What’s this about?
The European Court has ruled that decisions taken by a “supervisory authority” (i.e. a regulator, here one dealing with data protection issues), in the context in this matter of the indirect exercise of the data protection rights of an individual, are legally binding and subject to judicial review – a court must be able to verify the grounds and the evidence on which decisions are based,
What’s the legal and factual background?
An individual requested the Belgian National Security Authority to issue the individual, for professional purposes, security clearance. The individual was refused clearance on the basis that the individual had participated in various demonstrations.
The individual then made a request to the Supervisory Body for Police Information (“the Supervisory Body”) to provide the individual with access to all the information concerning the individual so that the individual could exercise their rights within an appropriate time period. The Supervisory Body informed the individual that the individual only had indirect access to the personal data in question and that the Supervisory Body would verify the lawfulness of the processing of his data. This request was made under particular EU data protection rules that are specific to the processing of personal data by official authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. Following verification, as allowed under Belgian law, the Supervisory Body replied to the individual that it had carried out the necessary verifications.
The individual in question then brought legal action before the Brussels First Instance Court, applying for interim relief. However, the court declared that it had no jurisdiction to hear and determine the application for interim relief.
The individual then brought the matter to the Brussels Court of Appeal which made a preliminary reference to the European Court of Justice (the European Court) for an interpretation of EU law, asking the European Court whether EU law requires an EU country to provide for the possibility for an individual to be able to challenge the decision of a supervisory authority where the latter exercises the rights of that individual with regard to the personal data processing at issue.
What did the court rule?
The European Court ruled that:
- Under the EU data protection rules that are specific to the processing of personal data by official authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the EU Charter of Fundamental Rights;
- Where the rights of an individual have been exercised, pursuant to the above-mentioned EU data protection rules that are specific to the processing of personal data by official authorities concerning criminal offences and penalties (specifically Article 17), through the competent supervisory authority and that authority informs the individual of the result of the verifications carried out, that individual must have an effective judicial remedy against the decision of that authority to close the verification process.
What are the takeaways?
This ruling is a reminder that legal systems must allow individuals to properly exercise their data protection rights through the courts, including against regulators. Data protection litigation continues to rise and organizations should ensure that they are able to handle cases brought against them.
We report about data protection and privacy issues here: https://www.corderycompliance.com/category/data-protection-privacy/.
The European Court judgment can be found here: https://curia.europa.eu/juris/document/document.jsf?text=&docid=279747&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=1263784.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
|Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH||André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH|
|Office: +44 (0)207 075 1784||Office: +44 (0)207 347 2365|
Photo credit: Court of Justice of the European Union