&amp;cid=117317\" target=\"_blank\" rel=\"noopener\"><em><strong>&#8211; The CJEU Confirms Its Stance on the Retention of Traffic and Location Data &#8211;<\/strong><\/em><\/a><\/span><\/p>\n<p style=\"font-size: 14px; line-height: 21px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\">On 5th April, the CJEU rendered another judgment on the topic of the retention of traffic and location data and access to these data for law enforcement purposes in <em>G.D. v Commissioner of An Garda S\u00edoch\u00e1na and others<\/em>. The six preliminary ruling questions originated in the challenge by a convict (G.D.) against the legality of the evidence collected on them by means of the processing of their traffic and location data. 
The six questions essentially come down to the question whether the data may be indiscriminately stored for law enforcement purposes by the electronic communications provider and under what conditions they may be accessed by the law enforcement authorities, as interpreted in light of Article 15(1) e-Privacy Directive and Articles 7, 8, 11 and 52(1) EU Charter of Fundamental Rights. <a style=\"text-decoration: underline;\" href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=257242&amp;pageIndex=0&amp;doclang=EN&amp;mode=req&amp;dir=&amp;occ=first&amp;part=1&amp;cid=117317\" target=\"_blank\" rel=\"noopener\">In a first step, the Court confirmed its case law by stating that the e-Privacy Directive and the Charter preclude \u2018the general and indiscriminate retention of traffic and location data\u2019 \u2018for the purposes of combating serious crime and for the prevention of serious threats to public security\u2019<\/a>. In addition, the Court summarized its case law in which it had established that Member States may require the storage of the data of the users of telecommunication services for law enforcement purposes in certain cases \u2013 including when the retention of the traffic and location data is targeted, when imposing quick freeze measures, and in relation to IP addresses and civil identity data \u2013 as long as there are measures implemented against abuse and adequate remedies available. Second, the Court ruled that the Irish provisions for assessing the access to the traffic and location data by the police for the purposes of fighting serious crime are incompatible with the Charter and the e-Privacy Directive, as they do not guarantee independent assessment. 
This is because the assessment is assigned to a police officer who only needs \u2018to assess the suspicions that exist with respect to the persons concerned and the need for access to data that relate to them.\u2019 The Court ruled that this problem could not be offset by the fact that the assessment decision is subject to subsequent judicial review. Third and finally, the Court ruled that the national court may not limit the temporal effects of a ruling of incompatibility of national law with EU law, but that it is up to national courts to decide on the validity of evidence, which might have been gathered in breach of the EU data retention provisions, in light of national procedural law.<\/span><\/p>\n<\/div>\n<p>&nbsp;<\/p>\n<div class=\"txtTinyMce-wrapper\" style=\"font-size: 12px; line-height: 18px; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif;\">\n<p style=\"line-height: 18px; word-break: break-word;\"><a style=\"text-decoration: none;\" href=\"https:\/\/hudoc.echr.coe.int\/eng#{%22itemid%22:[%22001-216454%22]}\" target=\"_blank\" rel=\"noopener\"><em><span style=\"font-size: 14px; line-height: 21px;\"><strong>&#8211; ECtHR Rules on Secret Surveillance in Disciplinary Proceedings &#8211;<\/strong><\/span><\/em><\/a><\/p>\n<p style=\"line-height: 18px; word-break: break-word;\">\n<p style=\"text-align: justify; line-height: 18px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\">On 29th March, the ECtHR examined the compatibility of the usage of secret surveillance measures for disciplinary purposes in <em>Starkevic v Lithuania<\/em>. As to the facts of the case, the applicant was a police officer who had tried to convince an arrested person to steal goods. The police authority initiated a criminal investigation into abuse of office, in the course of which it used secret surveillance measures which were authorised by a national court. 
