Tietosuojavaltuutetun toimisto (Finland) - 4300/182/2019

From GDPRhub
Tietosuojavaltuutetun toimisto - 4300/182/2019
LogoFI.png
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 2(2)(d) GDPR
Article 6(1)(c) GDPR
Article 55(3) GDPR
§ 29(2) Data Protection Act
§ 34 Public Access to Information Act
Type: Complaint
Outcome: Other Outcome
Started:
Decided: 04.05.2022
Published:
Fine: n/a
Parties: Supreme Court of Finland
National Case Number/Name: 4300/182/2019
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Finnish
Original Source: Finlex (in FI)
Initial Contributor: Vadym Kublik

The Finnish DPA also held, among the others, that it lacked competence under Article 55(3) GDPR to supervise the Supreme Court's criminal case disclosure policies because the court acted in its judicial capacity.

English Summary

Facts

A data subject requested a copy of a criminal case from the Finnish Supreme Court under The Public Access to Information Act. According to the Act, a person requesting the information does not have to indicate their identity, so the archives would not keep information about the case's recipient. However, the court asked the data subject for a personal identity number and home address for a billing purpose. It explained that it does not keep a separate register of persons who requested documents. Still, the information is required for the billing system maintained by the State Financial and Human Resources Service Center (Palkeet).

Concerned that the defendant in the criminal case could later learn about persons receiving case materials and retaliate against them, the data subject asked the Finnish DPA to investigate it.

The DPA assessed first whether it is competent to supervise the processing when courts disclose personal data contained in criminal records. Secondly, it examined the legality of collecting and processing personal identity numbers for billing purposes. Thirdly, it evaluated the Supreme Court's approach to providing information on those who requested and received a copy of a document.

Holding

Concerning the first question, the DPA held that under Article 2(2)(d) GDPR, the Regulation does not apply to the processing of personal data by competent authorities, including courts, for criminal prosecution. Furthermore, according to the CJEU's case C-245/20 - Autoriteit Persoonsgegevens, the procedure whereby a court temporarily makes available to journalists procedural documents containing personal data to enable them to understand better the course of the proceedings falls within the scope of that court's "judicial functions". Therefore, under Article 55(3) GDPR, the DPA is not competent to supervise such processing.

Regarding the second question, the DPA held that courts charge a fee under § 34 of the Public Access to Information Act for providing access to documents. Further, the payment in the present case is charged ex post facto, and according to § 29(2) of the Finnish Data Protection Act, a personal identity number may be processed for debt collection. Consequently, the processing is justified under Article 6(1)(c) GDPR as it is necessary for compliance with a legal obligation to which the controller is subject.

Finally, the DPA also requested the Supreme Court to reassess the likelihood and severity of the risk of discovering the data subject's identity by accessing information from the billing system where it is stored. The Supreme Court must announce the reassessment and possible measures to reduce or eliminate the risks by 15 September 2022.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

Personal identification number when requesting a copy of a document and protection of personal data of recipients of a document

Keywords: personal identification number
billing

Legal basis: Decision in accordance with the EU General Data Protection Regulation

Diary number: 4300/182/2019

Decision of the Assistant Supervisor

According to an e-mail sent to the DPO's office, the whistleblower had requested a copy of the criminal case file from the Supreme Court under the Public Access Act, requesting his identity number and home address for billing purposes. After inquiring about the grounds for collecting personal data, especially the personal identity number, the Supreme Court replied that the invoicing system used by the state authorities, maintained by the State Financial and Human Resources Service Center (Palkeet), required a personal identity number or a legal entity business ID. In this respect, the notifier asked to investigate whether the Supreme Court acted in breach of the Data Protection Regulation when processing the personal identity number for sales invoicing.

The second issue raised by the notifier related to the principle of the Public Access to Information Act that the person requesting information does not have to indicate his or her identity, in which case no information is left in the archives to whom the document has been disclosed. In his scenario, the notifier considered that apparently the sales invoicing data is also personal data of the authority and thus at least the defendant in criminal proceedings would even have the right to obtain information to whom all the documents in his criminal case have been disclosed and retaliated against. The Supreme Court responded to such a threat of retaliation against natural persons who requested documents by failing to keep a separate register of persons who made requests for documents and, for example, if a party to the case expressly requested natural and legal persons requesting information on the basis of public access.

The notifier considered such an interpretation to be incorrect from the point of view of both the Publicity Act and the Data Protection Regulation, and asked the DPA to

Report received

On the basis of the notification, the Deputy Data Protection Supervisor requested a statement from the Supreme Court, in particular as to whether the processing of personal data should be considered as processing by the court in the exercise of its judicial functions.

The Supreme Court held that there had been a question of the disclosure of copies of judicial documents and that the disclosure of such documents would be assessed on the basis of the Public Access to Justice Act. Ultimately, according to the Supreme Court, the court decides on the disclosure of documents as a matter of jurisdiction. The collection of a fee for a copy is based on the State Basic Fees Act and the collection of fees is regulated by law on the enforcement of taxes and fees. According to the statement received, the personal identity number is not stored in the Supreme Court's case management system for billing purposes, but in the above-mentioned billing system.

Evaluation of issues

Competences of the Data Protection Authority

The first question involves two successive processing operations concerning personal data,
for which the competence of the Data Protection Authority will have to be assessed separately. It is first necessary to assess, in particular, the judicial disclosure of personal data contained in criminal records and whether the Data Protection Authority has competence to control such processing of personal data. The second issue is the competence with regard to the collection and processing of personal data for the post-clearance recovery of the fee provided for the release of the document.

