Case law: leak of personal data (information)

This month E-Crime Expert is presenting relevant Case law and rulings regarding data protection rights, law applicability and enforcement.

The purpose of this new series is to show actually how the relevant law should be applied in order to properly balance the right to free access of public information, free flow of information and the right to Privacy and Personal Data protection.

The series will balance both the applicability of Data Protection law in the private and public sector, focusing mostly on the Directive 95/46/EC (private sector) and Regulation 45/2001/EC (rights to data protection of individuals working with/for EU Institutions and bodies).

T-259/03, Nikolaou v. Commission, 12.9.2007

Action for non-contractual liability based on acts and omissions of OLAF. OLAF had disclosed certain information about its investigation concerning the applicant: a leak of information to a journalist; its annual report with information about the investigation; and its press statement. Applicant had requested access to the file and the final case report.

Burden of proof for establishing non-contractual liability: Normal rule: The burden of proof is on the applicant to establish: i) Illegal action of an institution; ii) Damages; iii) Proof that damages were caused by the illegal action of the institution. However, burden of proof shifts to the institution when a fact giving rise to damages could have resulted from various causes, and the institution has not introduced any element of proof as to which was the true cause, even though it was best placed to do so. Court concluded OLAF staff member leaked information (including PD) to a journalist, which were published, and OLAF’s press release confirmed the veracity of facts (including PD) that had been mentioned in several press articles. PD definition: The information published in the press release was PD, since the DS was easily identifiable, under the circumstances. The fact that the applicant was not named did not protect her anonymity. Processing definition: 1. Leak (unauthorised transmission of PD to a journalist by someone inside OLAF) and 2. publication of press release each constitute processing of PD.

Lawfulness:

• Leak constitutes unlawful processing in violation of Article 5 of Reg. 45/2001 because it was not authorized by the DS, not necessary under the other sub-paragraphs and it did not result from a decision by OLAF. Even though OLAF has a margin of discretion on transmissions, here it was not exercised because leak is unauthorised transmission. OLAF is best placed to prove how the leak occurred and that the Director of OLAF did not violate his obligations under Article 8(3) of Reg. 1073/99.

In the absence of such proof, OLAF (Commission) must be held responsible. No concrete showing of an internal system of control to prevent leaks or information in question had been treated in a manner that would guarantee its confidentiality.

• Publication of press release was not lawful under Article 5(a) and (b) because public did not need to know the information published in the press release at the time of its publication, before the competent authorities had decided whether to undertake judicial, disciplinary or financial follow-up.

Damages for violation of DP rules: violation of Reg. 45/2001 qualifies as an illegal act of an institution conferring rights on an individual. Objective of Reg. is to confer such rights on DSs.

• A leak of PD is necessarily a grave and manifest violation. Director has margin of appreciation on prevention, but made no showing.

• OLAF gravely and manifestly exceeded the limits of its discretion in the application of Article 5(a) and (e), which was sufficient to engage the responsibility of the Community.

Credits and acknowledgment go to Laraine Laudati, OLAF DPO.

This was the last case law analyzes from this series.

Any questions can be submitted to: dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexppert.com

What do you think about the findings? Do you think that the applicant was right? 

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.

Case law: the time limit of right to access

This month E-Crime Expert is presenting relevant Case law and rulings regarding data protection rights, law applicability and enforcement.

The purpose of this new series is to show actually how the relevant law should be applied in order to properly balance the right to free access of public information, free flow of information and the right to Privacy and Personal Data protection.

The series will balance both the applicability of Data Protection law in the private and public sector, focusing mostly on the Directive 95/46/EC (private sector) and Regulation 45/2001/EC (rights to data protection of individuals working with/for EU Institutions and bodies).

C-553/07, College van burgemeester en wethouders van Rotterdam v. Rijkeboer, 7.5.2009

Reference for preliminary ruling. Dutch law on PD held by local authorities provides that on request, Board of Aldermen must notify a DS within 4 weeks whether his PD have been disclosed to a purchaser or 3rd party during the preceding year. Data held by authority include basic data (name, dob, personal id no., ssn, local authority or registration, etc.) and data on transfers. Mr. R requested to be informed of all instances where data relating to him were transferred in preceding 2 years, content and recipients.

