Data Privacy, Independence of National Supervisory Authorities and Scrutiny: Case C-518/07

We need to catch up on some juicy judgments!

A while back, the Court of Justice declared in Case C-518/07 Commission v. Germany that Germany had breached Article 28 §1 of Directive 95/46/EC on data protection because the authorities it had established to monitor the processing of personal data were subject to state scrutiny and thus were not completely independent as required by that provision.

The judgment is a bit of a surprise.

Article 28 of Directive 95/46, entitled ‘Supervisory authority’, provides:

‘(1) Each Member State shall provide that one or more public authorities are responsible for monitoring the application within its territory of the provisions adopted by the Member States pursuant to this Directive.
These authorities shall act with complete independence in exercising the functions entrusted to them.

While German law makes a distinction depending on whether or not data processing is carried out by public bodies, it provides that all the authorities responsible for monitoring the application of the Directive are subject to some kind of scrutiny or other by Federal or State bodies.

The Commission considered that subjecting those authorities to State scrutiny was contrary to Article 28 §1 of the Directive. It considered that the requirement that the supervisory authorities exercise their functions ‘with complete independence’ must be interpreted as meaning that a supervising authority must be free from any influence, whether that influence is exercised by other authorities or outside the administration. Germany on the other hand disagreed with the Commission and considered that Article 28 §1 of Directive 95/46 requires the supervisory authorities to have functional independence only: Those authorities must be independent of bodies outside the public sector which are under their supervision and that they must not be exposed to external influences.

The Court held in favor of the Commission.

It held that contrary to what Germany submitted, there is nothing to indicate that the requirement of independence concerns exclusively the relationship between the supervisory authorities and the bodies subject to that supervision. On the contrary, it found that the concept of ‘independence’ is complemented by the adjective ‘complete’, which implies a decision-making power independent of any direct or indirect external influence on the supervisory authority.

The Court also held that the supervisory authorities provided for in Article 28 of Directive 95/46 are the guardians of the fundamental rights and freedoms in respect of data privacy. In order to guarantee that protection, the supervisory authorities must ensure a fair balance between, on the one hand, observance of the fundamental right to private life and, on the other hand, the interests requiring free movement of personal data. The guarantee of the independence of national supervisory authorities is intended to ensure the effectiveness and reliability of the supervision of compliance with the provisions on protection of individuals with regard to the processing of personal data. It was established not to grant a special status to those authorities themselves as well as their agents, but in order to strengthen the protection of individuals and bodies affected by their decisions. It follows that, when carrying out their duties, the supervisory authorities must act objectively and impartially. For that purpose, they must remain free from any external influence, including the direct or indirect influence of the State or the Länder, and not of the influence only of the supervised bodies.

European Criminal Law and Coöperation : Recent Significant Measures

Have we mentioned this before ? The big growth area of EU law is criminal law.

Recently, the Council has adopted a number of significant measures in the field of criminal law. Here's a brief overview of them so that you get a taste of what is happening in that area.

The Council adopted its Framework Decision 2008/841/JHA of October 24th 2008 on the fight against organized crime to set out a common definition of what is organized crime. It also requires that member States punish organized crime.

It also adopted a Framework Decision - Council Framework Decision 2008/913/JHA of November 28th 2008 - on combating certain forms and expressions of racism and xenophobia by means of criminal law. It renders criminal intentional public acts designed to incite violence or hatred, or trivializing genocide and similar atrocities. Such acts will be punishable in all member States by a term of imprisonment of no more than 1 to 3 years.

Framework Decision 2002/475/JHA on combating terrorism has been modified by Council Framework Decision 2008/919/JHA of November 28th 2008. The consequence is the introduction of three new offences in EU legislation:
– public provocation to commit a terrorist offence;
– recruitment for terrorism; and
– training for terrorism.

At long last, Council Framework Decision 2008/977/JHA of November 27th 2008 on the protection of personal data processed in the framework of police and judicial coöperation in criminal matters has been adopted. This framework decision lays down rules on the exchange of personal data to enhance mutual trust between the competent authorities. The information exchanged will be protected to prevent obstruction to Member States' cooperation, while respecting the fundamental rights of individuals, in particular their right to privacy and to the protection of their personal data. The Framework Decision sets common standards on the confidentiality and security of the processing, on liability and on the obligation to lay down penalties for unlawful use. It defines the right of access to data, the right to rectification, erasure or blocking, the right to compensation and the right to seek judicial remedies. It allows member States to provide stricter safeguards for protecting personal data than those established in the framework decision.

