CJEU - C‑333/22 - Ligue des droits humains (Verification by the supervisory authority of data processing)

From GDPRhub
Revision as of 15:13, 28 November 2023 by 84.113.103.211 (talk)
CJEU - C‑333/22 Ligue des droits humains ASBL, BA v Organe de contrôle de l’information policiè
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law:
Article 17 Directive 2016/680
Article 17(3) Directive 2016/680
Decided: 16.11.2023
Parties:
Case Number/Name: C‑333/22 Ligue des droits humains ASBL, BA v Organe de contrôle de l’information policiè
European Case Law Identifier: ECLI:EU:C:2023:874
Reference from:
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: sh


The CJEU decided that data subjects are entitled to an effective remedy against legally binding decisions. This is even in law enforcement scenarios under Directive 2016/680 (LED).

English Summary

Facts

In 2016 a data subject sought security clearance from the National Security Authority ("NSA") to participate in an event. The clearance was refused because of the personal data they held on the data subject. According to this data, the data subject had participated in 10 demonstrations between 2007 and 2016 which prevented him from being granted clearance. This fact was not disputed by the data subject.

As required by Article 17 Directive 2016/680 (the "Law Enforcement Directive" or "LED"), as implemented by Article 42 of the Belgian implementation law, the data subject requested the Supervisory Body for Police Information ("OCIP" or "Supervisory Authority") to provide access to all the personal data the NSA held on him so that he could exercise his rights as a data subject. In reply, OCIP responded that the data subject only has an indirect right of access to that data and that OCIP itself would verify the lawfulness of its processing by the NSA. Having carried out the necessary checks, and in a narrow application of Article 17(3) LED,[1] the OCIP informed the data subject that 'if necessary, the personal data had been amended or erased' from the police data banks.'

This response did not give the data subject enough information to understand OCIP's decision. The data subject (in conjunction with Ligues des droits humains) filed an appeal before the Brussels First Instance Court. They asked, firstly, if the LED precluded national legislation to allow for judicial remedies against the decisions taken by the OCIP. Secondly, they asked for access to all the data subject’s personal data and the identification of the controllers and any recipients of the data. Lastly, they asked if national legislation could derogate from the right of access and allow the OCIP to merely state to the data subject, as in the present case, that it had completed all necessary verifications without informing him of the personal data being processed and its recipients.

The first-instance court did not find itself competent and referred the case to the Brussels Court of Appeal. In turn, the Court of Appeal referred two questions to the CJEU:

  1. Do Articles 47 (the right to an effective remedy) and 8(3) (the right of access to data which has been collected concerning him or her) of the Charter of Fundamental Rights (CFR), require judicial remedies to be available against independent supervisory authorities (such as OCIP) when it exercises the rights of the data subject on behalf of the controller (the NSA).
  2. Does Article 17 of Directive 2016/680 remain valid with Articles 47 and 8(3) of the CFR, if it is read to oblige the supervisory authority to only inform the data subject that ‘all necessary verifications have taken place’ and that information does not enable any judicial remedies.

Holding

On the first point, the CJEU held that Article 17 of Directive 2016/680 means that even when the rights of a data subject (as set out by the Directive) are exercised through a supervisory authority (as required by national law and permitted by Article 46(1) of the Directive), the data subject must still be able to have an effective judicial remedy against the decision of the supervisory authority. The Court arrived at this decision by looking at Article 46(1)(g), Article 47(1) and (2) and Article 53(1) of the same Directive as well as Article 8(3) and 47 of the CFR.

Article 53(1) LED states that Member States must provide effective judicial remedy. Article 46(1)(g) of the same Directive requires that each competent national authority is entrusted with the task of checking the lawfulness of processing upon a request made by a data subject. The powers conferred on these authorities via Article 47(1) and (2) LED (effective investigative and corrective powers) along with the obligation posed by Article 17(3) LDP to inform the data subject, means that the authority’s decision are legally binding under Article 53(1) LED, regardless of whether the processing is found to be lawful or not. Since the decision is a legally binding one, the data subject must be able to obtain judicial review on the merits of such a decision. Such an interpretation is in accordance with Article 47 CFR which states that the right to an effective remedy must be given to any person relying on the rights and freedoms guaranteed by EU Law.

The second question raises, as anticipated, a point regarding the compatibility of Article 17 LED with Articles 8 and 47 of the Charter of Fundamental Rights. In summary terms, the issue brought to the attention of the Court of Justice is as follows: following a request for access, Article 17 of the LED requires the supervisory authority—in this case, the OCIP—to provide only a minimal amount of information. Specifically, (i) that checks have been carried out, and (ii) that the individual has the right to an effective judicial remedy. Given these premises, the question arises as to whether this minimal content effectively allows for the filing of a judicial remedy.

To answer this question, the court employs two fundamental arguments.

Firstly, it is stated that the text of Article 17 of the LED provides a minimum content but does not prohibit the authority from informing the individual more comprehensively. Consequently, the text of the directive is not contrary to the Charter of Fundamental Rights, at least in the abstract.

Secondly, the Court recalls the fundamental role that information plays in the existence of an effective judicial remedy. Such information places the petitioner "in the best possible conditions and to decide, with full knowledge of the relevant facts, whether there is any point in his or her applying to the court." It is certainly not an absolute right, the Court clarifies, but any limitation must be necessary and reflect objectives of general interest recognized by Union law or protect the rights and freedoms of others.

As anticipated, Article 17 of the LED requires the supervisory authority to communicate "at least" a minimum amount of information. However, this provision does not prevent the authority from providing additional information. In this sense, the national provision must grant the competent authority a degree of flexibility that allows it, "in compliance with that national legislative framework, to engage in a confidential dialogue with the controller and, at the end of that dialogue, to decide on which information is necessary for the data subject to exercise his or her right to an effective judicial remedy and may be communicated to him or her without compromising the public interest purposes

Comment

While this cases focuses on the Data Protection Law Enforcement Directive (2016/680), many provisions are the same as in the GDPR making the decision also relevant from a data protection perspective. The case is important because the CJEU explicitly links information requirements to the right to an effective remedy. Moreover, it creates this link in the LED which is often more stringent than the GDPR given that it deals with law enforcement. This suggests that the courts reasoning would also be applicable to the GDPR.

Further Resources

Share blogs or news articles here!

  1. Directive (EU) 2016/680, the data protection law enforcement directive (LED), ensures the protection of personal data of individuals involved in criminal proceedings, be it as witnesses, victims or suspects.