Question referred: whether, pursuant to Article 12(a) (right of access) of Directive 95/46, a DS’s right of access to information on the recipients of PD regarding him and on the content of the data communicated may be limited to a period of one year preceding the request.

Time limit on right of access: Right of access is necessary to enable DS to exercise other rights (rectification, blocking, erasure, and notify recipients of same; object to processing or request damages). The right must of necessity relate to the past, otherwise DS would not be in a position effectively to exercise his right to have data presumed unlawful or incorrect rectified, erased or blocked or to bring legal proceedings and obtain compensation for damages. MSs have some freedom of action in implementing the Directive, but it is not unlimited. Setting of time limit on right of access must allow DS to exercise his rights. It is for MSs to fix a time limit for storage of information on the recipients and the content of data disclosed, and to provide access to that information which constitutes a fair balance between the interest of the DS in exercising his rights and the burden on the controller to store that information. In present case, limiting storage of information on recipients and content to one year, while the basic data is stored much longer, does not constitute a fair balance, unless it can be shown that longer storage would constitute an excessive burden.

Credits and acknowledgment go to Laraine Laudati, OLAF DPO.

Stay tuned for the case law.

Any questions can be submitted to: dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexppert.com

What do you think about the findings? Do you think that the applicant was right? 

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.

Case law: Commission v. Germany (independent DPA)

This month E-Crime Expert is presenting relevant Case law and rulings regarding data protection rights, law applicability and enforcement.

The purpose of this new series is to show actually how the relevant law should be applied in order to properly balance the right to free access of public information, free flow of information and the right to Privacy and Personal Data protection.

The series will balance both the applicability of Data Protection law in the private and public sector, focusing mostly on the Directive 95/46/EC (private sector) and Regulation 45/2001/EC (rights to data protection of individuals working with/for EU Institutions and bodies).

C-518/07, Commission v. Germany, 9.3.2010

Infringement action against Germany which transposed 2nd para. of Article 28(1) of Directive 95/46 (requirement for an independent DPA) by making the authorities responsible for monitoring PD processing outside the public sector in the different Lander subject to State oversight.

Requirement of complete independence of DPA: Independence normally means a status which ensures that the body concerned can act completely freely, without taking any instructions or being put under any pressure. There is nothing to indicate that the requirement of independence concerns exclusively the relationship between the supervisory authorities and the bodies subject to that supervision. The adjective “complete” implies a decision-making power independent of any direct or indirect external influence on the supervisory authority. The guarantee of independence of DPAs is intended to ensure the effectiveness and reliability of the supervision of compliance with DP provisions, to strengthen the protection of individuals and bodies affected by their decisions. DPAs must act impartially and must remain free from any external influence, including that of the State or Lander, and not of the influence only of the

supervised bodies. Independence precludes not only any influence exercised by supervised bodies, but also any directions or other external influence which could call into question performance of those authorities of their task consisting of establishing a fair balance between the protection of the right to private life and the free movement of PD.

State scrutiny in principle allows the government of the respective Land to influence the decision of the supervisory authority or cancel and replace those decisions. This is not consistent with principle of independence.

Credits and acknowledgment go to Laraine Laudati, OLAF DPO.

Stay tuned for the case law.

Any questions can be submitted to: dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexppert.com

What do you think about the findings? Do you think that the applicant was right? 

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.

Case law: data processing

This month E-Crime Expert is presenting relevant Case law and rulings regarding data protection rights, law applicability and enforcement.

The purpose of this new series is to show actually how the relevant law should be applied in order to properly balance the right to free access of public information, free flow of information and the right to Privacy and Personal Data protection.

The series will balance both the applicability of Data Protection law in the private and public sector, focusing mostly on the Directive 95/46/EC (private sector) and Regulation 45/2001/EC (rights to data protection of individuals working with/for EU Institutions and bodies).

C-73/07, Tietosuojavaltuutettu [Finnish DP ombudsman] v. Satakunnan

Markkinaporssi Oy and Satamedia Oy, 16.12.2008

Reference for preliminary ruling. Defendant 1 (a) collected public PD (name of persons whose income exceeds threshold, amount of earned and unearned income, wealth tax levied) from Finnish tax authorities and (b) published extracts in regional newspaper each year. Newspaper says PD can be removed on request without charge. Defendant 1 also (c) transferred the data on CD ROM to Defendant 2 (owned by same shareholders) which (d) disseminated them by text messaging system. Contracted with mobile telephony company to send text messages allowing users to receive information published in the newspaper; PD removed on request. Questions referred: (1) whether collection, publication, transfer of CD ROM and text messages constitutes processing of PD; (2) whether it is processing for solely journalistic purposes within Article 9 of Directive 95/46; (3) whether Article 17 and principles of Directive 95/46 preclude publication of data collected for journalistic purposes and its onward transfer for commercial purposes; (4) whether PD that has already been published in the media is

outside scope of Directive 95/46.

