On 4 May 2017 the Court of Justice of the European Union (“CJEU”) delivered its judgment in the case Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA ‘Rīgas satiksme’, answering two related questions:
‘(1) Must the phrase ‘is necessary for the purposes of the legitimate interests pursued by the … third party or parties to whom the data are disclosed’, in Article 7(f) of Directive 95/46/EC [the EU Data Protection Directive], be interpreted as meaning that the national police must disclose to Rīgas satiksme the personal data sought [by the latter] which are necessary in order for civil proceedings to be initiated?
(2) Is the fact that, as the documents in the case file indicate, the taxi passenger whose data is sought by Rīgas satiksme was a minor at the time of the accident relevant to the answer to that question?’
As a reminder, Article 7(f) provides a legal basis justifying the processing of personal data, where it “is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection…”.
As explained by Alison Knight in her post on the opinion of Advocate General Bobek of 26 January 2017, the case started with a road accident in Riga, Latvia. “A taxi driver had stopped his vehicle at the side of the road. As a trolleybus belonging to Rīgas satiksme was passing alongside the taxi, the taxi passenger opened the door, which scraped against and damaged the trolleybus.” After investigation it was found that an administrative offence had been committed in this case (arguably by the taxi passenger). While Rīgas satiksme sought compensation, the insurance company of the taxi driver refused to pay as the accident had been caused by the taxi passenger. But to direct its claim against the taxi passenger, Rīgas satiksme needed to have the passenger’s personal details.
The police refused to fully satisfy Rīgas satiksme’s request concerning the passenger’s details and statements and only provided his name, withholding his identity document number and his address.
Why did the police refuse to provide information beyond the passenger’s name? Because, by law, the case file in administrative proceedings leading to fines could only be transmitted to parties to the proceedings; and – as explained by AG Bobek at para. 21 – “as regards the identity document number and the address, the Datu valsts inspekcija (Latvian Data Protection Agency) prohibits the provision of such information relating to individuals”.
In fact, according to the Latvian Data Protection Agency (DPA), other routes were available to Rīgas satiksme:
- “either submit a reasoned request to the Civil Registry or
- apply to the courts pursuant to Articles 98 to 100 of the Latvian Law on Civil Procedure for the production of evidence, in order for the court in question to request from the national police the personal data so that Rīgas satiksme would be able to bring proceedings against the person concerned.” [para. 19]
The Latvian court referring the two questions to the CJEU does not exactly agree with the DPA and opines that these routes are not necessarily effective. In particular, the name of the passenger might not be enough to single out the passenger in the Civil Registry; and, arguably, it seems that an application for the production of evidence could only be made if the claimant had the address of the passenger.
How does the CJEU answer both questions?
It notes that:
- “Article 7(f) of Directive 95/46 does not, in itself, set out an obligation, but expresses the possibility of processing data such as the communication to a third party of data necessary for the purposes of the legitimate interests pursued by that third party.” [My emphasis]. [para. 26]. However, national law could have specific rules for this purpose.
- “Article 7(f) of Directive 95/46 lays down three cumulative conditions so that the processing of personal data is lawful, namely, first, the pursuit of a legitimate interest by the data controller or by the third party or parties to whom the data are disclosed; second, the need to process personal data for the purposes of the legitimate interests pursued; and third, that the fundamental rights and freedoms of the person concerned by the data protection do not take precedence.” [para. 28]
Applying Article 7(f) to the circumstances of the case at hand, it seems that the first two conditions are met – that is:
- “the interest of a third party in obtaining the personal information of a person who damaged their property in order to sue that person for damages” is a legitimate interest. This had been acknowledged in the Promusicae judgement of the CJEU back in 2008. [para. 29].
- Communication of the address and/or the identification number of that person appears strictly necessary, as without them the claimant would not be able to identify the taxi passenger. [para. 30]
As regards the third condition, the CJEU is less categorical. The answer can only be case-specific. The seriousness of the infringement is relevant, as well as whether the data at issue is accessible from public sources, and even the age of the data subject. However, in the case at hand, the CJEU said that it does not seem justified to refuse the disclosure of the personal information simply on the ground that the data subject is a minor. [para. 33].
