CJEU - C‑333/22 - Ligue des droits humains (Verification by the supervisory authority of data processing): Difference between revisions

From GDPRhub
No edit summary
Line 46: Line 46:


=== Facts ===
=== Facts ===
In 2016 a data subject sought security clearance from the National Security Authority in order to participate in an event.
In 2016 a data subject sought security clearance from the National Security Authority ("''NSA''") to participate in an event. The clearance was refused because of the personal data they held on the data subject. According to this data, the data subject had participated in 10 demonstrations between 2007 and 2016 which prevented him from being granted clearance. This fact was not disputed by the data subject.
The clearance was refused by the NSA because of the personal data they held on the data subject. According to this data, the data subject had participated in 10 demonstrations between 2007 and 2016 which prevented him from being granted clearance. This fact was not disputed by the data subject.


The data subject (via a legal advisor) requested the OCIP (Supervisory Authority under the LPD) to provide access to all the personal data the NSA held on him so that he could exercise his rights as a data subject. OCIP responded that the data subject only has an indirect right of access to that data and that OCIP itself would verify the lawfulness of its processing by the NSA. The OCIP replied to the data subject telling them that they had carried out necessary verifications and that 'if necessary, personal data had been amended or erased' from the police data banks.'
As required by Article 17 Directive 2016/680 (the "''Law Enforcement Directive''" or "''LPD''"), as implemented by Article 42 of the Belgian implementation law, the data subject requested the Supervisory Body for Police Information ("''OCIP''" or "''Supervisory Authority''") to provide access to all the personal data the NSA held on him so that he could exercise his rights as a data subject. In reply, OCIP responded that the data subject only has an indirect right of access to that data and that OCIP itself would verify the lawfulness of its processing by the NSA. Having carried out the necessary checks, and in a narrow application of Article 17(3) LDP, [INSERT FOOTNOTE] the OCIP informed the data subject that '''if necessary, the personal data had been amended or erased' from the police data banks.''<nowiki/>'


The data subject (in conjunction with Ligues des droits humains) filed in the Brussels First Instance Court. They asked firstly, if the Data Protection Law Enforcement Directive precluded national legislation to allow for judicial remedies against the decisions taken by the OCIP. Secondly, they asked for access to all the data subject’s personal data and the identification of the controllers and any recipients of the data. Lastly, they asked if national legislation could create a derogation from the right of access to the extent that the OCIP could merely state to the data subject that it had completed all necessary verifications without informing him of the personal data being processed and its recipients.  
This response did not give the data subject enough information to understand OCIP's decision. The data subject (in conjunction with Ligues des droits humains) filed an appeal before the Brussels First Instance Court. They asked, firstly, if the LPD precluded national legislation to allow for judicial remedies against the decisions taken by the OCIP. Secondly, they asked for access to all the data subject’s personal data and the identification of the controllers and any recipients of the data. Lastly, they asked if national legislation could derogate from the right of access and allow the OCIP to merely state to the data subject, as in the present case, that it had completed all necessary verifications without informing him of the personal data being processed and its recipients.  


The first-instance court did not find itself competent and referred the case to the Brussels Court of Appeal.  
The first-instance court did not find itself competent and referred the case to the Brussels Court of Appeal. In turn, the Court of Appeal referred two questions to the  CJEU:


The Court of Appeal referred two questions to the  CJEU:
# Do Articles 47 (the right to an effective remedy) and 8(3) (the right of access to data which has been collected concerning him or her) of the Charter of Fundamental Rights (CFR), require judicial remedies to be available against independent supervisory authorities (such as OCIP) when it exercises the rights of the data subject on behalf of the controller (the NSA).
 
# Does Article 17 of Directive 2016/680 remain valid with Articles 47 and 8(3) of the CFR, if it is read to oblige the supervisory authority to only inform the data subject that ‘all necessary verifications have taken place’ and that information does not enable any judicial remedies.
1. Do Articles 47 (the right to an effective remedy) and 8(3) (the right of access to data which has been collected concerning him or her) of the Charter of Fundamental Rights (CFR), require judicial remedies to be available against independent supervisory authorities (such as OCIP) when it exercises the rights of the data subject on behalf of the controller (the NSA).
 
2. Does Article 17 of Directive 2016/680 remain valid with Articles 47 and 8(3) of the CFR, if it is read to oblige the supervisory authority to only inform the data subject that ‘all necessary verifications have taken place’ and that information does not enable any judicial remedies.


=== Holding ===
=== Holding ===

Revision as of 17:24, 27 November 2023

CJEU - C‑333/22 Ligue des droits humains ASBL, BA v Organe de contrôle de l’information policiè
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law:
Article 17 Directive 2016/680
Article 17(3) Directive 2016/680
Decided: 16.11.2023
Parties:
Case Number/Name: C‑333/22 Ligue des droits humains ASBL, BA v Organe de contrôle de l’information policiè
European Case Law Identifier: ECLI:EU:C:2023:874
Reference from:
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: sh


The CJEU decided that data subjects are entitled to an effective remedy against legally binding decisions, even when a supervisory authority excercises a data subject's rights on their behalf to a controller under Directive 2016/680.

