CJEU - C‑333/22 - Ligue des droits humains (Verification by the supervisory authority of data processing)

From GDPRhub
Revision as of 20:09, 20 November 2023 by Sh (talk | contribs) (Created page with "{{CJEUdecisionBOX |Case_Number_Name=C‑333/22 Ligue des droits humains ASBL, BA v Organe de contrôle de l’information policiè |ECLI= |Opinion_Link= |Judgement_Link=https://curia.europa.eu/juris/document/document.jsf;jsessionid=1D4F9FB57B77C5B68D792C677F4CB76C?text=&docid=279747&pageIndex=0&doclang=de&mode=req&dir=&occ=first&part=1&cid=449687 |Date_Decided=16.11.2023 |Year=2023 |GDPR_Article_1= |GDPR_Article_Link_1= |GDPR_Article_2= |GDPR_Article_Link_2= |EU_...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
CJEU - C‑333/22 Ligue des droits humains ASBL, BA v Organe de contrôle de l’information policiè
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law:
Article 17 Directive 2016/680
Article 17(3) Directive 2016/680
Decided: 16.11.2023
Parties:
Case Number/Name: C‑333/22 Ligue des droits humains ASBL, BA v Organe de contrôle de l’information policiè
European Case Law Identifier:
Reference from:
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: n/a


The CJEU decided that data subjects are entitled to an effective remedy against legally binding decisions, even when a supervisory authority excercises a data subject's rights on their behalf to a controller under Directive 2016/680.

English Summary

Facts

In 2016 a data subject sought security clearance from the National Security Authority in order to participate in an event. The clearance was refused by the NSA because of the personal data they held on the data subject. According to this data, the data subject had participated in 10 demonstrations between 2007 and 2016 which prevented him from being granted clearance. This fact was not disputed by the data subject.

The data subject (via a legal advisor) requested the OCIP (Supervisory Authority under the LPD) to provide access to all the personal data the NSA held on him so that he could exercise his rights as a data subject. OCIP responded that the data subject only has an indirect right of access to that data and that OCIP itself would verify the lawfulness of its processing by the NSA.

The data subject (in conjunction with Ligues des droits humains) filed in the Brussels First Instance Court. They asked firstly, if the Data Protection Law Enforcement Directive precluded national legislation to allow for judicial remedies against the decisions taken by the OCIP. Secondly, they asked for access to all the data subject’s personal data and the identification of the controllers and any recipients of the data. Lastly, they asked if national legislation could create a derogation from the right of access to the extent that the OCIP could merely state to the data subject that it had completed all necessary verifications without informing him of the personal data being processed and its recipients.

The first-instance court did not find itself competent and referred the case to the Brussels Court of Appeal.

The Court of Appeal referred two questions to the CJEU:

1. Do Articles 47 (the right to an effective remedy) and 8(3) (the right of access to data which has been collected concerning him or her) of the Charter of Fundamental Rights (CFR), require judicial remedies to be available against independent supervisory authorities (such as OCIP) when it exercises the rights of the data subject on behalf of the controller (the NSA).

2. Does Article 17 of Directive 2016/680 remain valid with Articles 47 and 8(3) of the CFR, if it is read to oblige the supervisory authority to only inform the data subject that ‘all necessary verifications have taken place’ and that information does not enable any judicial remedies.

Holding

On the first point, the CJEU held that Article 17 of Directive 2016/680 means that even when the rights of a data subject (as set out by the Directive) are exercised through a supervisory authority (as required by national law and permitted by Article 46(1) of the Directive), the data subject must still be able to have an effective judicial remedy against the decision of the supervisory authority. The court arrived at this decision by looking at Article 46(1)(g), Article 47(1) and (2) and Article 53(1) of the same Directive as well as Article 8(3) and 47 of the CFR.

Article 53(1) states that Member States must provide effective judicial remedy. Article 46(1)(g) requires that each competent national authority is entrusted with the task of checking the lawfulness of processing upon a request made by a data subject. The powers conferred on these authorities via Article 47(1) and (2) (effective investigative and corrective powers) along with the obligation posed by Article 17(3) to inform the data subject, means that the authority’s decision is legally binding under Article 53(1) regardless of whether the processing is found to be lawful or not. Since the decision is a legally binding one, the data subject must be able to obtain judicial review on the merits of such a decision. Such an interpretation is in accordance with Article 47 CR which states that the right to an effective remedy must be given to any person relying on the rights and freedoms guaranteed by EU Law.

On the second point, the CJEU found that the question did not affect the validity of Article 17(3) of Directive 2016/680. Article 17(3) established an obligation on the supervisory authority to inform the data subject that ‘at least al necessary verifications or a review by the authority has taken place.’ That obligation is not establishing a bar on the authority to only provide the minimum amount of information to the data subject. In general Article 17(3) must be implemented in a way which firstly provides enough information for the data subject to have an effective judicial remedy and secondly weighs up the public interest in warranting the limitation of that information. In this manner, public interests do not preclude data protection rights.

Comment

While this cases focuses on the Data Protection Law Enforcement Directive (2016/680), many provisions are the same as in the GDPR making the decision also relevant from a data protection perspective.

Further Resources

Share blogs or news articles here!