The CJEU thus concludes at para. 34 that “Article 7(f) of Directive 95/46 must be interpreted as not imposing the obligation to disclose personal data to a third party in order to enable him to bring an action for damages before a civil court for harm caused by the person concerned by the protection of that data. However, Article 7(f) of that directive does not preclude such disclosure on the basis of national law.”
Why is this case interesting?
For several reasons:
- The first one is that, obviously, this case is decided after the adoption of the General Data Protection Regulation (GDPR), which will be applicable in one year’s time, from 25 May 2018. During the legislative process in advance of such adoption, one question on the table in the reform discussions was whether it would make sense to treat national identification numbers differently from other personal data, and in particular whether they should be considered as sensitive personal data (see Article 8 of Directive 95/46). This was finally rejected (see Article 9 of the GDPR). Still, one can ask whether a national identification number should be treated in the same way as addresses. The CJEU does not seem to be particularly bothered by this issue.
- The second one is that Rīgas satiksme is decided after the Breyer case (see my earlier post on the CJEU’s judgement in that case). And in Breyer the CJEU had ruled that “Article 7(f) of Directive 95/46 must be interpreted as meaning that it precludes the legislation of a Member State [– specifically one] under which an online media services provider may collect and use personal data relating to a user of those services, without his consent, only in so far as the collection and use of that information are necessary to facilitate and charge for the specific use of those services by that user, even though the objective aiming to ensure the general operability of those services may justify the use of those data after consultation of those websites.” [para. 64]. In other words, the CJEU in Breyer seems to suggest that EU Member States cannot be more restrictive than the wording in Article 7(f) itself… when the data controller is an online media services provider.
Are Breyer and Rīgas satiksme fully aligned? Notably, in Rīgas satiksme the data controller is not a private actor but a public entity. And the GDPR – which defines the legitimate interests legal basis as applying where “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child” – also expressly states that “Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks” [Article 6(1)]. In other words, when public authorities process personal data to perform their tasks, they shall not rely upon the legitimate interest ground. Instead, they shall rely upon Article 6(1)(e) as a legal basis (“processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”). But can one say that, in the circumstances of the case at hand, the processing at stake (i.e. the disclosure of the national identification number and the address) was “processing carried out by public authorities in the performance of their tasks”?
- This brings me to my third point. Rīgas satiksme seems a straightforward case. But if one slightly changes the circumstances of the case, is it still that straightforward? Imagine an online service provider processing [to use a terminology that is more politically correct than “retaining,” as retention obligations are viewed slightly suspiciously these days as per the CJEU in Tele2 Sverige, see my post here] data about its users. An alleged victim then addresses a request to the service provider asking for the details of one of its users. Does data protection law prevent the service provider from sharing the details allowing identification? Applying the three-pronged test of the CJEU, it would seem that the real issue would be to determine whether “the fundamental rights and freedoms of the person concerned by the data protection do not take precedence”, otherwise reliance upon this legal basis applied to the prospective sharing activity would not be permitted. So, ultimately, the answer would depend upon the seriousness of the unlawful activity and whether the data sought is already accessible. And what if an online service provider takes the initiative to share the user details with victims or law enforcement agencies? Once again the real issue would seem to lie in whether “the fundamental rights and freedoms of the person concerned by the data protection do not take precedence.” The answer to this question would probably depend upon whether the processing of user data is systematic and specifically undertaken for detecting unlawful activities and/or interferes with the principle of confidentiality of communications. [I am sure readers remember the old E-commerce Directive and its Article 15(2), which makes it possible for Member States to impose information obligations upon intermediary providers.
But do readers also remember Article 6(2)(b) of the proposed ePrivacy Regulation, which could be seen by some as ‘simplifying’ the framework, at least in relation to metadata relating to communications, as the processing of “electronic communications metadata” for the purposes of “detecting or stopping fraudulent, or abusive use of, or subscription to, electronic communications services” appears lawful as such?]
This post originally appeared on the Peep Beep! blog and is reproduced with permission and thanks