Processing: All 4 types of activities constitute processing.

Scope: Only two exceptions to scope, set forth in Article 3(2). First indent: security and criminal law=activities of the state. Second indent: processing by a natural person in course of a purely personal or household activity, concerns activities in course of private or family life of individuals. Activities (c) and (d) are activities of private companies, not within the scope of Article 3(2). A general derogation from application of directive in respect of published information would largely deprive directive of its effect. Thus activities (a) and (b) also not within scope of Article 3(2).

Processing for solely journalistic purposes: Article 1 of Directive indicates that objective is that MSs should, while permitting free flow of PD, protect the fundamental rights and freedoms of natural persons and, in particular, their right to privacy, with respect to processing of their PD. That objective can only be pursued by reconciling those fundamental rights with fundamental right to freedom of expression. Article 9’s objective is to reconcile the two rights. MSs required to provide derogations in relation to protection of PD, solely for journalistic purposes or artistic or literary expression, which fall within fundamental right to freedom of expression, insofar as necessary for reconciliation of the 2 rights. To take account of the importance of the right of freedom of expression in every democratic society, it is necessary to interpret notions of freedom, such as journalism, broadly. Derogations must apply only insofar as strictly necessary.

Fact that publication is done for profit making purposes does not preclude publication from being considered as “solely for journalistic purposes.” Medium used is not determinative of whether “solely for journalistic purposes.” Thus activities may be classified as “journalistic” if their sole object is the disclosure to the public of information, opinions or ideas, irrespective of the medium used to transmit them.

Credits and acknowledgment go to Laraine Laudati, OLAF DPO.

Stay tuned for the case law.

Any questions can be submitted to: dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexppert.com

What do you think about the findings? Do you think that the applicant was right? 

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.

Case law: Huber v. Germany (deletion of personal data)

This month E-Crime Expert is presenting relevant Case law and rulings regarding data protection rights, law applicability and enforcement.

The purpose of this new series is to show actually how the relevant law should be applied in order to properly balance the right to free access of public information, free flow of information and the right to Privacy and Personal Data protection.

The series will balance both the applicability of Data Protection law in the private and public sector, focusing mostly on the Directive 95/46/EC (private sector) and Regulation 45/2001/EC (rights to data protection of individuals working with/for EU Institutions and bodies).

C-524/06, Huber v. Germany, 16.12.2008

Reference for preliminary ruling. Huber, an Austrian national who is resident in Germany, requested the deletion of PD relating to him (name, date and place of birth, nationality, marital status, sex, entries and exits from Germany, residence status, particulars of passports, statements as to domicile, reference numbers) in the German Central Register of Foreign Nationals (AZR). Bundesamt assists public authorities responsible for application of law related to foreign nationals and asylum. Used for statistical purposes and by security and police services and judicial authorities re prosecution an investigation of criminal activities. Germany rejected the request.

Question submitted wrt DP: Is processing of PD of Austrian national in AZR compatible with the requirement of necessity under Article 7(e) of Directive 95/46?

Scope of Directive 95/46: Article 3(2) exclude from scope of Directive 95/46 processing of PD concerning public security, defence, criminal law activities. Thus, in this case, only processing for purpose relating to right of residence and for statistical purposes fall within scope of 95/46.

Necessity requirement: In light of intention that Directive 95/46 is intended to ensure an equivalent level of DP in all MSs, to ensure a high level of protection in the Community, concept of necessity in Article 7(e) cannot have a meaning which varies between MSs.

Thus, it is a concept which has its own independent meaning in Community law, and must be interpreted in manner which fully reflects the objective of Directive 95/46.

Under Community law, right of free movement of a MS national is not unconditional, but may be subject to limitations and conditions imposed by treaty and implementing rules.

