Home > Awareness, Case law, Data Protection, European Court of Justice, Facebook, Google, Internet, Privacy, Social Media > Case law: leak of personal data (information)

Case law: leak of personal data (information)

This month E-Crime Expert is presenting relevant Case law and rulings regarding data protection rights, law applicability and enforcement.

The purpose of this new series is to show actually how the relevant law should be applied in order to properly balance the right to free access of public information, free flow of information and the right to Privacy and Personal Data protection.

The series will balance both the applicability of Data Protection law in the private and public sector, focusing mostly on the Directive 95/46/EC (private sector) and Regulation 45/2001/EC (rights to data protection of individuals working with/for EU Institutions and bodies).

T-259/03, Nikolaou v. Commission, 12.9.2007

Action for non-contractual liability based on acts and omissions of OLAF. OLAF had disclosed certain information about its investigation concerning the applicant: a leak of information to a journalist; its annual report with information about the investigation; and its press statement. Applicant had requested access to the file and the final case report.

Burden of proof for establishing non-contractual liability: Normal rule: The burden of proof is on the applicant to establish: i) Illegal action of an institution; ii) Damages; iii) Proof that damages were caused by the illegal action of the institution. However, burden of proof shifts to the institution when a fact giving rise to damages could have resulted from various causes, and the institution has not introduced any element of proof as to which was the true cause, even though it was best placed to do so. Court concluded OLAF staff member leaked information (including PD) to a journalist, which were published, and OLAF’s press release confirmed the veracity of facts (including PD) that had been mentioned in several press articles. PD definition: The information published in the press release was PD, since the DS was easily identifiable, under the circumstances. The fact that the applicant was not named did not protect her anonymity. Processing definition: 1. Leak (unauthorised transmission of PD to a journalist by someone inside OLAF) and 2. publication of press release each constitute processing of PD.


Leak constitutes unlawful processing in violation of Article 5 of Reg. 45/2001 because it was not authorized by the DS, not necessary under the other sub-paragraphs and it did not result from a decision by OLAF. Even though OLAF has a margin of discretion on transmissions, here it was not exercised because leak is unauthorised transmission. OLAF is best placed to prove how the leak occurred and that the Director of OLAF did not violate his obligations under Article 8(3) of Reg. 1073/99.

In the absence of such proof, OLAF (Commission) must be held responsible. No concrete showing of an internal system of control to prevent leaks or information in question had been treated in a manner that would guarantee its confidentiality.

Publication of press release was not lawful under Article 5(a) and (b) because public did not need to know the information published in the press release at the time of its publication, before the competent authorities had decided whether to undertake judicial, disciplinary or financial follow-up.

Damages for violation of DP rules: violation of Reg. 45/2001 qualifies as an illegal act of an institution conferring rights on an individual. Objective of Reg. is to confer such rights on DSs.

A leak of PD is necessarily a grave and manifest violation. Director has margin of appreciation on prevention, but made no showing.

OLAF gravely and manifestly exceeded the limits of its discretion in the application of Article 5(a) and (e), which was sufficient to engage the responsibility of the Community.

Credits and acknowledgment go to Laraine Laudati, OLAF DPO.

This was the last case law analyzes from this series.

Any questions can be submitted to: dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexppert.com

What do you think about the findings? Do you think that the applicant was right? 

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.

  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: