Cordery

Legal.Compliance.

European Court Rules That Data Protection Regulator Decisions Must Be Subject To Judicial Review

What’s this about?

The European Court has ruled that decisions taken by a “supervisory authority” (i.e. a regulator, here one dealing with data protection issues), in the context in this matter of the indirect exercise of the data protection rights of an individual, are legally binding and subject to judicial review – a court must be able to verify the grounds and the evidence on which decisions are based,

What’s the legal and factual background?

An individual requested the Belgian National Security Authority to issue the individual, for professional purposes, security clearance. The individual was refused clearance on the basis that the individual had participated in various demonstrations.

The individual then made a request to the Supervisory Body for Police Information (“the Supervisory Body”) to provide the individual with access to all the information concerning the individual so that the individual could exercise their rights within an appropriate time period. The Supervisory Body informed the individual that the individual only had indirect access to the personal data in question and that the Supervisory Body would verify the lawfulness of the processing of his data. This request was made under particular EU data protection rules that are specific to the processing of personal data by official authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. Following verification, as allowed under Belgian law, the Supervisory Body replied to the individual that it had carried out the necessary verifications.

The individual in question then brought legal action before the Brussels First Instance Court, applying for interim relief. However, the court declared that it had no jurisdiction to hear and determine the application for interim relief.

The individual then brought the matter to the Brussels Court of Appeal which made a preliminary reference to the European Court of Justice (the European Court) for an interpretation of EU law, asking the European Court whether EU law requires an EU country to provide for the possibility for an individual to be able to challenge the decision of a supervisory authority where the latter exercises the rights of that individual with regard to the personal data processing at issue.

What did the court rule?

The European Court ruled that:

  • Under the EU data protection rules that are specific to the processing of personal data by official authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the EU Charter of Fundamental Rights;
  • Where the rights of an individual have been exercised, pursuant to the above-mentioned EU data protection rules that are specific to the processing of personal data by official authorities concerning criminal offences and penalties (specifically Article 17), through the competent supervisory authority and that authority informs the individual of the result of the verifications carried out, that individual must have an effective judicial remedy against the decision of that authority to close the verification process.

What are the takeaways?

This ruling is a reminder that legal systems must allow individuals to properly exercise their data protection rights through the courts, including against regulators. Data protection litigation continues to rise and organizations should ensure that they are able to handle cases brought against them.

Resources

We report about data protection and privacy issues here: https://www.corderycompliance.com/category/data-protection-privacy/.

The European Court judgment can be found here: https://curia.europa.eu/juris/document/document.jsf?text=&docid=279747&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=1263784.

For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.

Jonathan Armstrong, Cordery, Lexis House, 30   Farringdon Street, London, EC4A 4HH André Bywater, Cordery, Lexis House, 30             Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784 Office: +44 (0)207 347 2365
Jonathan.armstrong@corderycompliance.com Andre.bywater@corderycompliance.com
 

Photo credit: Court of Justice of the European Union

Contact a Cordery Specialist +44(0)207 118 2700 | Contact Us

Cordery is a trading name of Cordery Compliance Limited. Authorised and regulated by the Solicitors Regulation Authority.
SRA number 608187. Company number 07931532 registered in England and Wales. VAT number: 730859520
Registered office: Lexis House, 30 Farringdon Street, London, EC4A 4HH, United Kingdom

Cordery Compliance Limited trading as Cordery provides some products and services which are not regulated by the Solicitors Regulation Authority; we will clearly state this to you if this is the case.

We use the word “partner” to refer to a shareowner or director of the company, or an employee or consultant who is a lawyer with equivalent standing and qualifications.

Cordery is a registered trademark of RELX (UK) Limited, used under license. The Knowledge Burst logo is a registered trademark of Reed Elsevier Properties Inc., used under license.

Copyright © 2021 Cordery. All rights reserved.