English Summary

Facts

In 2016 a data subject sought security clearance from the National Security Authority ("NSA") to participate in an event. The clearance was refused because of the personal data they held on the data subject. According to this data, the data subject had participated in 10 demonstrations between 2007 and 2016 which prevented him from being granted clearance. This fact was not disputed by the data subject.

As required by Article 17 Directive 2016/680 (the "Law Enforcement Directive" or "LPD"), as implemented by Article 42 of the Belgian implementation law, the data subject requested the Supervisory Body for Police Information ("OCIP" or "Supervisory Authority") to provide access to all the personal data the NSA held on him so that he could exercise his rights as a data subject. In reply, OCIP responded that the data subject only has an indirect right of access to that data and that OCIP itself would verify the lawfulness of its processing by the NSA. Having carried out the necessary checks, and in a narrow application of Article 17(3) LDP, [INSERT FOOTNOTE] the OCIP informed the data subject that 'if necessary, the personal data had been amended or erased' from the police data banks.'

This response did not give the data subject enough information to understand OCIP's decision. The data subject (in conjunction with Ligues des droits humains) filed an appeal before the Brussels First Instance Court. They asked, firstly, if the LPD precluded national legislation to allow for judicial remedies against the decisions taken by the OCIP. Secondly, they asked for access to all the data subject’s personal data and the identification of the controllers and any recipients of the data. Lastly, they asked if national legislation could derogate from the right of access and allow the OCIP to merely state to the data subject, as in the present case, that it had completed all necessary verifications without informing him of the personal data being processed and its recipients.

The first-instance court did not find itself competent and referred the case to the Brussels Court of Appeal. In turn, the Court of Appeal referred two questions to the CJEU:

  1. Do Articles 47 (the right to an effective remedy) and 8(3) (the right of access to data which has been collected concerning him or her) of the Charter of Fundamental Rights (CFR), require judicial remedies to be available against independent supervisory authorities (such as OCIP) when it exercises the rights of the data subject on behalf of the controller (the NSA).
  2. Does Article 17 of Directive 2016/680 remain valid with Articles 47 and 8(3) of the CFR, if it is read to oblige the supervisory authority to only inform the data subject that ‘all necessary verifications have taken place’ and that information does not enable any judicial remedies.

Holding

On the first point, the CJEU held that Article 17 of Directive 2016/680 means that even when the rights of a data subject (as set out by the Directive) are exercised through a supervisory authority (as required by national law and permitted by Article 46(1) of the Directive), the data subject must still be able to have an effective judicial remedy against the decision of the supervisory authority. The court arrived at this decision by looking at Article 46(1)(g), Article 47(1) and (2) and Article 53(1) of the same Directive as well as Article 8(3) and 47 of the CFR.

Article 53(1) states that Member States must provide effective judicial remedy. Article 46(1)(g) requires that each competent national authority is entrusted with the task of checking the lawfulness of processing upon a request made by a data subject. The powers conferred on these authorities via Article 47(1) and (2) (effective investigative and corrective powers) along with the obligation posed by Article 17(3) to inform the data subject, means that the authority’s decision are legally binding under Article 53(1), regardless of whether the processing is found to be lawful or not. Since the decision is a legally binding one, the data subject must be able to obtain judicial review on the merits of such a decision. Such an interpretation is in accordance with Article 47 CR which states that the right to an effective remedy must be given to any person relying on the rights and freedoms guaranteed by EU Law.

On the second point, the CJEU found that the question did not affect the validity of Article 17(3) of Directive 2016/680 and that Article 17(3) can actually be read to be compatible with the CFR. In this manner, information requirements are explicitly linked to the right to an effective remedy, and data protection rights will usually trump public interest in balancing excercises.

Article 17(3) establishes an obligation on the supervisory authority to inform the data subject that ‘at least al necessary verifications or a review by the authority has taken place.’ That obligation does not create a bar on the authority to only provide a minimum amount of information to the data subject. The provision to provide limited information (in both the LED and national law) must be read in light of Article 52(1) CFR, so that authorities do not need to follow the exact wordings of those provisions if a lack of information would prevent someone from obtaining an effective remedy.

Interpreting 17(3) in light of the charter means that Member States's national law must first respect the essensce of a data subject's right to effective judicial protection and second weigh up the public interest purposes in limiting information. Member States must make it possible for data subjects to defend their rights, and with full knowledge of the facts, decide whether there is any point in appealing to a court. National measures that limit the information given to data subjects must therefore leave a degree of discretion to supervisory authorities, allowing them to provide more information than a national framework would otherwise require, and only after that conduct a balancing test with the public interest in limiting information. Courts should also have the jurisdiction to examine all questions of fact and law relevant to the dispute before it, which also limits the possibility of authorties to prioritise public interest. The court notes that data controllers under Article 15(4) of the Directive need to already document the factual or legal reasons to why it made a decision to limit (wholly or partly) the right of access to a data subject, since that information must be made available to the authorities, it must also be made avaialble to the court before which an action against the supervisory authority has been brought.

Comment

While this cases focuses on the Data Protection Law Enforcement Directive (2016/680), many provisions are the same as in the GDPR making the decision also relevant from a data protection perspective.

Further Resources

Share blogs or news articles here!