GDPR Articles With Commentary & EU Case Laws, Adv. Prashant Mali [books to read as a couple .txt] 📗
- Author: Adv. Prashant Mali
Book online «GDPR Articles With Commentary & EU Case Laws, Adv. Prashant Mali [books to read as a couple .txt] 📗». Author Adv. Prashant Mali
An institution which refuses access on the ground of prejudice to legitimate interests must state reasons for invoking such interests. The institution must explain how disclosure of a document could specifically and actually undermine the interest protected by the exception. The explanation cannot consist of a mere assertion that access would undermine privacy. Examination of the specific and actual nature of the undermining of the interest under Article 4(1)(b) of Regulation 1049/2001 is indissociable from the assessment of the risk that the legitimate interests of the data subject referred to in Article 8(b) of Regulation 45/2001 which, through the disclosure to the public, might be prejudiced by the transfer of personal data.
McCullough: The applicant cannot be deemed to have proved the necessity of having the personal data at issue transferred. The only justification provided was to supplement his written defence before the Greek Examining Magistrate. Applicant did not provide any information or justification as to how the submission of the requested documents containing that data would affect the Greek proceedings, the risks to which he would be exposed in procedural terms, and the merits of his defence if the documents were not submitted to the Greek Magistrate.
Exceptions under Article 4 must be interpreted and applied strictly. An institution refusing access must explain how disclosure of that document could specifically and actually undermine the interest protected by the exception. The fact that a document concerns an interest protected by an exception is not of itself sufficient to justify application of that exception. Rather, it is necessary for the institution to have previously determined (1) that the document would specifically and actually undermine the protected interest and (2) that the risk of the protected interest being undermined is reasonably foreseeable and not purely hypothetical. The institution must explain how granting access to the document could specifically and actually undermine the interest protected by the exception under Article 4(1)(b).
Here, Cedefop simply states that the persons concerned are protected as individuals and any access would lead to a serious violation of the privacy and integrity of the individual as they clearly demonstrated the opinions and views of the members on the subject matters discussed. However, Cedefop neither carried out an examination demonstrating that granting access to those documents would specifically and actually undermine the privacy of those members within the meaning of Article 4(1)(b), nor verified whether the risk of the protected interest being undermined was reasonably foreseeable and not purely hypothetical. It is not apparent how the opinions and views expressed could fall within the sphere of their privacy, since those meetings were professional.
TRANSFERS
Lindquist: The publication on the Internet did not constitute a transfer, as an Internet user would have to connect to the Internet and personally carry out the necessary actions to consult those pages. Mrs. Lindquist's Internet pages did not contain the technical means to send that information automatically to people who did not intentionally seek access. There is no transfer of data to a third country within the meaning of Article 25 when an individual in a Member State loads personal data onto an internet page which is stored with his/her hosting provider in that or another Member State, thereby making the data accessible to anyone who connects to the internet, including people in a third country.
Dennekamp II: Articles 7-9 of Regulation 45/2001 precisely limit the possibility of transferring personal data so as to make it subject to strict conditions which, if not fulfilled, prohibit any transfer. Those conditions always include the necessity of the transfer in the light of various aims.
APPROPRIATE LEGAL BASIS
PNR:
Adequacy decision: Requirements for transfer were based on a statute enacted by the USA in November 2001 and implementing regulations adopted thereunder, which concern enhancement of security and conditions under which persons may enter and leave the USA, fighting against terrorism and transnational crime. Thus, the transfer of PNR data is processing concerning public security. Even though PNR data are initially collected in the course of commercial activity, the processing addressed in the adequacy decision concerns safeguarding public security and law enforcement. The facts that the data are collected by private operators for commercial purposes and that those operators arrange for the transfer of the data to a third country does not prevent that transfer from being regarded as processing excluded from the Directive's scope. Thus, it falls within the first indent of Article 3(2) of the Directive, which excludes from the Directive's scope data protection in the course of activities provided for by Titles V and VI of the EU Treaty. Thus the adequacy decision is annulled.
Agreement: Article 95 of the EC Treaty (internal market) in conjunction with Article 25 of the Directive (transfers to third countries ensuring adequacy) do not justify EU competence to conclude the Agreement. The agreement relates to the same transfers as the adequacy decision, and thus processing operations are outside the scope of the Directive. The Council decision approving the conclusion of the agreement between the EU and the US on the processing of PNR data is annulled.
ADEQUATE LEVEL OF PROTECTION
Schrems: The word “adequate” in Article 25(6) signifies that a third country cannot be required to ensure a level of protection identical to that guaranteed by the EU legal order. However, it requires the third country to ensure, by reason of its domestic law or international commitments, a level of protection of fundamental rights and freedoms essentially equivalent to that guaranteed by the EU by virtue of Directive 95/46 read in light of the CFR, otherwise that protection could be easily circumvented by transfers. Thus, the legal order of the third country covered by a Commission adequacy decision must have the means to ensure protection essentially equivalent to that guaranteed within the EU. When examining the level of protection afforded by a third country, the Commission must assess the content of the applicable rules resulting from domestic law or international commitments and the practice designed to ensure compliance. Also, in light of the fact that the level of protection ensured by the third country is liable to change, the Commission must, after adopting an adequacy decision, check periodically whether the adequacy finding remains factually and legally justified. Account must be taken of the circumstances that have arisen after the adoption of the decision. The Commission’s discretion as to adequacy is reduced and is subject to strict scrutiny, in view of the important role played by data protection in the light of the fundamental right to respect for private life and the large number of persons potentially concerned by transfers.