Legislation provides that a MS may require certain documents to be provided to determine the conditions of entitlement to right of residence. Thus, it is necessary for a MS to have relevant particulars and documents available to it in order to ascertain whether a right of residence in its territory exists. Use of a register to support authorities responsible for application of legislation on right of residence is, in principle, legitimate.

However, register must not contain any information other than what is necessary for that purpose, and must be kept up to date. Access must be restricted to the responsible authorities. Central register could be necessary if contributes to more effective application of that legislation. National court should decide whether these conditions are satisfied.

Only anonymous information is required for statistical purposes.

Credits and acknowledgment go to Laraine Laudati, OLAF DPO.

Stay tuned for the case law.

Any questions can be submitted to: dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexppert.com

What do you think about the findings? Do you think that the applicant was right? 

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.

Case law: Ireland v. Parliament and Council (data retention)

This month E-Crime Expert is presenting relevant Case law and rulings regarding data protection rights, law applicability and enforcement.

The purpose of this new series is to show actually how the relevant law should be applied in order to properly balance the right to free access of public information, free flow of information and the right to Privacy and Personal Data protection.

The series will balance both the applicability of Data Protection law in the private and public sector, focusing mostly on the Directive 95/46/EC (private sector) and Regulation 45/2001/EC (rights to data protection of individuals working with/for EU Institutions and bodies).

C-301/06, Ireland v. Parliament and Council (data retention directive), 10.2.2009

Action for annulment of Directive 2006/24/EC on the retention of electronic communication data on ground that it was not adopted on appropriate legal basis (Article 95 TEC), amending Directive 2002/58 (also based on Article 95).

Appropriate legal basis for data retention directive: Court rejected Ireland’s argument that sole or principal objective of directive is investigation, detection and prosecution of crime. Article 95(1) TEC provides Council is to adopt measures for approximation of provisions laid down by law, Reg. or administrative action in MSs which have objective of establishment and functioning of internal market. May be used where disparities exist (or likely to exist in future) between national rules which obstruct fundamental freedoms or create distortions of competition and thus have direct effect on functioning of internal market. Premise of Directive was to harmonize disparities between national provisions governing retention of data by service providers, particularly regarding nature of data retained and periods of data retention. Apparent that differences were liable to have direct impact on functioning of internal market which would become more serious with passage of time.

Article 47 TEU provides that none of provisions of TEC may be affected by provision of TEU, in order to safeguard building of acquis communautaire. Insofar as Directive 2006/24 comes within scope of Community powers, it could not be based on provision of TEU without infringing Article 47. Directive 2006/24 provisions are limited to activities of service providers and do not govern access to data or use thereof by police or judicial authorities of the MSs. They are designed to harmonise national laws on obligation to retain data, categories of data to be retained, periods of retention of data, DP and data security, and conditions for data storage. They do not involve intervention by police or law enforcement authorities of MSs, nor access, use or exchange by them. Thus Directive 2006/24 relates predominantly to functioning of internal market.

Credits and acknowledgment go to Laraine Laudati, OLAF DPO.

Stay tuned for the case law.

Any questions can be submitted to: dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexppert.com

What do you think about the findings? Do you think that the applicant was right? 

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.

Case law: Promusicae

This month E-Crime Expert is presenting relevant Case law and rulings regarding data protection rights, law applicability and enforcement.

The purpose of this new series is to show actually how the relevant law should be applied in order to properly balance the right to free access of public information, free flow of information and the right to Privacy and Personal Data protection.

The series will balance both the applicability of Data Protection law in the private and public sector, focusing mostly on the Directive 95/46/EC (private sector) and Regulation 45/2001/EC (rights to data protection of individuals working with/for EU Institutions and bodies).

C-275/06, Promusicae, 29.1.2008

MS need to balance various fundamental rights when transposing directives: Reference for preliminary ruling. Telefonica had refused to disclose to Promusicae, an NPO, acting on behalf of its members who are holders of intellectual property rights, PD relating to users of the internet who accessed KaZaA file exchange program and shared files of PCs to recordings of Promusicae’s members, by means of connections provided by Telefonica. Promusicae wanted to bring civil actions against those persons. National court referred the question whether Community law permits MSs to limit duty of operators of telecom networks to supply traffic data.