Council Framework Decision 2008/978/JHA of December 18th 2008 on the European evidence warrant for the purpose of obtaining objects, documents and data for use in proceedings in criminal matters sets up a system by which member States can secure the transmission of existing evidence (objects, documents, data) from another member State within a short time frame.

Two important pieces of legislation have been adopted on mutual recognition.

The first is Council Framework Decision 2008/909/JHA of November 27th 2008 on the application of the principle of mutual recognition to judgments in criminal matters imposing custodial sentences or measures involving deprivation of liberty for the purpose of their enforcement in the European Union. This measure will enable sentenced persons to be transferred to another member State for enforcement of their sentences, partly with a view to their social rehabilitation.

The second is Council Framework Decision 2008/947/JHA of November 27th 2008 on the application of the principle of mutual recognition to judgments and probation decisions with a view to the supervision of probation measures and alternative sanctions. The purpose of this measure is to facilitate the social rehabilitation of sentenced persons, and to encourage the application of suitable probation measures and alternative sanctions in the case of offenders who do not live in the State of conviction. The Decision sets rules under which a member State, other than the member State in which the person concerned has been sentenced, recognizes judgments and, where applicable, probation decisions and other alternative sanctions and supervises same, taking any necessary relevant decisions.

That's enough crime for now, folks.

Privacy and Freedom of the Press: Case C-73/07

The Court of Justice has handed down a stack of interesting judgments lately. We can't write them all up today so be patient.

Here's one which deals with a conflict between data protection (privacy) and the freedom of the press. The judgment in Case C-73/07 Tietosujvaltuutettu v Satakunnan Markkinopörssi Oy and Others held that the publication of data from documents already in the public domain may be characterized as "journaisltic activities" if its object is the disclosure to the public of information, opinions or ideas and thus not protected from disclosure by Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

The story goes like this. The Finnish company, Markkinapörssi, collected public data from the Finnish tax authorities so as to publish it in the Veropörrsi newspaper each year. The information collected comprises the surname and given name of roughly 1.2 million persons whose income exceeds certain thresholds as well as the amount, to the nearest €100, of their income and details of the wealth tax levied on them. Markkinopörssi and Satamedia, an associated company to which the data at issue were transferred in the form of CD-ROM discs, signed an agreement with a mobile phone company which put in place, on Satamedia’s behalf, a text-messaging service allowing mobile phone users to receive information published in the Veropörrsi newspaper on their telephone for a charge of approximately €2. On request, the personal data are removed from that service.

People complained about that and alleged an infringement of their right to privacy. The Data Protection Ombudsman applied for an order prohibiting Markkinapörssi and Satamedia from carrying on the personal data processing activities at issue. They challenged that order before the Finnish courts and the Supreme Administrative Court referred a number of questions to the Court of Justice on the interpretation of Directive 95/46/EC and to ask in particular whether the operations involved are data processing undertaken solely for journalistic purposes and thus subject to exceptions and limitations relating to data protection.

The Court of Justice held, first, that the data involved, comprising the surname and given name of certain natural persons whose income exceeds certain thresholds as well as the amount, to the nearest €100, of their earned and unearned income, constitute personal data within the meaning of Article 2(a) of Directive 95/46/EC, since they constitute ‘information relating to an identified or identifiable natural person’ (see also Joined Cases C‑465/00, C‑138/01 and C‑139/01 Österreichischer Rundfunk and Others, paragraph 64).

The Court then held that the publication of such data in the circumstances of this case could be considered to be "solely for journalistic purposes" within the meaning of Article 9 of Directive 95/46/EC. The Court recalled that the provisions of a directive must be interpreted in the light of the aims pursued by the directive and the system it establishes (see, Case C-265/07 Caffaro, paragraph 14).

The Court then stated that while Directive 95/46/EC had the objective of protecting the fundamental right to privacy, that objective cannot be pursued without having regard to the fact that those fundamental rights must, to some degree, be reconciled with the fundamental right to freedom of expression. Recital 37 in the preamble to the directive makes clear that the object of Article 9 is to reconcile those two fundamental rights: the protection of privacy and freedom of expression. It is the member States which are required to reconcile the two. To do so, the Member States are required to provide for a number of derogations or limitations in relation to the protection of data and, therefore, in relation to the fundamental right to privacy, specified in Chapters II, IV and VI of the directive. Those derogations must be made solely for journalistic purposes or the purpose of artistic or literary expression, which fall within the scope of the fundamental right to freedom of expression, in so far as it is apparent that they are necessary in order to reconcile the right to privacy with the rules governing freedom of expression.