The EU General Data Protection Regulation (abbreviated as GDPR, 2016/679) also applies to courts, as stated in recital 20. Article 10 of the Data Protection Regulation restricts the processing of personal data relating to criminal convictions and infringements under Article 6 (1) of the Regulation. However, according to Article 2 (2) (d) of the Data Protection Regulation, the Regulation does not apply when personal data are processed by competent authorities, including judicial authorities, for the purpose of criminal liability. In these respects, national provisions enacted under the EU Criminal Data Protection Directive (2016/680), such as the Criminal Data Protection Act (1054/2018), will apply. The processing of personal data also means, inter alia, the transfer of personal data by transfer or dissemination, and the transfer is mainly provided for in section 28 of the Data Protection Act (1050/2018) by referring to the provisions on the activities of public authorities.
publicity. However, according to Article 55 (3) of the Data Protection Regulation or Section 45 (2) of the Data Protection Act in Criminal Matters (1054/2018), the Data Protection Authority does not have the power to supervise the processing of personal data by courts in the exercise of their judicial functions.

The question of whether the disclosure of personal data processed in court falls within the jurisdiction of the Court has been dealt with in Case C-245/20 Autoriteit Persoonsgegevens. According to the judgment of 24 March 2022 (see https://curia.europa.eu), the procedure whereby a court temporarily makes available to journalists procedural documents containing personal data in order to enable them to better understand the course of the proceedings falls within the scope of that court's 'judicial functions'. . On this basis, I consider that the disclosure of a document containing personal data and thus such processing of personal data does not fall within the competence of the Data Protection Authority and I close the case in this respect without my competence.

According to section 34 of the Public Access to Information Act, the fee to be charged relates to the reimbursement of the costs associated with retrieving and issuing the document. According to section 5 of the Decree of the Ministry of Justice (1385/2018), the amount of the fee is affected by a special effort related to the evaluation and removal of confidential items from the extract or copy. Even in the case of a more cumbersome request for documents and the related legal assessment, the obligation to pay arises only after the request has been made and thus the collection and transfer of the fee to the service center does not involve a legal assessment that could be considered as processing personal data. On this basis, I consider that the competence of the DPA to supervise such processing is not limited by the aforementioned Article 55 (3) of the Data Protection Regulation.

Collection of personal identification number in connection with paid Document Requests

The processing of personal identification numbers is regulated in section 29 of the Data Protection Act. According to subsection 2 of the provision, the personal identification number may be processed in the recovery of a claim. The receivable may arise from different deliverables, such as when a fee is charged for a document order in arrears. On the other hand, according to subsection 4, the personal identification number shall not be unnecessarily entered in documents printed or prepared on the basis of the register.

According to the report received in the case, a fee has been charged for the request for documents in question retrospectively, and thus the Supreme Court may invoke section 29 (2) of the Data Protection Act to collect a personal identity number. Nor has it been established that the identity number was unnecessarily printed and entered in the documents drawn up on the basis of the invoicing system.

For this reason, I consider that the Supreme Court has had a basis for processing a personal identity number in accordance with section 29 of the Data Protection Act. The processing of personal data itself can be considered justified under Article 6 (1) (c) of the Data Protection Regulation, ie the processing is necessary to comply with a legal obligation of the controller.

Access to information on submitters and recipients of paid requests for documents

The notifier considered that there was a risk that the court would be asked to provide information on those who had requested and received a copy of the document. The realized risk would be retaliation against the recipients of the document, although according to section 13 of the Public Access to Information Act, the person requesting the information does not have to prove his or her identity. In the notifier's view, the risk could materialize in particular when, in a criminal case, a party requests information on the content of a document pursuant to section 11 of the Public Access to Information Act that may or may have affected the handling of his or her case.

From the point of view of the Data Protection Regulation, this is the principle of purpose limitation referred to in Article 5 (1) (b) of the Regulation. In this case, it is a question of how to protect personal data intended for the collection of a fee against incompatible processing purposes. According to Articles 24 and 25 of the Data Protection Regulation, the assessment of the necessary technical and organizational measures must take into account the varying degrees of probability and severity of the risks to the rights and freedoms of natural persons.

The Supreme Court has identified the risk scenario presented and considers that the risk does not materialize when the parties to a criminal case in such a case are told - without providing personal information about the recipients - that the recipients were natural and legal persons who requested the information. Although the Supreme Court says it does not keep any separate register of who has made requests for documents, the recipients' data has been stored in the above-mentioned billing system maintained by the State Financial and Personnel Administration Service Center for the purpose of collecting the payment.

How effective the Supreme Court's approach can be considered from the point of view of the protection of personal data depends, at least in part, on the application of the Public Access to Information Act to such tax recovery information. Without commenting on the application of the Disclosure Act because the Data Protection Authority does not have the control and supervision of the Disclosure Act, I suggest that the Supreme Court assesses the severity and likelihood of the risk scenario presented, persons, which could increase the likelihood of the risk materializing and, if the risk can be considered high, take measures to reduce or eliminate the risk.

In my view, this is not a question of the log data of section 19 of the Criminal Data Protection Act or of the data subject's right of inspection referred to in section 23. A reference for a preliminary ruling from the Administrative Court of Eastern Finland is pending in the OJEU (C-579/21) as to whether the data subject has a right to information about the persons who processed his or her data on the basis of the information rights of the Regulation (log data).

I ask the Supreme Court to state the probability of the risk scenario presented and
reassessment of severity and possible risk mitigation measures
or to be removed by 15.9.2022.

Appeal and service

An appeal may be brought against the decision of the Data Protection Officer or the Assistant Data Protection Supervisor
by appealing to the administrative court in accordance with the law on administrative proceedings
(808/2019) is laid down. The appeal is made to the administrative court.