Court held that this question raises the need to reconcile the requirements of protection of different fundamental rights, namely right to respect for private life on the one hand and rights to protection of property and effective remedy on the other hand. Directive 2002/58 provides rules determining in what circumstances and to what extent PD processing is lawful and what safeguards must be provided.

When transposing various intellectual property directives, MS must take care to interpret them such that there is a fair balance struck between the various fundamental rights protected by the Community legal order. Further, when implementing the national law transposing those directives, authorities and courts of the MSs must interpret them in a manner consistent with the directives and make sure that the interpretation does not conflict with those fundamental rights or other general principles of Community law, such as proportionality principle.

Credits and acknowledgment go to Laraine Laudati, OLAF DPO.

Stay tuned for the case law.

Any questions can be submitted to: dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexppert.com

What do you think about the findings? Do you think that the applicant was right? 

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.

Case law: Parliament v. Council (PNR)

This month E-Crime Expert is presenting relevant Case law and rulings regarding data protection rights, law applicability and enforcement.

The purpose of this new series is to show actually how the relevant law should be applied in order to properly balance the right to free access of public information, free flow of information and the right to Privacy and Personal Data protection.

The series will balance both the applicability of Data Protection law in the private and public sector, focusing mostly on the Directive 95/46/EC (private sector) and Regulation 45/2001/EC (rights to data protection of individuals working with/for EU Institutions and bodies).

C-317 and 318/04, Parliament v. Council (PNR), 30.5.2006

Action for annulment by EP of Council Decision 2004/496/EC on conclusion of agreement between EU and USA on processing and transfer of PNR data and on

adequacy decision on data transferred to USA, both of which were adopted on the basis of Directive 95/46.

Appropriate legal basis for EU /US agreement to transfer PNR data:

• Adequacy decision: Requirements for transfer were based on a statute enacted by the USA in November 2001 and implementing Reg.s adopted thereunder, which concern enhancement of security and conditions under which persons may enter and leave the USA, fight against terrorism, and fighting transnational crime. Thus, transfer of PNR data is processing concerning public security. Even though PNR data are initially collected in course of commercial activity, the processing addressed in adequacy decision concerns safeguarding of public security and law enforcement. Fact that data collected by private operators for commercial purposes and they arrange for transfer of data to third country does not prevent that transfer from being regarded as processing excluded from directive’s scope. Thus, it falls within the first indent of Article 3(2) of directive, which excludes from Directive’s scope DP in the course activities provided form by Titles V and VI of the EU Treaty. Thus decision on adequacy annulled.

• Agreement: Article 95 (internal market) in conjunction with Article 25 of the directive (transfers to third countries ensuring adequacy) do not justify Community competence to conclude Agreement. Agreement relates to same transfers as adequacy decision, and thus processing operations are outside scope of Directive. Council decision approving conclusion of agreement between EU and US on processing of PNR data is annulled.

Credits and acknowledgment go to Laraine Laudati, OLAF DPO.

Stay tuned for the case law.

Any questions can be submitted to: dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexppert.com

What do you think about the findings? Do you think that the applicant was right? 

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.

Commission v. Bavarian Lager (appeal)

This month E-Crime Expert is presenting relevant Case law and rulings regarding data protection rights, law applicability and enforcement.

The purpose of this new series is to show actually how the relevant law should be applied in order to properly balance the right to free access of public information, free flow of information and the right to Privacy and Personal Data protection.

The series will balance both the applicability of Data Protection law in the private and public sector, focusing mostly on the Directive 95/46/EC (private sector) and Regulation 45/2001/EC (rights to data protection of individuals working with/for EU Institutions and bodies).

C-28/08, Commission v. Bavarian Lager Co., 29.6.10

Application of Article 4(1)(b) of Reg. 1049/2001: General Court erred in limiting application of the exception in Art. 4(1)(b) to situations in which privacy or the integrity of the individual would be infringed for the purposes of Article 8 of the ECHR and the case law of the European Court of Human Rights, without taking into account the legislation of the EU concerning the protection of PD, particularly Reg. 45/2001. It disregarded the wording of the Article, which is an indivisible provision and requires that any undermining of privacy and the integrity of the individual must always be examined and assessed in conformity with the EU DP legislation. The Article establishes a specific and reinforced system of protection of a person whose PD could, in certain cases, be communicated to the public.

