Thursday, 18 November 2010

EU law invalid for interfering unjustifiably with privacy & data protection rights

An EU law requiring online publication of personal data (names of recipients of certain agricultural funds, plus amounts received) was declared invalid by the European Court of Justice. The court found that it unjustifiably interfered with privacy or data protection rights under the European Convention on Human Rights / EU Charter of Fundamental Rights, because it required blanket publication of all recipients' names/amounts however much (or little) they received, however often, whatever the period or type of aid, etc.

This case is interesting because it underlines the possibility that other EU laws could be vulnerable to being struck down by the ECJ for undue interference with privacy rights, should a national court be persuaded to refer the matter to the ECJ. Data Retention Directive, anyone…?

(The Lisbon Treaty does make it easier for individuals and organisations to complain direct to the ECJ about certain limited EU acts, but we don't know how that'll work out in practice yet.)

The EU must act consistently with the Charter, including when making the laws it passes. However, the Charter's impact on national laws is more limited. It only applies to member states when they're implementing EU law.

What's more, the UK and Poland weren't happy with the Charter and insisted on Protocol 30 to the Lisbon Treaty to try to ensure that the Charter won't create new legal rights in the UK or Poland, and won't extend the ability of the ECJ or national courts to invalidate UK or Polish laws / regulations etc as inconsistent with the Charter's fundamental rights. This "opt-out" has been called disgraceful, but it may not be clear yet what the exact legal effect of the Protocol is.

Interestingly, in their recent successful application to have the Digital Economy Act judicially reviewed, ISPs BT and TalkTalk put forward, as one basis in their statement of facts and grounds, the disproportionate impact of the Act on rights under the Charter as well as the Convention on Human Rights, and reports are that the judge will allow the review to consider fully all 4 of the grounds put forward - probably in Q1 2011. (ZDNet's reference to the judge waiting for the European Data Protection Supervisor's opinion seems mistaken, incidentally, as his opinion on ACTA and 3 strikes came out a while back, in June 2010.)

Anyway, here in the UK it seems people's personal data can get published online on government websites without their consent or indeed knowledge, even when there's no law stipulating publication! (Hellooo New Forest District Council…)

Details

The court noted that -

  1. The EU Charter of Fundamental Rights (Wikipedia entry, another explanation, full text) has the same legal importance in the EU as the EU Treaties (since December 2009, when the Lisbon Treaty (Wikipedia entry) came into force).
  2. The validity of the EU Regulation provisions in question here must therefore be evaluated in the light of the Charter, including -
    • data protection - article 8(1) - ‘Everyone has the right to the protection of personal data concerning him or her’, including that personal data ‘must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law’, and
    • privacy - article 7 - 'Everyone has the right to respect for his or her private and family life, home and communications.'
    • (Note - the ECJ has said the Data Protection Directive should be interpreted in the light of fundamental rights under the European Convention on Human Rights anyway, including article 8's right to respect for private life - see Rundfunk)
  3. However, those rights aren't absolute, depending on their function in society, and may be subject to limitations provided for by law which respect the essence of those rights and freedoms and, subject to the principle of proportionality, are necessary and genuinely meet objectives of general interest recognised by the European Union or the need to protect the rights and freedoms of others.
  4. Where rights under the Charter correspond to rights guaranteed by the European Convention on Human Rights, then their meaning and scope should be the same as those under the Convention (article 52(3)), and anyway the Charter doesn't restrict or adversely affect rights recognised by the Convention (article 53).
  5. This means the case law of the ECHR is relevant when considering rights under the Charter, and indeed generally - notably the ECHR cases on respect for private life and protection of personal data. (Note - nothing new here, in that the ECJ generally considers the ECHR anyway where appropriate.)
  6. "In those circumstances, it must be considered that the right to respect for private life with regard to the processing of personal data, recognised by Articles 7 and 8 of the Charter, concerns any information relating to an identified or identifiable individual (see, in particular, European Court of Human Rights, Amann v. Switzerland [GC], no. 27798/95, § 65, ECHR 2000‑II, and Rotaru v. Romania [GC], no. 28341/95, § 43, ECHR 2000‑V) and the limitations which may lawfully be imposed on the right to the protection of personal data correspond to those tolerated in relation to Article 8 of the Convention."

In this case, the Regulation in question (1290/2005 on the financing of the common agricultural policy) required information to be published online regarding recipients of aid from certain EU agricultural funds - and publication of someone's name and income is an interference with their privacy, so even if the underlying laudable aim was transparency as to the use of public funds, the publication requirement still had to be legal, proportionate, necessary etc.

The law here (articles 44 and 42(8b) to be precise) wasn't valid as it required indiscriminate publication of all those details "without drawing a distinction based on relevant criteria such as the periods during which those persons have received such aid, the frequency of such aid or the nature and amount thereof." The court did say, to stem the possible flood of lawsuits no doubt, that no one could sue for past publication of those details. Going forward, obviously they can't be published in the same way.

There were other Data Protection Directive issues in the case but I won't cover them here.

Aside - the referring German court here actually tried to get the ECJ to rule on the validity of the Data Retention Directive, and on whether the Data Protection Directive prevents websites from storing the IP addresses of visitors without their express consent.

Sadly for those of us interested in these issues, the ECJ said, rightly, that those questions weren't relevant to this case, which was referred to them following lawsuits by fund recipients whose personal data had been published on a website (not by visitors to that site whose IP address had been recorded).

Case - Volker und Markus Schecke GbR (C-92/09), Hartmut Eifert (C-93/09), 9 Nov 2010.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.