GDPR Articles With Commentary & EU Case Laws, Adv. Prashant Mali
- Author: Adv. Prashant Mali
SCOPE
Bonnier: Directive 2006/24 deals exclusively with handling and retention of data generated by electronic communication service providers for the purpose of the investigation, detection, and prosecution of serious crime and their communication to competent national authorities. Thus a national provision transposing the EU intellectual property directive which permits an ISP in civil proceedings to be ordered to give a copyright holder information on the subscriber to whom the ISP provided an IP address allegedly used in an infringement is outside the scope of Directive 2006/24 and therefore not precluded by that Directive. It is irrelevant that the Member State concerned has not yet transposed Directive 2006/24.
LAWFULNESS
DRI: The material objective of Directive 2006/24 is of general interest – to ensure data are available for the purpose of the investigation, detection and prosecution of serious crime, and therefore to public security, and international terrorism. (Article 6 CFR lays down the right of any person to liberty and security.) Data relating to use of electronic communications are particularly important and a valuable tool in the prevention of offences and the fight against crime.
The proportionality principle requires that acts of EU institutions be appropriate for attaining the legitimate objectives pursued by the legislation and do not exceed the limits of what is appropriate and necessary to achieve those objectives. Given the important role played by data protection in light of the fundamental right of privacy, and the extent and seriousness of the interference (of Directive 2006/24), the EU legislature’s discretion is reduced, thus the review of that discretion should be strict. Retention of data is an appropriate tool for the objective pursued.
The fight against serious crime and terrorism is of utmost importance to ensure public security and its effectiveness may depend on the use of modern investigation techniques. But this does not, in itself, justify the retention measure being considered to be necessary. Derogations and limitations in relation to data protection must apply only insofar as strictly necessary. Here, the legislation must lay down clear and precise rules governing the scope and application of the measures in question and imposing minimum safeguards so that the persons whose data have been retained have sufficient guarantees to effectively protect their personal data against the risk of abuse and against any unlawful access and use of the data. The need for safeguards is all the greater where personal data are subjected to automatic processing and there is significant risk of unlawful access to the data. Further, the Directive requires retention of all traffic data concerning fixed telephony, mobile telephony, internet access, internet e-mail and internet telephony, i.e. all means of electronic communication, the use of which is very widespread and of growing importance in people’s everyday lives. It covers all subscribers and registered users – and therefore entails an interference with the fundamental rights of practically the entire European population. It does not mandate any link to crime.
Directive 2006/24 fails to lay down objective criteria by which to determine the limits of access of competent national authorities to the data and its use, nor substantive and procedural conditions relating to access by competent national authorities and to their subsequent use. It does not lay down objective criteria to limit the number of persons authorized to have access and use to what is strictly necessary, and is not made dependent on prior review carried out by a court or independent administrative body whose decision seeks to limit access to the data and their use to what is strictly necessary for the purpose of obtaining the objective pursued.
The Directive establishes a retention period of a minimum of 6 months and a maximum of 24 months, but it does not state that determination of the exact period must be based on objective criteria to ensure that it is limited to what is strictly necessary.
The Directive does not provide for sufficient safeguards to ensure effective protection of the data retained against the risk of abuse and unlawful access. It does not lay down rules adapted to the vast quantity of data whose retention is required, the sensitive nature of that data, and the risk of unlawful access, nor is there a specific obligation set on Member States to establish such rules. Rather, it permits providers to have regard to economic considerations when determining the level of security.
The Directive does not require that the data be retained within the EU, with the result that it cannot be held that the control by an independent authority of compliance with the requirements of data protection and security is fully guaranteed. This is an essential component of protection of individuals with regard to the processing of personal data.
Accordingly, the EU legislature exceeded the limits imposed by compliance with the principle of proportionality in light of Articles 7, 8 and 52(1) CFR.
ARTICLES 7, 8 CFR
Schecke: The validity of legislation requiring publication must be assessed in light of provisions of the CFR, including Article 8. However, CFR Article 52(1) accepts that limitations may be imposed on rights under the CFR, as long as they are provided by law, respect the essence of those rights and are proportionate (necessary and genuinely meet objectives of general interest recognised by the EU or the need to protect the rights and freedoms of others). Further, CFR Article 52(3) states that for rights in the CFR, which correspond to rights in the ECHR, the meaning and scope shall be the same as for the ECHR.