The Court continued that in order to take account of the importance of the right to freedom of expression in every democratic society, it is necessary, first, to interpret notions relating to that freedom, such as journalism, broadly. Secondly, and in order to achieve a balance between the two fundamental rights, the protection of the fundamental right to privacy requires that the derogations and limitations in relation to the protection of data provided for in the chapters of the directive referred to above must apply only in so far as is strictly necessary.

It held that activities such as those involved in the main proceedings, relating to data from documents which are in the public domain under national legislation, may be classified as ‘journalistic activities’ if their object is the disclosure to the public of information, opinions or ideas, irrespective of the medium which is used to transmit them. They are not limited to media undertakings and may be undertaken for profit-making purposes.

Constitutional Patriotism and the Right to Privacy: New Article by Professor Bignami

Professor Francesca Bignami, now of Gearge Washington University Law School, has published another terrific article on privacy in Europe.

The title of the article is "The Case for Tolerant Constitutional Patriotism: The Right to Privacy Before the European Courts" and it will be published in the Cornell International Law Journal. You can download it here.

This is what the abstract states:

"The theory of constitutional patriotism has been advanced as a solution to the European Union's legitimacy woes. Europeans, according to this theory, should recognize themselves as members of a single human community and thus acknowledge the legitimacy of Europe-wide governance based on their shared belief in a common set of liberal democratic values. Yet in its search for unity, constitutional patriotism, like nationalism and other founding myths, carries the potential for the exclusion of others. This article explores the illiberal tendencies of one element of the liberal canon-the right to privacy-in the case law of Europe's constitutional courts. It argues that, in confronting the tension between privacy and freedom of expression, the European Court of Justice has been more successful than the European Court of Human Rights at accommodating diverse national orderings and thus resisting the illiberal dangers of constitutional patriotism."

It is essential reading.

Privacy, Adequacy and Jersey

The Commission has recently published its decision finding that Jersey provides an adequate level of protection for personal data transferred from the EU.

The decision is taken pursuant to Article 25 §6 of Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

As the fifth recital points out, the Bailiwick of Jersey is a British Crown dependency, is neither part of the United Kingdom nor a colony and enjoys full independence except for international relations and defence, which remain the responsibility of the British government. As a consequence, Jersey is a "third country"

The effect of the decision is that personal data can flow from the 25 EU member States and the three EEA member countries (Norway, Liechtenstein and Iceland) to Jersey without any further safeguard being necessary, in particular without requiring notification to national data protection supervisors.

This latest decision follows on from those making similar adequacy findings in respect of data transferred to Argentina, Canada, Switzerland, the USA, Guernsey and the Isle of Man.

Privacy and Search Engines like Google: Opinion of Art. 29 Working Party

The Working Party set up pursuant to Article 29 of Directive 95/46/EC on data protection has issued an interesting opinion on the privacy issues raised by search engines like Google or Yahoo.

You can find the opinion ("WP 148") here.

Part of the executive summary reads as follows:

"In this Opinion the Working Party identifies a clear set of responsibilities under the Data Protection Directive (95/46/EC) for search engine providers as controllers of user data. As providers of content data (i.e. the index of search results), European data protection law also applies to search engines in specific situations, for example if they offer a caching service or specialise in building profiles of individuals. The primary objective throughout the Opinion is to strike a balance between the legitimate business needs of the search engine providers and the protection of the personal data of internet users.

This Opinion addresses the definition of search engines, the kinds of data processed in the provision of search services, the legal framework, purposes/grounds for legitimate processing, the obligation to inform data subjects, and the rights of data subjects.

A key conclusion of this Opinion is that the Data Protection Directive generally applies to the processing of personal data by search engines, even when their headquarters are outside the EEA, and that the onus is on search engines in this position to clarify their role in the EEA and the scope of their responsibilities under the Directive. The Data Retention Directive (2006/24/EC) is clearly highlighted as not applicable to search engine providers."

The conclusion that Directive 95/46/EC applies to the processing of personal data by search engines outside the EU needs looking at more closely and is likely to be controversial.

File Sharing, Kazaa, Intellectual Property Rights and Privacy: Case C-275/06

The Court of Justice has handed down an interesting judgment in Case C-275/06 Promusicae v. Telefónica on the balance to be struck between privacy and the effective protection of intellectual property rights to prevent peer-to-peer musical file transfers.

