CJEU - C-13/16 - Rīgas satiksme

From GDPRhub
CJEU - C-13/16 Rīgas satiksme
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 6(1)(f) GDPR
Article 7, Directive 95/46 (DPD)
Decided: 04.05.2017
Parties: Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde
Rīgas pašvaldības SIA
Case Number/Name: C-13/16 Rīgas satiksme
European Case Law Identifier: ECLI:EU:C:2017:336
Reference from:
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: Panayotis Yannakas

The court elaborates on the concept of the three-part test for legitimate interests in the context of the old Data Protection Directive (95/46/EC), which contained a remarkably similar provision to the new Article 6(1)(f) of GDPR. This test breaks down into three parts, making it more logical to apply them in the following order: a) Purpose test, b) Necessity test, and c) Balancing test.

English Summary

Facts

It all started with an accident between a tram and a taxi on the streets of Riga, the capital of Latvia. A minor passenger had suddenly opened the cab's door, which scraped the side of a tram. The taxi driver's insurer refused to pay out on the basis that the collision was the fault of the passenger. The tram company did not know who the passenger was, so it asked the Latvian police. The police disclosed the passenger's name but refused to disclose his identity card number or address because the national law did not include disclosure provisions for such data to third persons. The tram company challenged police refusal before the National Court, and the Court referred two questions to the CJEU.

Dispute

The main question referred to the CJEU was whether Article 7(f) of DPD imposes an obligation on a Data Controller to disclose all the personal data necessary to start court proceedings against a person. The National Supreme Court further questioned whether the answer to the latter would vary if that person were a minor or not.

Holding

The CJEU laid down three cumulative conditions that make lawful the processing of personal data. When first applying the test, it was determined that the pursuit of a legitimate interest is not a question that should be answered only by the Data Controller. The same criterion should be answered by any party to whom the data are asked to be disclosed. Secondly, the CJEU continued with the need to process personal data for the purposes of legitimate interests; and ended with the balancing test that asserted that the fundamental rights and freedoms of the person concerned do not take precedence by the data protection.

The judge in para 29 & 30 specified that (a) is a legitimate interest if the interest of an injured party, in obtaining the personal information of the person who caused the damage, is based on the intention to sue the latter person. It was also noticed that (b) the address and/or the identification number of that person appears strictly necessary, as without them the Claimant would not be able to bring the action.

Since the first two conditions would seem to be fulfilled, the CJEU then turned to the final condition, that of "balancing the opposing rights and interests at issue". The judge noted that setting this balance depended "on the specific circumstances of the particular case". Furthermore, the judge went on to suggest that the factor to take into consideration was "the possibility of accessing the data at issue in public sources".

The judge commented on the matter of the data subject's age that a refusal to disclose to an injured party personal data is not an appropriate measure when these data are necessary to initiate the court procedure on the grounds that the person who caused the damage was a minor especially when such an action can be against the persons exercising parental authority.

Comment

This case is interesting for several reasons. The most significant is what it says about the ability of public bodies to process personal data. The CJEU’s conclusion there was that all the legal conditions were in favour of the tram company. Notwithstanding this conclusion, it is a legal requirement that any such disclosure take place "on the basis of national law". More specifically, the CJEU held that such a legitimate interest could not, of itself, provide a lawful basis for the processing in question. Such legal grounds should first have to be provided by national law itself.

This case was finalised only after the adoption of the General Data Protection Regulation (GDPR). That approach of the CJEU seems consistent with Article 6 of the General Data Protection Regulation. In addition, the GDPR's article does not provide that public authorities cannot only rely on such legitimate interests for the processing of personal data. Also, the processing must be on the basis of national law. Riga case suggested that a strict approach is necessary due to the application of Article 6 under public authorities' circumstances.

Further Resources

Share blogs or news articles here!