GDPR Articles With Commentary & EU Case Laws, Adv. Prashant Mali [books to read as a couple .txt] 📗
- Author: Adv. Prashant Mali
Book online «GDPR Articles With Commentary & EU Case Laws, Adv. Prashant Mali [books to read as a couple .txt] 📗». Author Adv. Prashant Mali
Appropriate legal basis: The Court rejected Ireland's argument that the sole or principal objective of the Directive is investigation, detection and prosecution of crime. Article 95(1) provides that the Council is to adopt measures for approximation of provisions laid down by law, regulation or administrative action in the Member States, which have the objective of establishment and functioning of the internal market. It may be used where disparities exist (or are likely to exist in the future) between national rules, which obstruct fundamental freedoms or create distortions of competition and thus have a direct effect on the functioning of the internal market. The premise of the Directive was to harmonize disparities between national provisions governing retention of data by service providers, particularly regarding the nature of data retained and periods of data retention. It was apparent that differences were liable to have a direct impact on the functioning of the internal market, which would become more serious with the passage of time.
Article 47 of the EU Treaty provides that none of the provisions of the EC Treaty may be affected by a provision of the EU Treaty, in order to safeguard the building of the acquis communautaire. Insofar as Directive 2006/24 comes within the scope of
Community powers, it could not be based on a provision of the EU Treaty without infringing Article 47. Directive 2006/24 provisions are limited to activities of service providers and do not govern access to data or use thereof by police or judicial authorities of the Member States. They are designed to harmonize national laws on the obligation to retain data, the categories of data to be retained, the periods of retention of data, data protection and data security, and the conditions for data storage. They do not involve intervention by police or law enforcement authorities of Member States, nor access, use or exchange by them. Thus Directive 2006/24 relates predominantly to the functioning of the internal market.
1.7. C-524/06, HUBER V. GERMANY, 16.12.2008 (“HUBER”)
Reference for a preliminary ruling by the Oberverwaltungsgericht für das Land Nordrhein-Westfalen (Germany). Huber, an Austrian national resident in Germany, requested the deletion of personal data relating to him (name, date and place of birth, nationality, marital status, sex, entries and exits from Germany, residence status, particulars of passports, statements as to domicile, reference numbers) in the German Central Register of Foreign Nationals (AZR). The Bundesamt assists public authorities responsible for the application of the law related to foreign nationals and asylum. The AZR is used for statistical purposes and by security and police services and judicial authorities for the prosecution and investigation of criminal activities. Germany rejected Huber’s request.
Question referred: Whether the processing of personal data of an Austrian national in the AZR is compatible with the requirement of necessity under Article 7(e) of Directive 95/46.
Scope of Directive 95/46: Article 3(2) excludes from the scope of Directive 95/46 the processing of personal data concerning public security, defense, and criminal law activities. Thus, in this case, only processing for a purpose relating to the right of residence and for statistical purposes falls within the scope of Directive 95/46.
Necessity: In light of the fact that Directive 95/46 is intended to ensure an equivalent level of data protection in all Member States, to ensure a high level of protection in the EU, the concept of necessity in Article 7(e) cannot have a meaning which varies among Member States. Thus, it is a concept which has its own independent meaning in EU law, and must be interpreted in a manner which fully reflects the objective of Directive 95/46.)
Under EU law, the right of free movement of a Member State national is not unconditional, but may be subject to limitations and conditions imposed by the Treaty and implementing rules. Legislation provides that a Member State may require certain documents to be provided to determine the conditions of entitlement to the right of residence. Thus, it is necessary for a Member State to have relevant particulars and documents available to it in order to ascertain whether a right of residence in its territory exists. Use of a register to support authorities responsible for application of the legislation on the right of residence is, in principle, legitimate.
However, the register must not contain any information other than what is necessary for that purpose, and must be kept up to date. Only anonymous information is required for statistical purposes. Access must be restricted to the responsible authorities. The central register could be necessary if it contributes to a more effective application of that legislation. The national court should decide whether these conditions are satisfied.
C-73/07, TIETOSUOJAVALTUUTETTU [FINNISH DATA PROTECTION OMBUDSMAN] V. SATAKUNNAN MARKKINAPORSSI OY AND SATAMEDIA OY, 16.12.2008 (“TIETOSUOJAVALTUUTETTU”)
Reference for preliminary ruling by the Korkein hallinto-oikeus (administrative court, Helsinki). Defendant 1: (a) collected public personal data (the name of persons whose income exceeded a threshold, the amount of earned and unearned income, and the wealth tax levied) from Finnish tax authorities and (b) published extracts in a regional newspaper each year. The newspaper stated that personal data can be removed on request without charge. Defendant 1 also: (c) transferred the data on CD ROM to Defendant 2 (owned by the same shareholders) which (d) disseminated them by text messaging system.
Questions referred: (1) |Whether collection, publication, transfer of a CD ROM and text messages constitutes processing of personal data; (2) Whether it is processing for solely journalistic purposes within the meaning of Article 9 of Directive 95/46; (3) Whether Article 17 and principles of Directive 95/46 preclude publication of data collected for journalistic purposes and their onward transfer for commercial purposes; (4) Whether personal data that have already been published in the media fall outside scope of Directive 95/46.
