GDPR Articles With Commentary & EU Case Laws - Adv. Prashant Mali (bill gates book recommendations .TXT) 📗
- Author: Adv. Prashant Mali
Book online «GDPR Articles With Commentary & EU Case Laws - Adv. Prashant Mali (bill gates book recommendations .TXT) 📗». Author Adv. Prashant Mali
The concern that data may be centrally stored and used for other purposes (e.g. criminal investigation or monitor the person indirectly) does not affect the validity of the Regulation, which provides only for preventing illegal entry into EU.
C-293/12 AND C-594-12, DIGITAL RIGHTS IRELAND LTD V. IRELAND, 8.4.2014 (“DRI”)
Reference for a preliminary ruling from the High Court (Ireland) and the Verfassungsgerichtshof (Austria). Digital Rights Ireland brought an action in High Court claiming that it owned a mobile phone which it used since 2006, challenging national measures requiring retention of data relating to electronic communications and asking the court to declare the invalidity of Directive 2006/24, which requires telephone communications service providers to retain traffic and location data for a period specified by national law to prevent, detect, investigate and prosecute crime and safeguard security.. This data that which is necessary to trace and identify the source of a communication and its destination, the date, time, duration and type of a communication, users’ communication equipment, and location of mobile equipment including name and address of subscriber, calling telephone number, number called and IP address for internet users.
The directive does not permit the retention of content, but it might have an effect on the use of the means of communication and consequently on the exercise of freedom
of expression guaranteed by Article 11 CFR. It also directly affects private life (guaranteed by Article 7 CFR) and constitutes processing of personal data (therefore falls under Article 8 CFR).
Articles 7 and 8 CFR: The obligation on providers of publicly available electronic communications services or public communications networks to retain data relating to a person’s private life and his communications in itself constitutes an interference with Article 7. Access of competent national authorities to the data constitutes a further interference with that right. The Directive constitutes an interference with Article 8 because it provides for processing of personal data. These interferences with Articles 7 and 8 are wide-ranging and particularly serious. The fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the minds of users the feeling that their private lives are the subject of constant surveillance.
Any limitation on the exercise of rights and freedoms laid down by CFR must be provided by law, respect their essence and, subject to the principle of proportionality, limitations may be made to those rights and freedoms only if they are necessary and genuinely meet the objectives of general interest recognized by the EU or the need to protect the rights and freedoms of others. Even though retention constitutes a particularly serious interference with the right to privacy, it is not such as to adversely affect the essence of those rights given that the Directive does not permit the acquisition of knowledge of the content of the electronic communications. Nor does it adversely affect the essence of the right to protection of personal data because certain principles of data protection and data security must be respected by providers of publicly available electronic communications services or public communications networks, in order to ensure appropriate technical and organizational measures are adopted against accidental or unlawful destruction, accidental loss or alteration of the data.
Directive 2006/24: The material objective of the Directive is of general interest – to ensure that data are available for the purpose of the investigation, detection and prosecution of serious crime, and therefore to public security, and international terrorism. (Article 6 CFR lays down the right of any person to liberty and security.) Data relating to use of electronic communications are particularly important and a valuable tool in prevention of offences and the fight against crime.
Necessity/proportionality: The principle of proportionality requires that acts of EU institutions be appropriate for attaining the legitimate objectives pursued by the legislation and do not exceed the limits of what is appropriate and necessary to achieve those objectives. Here, given the important role played by data protection in light of the fundamental right of privacy, and the extent and seriousness of the interference, the EU legislature’s discretion is reduced, thus the review of that discretion should be strict. Retention of data is an appropriate tool for the objective pursued.
The fight against serious crime and terrorism is of the utmost importance to ensure public security and its effectiveness may depend on the use of modern investigation techniques. But this does not, in itself, justify the necessity of the retention measure. Derogations and limitations in relation to data protection must apply only insofar as strictly necessary. Here, the legislation must lay down clear and precise rules governing the scope and application of the measures in question and imposing minimum safeguards so that the persons whose data have been retained have sufficient guarantees effectively to protect their personal data against the risk of abuse, and unlawful access and use of the data. The need for safeguards is all the greater where personal data are subjected to automatic processing and there is significant risk of unlawful access to the data. Further, the Directive requires retention of all traffic data concerning fixed telephony, mobile telephony, internet access, internet e-mail and internet telephony – i.e. all means of electronic communication, the use of which is very widespread and of growing importance in people’s everyday lives. This covers all subscribers and registered users, and therefore entails an interference with the fundamental rights of practically the entire European population, without a need for a link to crime.