The information gathered was subsequently re-used for the purposes of disciplinary proceedings, which led to the applicant\u2019s dismissal. The applicant claimed that this re-usage violated his right to private life under Article 8 ECHR. In its ruling, the Court first confirmed that the re-usage of the materials, in principle, constituted an interference with Article 8 ECHR. As to the lawfulness of the interference, the Court found that both the interception itself and its re-usage in the ensuing disciplinary proceedings had a legal basis in domestic law. The application of the law was foreseeable to the applicant, who, based on his profession, was aware of the ethical and civil service regulations. The measure also pursued a legitimate purpose, namely the prevention of disorder and crime and \u2018inasmuch as it concerned the matter of the applicant being suitable for service in the police, the rights of others.\u2019 As to necessity and proportionality, the Court found that the measure was necessary, because of \u2018the constitutional duty to properly investigate possible official misconduct and find the relevant officials liable where there is a basis to do so.\u2019 As to proportionality, the Court noted that the whole procedure offered the applicant adequate procedural safeguards against abuse and that, although the criminal proceedings against the applicant had been discontinued and the related materials destroyed for data protection reasons, the domestic authorities were right in initiating the disciplinary proceedings, since the conduct of the applicant had discredited the name of an officer and eroded the trust in the police.<a style=\"text-decoration: underline;\" href=\"https:\/\/hudoc.echr.coe.int\/eng#{%22itemid%22:[%22001-216454%22]}\" target=\"_blank\" rel=\"noopener\"> Based on all of the above, the Court found that the contested interference with the applicant\u2019s private life did not violate Article 8 
ECHR.<\/a><\/span><\/p>\n<\/div>\n<p>&nbsp;<\/p>\n<div class=\"txtTinyMce-wrapper\" style=\"font-size: 12px; line-height: 18px; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif;\">\n<p style=\"font-size: 14px; text-align: justify; line-height: 21px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\"><em><a style=\"text-decoration: none;\" href=\"https:\/\/hudoc.echr.coe.int\/eng-press#{%22fulltext%22:[%2249341\/18%22]}\" target=\"_blank\" rel=\"noopener\"><strong>&#8211; ECtHR Rules on Uploading Prisoner Correspondence onto Network &#8211;<\/strong><\/a><\/em><\/span><\/p>\n<p style=\"font-size: 14px; text-align: justify; line-height: 21px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\"><a style=\"text-decoration: underline;\" href=\"https:\/\/hudoc.echr.coe.int\/eng-press#{%22fulltext%22:[%2249341\/18%22]}\" target=\"_blank\" rel=\"noopener\">On 29th March, the ECtHR delivered its ruling in the case of <em>Nuh Uzun and Others v. Turkey<\/em>.<\/a> The case concerns prisoners \u2018detained in various Turkish prisons in connection with alleged membership of a terrorist organisation, following the attempted military coup of 15 July 2016\u2019. The prisoners complained to judicial authorities about the \u2018practice of monitoring and\/or systematically uploading their correspondence \u2013 both incoming and outgoing \u2013 onto the National Judicial Network Server (Ulusal Yarg\u0131 A\u011f\u0131 Bili\u015fim Sistemi \u2013 \u201cUYAP\u201d)\u2019. These authorities, and subsequently the Constitutional Court, dismissed the claims. Accordingly, the applicants lodged appeals with the ECtHR on the basis of Article 8 \u2013 and in some cases also on the basis of Article 6 \u2013 of the ECHR. In relation to Article 8, the Court found a violation of the applicants\u2019 rights. 
In this regard, the Court recognised that the uploading of correspondence constituted an interference with Article 8 and recognised further that: \u2018Where personal data in particular were concerned it was essential to have clear, detailed rules governing the scope and application of such measures, together with minimum safeguards aimed at preserving the integrity and confidentiality of data and procedures for their destruction, in order to provide the persons concerned with sufficient guarantees\u2019. However, none of the applicable legal provisions \u2018contained any reference to the scanning or uploading of prisoners\u2019 correspondence onto the UYAP server\u2019. Rather, the justification for the activity \u2018stemmed directly and specifically from an instruction issued by the Ministry of Justice\u2019. \u2018In the Court\u2019s view, the documents\u2026had\u2026been internal unpublished documents containing instructions from the Ministry of Justice to prisons. As a matter of principle, they did not have binding force. Thus, texts of this kind, which were not issued under any rule-making powers, could not be regarded as \u201claw\u201d of sufficient \u201cquality\u201d for the purposes of the Court\u2019s case-law, capable of affording adequate legal protection and the legal certainty necessary to prevent arbitrary interference by public authorities with the rights guaranteed by the Convention. Hence, the interference complained of could not be said to have been \u201cin accordance with the law\u201d within the meaning of Article 8 of the Convention\u2019. <em>The judgment is available only in French, a language the authors do not speak fluently. Accordingly, this report has been generated on the basis of the press release. We would advise anyone interested in the topic to read the full case. 
