03/07/14

Recent Developments in Data Protection

ECJ Declares Data Retention Directive Invalid

On 8 April 2014, the Court of Justice of the European Union ("ECJ") handed down a judgment on two references for a preliminary ruling from the High Court of Ireland (Case C-594/12) and the Constitutional Court of Austria (Case C-293/12) declaring Directive 2006/24/EC on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks (the "Data Retention Directive") to be invalid. The ECJ held that the Data Retention Directive interfered in an unjustified manner with the fundamental rights to respect for private life and protection of personal data (Articles 7 and 8 of the EU Charter of Fundamental Rights).

The Data Retention Directive sought to harmonise Member States' provisions concerning the retention of specific data (traffic and location data as well as related data necessary to identify the subscriber or user, but not the content of the communication or of information consulted) which are generated or processed by providers of publicly available electronic communications services or of public communications networks, in order to make them available for the purpose of the prevention, investigation, detection and prosecution of serious crime. The Data Retention Directive was implemented in Belgium on 30 July 2013 (see, VBB on Belgian Business Law, Volume 2013, No. 7, p.6-7; and Volume 2013, No. 8, p.11, available at www.vbb.com).

In its judgment, the ECJ first examined the interference with the rights to respect for private life and to the protection of personal data. The ECJ concluded that the Data Retention Directive interferes in a serious manner with these fundamental rights by requiring the retention of the data and by allowing the competent national authorities to access those data. Furthermore, the ECJ considered that the retention and use of the data without informing the subscriber or registered user can give the individuals concerned the feeling that their private lives are the subject of constant surveillance.

The ECJ then examined whether such an interference with the fundamental rights at issue could be justified. On this aspect, the ECJ decided that the retention of data required by the Data Retention Directive is not such as to affect adversely the essence of the fundamental rights in question and that the possible transmission of the data to the competent national authorities genuinely satisfies an objective of general interest, i.e., the fight against serious crime and, ultimately, public security.

However, the ECJ added that by adopting the Data Retention Directive, the EU legislature exceeded the limits imposed by the principle of proportionality. In particular, the ECJ noted that, in view of the important role played by the protection of personal data in the light of the fundamental right to respect for private life and the extent and seriousness of the interference with that right caused by the Data Retention Directive, the EU legislature's discretion is limited.

Therefore, the ECJ held that, although the Data Retention Directive may be considered to be appropriate for attaining the objective pursued by it, the interference is not sufficiently detailed to ensure that it was actually limited to what is strictly necessary.

In particular, the ECJ considered that the Data Retention Directive does not define adequately: (i) the individuals, the means of electronic communication and the data concerned (in particular the Data Retention Directive does not make any differentiation, limitation or exception in the light of the objective of fighting against serious crimes); (ii) the objective criteria for determining the serious crimes which may justify an interference and the criteria as regards the conditions under which the competent national authorities may have access to the data and subsequently use them; and (iii) the objective criteria on the basis of which the data retention period must be determined.

Finally, the ECJ found that the Data Retention Directive does not provide for sufficient safeguards against abuse and unlawful access and use of the data (in particular, the Data Retention Directive does not require that the data be retained within the EU).

Importantly, the judgment delivered by the ECJ does not automatically affect the existence and validity of national legislation that has been adopted implementing the (now) invalid Data Retention Directive. Nevertheless, Belgian courts could take into account the ECJ judgment when applying the relevant rules under Belgian law. Hence, electronic communication service and network providers are likely to face a period of uncertainty about their ongoing obligations.

The European Commission has already stated that it will carefully assess the judgment and its impact. The European Commission is likely to propose amendments to the Data Retention Directive to bring it in line with the ECJ judgment.

ECJ Obliges Search Engine Operators to Delete Personal Data and Implement "Right to be Forgotten"

On 13 May 2014, the Court of Justice of the European Union ("ECJ") handed down a significant judgment regarding the protection of personal data on the Internet. The ECJ gave a preliminary ruling on a question referred to it by the Spanish National High Court. The Spanish court sought to know whether operators of search engines can be required to withdraw specific personal information from their indexes and search results.

The preliminary question had arisen from proceedings brought by Google Spain and Google Inc. against a decision of the Spanish Data Protection Agency (“AEPD”). In its decision, the AEPD had held that operators of search engines, such as Google, can be required to block access to certain data in view of the fundamental right to the protection of personal data of individuals under Data Protection Directive 95/46 (the “Data Protection Directive”). The decision of the AEPD followed a complaint lodged by Mr. Costeja González after he had failed to secure the deletion of two articles published on the website of a Spanish newspaper in 1998 in which reference was made to an auction notice of his repossessed home.

The ECJ first dealt with the question of whether Spanish data protection law must be applied to this case. The processing of data was carried out by Google Search, which is operated by Google Inc., based in the United States. Google Spain is a subsidiary of Google Inc. and has its seat in Spain. The Spanish subsidiary is responsible for promoting and selling online advertising space. When assessing the territorial application of the Data Protection Directive, the ECJ held that the data processing activities and the sale of online advertising space are closely linked with each other. It concluded that the processing of data is executed in the context of the activities of the Spanish subsidiary. Therefore, Spanish and EU data protection law must be applied to the data processing activities of Google under Article 4.1 (a) of the Data Protection Directive.

The ECJ added that operators of search engines qualify as “controllers” that “process” personal data within the meaning of the Data Protection Directive. As a result, the search engine operators are obliged to comply with Article 12(b) or Article 14 (a), first paragraph of the Data Protection Directive. Article 12(b) of the Data Protection Directive gives data subjects the right to request the rectification, the erasure or the blocking of data that do not comply with the Data Protection Directive. In addition, Article 14(a), first paragraph of the Data Protection Directive permits data subjects to object to the processing of their personal data on “compelling legitimate grounds relating to his particular situation”.

Accordingly, search engine operators can be obliged to remove links to personal data from the listed search results. In particular, search engine operators may have to remove links to web pages published by third parties and containing information relating to a person from the list of results displayed following a search made on the basis of a person’s name. The search engine operator must remove these links provided that the conditions under Article 12(b) or Article 14 (a), first paragraph of the Data Protection Directive are satisfied. The ECJ considered that personal data may become incompatible with the Data Protection Directive when the data appear to be inadequate, irrelevant or no longer relevant, even if the data were initially lawfully published on a website of a third party. If this is the case, a person should have the right to request the erasure of the data and of the links to the data from the list of results of the search engine.

The ECJ further noted that this principle might interfere with the right of the general public to have access to specific information. If this is the case, the right to privacy and to the protection of personal data must be balanced, on a case-by-case basis, against the interests of the Internet user and the general public.

Google has already taken steps to bring its search engine in line with the ECJ judgment. It made available an online form which data subjects can fill out to block websites containing personal data that are “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed”. Google will verify the request and assess whether there is no overriding public interest in the information. The online form can be found here.

The Belgian Privacy Commission (Commissie voor de bescherming van de persoonlijke levenssfeer/Commission de la protection de la vie privée) published a list of frequently asked questions on the right to be forgotten. The FAQ explains the scope of the right and gives guidance on how data subjects can exercise their right. The FAQ is available in Dutch and French.

Article 29 Working Party Opinion On Anonymisation Techniques

On 10 April 2014, the Article 29 Data Protection Working Party (the "Working Party"), an independent European advisory body on data protection and privacy comprised of representatives from the national data protection authorities of the EU Member States, the European Data Protection Supervisor and the European Commission, adopted an opinion (the "Opinion") that reviews the effectiveness and limits of existing anonymisation techniques. The Opinion also offers recommendations to handle these anonymisation techniques by taking account of the residual risk of identification inherent in each of them.

The Opinion confirms that there is a growing public interest in the re-use of data. However, open data may only provide benefits for society, individuals and organisations if everybody’s right to the protection of personal data and private life is respected. Anonymisation – which results from processing personal data in order to prevent identification irreversibly – may be a good strategy to keep the benefits of publication while mitigating the risks of identification.

Anonymised data do not fall under the scope of data protection rules, but data subjects may still be entitled to protection under other provisions (such as those protecting confidentiality of communications). In addition, the Opinion points out that the anonymisation process constitutes a further processing of personal data which, as such, must observe the data protection rules.

Case studies and research publications have shown how difficult it is to create a truly anonymous dataset whilst retaining as much of the underlying information as required for the task. Whether a given anonymisation technique can guarantee anonymisation is analysed on the basis of three risk factors:

(i) Singling out, i.e. the possibility to isolate some or all records which identify an individual in the dataset;

(ii) Linkability, i.e. the ability to link at least two records concerning the same data subject or a group of data subjects (either in the same database or in two different databases);

(iii) Inference, i.e. the possibility to deduce, with significant probability, the value of an attribute from the values of a set of other attributes.

The Opinion furthermore classifies the main anonymisation techniques:

(i) Randomisation techniques are techniques that alter the veracity of the data in order to remove the strong link between the data and the individual (e.g. noise addition, permutation and differential privacy);

(ii) Generalisation techniques are techniques that generalise or dilute the attributes of data subjects by modifying the scale or order of magnitude (e.g. aggregation or K-anonymity and L-diversity).

The Working Party also discusses pseudonymisation techniques, i.e. security measures consisting of replacing one attribute in a record by another (e.g. hashing and tokenisation). Since the natural person can still be identified indirectly, pseudonymisation will not result in an anonymous dataset.

The Working Party concludes that each anonymisation technique has its advantages and disadvantages, and provides that careful engineering on a case-by-case basis may result in a solution meeting the three criteria, which would be robust against identification performed by the most likely and reasonable means the data controller or any third party may employ. Data controllers must therefore adapt the application of an individual technique to the specific situation and apply a combination of those techniques as a way to enhance the robustness of the outcome, while taking into account the practical recommendations developed in the Opinion.
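The following added example (not taken from the Opinion or from this newsletter) measures a small constructed dataset against two of the three risk factors, singling out and inference, after hashing the identifier and after generalisation. The records, the choice of age and postcode as quasi-identifiers, and all function names are assumptions made for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample records: (name, age, postcode, diagnosis).
RAW = [
    ("Alice", 34, "1050", "asthma"),
    ("Bob",   36, "1040", "diabetes"),
    ("Carol", 38, "1030", "asthma"),
    ("Dan",   52, "2018", "flu"),
    ("Eve",   55, "2060", "flu"),
    ("Frank", 58, "2000", "flu"),
]

def pseudonymise(rec):
    """Replace the direct identifier with a hash; other attributes are untouched.
    The same name always yields the same token, so records stay linkable."""
    name, age, postcode, diagnosis = rec
    token = hashlib.sha256(name.encode()).hexdigest()[:12]
    return (token, age, postcode, diagnosis)

def generalise(rec):
    """Drop the identifier, coarsen age to a decade band and postcode to two digits."""
    _, age, postcode, diagnosis = rec
    low = age // 10 * 10
    return (None, f"{low}-{low + 9}", postcode[:2] + "**", diagnosis)

def classes(records):
    """Group sensitive values by quasi-identifier combination (age, postcode)."""
    groups = defaultdict(list)
    for _, age, postcode, diagnosis in records:
        groups[(age, postcode)].append(diagnosis)
    return groups

def k_anonymity(records):
    """Smallest group size; k == 1 means at least one record can be singled out."""
    return min(len(v) for v in classes(records).values())

def l_diversity(records):
    """Fewest distinct sensitive values in any group; l == 1 permits inference."""
    return min(len(set(v)) for v in classes(records).values())

def report(records):
    """Return both measures for one version of the dataset."""
    return {"k": k_anonymity(records), "l": l_diversity(records)}

if __name__ == "__main__":
    print("raw           ", report(RAW))
    print("pseudonymised ", report([pseudonymise(r) for r in RAW]))
    print("generalised   ", report([generalise(r) for r in RAW]))
```

Hashing the name leaves k at 1, so every record can still be singled out through its remaining attributes. Generalisation raises k to 3, but the second group still has l equal to 1, so its diagnosis can be inferred.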

The full text of the Opinion can be consulted here.

Article 29 Working Party Opinion On Legitimate Interests Of Data Controller

On 9 April 2014, the Article 29 Data Protection Working Party (the “Working Party”), an independent European advisory body on data protection and privacy comprised of representatives from the national data protection authorities of the EU Member States, the European Data Protection Supervisor and the European Commission, adopted an opinion (the "Opinion") analysing the criteria set down in Article 7(f) of Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the "Data Protection Directive"). Given the lack of harmonised interpretation of this provision throughout the EU and as work towards a new general Data Protection Regulation continues (the “proposed Regulation” - See, VBB on Belgian Business Law, Volume 2013, No. 2, p. 11, available at www.vbbb.com), the Working Party committed to draft this Opinion.

Article 7(f) of the Data Protection Directive is the last of six grounds for the lawful processing of personal data. It permits the processing of personal data based on the balancing of the interests involved. In particular, the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, must outweigh the interests or fundamental rights and freedoms of the data subject.

The Opinion stresses the autonomous significance and usefulness of the Article 7(f) criterion. It should not be treated as ‘a last resort’ for rare or unexpected situations where other grounds for legitimate processing are deemed not to apply. On the other hand, it should also not be seen as a preferred option and its use must not unduly be extended because it would be considered as less constraining than the other grounds.

The Opinion indicates that a proper Article 7(f) assessment is not a straightforward balancing test, but requires full consideration of a number of factors in order to ensure that the interests and fundamental rights of data subjects are taken into account.

As a result, factors that need to be considered when carrying out the balancing test include:

(i) Weighing controller's legitimate interest

First, the controller must pursue a legitimate interest by processing the personal data. The Opinion defines an interest as the broader stake that a controller may have in the processing, or the benefit that it derives – or that society might derive – from the processing. The nature and source of the interest may vary, including whether the data processing is necessary for the exercise of a fundamental right, or is otherwise in the public interest or benefits from social, cultural or legal/regulatory recognition in the community concerned. In order to be relevant under Article 7(f), a legitimate interest must further (i) be lawful, i.e. in accordance with applicable EU and national law; (ii) be sufficiently clearly articulated to allow the balancing test to be carried out; and (iii) represent a real and present interest, i.e. not be speculative.

(ii) Weighing data subjects' interest

Second, the other side of the balance, the impact of the processing on the interests or fundamental rights of the data subject, is a crucial criterion. This notion of the data subjects’ ‘interests’ is defined even more broadly as it does not require a ‘legitimacy’ element. All categories of interests are taken into account as long as they are relevant to the Data Protection Directive. The Opinion indicates that both positive and negative consequences of the data processing should be considered. These may include situations where there is a risk of damaging the reputation, negotiating power, or autonomy of the data subject, but also broader, emotional consequences. The following factors have to play a role: (i) the nature of the data; (ii) the way data are being processed; (iii) the reasonable expectations of the data subject; and (iv) the status of the data controller and data subject, including the balance of power between them.

Finally, based on an analysis and weighing of the two sides against each other, a provisional ‘balance’ may be established. If the outcome is unclear, additional safeguards may be considered to ensure a fair balance, such as data minimisation; privacy-enhancing technologies; increased transparency; general and unconditional right to opt-out; and data portability.

For the future, the Working Party recommends implementing a recital to the proposed Regulation on the key factors to consider when applying the balancing test, as well as a recital requiring the controller, when appropriate, to document its assessment in the interests of greater accountability. Finally, the Working Party also supports including a substantive provision for controllers to explain why they believe their interests would not be overridden by the data subjects’ interests, fundamental rights and freedoms.

The full text of the Opinion can be consulted here.