Lawfulness: The Directive fails to lay down objective criteria by which to determine the limits of access of competent national authorities to the data and its use, nor substantive and procedural conditions relating to access by competent national authorities and to their subsequent use. It does not lay down objective criteria to limit the number of persons authorized to have access and use to what is strictly necessary, and it is not made dependent on prior review carried out by a court or independent administrative body whose decision seeks to limit access to the data and their use to what is strictly necessary for the purpose of obtaining the objective pursued.
Retention: The Directive establishes a retention period of a minimum of 6 months and a maximum of 24 months, but it is not stated that determination of this period must be based on objective criteria to ensure that it is limited to what is strictly necessary
Security: The Directive does not provide for sufficient safeguards to ensure effective protection of the data retained against risk of abuse and unlawful access. It does not lay down rules adapted to the vast quantity of data whose retention is required, the sensitive nature of that data, and the risk of unlawful access, nor is there a specific obligation set on Member States to establish such rules. Rather, it permits providers to have regard to economic considerations when determining the level of security.
Supervision: The Directive does not require that the data be retained within the EU, with the result that it cannot be held that the control by an independent authority of compliance with the requirements of data protection and security is fully guaranteed. This is an essential component of protection of individuals with regard to the processing of personal data.)
Necessity/proportionality: Accordingly, the EU legislature exceeded limits imposed by compliance with principle of proportionality in light of Articles 7, 8 and 52(1) CFR.
C-342-12, WORTEN-EQUIPAMENTOS PARA O LAR SA V. ACT (AUTHORITY FOR WORKING CONDITIONS), 30.5.2013 (“WORTEN”)
Reference for a preliminary ruling from Tribunal do Trabalho de Viseu (Portugal). Worten (a private company in Portugal) adopted a system of restricted access to working hour records of staff, which did not allow ACT to have automatic access. ACT considered this a serious offence of national law on workers and imposed a fine.
Questions submitted: (1) Whether the record of working time for each worker is covered by the concept of personal data under Article 2 of Directive 95/46; (2) If so, whether the Portugese state is obliged to provide appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network; (3) When the Member State does not adopt any such measure, and the employer as controller does not allow automatic access by the national authority responsible for monitoring working conditions, whether the principle of the primacy of European law is to be interpreted to mean that the Member State cannot penalize the employer for that action?
Personal data definition: Data contained in a record of working time concerning, in relation to each worker, the daily work periods and rest periods, constitute personal data because they represent “information relating to an identified or identifiable natural person.
Security: Article 17(1) requires controllers (not Member States) to adopt technical and organizational measures which, having regard to the state of the art and cost of their implementation, are to ensure a level of security appropriate to the risks represented. The obligation under national law to provide the national authority responsible for monitoring working conditions with immediate access to the record of working time does not imply the data must be made accessible to persons not authorised for that purpose (as Worten claimed). Rather, Worten must ensure that only those persons duly authorised to access the personal data in question are entitled to respond to a request for access from a third party. Thus, Article 17(1) is not relevant here.
Necessity/proportionality: The referring court must verify that the personal data contained in the record of working time are collected in order to ensure compliance with the national legislation relating to working conditions, that the processing of those data is necessary for compliance with a legal obligation to which Worten is subject and the performance of the monitoring task entrusted to the national authority responsible for monitoring working conditions. Only the grant of access to authorities having powers of monitoring could be considered to be necessary within
the meaning of Article 7(e). Further, the obligation to provide immediate access to the record could be necessary if it contributes to the more effective application of the legislation relating to working conditions. It is for referring court to decide whether this requirement is necessary.
Proportionality: Penalties must respect the principle of proportionality.
C-473/12, IPI V. ENGLEBERT (“ENGLEBERT”)
Reference for a preliminary ruling by the Belgian constitutional court. The applicant is responsible for ensuring compliance with conditions of access to and proper practice of the profession of estate agent. It asked the Charleroi commercial court to declare that defendants had violated applicable rules and should cease various estate agency activities, based on facts gathered by private detectives. The question arose whether the private detectives had acted in breach of national data protection provisions, because they had not informed defendants before collecting their data (Article 10 of Directive 95/46), or third parties at the time of collection of the data (Article 11 of Directive 95/46).
Questions referred: (1) Whether Article 13(1)(g) leaves the Member States free to choose whether to provide for an exception to the immediate obligation to inform set out in Article 11(1) if this is necessary in order to protect the rights and freedoms of others, or are the Member States subject to restrictions in this matter; (2) Whether the professional activities of private detectives, governed by national law and exercised in the service of authorities authorized to report to judicial authorities any infringement of the provisions protecting a professional title and organizing a profession, comes within the exception in Article 13(1)(d) and (g); (3) Whether that Article is compatible with Article 6(3) TEU, the principle of equality and non- discrimination.
Definition of personal data: Data collected by private detectives relating to persons acting
Comments (0)