<\/em><\/span><\/p>\n<\/div>\n<p>&nbsp;<\/p>\n<div class=\"txtTinyMce-wrapper\" style=\"font-size: 12px; line-height: 18px; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif;\">\n<p style=\"text-align: justify; font-size: 14px; line-height: 21px; word-break: break-word;\"><em><span style=\"font-size: 14px; line-height: 21px;\"><strong>&#8211; AG Pikam\u00e4e Delivers Opinion on the Purpose Limitation and Storage Limitation Principles &#8211;<\/strong><\/span><\/em><\/p>\n<p style=\"text-align: justify; font-size: 14px; line-height: 21px; word-break: break-word;\">\n<p style=\"text-align: justify; font-size: 14px; line-height: 21px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\">On 31st March, AG Pikam\u00e4e issued his Opinion on the purpose limitation and limited storage principles in <em>Digi T\u00e1vk\u00f6zl\u00e9si \u00e9s Szolg\u00e1ltat\u00f3 Kft. v. Nemzeti Adatv\u00e9delmi \u00e9s Inform\u00e1ci\u00f3szabads\u00e1g Hat\u00f3s\u00e1g<\/em>. As to the facts of the case, Digi is a provider of internet and TV services. Following a technical problem, in April 2018 Digi created a separate database containing about one third of the customer data it possesses for testing purposes. In September 2019, an ethical hacker hacked this test database and informed Digi of the hacking. Digi promptly notified the Hungarian DPA of the breach, which fined Digi for having violated the purpose limitation and storage limitation principles in Articles 5(1)(b) and (e) GDPR. Digi challenged the decision in front of a Hungarian court, which then sought guidance on the two principles from the CJEU. As to the purpose limitation principle, the AG observed that the purpose of creating the separate database for testing purposes could be seen as a different purpose from concluding a contract with the users and providing the agreed TV and\/or internet services. 
However, he considered that the new purpose could be interpreted to be compatible with the original purpose, because the concerned data subjects could legitimately expect that the controller, <em>in casu<\/em> the service provider, might process their personal data in order to be able to provide the contracted services \u2013 e.g. by solving technical problems. As concerns the storage limitation principle, AG Pikam\u00e4e argued that the storage of the data on the separate test database was not justified after the technical problem was solved. It remains to be seen whether the Court will follow the AG\u2019s interpretation. We note that the analysis of the purpose limitation principle in particular raises questions about how to draw the line between a new purpose which is compatible with the original purpose, and a purpose which is not.<\/span><\/p>\n<\/div>\n<p>&nbsp;<\/p>\n<div class=\"txtTinyMce-wrapper\" style=\"font-size: 12px; line-height: 18px; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif;\">\n<p style=\"font-size: 14px; text-align: justify; line-height: 21px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\"><strong><em>&#8211; AG Pitruzzella Delivers Opinion on De-Referencing &#8211;<\/em><\/strong><\/span><\/p>\n<p style=\"font-size: 14px; text-align: justify; line-height: 21px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\">On 7th April, AG Pitruzzella delivered their Opinion on de-referencing in <em>TU, RE v Google LLC<\/em>. In essence, the case concerned the publication of articles and images of TU and RE in connection with \u2018critical opinions\u2026as to the reliability of the investment model of several\u2026companies\u2019. 
\u2018[Certain relevant] articles\u2026were displayed in the list of search results produced when the applicants\u2019 first names and surnames were entered in the search engine operated by Google, both on their own and in conjunction with particular company names, and [one] article\u2026was displayed when particular company names were entered\u2026Google also displayed the photographs of the applicants contained in [one] article\u2026as thumbnails in the overview of results of its image search.\u2019 \u2018The applicants requested the defendant, on the one hand, to de-reference the articles in question, which, in their view, contain[ed] a number of incorrect allegations and defamatory opinions based on false statements, and, on the other, to remove the thumbnails from the list of search results.\u2019 In this regard, the Bundesgerichtshof referred two questions to the CJEU.<\/span><\/p>\n<p style=\"font-size: 14px; text-align: justify; line-height: 21px; word-break: break-word;\">\n<p style=\"font-size: 14px; text-align: justify; line-height: 21px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\">\u2018(1) Is it compatible with the data subject\u2019s right to respect for private life\u2026and to protection of personal data\u2026if, within the context of the weighing-up of conflicting rights and interests\u2026within the scope of the examination of his or her request for de-referencing brought against the data controller of an internet search engine\u2026the national court\u2026concentrates conclusively on the issue of whether the data subject could reasonably seek legal protection against the content provider\u2026and thus at least provisional clarification on the question of the truth of the content displayed by the search engine data controller could be provided?<\/span><\/p>\n<p style=\"font-size: 14px; text-align: justify; line-height: 21px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\">(2) In the 
case of a request for de-referencing made against the data controller of an internet search engine, which in a name search searches for photos of natural persons which third parties have introduced into the internet in connection with the person\u2019s name, and which displays the photos which it has found in its list of search results as preview images (thumbnails), within the context of the weighing-up of the conflicting rights and interests\u2026should the context of the original third-party publication be conclusively taken into account, even if the third-party website is linked by the search engine when the preview image is displayed but is not specifically named, and the resulting context is not shown with it by the internet search engine?\u2019<\/span><\/p>\n<p style=\"font-size: 14px; text-align: justify; line-height: 21px; word-break: break-word;\">\n<p style=\"font-size: 14px; text-align: justify; line-height: 21px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\">In relation to the first question, the AG concluded that \u2018it is not possible to concentrate conclusively on the issue of whether the data subject could reasonably seek legal protection against the content provider\u2026. In the context of such a request, it is incumbent on the data subject to provide prima facie evidence of the false nature of the content\u2026It is for the operator of the search engine to carry out the checks which fall within its specific capacities, contacting, where possible, the publisher of the referenced web page. 