It goes like this. In the blue corner you have several EC Directives protecting intellectual property rights, like Directive 2000/31/EC on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market, Directive 2001/29/EC on the harmonization of certain aspects of copyright and related rights in the information society, and Directive 2004/48/EC on the enforcement of intellectual property rights. In the red corner you have Directive 2002/58 concerning the processing of personal data and the protection of privacy in the electronic communications sector. And in the middle you have folks using Kazaa on the internet, access to which is provided by an internet service provider like Telefónica in Spain.

Promusicae, a Spanish organization of producers and publishers of musical and audiovisual recordings, applied to the Spanish courts for an order that Telefónica should disclose the identities and physical addresses of people whom it provided with internet access services, and who were allegedly using the KaZaA file exchange program to share musical and audiovisual files. It sought disclosure of that information to be able to bring civil proceedings against the persons concerned.

Under Spanish law the communication of the data sought by Promusicae was permitted only in a criminal investigation or for the purpose of safeguarding public security and national defence. What Promusicae wanted to commence were clearly civil, not criminal proceedings. Thus, the question was referred to the Court of Justice whether EC law requires member States to lay down, in order to ensure effective protection of copyright, an obligation to communicate personal data in the context of civil proceedings.

The Court held that EC law as it currently stands does not require member States to render mandatory the disclosure of the sort of information requested by Promusicae to commence civil proceedings to protect intellectual rights.

As a result, the file sharers can have their data protected in Spain and it won't be disclosed to the likes of Promusicae to commence civil proceedings against them.

The question is therefore whether Spain could change its law to render disclosure of the personal data sought obligatory in the context of commencing civil proceedings.

The Court held that EC law does not preclude the mandatory disclosure of such information. But when member States introduce legislation to render such disclosure mandatory, the Court held that they must, when transposing the directives on intellectual property and the protection of personal data, rely on an interpretation of those directives which allows a fair balance to be struck between the various fundamental rights protected by the EC legal order. Further, when implementing the measures transposing those directives, the authorities and courts of the Member States must not only interpret their national law in a manner consistent with the directives but also make sure that they do not rely on an interpretation of them which would be in conflict with those fundamental rights or with the other general principles of Community law, such as the principle of proportionality (see Case C-101/01 Lindqvist, paragraph 87, and Case C-305/05 Ordre des barreaux francophones et germanophones and Others, paragraph 28 - a case we noted here.

A close reading of the Court's judgment and of the Advocate General's Opinion shows a divergence of view on disclosure of such personal data could ever be made mandatory in the context of civil proceedings.

The Advocate General in paragraphs 84 to 86 of her opinion came to the conclusion that Directive 2002/58 does not allow member States to render mandatory disclosure of personal data in the context of civil proceedings brought to protect the rights of others. She pointed out that Article 15(1) of Directive 2002/58 set out two types of bases for exceptions, namely, on the one hand, in the first four alternatives, national security (that is, State security), defense, public security, and the prevention, investigation, detection and prosecution of criminal offenses and, on the other, in the fifth alternative, unauthorized use of the electronic communication system. In addition, Article 15(1) of Directive 2002/58 refers to Article 13(1) of Directive 95/46, which contains further grounds of exception. The question was what exactly did that reference to Article 13(1) of Directive 95/46 mean. She noted that Article 13(1)(g) of Directive 95/46 allows the communication of personal data for the protection of the rights and freedoms of others. Unlike the grounds of exception in Article 13(1) of Directive 95/46, this ground is not expressly listed in Article 15(1) of Directive 2002/58.
Viewed in isolation, that could be understood as a reference to all the grounds of exception under Article 13(1) of Directive 95/46. However, that is contradicted, she opined, by the fact that Article 15(1) of Directive 2002/58 itself mentions grounds of exception which are intended to allow a restriction ‘in accordance with Article 13(1) of Directive 95/46’. Those grounds correspond only in part to the grounds in Article 13(1) of Directive 95/46 and do not include the exception for the rights of others, mentioned under (g). Consequently, the grounds mentioned in Article 13(1) of Directive 95/46 are applicable in the electronic communications sector only in so far as they are expressly included in Article 15(1) of Directive 2002/58. As the protection of the rights and freedoms of others was clearly omitted from the list in Article 15(1) of Directive 2002/58, the reference to Article 13(1) of Directive 95/46 could not incorporate it indirectly.