SAFE HARBOUR
Schrems: US public authorities are not required to comply with safe harbor principles. Decision 2000/520 specifies that safe harbor principles may be limited to the extent necessary to meet national security, public interest or law enforcement requirements, or statute, regulation or case law. Self-certified US organisations receiving personal data from the EU are thus bound to disregard safe harbor principles when they conflict with US legal requirements. Decision 2000/520 does not contain sufficient findings regarding US measures which ensure adequacy by reason of domestic law or international commitments. Rather, it enables interference with fundamental right to respect for private life of persons whose personal data is or could be transferred from the EU to the US.
The Decision does not contain any finding regarding US rules intended to limit the interference when they pursue legitimate objectives such as national security, nor refer to effective legal protection against such interference. FTC procedures and private dispute resolution mechanisms concern compliance with safe harbor principles (against US organisations) and cannot be applied with respect to measures originating from the State. Moreover, the Commission found that US authorities could access the personal data transferred and process it in a way incompatible with the purposes for which it was transferred, and beyond what was strictly necessary and proportionate for the protection of national security, and data subjects had no redress regarding their rights of access, rectification and erasure. Legislation permitting public authorities to have generalized access to the content of electronic communications compromises the essence of the fundamental right to respect for private life. Legislation not providing for any possibility for an individual to pursue legal remedies in order to have access, rectification or erasure of his own personal data does not respect the essence of the fundamental right to effective judicial protection.
Thus, Article 1 of the Decision does not ensure adequacy and the decision is consequently invalid.
Articles 1 and 3 are inseparable from 2 and 4 and the annexes, thus the entire Decision 2000/520 is invalid.
REGULATION 45/2001
SCOPE
Egan & Hackett: Neither Article 2(3) of Regulation 1049/2001, nor Article 3(2) of Regulation 45/2001, nor any other provision, contains any restriction such as to exclude from their respective scopes documents which were, but are no longer, available.
LAWFULNESSNikolaou: The leak constitutes unlawful processing in violation of Article 5 of Regulation 45/2001 because it was not authorized by the data subject, not necessary under the other sub-paragraphs and it did not result from a decision by OLAF. Even though OLAF has a margin of discretion on transmissions, here it was not exercised because the leak is an unauthorized transmission. OLAF is best placed to prove how the leak occurred and that the Director of OLAF did not violate his obligations under Article 8(3) of Regulation 1073/99. In the absence of such proof, OLAF (the Commission) must be held responsible. No concrete showing was made of an internal system of control to prevent leaks or that the information in question had been treated in a manner that would guarantee its confidentiality.
Publication of the press release was not lawful under Article 5(a) and (b) because the public did not need to know the information published in the press release at the time of its publication, before the competent authorities had decided whether to undertake judicial, disciplinary or financial follow-up.
DIRECTIVE 95/46
SCOPE
Rechningshof: Applicability of Directive 95/46 cannot depend on whether the specific situations at issue have a sufficient link with the exercise of the fundamental freedoms guaranteed by the Treaty (free movement of workers). The EU system of data protection has a wide scope, is defined in very broad terms, and does not depend on whether, in every specific case, the processing of personal data has a connection to the free movement between the Member States. A contrary interpretation could make the limits of the field of application of the Directive unsure and uncertain. The system consists of checks and balances in which processing of personal data is subject to a number of conditions and limitations.
Lindquist: Loading personal data on an Internet page is processing by automatic means.
Huber: Article 3(2) excludes from the scope of Directive 95/46 the processing of personal data concerning public security, defense, and criminal law activities. Thus, in this case, only processing for a purpose relating to the right of residence and for statistical purposes falls within the scope of Directive 95/46.
Tietosuojavaltuutettu: Only two exceptions to scope exist, which are set forth in Article 3(2). The first indent states that security and criminal law are activities of the state. The second indent states that processing by a natural person in the course of a purely personal or household activity concerns activities in the course of private or family life of individuals. Activities (c) and (d) are activities of private companies, and are not within the scope of Article 3(2). A general derogation from application of the Directive in respect of published information would largely deprive the Directive of its effect. Thus activities (a) and (b) are also not within the scope of Article 3(2).
Rynes: Video surveillance involving the recording and storage of personal data falls within the scope of the Directive, since it constitutes automatic data processing.
LAWFULNESS
ASNEF: The second condition of Article 7(f) of Directive 95/46 (the interests of the controller or recipients must not be overridden by the fundamental rights and freedoms of the data subject) necessitates a balancing of the opposing rights and interests concerned which depends on the individual
Comments (0)