CJEU - C-439/19 - Latvijas Republikas Saeima (Penalty points)

From GDPRhub
CJEU - C-439/19 Latvijas Republikas Saeima (Penalty points)
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 2(2)(a) GDPR
Article 2(2)(b) GDPR
Article 10 GDPR
TFEU, Article 16
Charter of Fundamental Rights of the European Union, Article 8
Directive 95/46/EC, Article 3(2)
Directive (EU) 2016/680, Recital 13
Latvia Road Traffic Law
Decided: 22.06.2021
Parties: B
Parliament of the Republic of Latvia (Latvijas Republikas Saeima)
Case Number/Name: C-439/19 Latvijas Republikas Saeima (Penalty points)
European Case Law Identifier: ECLI:EU:C:2021:504
Reference from:
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: Panayotis Yannakas


The CJEU held that the administrative body handling the national register of vehicles and drivers should not publicly disclose penalty points imposed for road traffic offences. The Latvian law permitting such disclosure goes beyond what is necessary to improve road safety, and neither the right of public access to official documents nor the right to freedom of information are sufficient to justify a derogation from the right to data protection.

English Summary

Facts

An individual lodged a constitutional complaint reference on the national Law on Road Traffic is consistent with the fundamental right to respect for private life. The individual’s legal interest was grounded to the imposition of penalty points after some road traffic offences. These points were entered in the national register of vehicles and drivers.

Moreover, any company and any third person may obtain information relating to penalty points imposed on another person, either by enquiring directly at the CSDD or by using the services provided by commercial re-users. The relative Article 14(1)(2) of national law was stated that “Information relating […] to fines for the commission of road traffic offences which have been imposed on a person […] shall be regarded as information in the public domain”.

Latvian Parliament intended to improve road safety through each driver who infringes traffic regulations, particularly those disregarding them systematically, be openly identified. The only requirement for disclosure of the information, which contained in the national register of vehicles and their drivers, was subject to the condition that the information seeker must provide the national identification number of the drivers about whom they wish to enquire.

The CSDD handles the National Register, and they insisted that they transfer the legal ownership of the transmitted data under no circumstances. So, the re-users should use these data only to deduce the seriousness and frequency of those offences and ascertain whether a given person has committed road traffic offences. Since penalty points were classified as public data, may be re-used for commercial or non-commercial purposes other than the initial purpose for which the information was collected.

However, article 14(1)(2) of the Road Traffic National Act does not impose limits on the re-use of these data relating to penalty points. Under the contracts in which CSDD concludes with commercial re-users, the acquirer affirms that it will use the information obtained in accordance with the purposes indicated in the contract and in compliance with the legislation in force. Therefore, it cannot be ruled out if any possible processing is inappropriate or disproportionate.

It should be well-known to everyone that the GDPR provides enhanced protection to sensitive data. Article 10 of the GDPR refers to these data collections which are capable to give rise to social disapproval. The at-issue grant of data access is liable to stigmatise the data subject, and thereby, it is possible to constitute a serious interference with his or her private or professional life.

The referring national Court also asked CJEU whether the provisions of the GDPR must be interpreted as precluding national legislation which obliges the public body responsible for the register to disclose those data to any person who requests them, without that person having to establish a specific interest in obtaining the data.

Dispute

Since information relating to penalty points can be communicated upon request and transmitted for re-use to several companies, an individual filed a constitutional complaint challenging the conformity of the Act on Road Traffic with the right to privacy set out in the Latvian Constitution.

Because the Latvian Parliament adopted the National Law on Road Traffic, that institution participated in the proceedings. The CSDD, which processes the data at issue, was also heard. In addition, the National Data Protection Authority, Latvia) was also invited to give their opinion as amici curiae before the referring Court.

The Latvian Parliament explained that, in practice, disclosure of the information contained in the national register of vehicles and their drivers is subject to the condition that the person requesting the information must provide the national identification number of the driver about whom he or she wishes to enquire. Moreover, the CSDD pointed out that the Law on Road Traffic does not impose limits on either public access to or re-use of data relating to penalty points. As regards that they do not provide the legal transfer of the data; re-users must ensure by themselves that the information transmitted does not exceed the initial purpose for which the information was collected.

However, the National Data Protection Authority expressed its doubts about whether the Law on Road Traffic is consistent with the Latvian Constitution, which lays down the right to respect for private life. In its view, the importance and the objective of the processing carried out on the basis of the provision at issue in the main proceedings are not clearly established, and it cannot, therefore, be ruled out that processing is inappropriate or disproportionate.

