{"id":72354,"date":"2022-07-07T22:57:48","date_gmt":"2022-07-07T20:57:48","guid":{"rendered":"https:\/\/www.lexxion.eu\/dpi\/data-protection-insider-issue-72\/"},"modified":"2022-07-07T22:57:48","modified_gmt":"2022-07-07T20:57:48","slug":"data-protection-insider-issue-72","status":"publish","type":"dpi","link":"https:\/\/www.lexxion.eu\/en\/dpi\/data-protection-insider-issue-72\/","title":{"rendered":"Data Protection Insider, Issue 72"},"content":{"rendered":"
\n

– PNR in Europe: Guidance and Caution by the CJEU –<\/a><\/strong><\/em><\/p>\n

\n

On 21st June, the CJEU rendered its judgment on the PNR scheme in the EU, based on a challenge brought by the Ligue des droits humains against the Belgian implementing PNR and API law. <\/a>The present post focuses on the PNR provisions. First, the Court clarified the scope of application of the general data protection instruments in relation to PNR data processing: the LED applies to the personal data processing carried out by the Passenger Information Units (PIUs) and by the law enforcement authorities which obtain access to the PNR data. The private carriers collecting the passenger data and other authorities, e.g. immigration authorities, are subject to the GDPR. Second, the CJEU examined a series of questions concerning the fundamental rights compliance of the different data processing provisions in the framework of PNR data. For example, in relation to the usage of AI, in particular machine learning technologies, for the automated analysis of the PNR data, the Court warned that such technologies are \u2018capable of modifying without human intervention or review the assessment process and, in particular, the assessment criteria on which the result of the application of that process is based as well as the weighting of those criteria\u2019 and might hamper individual review, because \u2018it might be impossible to understand the reason why a given program arrived at a positive match\u2019. Third, the Court recalled that PNR data may be processed only for the purposes listed in the PNR Directive and not for other purposes, e.g. security and intelligence. Fourth, the Court clarified that if data are to be disclosed to the law enforcement authorities after the initial period of six months, then the disclosure must be approved by an independent competent authority which is different from the PIU. Fifth, as concerns the data retention period, the Court ruled that the five-year retention of data about persons in relation to whom there is no evidence that they pose any risk, is in breach of Articles 7, 8 and 52 (1) CFREU. Sixth, according to the Court, PNR schemes which apply indiscriminately to all intra-EU flights and which allow the processing of data for border control and immigration purposes are incompatible with EU law. Finally, the Court ruled that domestic courts may not limit \u2018the temporal effects of a declaration of illegality which it is bound to make under national law\u2019 as concerns national law which is incompatible with the PNR Directive and primary EU law. We note that the criticism expressed by the CJEU does not amount to an invalidation of PNR-like schemes as such, which does not come as a surprise after the Court\u2019s Opinion in the framework of the EU-Canada PNR scheme. We also note that the reasoning and conclusions concerning the analysed PNR provisions, especially as concerns their compatibility with fundamental rights, provide general guidelines on the use of AI technologies in the law enforcement field.<\/span><\/p>\n<\/div>\n

 <\/p>\n

 <\/p>\n

\n

– CJEU Considers Termination of DPO –<\/a><\/span><\/strong><\/em><\/p>\n

\n

On 22nd June, the CJEU ruled in the case of Leistritz AG v LH<\/em>.<\/a> The case concerned a DPO, whose employment with a company was terminated without notice as the company had chosen to outsource the position. The DPO appealed to national courts and claimed that such a termination was not permissible by virtue of paragraphs 38(2) and 6(4) of the BDSG \u2013 German data protection law \u2013 under which limits to termination possibilities are outlined. \u2018In those circumstances, the Bundesarbeitsgericht (Federal Labour Court, Germany) decided to stay the proceedings and to refer the following questions to the Court of Justice\u2026\u2018(1) Is the second sentence of Article 38(3) of [the GDPR] to be interpreted as precluding a provision in national law, such as Paragraph 38(1) and (2) in conjunction with the second sentence of Paragraph 6(4) of the [BDSG], which declares ordinary termination of the employment contract of the data protection officer by the data controller, who is his or her employer, to be impermissible, irrespective of whether his or her contract is terminated for performing his or her tasks? If the first question is answered in the affirmative: (2) Does the second sentence of Article 38(3) of the GDPR also preclude such a provision in national law if the designation of the data protection officer is not mandatory in accordance with Article 37(1) of the GDPR, but is mandatory only in accordance with the law of the Member State? If the first question is answered in the affirmative: (3) Is the second sentence of Article 38(3) of the GDPR based on a sufficient enabling clause, in particular in so far as this covers data protection officers that are party to an employment contract with the data controller?\u2019 The CJEU considered only the first question, and concluded in this regard: \u2018the second sentence of Article 38(3) of the GDPR must be interpreted as not precluding national legislation which provides that a controller or a processor may terminate the employment contract of a data protection officer, who is a member of his or her staff, only with just cause, even if the contractual termination is not related to the performance of that officer\u2019s tasks, in so far as such legislation does not undermine the achievement of the objectives of the GDPR.\u2019<\/span><\/p>\n

 <\/p>\n

 <\/p>\n

\n

\n

– AG Delivers Opinion on Law Enforcement and Data Collection –<\/a><\/span><\/strong><\/em><\/p>\n

\n

On June 30th, AG Pitruzzella delivered their Opinion in the case of Ministerstvo na vatreshnite raboti<\/em><\/a>. The case concerned an individual, who had been indicted in relation to a number of crimes. The indicted individual was then asked to provide a series of types of personal data \u2013 including \u2018recording[s] of\u2026fingerprints, [a] photograph\u2026and a sample to establish\u2026[a] DNA profile\u2019. The individual refused. A request was then made to the national courts to authorize the forced recording of the data in question. The relevant national court \u2013 \u2018the Spetsializiran nakazatelen sad (specialized criminal court)\u2019 \u2013 however, encountered a series of questions concerning the relevant national legislation. Whilst four questions were referred, the AG, following the request of the Court, focused on questions 3 and 4. These read: \u20183) Is it consistent with Article 6(a) of Directive 2016\/680 [concerning differentiation between the personal data of different categories of data subjects, in particular differentiation concerning \u2018persons with regard to whom there are serious grounds for believing that they have committed or are about to commit a criminal offence\u2019] taken in conjunction with Article 48 of the [Charter] that a national law, namely Article 68(4) of the ZMVR provides that, if the person under investigation for an intentional offense prosecuted ex officio refuses to voluntarily cooperate in the recording of personal data (\u2026photographs, dactyloscopy [data] and samples to establish a DNA profile), the court is obliged to order a forced collection of these personal data\u2026[although it] does not have the power to assess whether there are serious grounds for considering that the person has committed the offense? 4) Is it consistent with Article 10, Article 4(1)(a) and (c), and Article 8(1) and (2) of Directive 2016\/680 that a national law, namely Article 68, paragraphs 1 to 3, of the ZMVR, establishes as a general rule, [collection of] photographs, dactyloscopy [data] and swabs for the purpose of establishing a DNA profile of all persons charged with an intentional offense prosecuted ex officio?\u2019<\/span><\/p>\n

\n