Definition of personal data: Surname, given name of certain natural persons whose income exceeds certain thresholds as well as the amount of their earned and unearned income constitute personal data.
Definition of processing: All four types of activities constitute processing of personal data. This includes personal data that have already been published in unaltered form in the media. Operations referred to in Article 2(b) must be classified as processing where they exclusively concern material that has already been published in unaltered form in the media. A general derogation from the application of the Directive in such a case would largely deprive the Directive of its effect.
Scope of Directive 95/46: Only two exceptions to scope exist, which are set forth in Article 3(2). The first indent states that security and criminal law are activities of the state. The second indent states that processing by a natural person in the course of a purely personal or household activity concerns activities in the course of private or family life of individuals. Activities (c) and (d) are activities of private companies, and are not within the scope of Article 3(2). A general derogation from application of the Directive in respect of published information would largely deprive the Directive of its effect. Thus activities (a) and (b) are also not within the scope of Article 3(2).
Processing for solely journalistic purposes: Article 1 of the Directive indicates that the objective is that Member States should, while permitting the free flow of personal data, protect the fundamental rights and freedoms of natural persons and, in particular, their right to privacy, with respect to processing of their personal data. That objective can only be pursued by reconciling those fundamental rights with the fundamental right to freedom of expression. The objective of Article 9 is to reconcile the two rights. Member States are required to provide derogations in relation to protection of personal data, solely for journalistic purposes or artistic or literary expression, which fall within the fundamental right to freedom of expression, insofar as necessary for reconciliation of the two rights. To take account of the importance of the right of freedom of expression in every democratic society, it is necessary to interpret notions of freedom, such as journalism, broadly. Derogations must apply only insofar as strictly necessary. The fact that publication is done for profit making purposes does not preclude publication from being considered as "solely for journalistic purposes." The medium used is not determinative of whether it is "solely for journalistic purposes." Thus activities may be classified as "journalistic" if their sole object is the disclosure to the public of information, opinions or ideas, irrespective of the medium used to transmit them.
C-518/07, COMMISSION V. GERMANY, 9.3.2010 (“GERMANY”)
Infringement procedure against Germany, which transposed the second paragraph of Article 28(1) of Directive 95/46 (the requirement for an independent data protection Authority (DPA)) by making the authorities responsible for monitoring personal data processing outside the public sector in the different Lander subject to State oversight.
Independence of DPA: Independence normally means a status which ensures that the body concerned can act completely freely, without taking any instructions or being put under any pressure. There is nothing to indicate that the requirement of independence concerns exclusively the relationship between the supervisory authorities and the bodies subject to that supervision. The adjective "complete" implies a decision-making power independent of any direct or indirect external influence on the supervisory authority. The guarantee of independence of DPAs is intended to ensure the effectiveness and reliability of the supervision of compliance with data protection provisions, to strengthen the protection of individuals and bodies affected by their decisions. DPAs must act impartially and must remain free from any external influence, including that of the State or Lander. Independence precludes not only any influence exercised by supervised bodies, but also any directions or other external influence which could call into question the performance of those authorities of their task consisting of establishing a fair balance between the protection of the right to private life and the free movement of personal data. State scrutiny in principle allows the government of the respective Land to influence the decision of the supervisory authority or cancel and replace those decisions. This is not consistent with the principle of independence.
C-553/07, COLLEGE VAN BURGEMEESTER EN WETHOUDERS VAN ROTTERDAM V. RIJKEBOER, 7.5.2009 (“RIJKEBOER”)
Reference for a preliminary ruling by the Raad van State (Netherlands). Dutch law on personal data held by local authorities provides that on request, the Board of Aldermen must notify a data subject within four weeks whether his personal data have been disclosed to a purchaser or third party during the preceding year. Data held by the authority include basic data (name, date of birth, personal identification number, social security number, local authority of registration, etc.) and data on transfers. Mr. R requested to be informed of all instances where data relating to him were transferred in the preceding two years, and of the content and recipients. Dutch law on local authority personal records limited the communication of data to one year prior to the relevant request.
Questions referred: Whether the restriction provided for in the Netherlands law on local personal records on the communication of data to one year prior to the relevant request is compatible with Article 12(a) of Directive 95/46, whether read in conjunction with Article 6(1)(e) and the principle of proportionality.
Right of access: Right of access is necessary to enable the data subject to exercise his other rights (rectification, blocking, erasure, and notify recipients of same; object to processing or request damages). The right must of necessity relate to the past, otherwise the data subject would not be in a position effectively to exercise his right to have data presumed unlawful or incorrect rectified, erased or blocked or to bring legal proceedings and obtain compensation for damages. Member States have some freedom of action in implementing the Directive, but it is not unlimited. Setting of a time limit on the right of access must allow the data subject to exercise his rights. It is for the Member States to fix a time limit for storage of information on the recipients and the content of the data disclosed, and to provide access to that information which constitutes a fair balance
Comments (0)