Recital 15 of Reg. 45/2001 indicates legislative intent that Art. 6 TEU and thereby Art. 8 ECHR should apply where processing is carried out in the exercise of activities outside the scope of Reg. 45/2001 (Titles V and VI of pre-Lisbon TEU). Such reference was unnecessary for activities within scope of Reg. 45/2001. Thus, where request based on Reg. 1049/2001 seeks access to documents including PD, Reg. 45/2001 becomes applicable in its entirety, including Articles 8 and 18. The General Court erred in dismissing the application of Art. 8(b) and 18 of Reg. 45/2001, and its decision does not correspond to the equilibrium which the legislator intended to establish between the two Regs.

Commission was right to verify whether DSs had given their consent to disclosure of PD concerning them. By releasing the expurgated version of the minutes, with the names of 5 participants removed (3 could not be contacted, 2 objected), Commission did not infringe Reg. 1049/2001 and complied with its duty of openness. By requiring that regarding these 5 persons, the applicant establish the necessity for those PD to be transferred, Commission complied with provisions of Art. 8(b) of Reg. 45/2001. As no necessity was provided, Commission was not able to weigh up the various interests of the parties concerned, nor to verify whether there was any reason to assume that the DSs’ legitimate interests might be prejudiced, as required by Art. 8(b)

Definition of PD: General Court correctly held that surnames and forenames may be regarded as PD. Thus list of names of participants in meeting is personal data, since persons can be identified. Definition of processing PD: Communication of PD in response to a request for access to documents constitutes processing.

Opinion of Advocate General Sharpston, 15.10.2009

Scope of Reg. 45/2001 under Art. 3: Art. 3(2) should be construed to define the circumstances in which the Reg. applies (“the processing of personal data wholly or partly by automatic means and . . . the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system.”) Such processing of PD by all Community institutions is then covered (applying Art. 3(1)) insofar as it is “carried out in the exercise of activities all or part of which fall within the scope of Community law.” Other circumstances are not covered by Reg. 45/2001; they should be dealt with under Reg. 1049/2001, where requests are made to Community institutions for access to documents.

Applicability of Reg. 1049/2001 vs. Reg. 45/2001 in request for access to documents: B- 1 documents contain an incidental mention of PD, where the primary purpose of compiling the document has little to do with PD. Raison d’etre of such documents is to store information in which PD are of minimal importance. B-2 documents contain large quantity of PD (eg a list of persons and their characteristics). Raison d’etre of such documents is to gather together such PD.

• Applications for B-1 documents should be handled under Reg. 1049/2001; for B-2 documents, under Reg. 45/2001, because within its scope by virtue of Art. 3(2).

• Requests for B-1 documents do not require a reason, by virtue of Art. 6(1) of Reg. 49/2001; for B-2 documents, will have to demonstrate the need for transfer of data, in accordance with Art. 8(b) of Reg. 45/2001.

• Art. 8 ECHR (including justification test, where interference with privacy exists) must be applied with respect to application for B-1 documents to determine whether PD must be redacted, following Art. 4(1)(b) of Reg. 45/2001; B-2 documents will be subject to procedure outlined in Reg. 45/2001: processing must be lawful within meaning of Art. 5; applicant will have to give reasons in accordance with Art. 8; Art. will apply for applications from non-MSs or non-Community international organisations; Art. 10 regarding sensitive data applies; and Art. 18 requires the institution to inform the DS that he can object to processing.

• Disclosure under Reg. 1049/2001 of B-1 documents is erga omnes; Disclosure under Reg. 45/2001 of B-2 documents is case-by-case and not erga omnes.

Art. 4(1)(b) exception: 1st part of exception applies to B-1 and B-2 documents; 2nd part applies only to B-2 documents.

Credits and acknowledgment go to Laraine Laudati, OLAF DPO.

Stay tuned for the case law.

Any questions can be submitted to: dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexppert.com

What do you think about the findings? Do you think that the applicant was right? 

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.

More Case Law: Commission v. Bavarian Lager

This month E-Crime Expert is presenting relevant Case law and rulings regarding data protection rights, law applicability and enforcement.

The purpose of this new series is to show actually how the relevant law should be applied in order to properly balance the right to free access of public information, free flow of information and the right to Privacy and Personal Data protection.

The series will balance both the applicability of Data Protection law in the private and public sector, focusing mostly on the Directive 95/46/EC (private sector) and Regulation 45/2001/EC (rights to data protection of individuals working with/for EU Institutions and bodies).