Publication must a) be provided by law, b) respect the essence of the rights and freedoms in CFR Arts. 7 and 8, and c) be proportionate (necessary and genuinely meet the objectives of general interest recognised by the EU or the need to protect the rights and freedoms of others). Here, publication is lawful since it is specifically provided for by the Regulation. It meets the general interest requirement because publication is intended to enhance transparency regarding the use of CAP funds and sound financial management. Regarding proportionality, it is necessary to analyse whether the EU balanced its interest in guaranteeing transparency and ensuring best use of public funds with the rights of beneficiaries to privacy and data protection. Derogations to data protection are allowed only insofar as strictly necessary.
For natural persons, there is nothing to show that lawmakers made an effort to strike a balance. No automatic priority can be conferred on the objective of transparency over data protection, even if important economic interests are at stake. Thus, the lawmaker exceeded the limits, which the proportionality principle imposes.
Publication of the data in question with respect to the complainant legal person does not go beyond limits imposed by the proportionality principle. The seriousness of the breach manifests itself in different ways for legal persons versus natural persons. It would impose an unreasonable administrative burden on the competent national authorities if they were obliged to examine, before the data are published for each legal person who is a beneficiary, whether the name of that person identifies natural persons. Thus, the legislation requiring publication is valid with respect to the legal persons.
Schwarz: Taking and storing of fingerprints by national authorities, governed by Article 1(2) of Regulation 2252/2004, constitutes a threat to rights of respect for private life and protection of personal data.
Article 52(1) allows for limitations on exercise of rights in Arts. 7 & 8 as long as limitations are provided for by law, respect the essence of those rights, and respect proportionality (necessary and genuinely meet objectives of general interest recognised by the EU or the need to protect rights and freedoms of others). Here, the taking of fingerprints for passports is provided by Regulation 2252/2004 to prevent falsification of passports and prevent fraudulent use thereof, to prevent illegal entry into the EU; therefore it pursues an objective of general interest recognised by the EU.
DRI: Directive 2006/24 does not permit retention of content, but it might have an effect on the use of the means of communication and consequently on the exercise of freedom of expression guaranteed by Article 11 CFR. It also directly affects private life (guaranteed by Article 7 CFR) and constitutes processing of personal data (and therefore falls under Article 8 CFR).
The obligation on providers of publicly available electronic communications services or public communications networks to retain data relating to a person’s private life and his communications in itself constitutes an interference with Article 7. Access of competent national authorities to the data constitutes a further interference with that right. The Directive constitutes an interference with Article 8 because it provides for processing of personal data. The interferences with Articles 7 and 8 are wide-ranging and particularly serious. The fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the minds of users the feeling that their private lives are the subject of constant surveillance.
Any limitation on the exercise of rights and freedoms laid down by the CFR must be provided by law, respect their essence and, subject to the principle of proportionality, limitations may be made to those rights and freedoms only if they are necessary and genuinely meet objectives of general interest recognized by the EU or the need to protect the rights and freedoms of others. Even though retention constitutes a particularly serious interference with the right to privacy, it is not such as to adversely affect the essence of those rights given that the Directive does not permit the acquisition of knowledge of the content of the electronic communications. Nor does it adversely affect the essence of the right to protection of personal data because certain principles of data protection and data security must be respected by providers of publicly available electronic communications services or public communications networks – to ensure appropriate technical and organizational measures are adopted against accidental or unlawful destruction, accidental loss or alteration of the data.
Schecke: Publication on the website of data naming beneficiaries and amounts they receive constitutes interference with private life under CFR Article 7. It is irrelevant that data concerns activities of a professional nature, as under Article 8 ECHR, as the CFR has held that no principle justifies exclusion of activities of a professional nature from the notion of private life.
ARTICLE 8 ECHR
Rechnungshof: The provisions of Directive 95/46, insofar as they govern the processing of personal data liable to infringe fundamental freedoms, in particular the right to privacy, must be interpreted in light of that right, which forms an integral part of the general principles of EU law. Article 8 ECHR states that public authorities must not interfere with the right to respect for private life, unless it is in accordance with law and is necessary in a democratic society to protect certain interests.
The collection of data by name relating to an individual's professional income, with a view to communicating it to third parties, falls within the scope of Article 8. The ECHR has held that communication of the data infringes the right of the persons concerned to respect for private life.
Regarding necessity, the purpose of the provision was to keep salaries within reasonable limits, which fits within the "economic well-being of the country". But “necessary” means that a pressing social need is involved and the measure is proportionate to the legitimate aim pursued. The authorities enjoy a margin of appreciation. The interests of the state must be balanced against the seriousness of the interference. The interference is justified only insofar as publication of the names is both necessary and appropriate to the aim of keeping salaries within reasonable limits, which is for the national court to examine. If not, then the interference also constitutes a violation of Articles 6 and 7 of Directive 95/46.
V: Article 8 ECHR on private life relates to a fundamental right which covers the right to secrecy of one's medical state. The transfer of that data to