The National Parliament considers that the provision at issue is lawful because it is justified by the objective of improving road safety, which requires that traffic offenders be openly identified and that drivers be deterred from committing offences. Also, the Right of Access to Information, which was directly included in the National Constitution, should be respected. The CSDD explained to the referring Court the functioning of the penalty points system and confirmed that the national legislation does not impose any limits on public access to and on the re-use of data relating to penalty points. Also, it pointed out that these contracts do not provide for the legal transfer of data, and these re-users shall ensure that the information transmitted to their customers does not exceed that which can be obtained from the CSDD. For example, one of the contractual terms stipulates that the acquirer of the information must use it in the manner laid down in the regulations in force and in accordance with the purposes indicated in the contract.

The National Data Protection Authority was in the position to observed that, Latvia’s statistics on traffic accidents, although showing a decrease in the number of accidents, there is no proof that the penalty points system and public access to information relating to it have contributed to that favourable development. So did not rule out the possibility that the data processing at issue may be inappropriate or disproportionate.

First of all, this CJEU’s proceedings do not concern the Law on Road Traffic in its entirety, but only in so far as that provision makes information relating to penalty points entered in the national vehicle register accessible to the public. That Court further considers that penalty points are personal data and must therefore be processed in accordance with the right to respect for private life. It emphasises that in assessing the scope of Article 96 of the Latvian Constitution, an account must be taken of the GDPR as well as of Article 16 TFEU and Article 8 of the Charter of Fundamental Rights of the European Union.

Holding

The CJEU highlighted that the term offence refers exclusively to criminal offence and that the term remains an autonomous concept of EU law. That means that it is not decisive if an offence is classified as an administrative offence in a national legal system. In determining whether an offence qualify as criminal offence we have to recall the three Engel criteria, namely (a) the legal classification of the offence under national law; (b) the nature of the offence; and (c) the degree of severity of the penalty incurred, the objective pursued by that provision. The EU Grand Chamber first took note that a traffic offence is liable to give rise to penalties of a certain severity and those points have legal consequences which may even extend to a driving ban or to constitute a serious interference with the fundamental rights to respect for private life and to the protection of personal data, since it may give rise to social disapproval and result in stigmatisation of the data subject.

Furthermore, it was asserted that disclosure of the National Road Traffic Act broadly falls within the material scope of the GDPR, and no exception is applicable. Article 2(2)(a) and (b) of the GDPR represents partly a continuation of the first indent of Article 3(2) of Directive 95/46. Therefore, the provisions of the GDPR shall not be interpreted in broader terms the Titles V and VI of the EU Treaty/Treaty of Lisbon and, in any case, border than the area of public security, defence, and State security.

The Court held that the GDPR also precludes the Latvian Parliament from authoring the CSDD to disclose penalty points to economic operators in order for the data to be re-used for commercial or non-commercial purposes.

Court consideration was the public disclosure and re-use of information under the view of Article 5 of the GDPR and more broadly lawful in light of the proportionality principle. The Court held that the Latvian Act goes beyond what is necessary to improve road safety as there are other less restrictive methods to achieve that objective. For example, by depriving the drivers of the right to drive a vehicle, a ban whose breach may be punished by effective sentences without public disclosure is necessary.

The penalty points system aims to influence the conduct of road users by distinguishing vehicle drivers who, systematically and in bad faith, disregard road traffic rules from drivers who occasionally commit offences. However, the lack of any further condition to obtain access may result in the data being disclosed for reasons unrelated to the objective of general interest of improving road safety.

Comment

With his opinion, the Advocate General pointed out that the GDPR intended to be a tiger for data protection and not a domestic kitten, to wit, the very purpose of the GDPR is to apply to any form of processing of personal data, regardless of the subject matter involved. There is no indication that the EU legislature intended for GDPR exemptions or Article 10 to be interpreted by way of national law. Approaching the enhanced protection of GDPR, we should be aligned with the fact that a number of concepts related requiring uniform interpretation throughout the EU Law. Recital 13 of the Law Enforcement Directive (Directive 2016/680) held that “[a] criminal offence […] should be an autonomous concept of Union law as interpreted by the Court of Justice of the European Union”. It is not the first time we have been through this, quite the opposite, for example, the European Arrest Warrant or the concept of deprivation of liberty (Article 26(1) of Framework Decision 2002/584) or the idea of EU Resident.

Further Resources

Share blogs or news articles here!