The Court of Justice took the opposite view in its judgment. It held in paragraph 53 of its judgment:

"It is clear, however, that Article 15(1) of Directive 2002/58 ends the list of the above exceptions with an express reference to Article 13(1) of Directive 95/46. That provision also authorises the Member States to adopt legislative measures to restrict the obligation of confidentiality of personal data where that restriction is necessary inter alia for the protection of the rights and freedoms of others. As they do not specify the rights and freedoms concerned, those provisions of Article 15(1) of Directive 2002/58 must be interpreted as expressing the Community legislature’s intention not to exclude from their scope the protection of the right to property or situations in which authors seek to obtain that protection in civil proceedings."

Transparency and Privacy: Case T-194/04

There's an obvious tension between transparency and privacy. Now the Court of First Instance has stepped right into the fight and sided categorically with transparency. In its recent judgment in Case T-194/04 The Bavarian Lager Co. Ltd. v. Commission the Court of First Instance renders almost nugatory the protection afforded by Regulation 45/2001 on the protection of individuals with regard to the processing of personal data by the EC institutions.

The story goes like this. The Commission commenced Article 226 EC proceedings against the United Kingdom because of some legislation in force at the time that restricted the import of foreign beer. The Commission, with a view to finding a satisfactory solution to the case, organized a meeting with British government officials and trade representatives. Ultimately, a solution was reached and the case closed. But then, an importer of German beer wanted to know the names of the individuals who attended the meeting. For what purpose you may well ask. The Commission asked the individuals concerned whether they agreed to have their names revealed. Five of those attendees, no doubt fearing retribution or harassment by the importer, refused to have their identity revealed. The Ombudsman got involved and handed down a scathing report denouncing the Commission for not revealing the identity of those who had refused to have their names disclosed, claiming they had no right to privacy. The Article 29 Working Party then handed down a report in response (but the Court of First Instance pays scant attention to that inconvenient truth). The German importer made a request for the minutes of the meeting with the names of attendees included under Regulation 1049/2001 (the public access to documents regulation). The Commission refused to disclose the names invoking data protection and the terms of Regulation 45/2001. The importer then challenged the Commission's refusal before the Court of First Instance.

The Court of First Instance annulled the Commission's refusal. The judgment must be read to be believed.

The Court held that the list of participants in the minutes contained personal data, since the persons who participated at that meeting could be identified there. Notwithstanding the fact that it was personal data, it was not protected by Regulation 45/2001 because the mere fact that a document contains such data does not necessarily mean that the privacy or integrity of the persons concerned is affected, even though professional activities are not in principle excluded from the concept of "private life".

It also held that the privacy and integrity of a person is not compromised even if personal data relating to that person is revealed. As a consequence, any objection by such a person to disclosure of the personal data cannot prevent disclosure under Regulation 1049/2001.

What was quite extraordinary was the way in which the European Data Protection Supervisor intervened to plead that the very regulation that established his office did not apply, referring to his "paper" on public access to documents and data protection.

Damages for Breach of Data Protection Regulation by OLAF: T-259/03

The Commission's anti-fraud office, OLAF, has a reputation for carrying out investigations in a manner unworthy of a public authority in a modern, liberal, democratic society. For an example of its modus operandi, see our post here.

In a discreet judgment, the Court of First Instance has found the Commission liable in damages for egregious breaches of the Regulation 45/2001 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data. In its judgment in Case T-259/03 Kalliopi Nikolaou v. Commission, the Court of First Instance ordered the Commission to pay €3 000 (US$4,165.65) in compensation because OLAF leaked information about its investigation and published derogatory statements about Ms. Nikolaou which, although they did not name her expressly, were such that she could be identified personally.

Ms. Nikolaou had originally claimed €900 000 (US$ 1,249,559) in damages. The Court of First Instance finally awarded a very low amount because it found that the other instances of illegal conduct by OLAF had not actually caused the loss and damage claimed.

This is the first judgment awarding damages for a breach of Regulation 45/2001. It is a shame that it is only available in Greek and French in summary form. The Court published a press release in French which gives much more information than the judgment.

New EU/USA PNR agreement published

The new agreement between the USA and the EU about the transfer of Passenger Name Record data by air carriers to the US Department of Homeland Security has been published.

You can find the agreement itself here. Council Decision 2007/551/CFSP/JHA on the signing of the agreement is available here.

This new agreement - that applies provisionally from the date of signing (July 26th 2007) - replaces the agreement concluded on October 19th 2006 which expired on July 31st 2007 at the latest. (See also Council Decision 2006/729/CFSP/JHA). It is intended to be a long-term arrangement between the two parties that should set this matter to rest.

For previous posts on the matter, see here, here, here and here (there may have been others too, but that is enough for now).