Where the circumstances of the case so indicate in order to avoid irreparable harm to the data subject, the operator of the search engine will be able temporarily to suspend referencing, or to indicate, in the search results, that the truth of some of the information in the content to which the link in question relates is contested.\u2019 In relation to the second question, the AG concluded that \u2018Article 17(3)(a) [GDPR]\u2026should be interpreted as meaning that, within the context of the weighing-up of conflicting rights and interests arising from\u2026the Charter\u2026, in connection with a request for de-referencing made to the operator of a search engine seeking to obtain the removal, from the results of an image search carried out on the basis of a natural person\u2019s name, of photographs displayed in the form of thumbnails depicting that person, account should not be taken of the context of the publication on the internet in which those thumbnails originally appear.\u2019 This is an interesting Opinion, worth reading not only for its conclusions, but also for certain distinctions it makes in relation to online processing by search engines, concerning, for example, types of personal data \u2013 for example the special status of pictures \u2013 and concerning different types of internet searches \u2013 for example differentiating image searches from other forms of search. 
We would highlight, however, that there is no guarantee that the Court will follow the AG\u2019s Opinion or will rely on the distinctions made.<\/span><\/p>\n<\/div>\n<p>&nbsp;<\/p>\n<div class=\"txtTinyMce-wrapper\" style=\"font-size: 12px; line-height: 18px; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif;\">\n<p style=\"text-align: justify; font-size: 14px; line-height: 21px; word-break: break-word;\"><a style=\"text-decoration: none;\" href=\"https:\/\/ec.europa.eu\/commission\/presscorner\/detail\/en\/inf_22_1769\" target=\"_blank\" rel=\"noopener\"><em><span style=\"font-size: 14px; line-height: 21px;\"><strong>&#8211; Commission Calls for \u2018Correct Transposition\u2019 of GDPR and LED &#8211;<\/strong><\/span><\/em><\/a><\/p>\n<p style=\"text-align: justify; font-size: 14px; line-height: 21px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\"><strong>\u00a0<\/strong><\/span><\/p>\n<p style=\"text-align: justify; font-size: 14px; line-height: 21px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\"><a style=\"text-decoration: underline;\" href=\"https:\/\/ec.europa.eu\/commission\/presscorner\/detail\/en\/inf_22_1769\" target=\"_blank\" rel=\"noopener\">On 6th April, the Commission announced it had \u2018decided to send letters of formal notice to Germany\u2026Greece\u2026Finland\u2026and Sweden\u2026for failing to fulfil their notification obligations under the General Data Protection Regulation (GDPR) (Regulation (EU) 2016\/679) and the Data Protection Law Enforcement Directive (Directive (EU) 2016\/680)\u2019<\/a>. More specifically, the Commission observed: \u2018Germany has not yet notified measures transposing the Directive in relation to the activities of the Federal Police. Greece has failed to correctly transpose provisions relating, among others, to the scope of application of the Law Enforcement Directive and the time limits for the storage of data. 
Finland and Sweden have failed to fulfil their obligations as regards the right to effective judicial remedy for data subjects in certain cases.\u2019 The Member States now have two months to react and to \u2018take the necessary measures to remedy the breach of EU law identified by the Commission\u2019. If Member States do not react accordingly, the Commission may then take matters forward and proceed with the next step in the infringement procedure: the issue of a reasoned Opinion.<\/span><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>&#8211; The CJEU Confirms Its Stance on the Retention of Traffic and Location Data &#8211; [&hellip;]<\/p>\n","protected":false},"author":144,"featured_media":0,"menu_order":0,"comment_status":"open","ping_status":"closed","template":"","dpi-category":[],"dpi-tag":[],"class_list":["post-72331","dpi","type-dpi","status-publish","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72331","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi"}],"about":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/types\/dpi"}],"author":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/users\/144"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/comments?post=72331"}],"version-history":[{"count":0,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72331\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/media?parent=72331"}],"wp:term":[{"taxonomy":"dpi-category","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-category?post=72331"},{"taxonomy":"dpi-tag","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-tag?post=72331"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}