CJEU - C-13/16 - Rīgas satiksme
| CJEU - C‑13/16 Rīgas satiksme | |
|---|---|
 | |
| Court: | CJEU |
| Jurisdiction: | European Union |
| Relevant Law: | Article 6(1)(f) GDPR Article 7, Directive 95/46 (DPD) |
| Decided: | |
| Parties: | Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde Rīgas pašvaldības SIA |
| Case Number/Name: | C‑13/16 Rīgas satiksme |
| European Case Law Identifier: | ECLI:EU:C:2017:336 |
| Reference from: | |
| Language: | 24 EU Languages |
| Original Source: | Judgement |
| Initial Contributor: | Panayotis Yannakas |
The court elaborates the concept of the three-part test for legitimate interests in the context of the old Data Protection Directive (95/46/EC), which contained a very similar provision with the new Article 6(1)(f) of GDPR. This test breaks down into three parts, which makes more sense to apply them in the following order: a) Purpose test, b) Necessity test, and c) Balancing test.
English Summary
Facts
All started from an accident between a tram and a taxi on the streets of Riga, the capital of Latvia. A minor passenger had suddenly opened the door of the cab, which scraped the side of a tram. The taxi driver's insurer refused to pay out on the basis that the collision was the fault of the passenger. The tram company did not know who the passenger was, so it asked the Latvian police. The police disclosed the passenger's name but refused to disclose his identity card number or address because the national law did not include disclosure provisions for such data to third persons. The tram company challenged police refusion before the national court, and the court referred two questions to the CJEU.
Dispute
The main question referred to the CJEU was whether the Article 7(f) of DPD imposes an obligation on a data controller to disclose all the personal data necessary to start court proceedings against a person. The National Supreme Court further questioned whether the answer to the latter would vary if that person were a minor or not.
Holding
CJEU laid down three cumulative conditions that make lawful a processing of personal data. Starting the test, the pursuit of a legitimate interest is not a question which should be answered only by the data-controller. The same criterion should be answered by any party to whom the data are asked to be disclosed. Secondly, the CJEU pursued with the need to process personal data for the purposes of the legitimate interests; and ended by the balancing-test that the fundamental rights and freedoms of the person concerned do not take precedence by the data protection.
The judge in the para 29 & 30 specified that (a) is a legitimate interest if the interest of an injured party, to obtaining the personal information of the person who cause the damage, is based to the intension to sue that person. Also noticed that (b) the address and/or the identification number of that person appears strictly necessary, as without them the claimant would not be able bringing the action.
Since the first two conditions would seem to be fulfilled, the CJEU then turned to the final condition, that of "balancing the opposing rights and interests at issue". The judge noted that setting this balance depended "on the specific circumstances of the particular case". Furthermore, went onto suggest that the factor to take into consideration was "the possibility of accessing the data at issue in public sources".
The judge commented on the matter of data-subject's age, that is not appropriate measure a refusion to disclose to an injured party the personal data, when these data are necessary for initiate the court procedure, on the ground that the person who caused the damage was a minor. Especially when such as an action can be against the persons exercising parental authority.
Comment
This case is interesting for several reasons. The most significant is that it says about the ability of public bodies to process personal data. The CJEU conclusion there was that all the legal conditions were in favour of the tram company. Notwithstanding this conclusion, is a legal requirement that any such disclosure takes place "on the basis of national law". More specific, the CJEU held that such a legitimate interest could not, of itself, provide a lawful basis for the processing in question. Such a legal ground should first have to be provided by national law itself.
This case was finalized only after the adoption of the General Data Protection Regulation (GDPR). That approach of the CJEU seems consistent with Article 6 of the General Data Protection Regulation. Also, the GDPR's article does not provide that public authorities cannot only rely on such legitimate interests for the processing of personal data. Also, the processing must be on the basis of a national law. Riga is suggested that a strict approach is necessary due to the application of Article 6 under public authorities' circumstances. GDPR Articles.
Further Resources
Share blogs or news articles here!