T-194/04, Bavarian Lager v. Comission, 8.11.2007 (reversed on appeal)

Application for annulment of Commission decision rejecting request of applicant (a trade association for German beer) for access to full minutes of a meeting organised by Commission (including names of attendees). The Commission had denied access to the names of 5 persons who attended the meeting, were members of a trade association and had not given consent to disclosure of their names, based on Article 4(1)(b) of Reg.1049/2001.

Legal obligation under Article 5(b) of Reg. 45/2001: The right of access to documents of the institutions laid down by Article 2 of Reg. 1049/2001 constitutes a legal obligation for purposes of Article 5(b) of Reg. 45/2001. Therefore, if Reg. 1049/2001 requires communication of data, Article 5 of Reg. 45/2001 makes such communication lawful.

Article 8(b) and obligation to prove need for transferred data: Access to documents containing PD falls within the application of Reg. 1049/2001. Article 6(1) states that the applicant is not required to justify his request. Therefore, where PD are transferred in context of Reg. 1049/2001, applicant does not need to prove necessity of disclosure of data for purposes of Article 8 of Reg. 45/2001 – otherwise would be contrary to principle of widest possible public access to documents held by institutions. Exceptions must be interpreted narrowly. Given that access to a document will be refused under Article 4(1)(b) of Reg. 1049/2001 where disclosure would undermine protection of privacy and integrity of individual, a transfer that does not fall under that exception cannot, in principle, prejudice the legitimate interests of the person concerned within the meaning of Article 8(b) of Reg. 45/2001.

DS’s right to object under Article 18: DS has right to object to processing, except in cases covered by Article 5(b), among others. Given that processing envisaged by Reg. 1049/2001 constitutes a legal obligation for purposes of Article 5(b), DS does not have a right to object. However, since Article 4(1)(b) of Reg. 1049/2001 lays down an exception to the obligation to provide access, it is necessary to consider the impact of disclosure on the DS. If communication would not undermine protection of privacy etc., then person’s objection cannot prevent disclosure.

Interpretation of Article 45/2001 in light of Article 8 ECHR: Reg.. 45/2001 must be interpreted in light of fundamental rights which form an integral part of general principles of law with respect to which the ECJ ensures compliance. Any decision taken pursuant to Reg. 1049/2001 must comply with Article 8 ECHR.

ECHR caselaw interprets “private life” broadly, and there is no reason in principle to exclude professional or business activities from concept of private life. To determine whether there is breach of Article 8, need to determine (1) whether there has been an interference with private life of DS, (2) whether that interference is justified (ie, it is in accordance with the law, pursues a legitimate aim, and is necessary in a democratic society – meaning relevant and sufficient, and proportionate to the legitimate aims pursued). In cases concerning disclosure of PD, the competent authorities have to be granted a certain discretion in order to establish a fair balance between competing public and private interests, subject to judicial review, referring to factors such as nature and importance of interests at stake and seriousness of interference.

Application of Article 4(1)(b) exception: To determine whether exception applies, it is necessary to examine whether public access is capable of actually and specifically undermining the protection of the privacy and integrity of the persons concerned.

The mere fact that a document contains PD does not necessarily mean that privacy or integrity of DS is affected, even though professional activities not, in principle, excluded from concept of private life. Here, persons present at the meeting whose names were not disclosed were present as representatives of trade association, and not in their personal capacity. Therefore, the fact that the minutes contain their names does not affect their private life. Minutes do not contain their personal opinions. Disclosure of the names is not capable of actually and specifically affecting the protection of privacy and integrity of those persons. Mere presence of their name on list does not constitute an interference.

Reg. 45/2001 does not require Commission to keep secret the names of persons who communicate opinions or information to it concerning exercise of its functions.

Court distinguishes Osterreichischer Rundfunk on ground that there, specific combination of name and income received by them, in contrast to this case, which falls under Reg. 1049/2001 and where it is name of person acting in professional capacity as representative of collective body, where no personal opinions can be identified.

Credits and acknowledgment go to Laraine Laudati, OLAF DPO.

Stay tuned for the Appeal judgment in this case.

Any questions can be submitted to: dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexppert.com

What do you think about the findings? Do you think that the applicant was right? 

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.