CJEU: CCTV camera in family home falls under the Data protection directive, but it is in principle lawful

CJEU gave its decision today in Case C-212/13 František Ryneš – under the preliminary ruling procedure. The press release is available here and the decision here.

Facts

A person who broke the window of the applicant’s home and was identified by the police with the help of the applicant’s CCTV camera complained that the footage was in breach of data protection law, as he did not give consent for that processing operation. The Data Protection Authority fined the applicant, and the applicant challenged the DPA’s decision before an administrative court. The administrative court sent a question for a preliminary ruling to the CJEU.

Video image is personal data

First, the Court established that “the image of a person recorded by a camera constitutes personal data because it makes it possible to identify the person concerned” (para. 22).

In addition, video surveillance involving the recording and storage of personal data falls within the scope of the Directive, since it constitutes automatic data processing.

Household exception must be “narrowly construed”

According to the Court, as far as the provisions of the Data protection directive govern the processing of personal data liable to infringe fundamental freedoms, they “must necessarily be interpreted in the light of the fundamental rights set out in the Charter (see Google Spain and Google, EU:C:2014:317, paragraph 68)”, and “the exception provided for in the second indent of Article 3(2) of that directive must be narrowly construed” (para. 29).

In this sense, the Court emphasized the use of the word “purely” in the legal provision for describing the personal or household activity under this exception (para. 30).

Such processing operation is most likely lawful

In one of the last paragraphs of the decision, the Court clarifies that “the application of Directive 95/46 makes it possible, where appropriate, to take into account — in accordance, in particular, with Articles 7(f), 11(2), and 13(1)(d) and (g) of that directive — legitimate interests pursued by the controller, such as the protection of the property, health and life of his family and himself, as in the case in the main proceedings” (para. 34).

This practically means that, even if the household exception does not apply in this case, and the processing operation must comply with the requirements of the Data protection directive, these requirements imply that a CCTV camera recording activity such as the one in the proceedings is lawful.

NB: The Court used a non-typical terminology in this decision – “the right to privacy” (para. 29)

What Happens in the Cloud Stays in the Cloud, or Why the Cloud’s Architecture Should Be Transformed in ‘Virtual Territorial Scope’

This is the paper I presented at the Harvard Institute for Global Law and Policy 5th Conference, on June 3-4, 2013. I decided to make it available open access on SSRN. I hope you will enjoy it and I will be very pleased if any of the readers would provide comments and ideas. The main argument of the paper is that we need global solutions for regulating cloud computing. It begins with a theoretical overview on global governance, internet governance and territorial scope of laws, and it ends with three probable solutions for global rules envisaging the cloud. Among them, I propose the creation of a “Lex Nubia” (those of you who know Latin will know why ;) ).  My main concern, of course, is related to privacy and data protection in the cloud, but that is not the sole concern I deal with in the paper.

Abstract:

The most commonly used adjective for cloud computing is “ubiquitous”. This characteristic poses great challenges for law, which might find itself in the need to revise its fundamentals. Regulating a “model” of “ubiquitous network access” which relates to “a shared pool of computing resources” (the NIST definition of cloud computing) is perhaps the most challenging task for regulators worldwide since the appearance of the computer, both procedurally and substantially. Procedurally, because it significantly challenges concepts such as “territorial scope of the law” – what need is there for a territorial scope of a law when regulating a structure which is designed to be “abstracted”, in the sense that nobody knows “where things physically reside”? Substantially, because the legal implications in connection with cloud computing services are complex and cannot be encompassed by one single branch of law, such as data protection law or competition law. This paper contextualizes the idea of a global legal regime for providing cloud computing services, on one hand by referring to the wider context of global governance and, on the other hand, by pointing out several solutions for such a regime to emerge.

You can download the full text of the paper following this link: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2409006

How the ECHR defended the freedom of speech of a whistleblower who warned of illegitimate wiretapping by a secret service

It took the European Court of Human Rights 11 years to give its judgment in the case of Bucur and Toma v. Romania, the case of a whistleblower from the Romanian Intelligence Service (SRI) who warned the public in 1996 about the arbitrary wiretapping of journalists and other people by the service (Bucur) and one of the wiretapped journalists and his daughter (Toma and Toma).

The facts of the case have certain similarities to the “Snowden revelations” situation, in that it involves a whistleblower from a secret service which has powers in the field of national security, who warned the public that the service was arbitrarily interfering with the private life (especially, but not only) of journalists, businessmen and politicians, by wiretapping their phones. The decision of the ECHR is interesting because it is dual: it analyzes the situation of the whistleblower, as well as the situation of two individuals who were arbitrarily wiretapped.

ECHR gave its judgment on January 8, 2013, while the request was sent in 2002 (No. 40238/02). It found that, by sentencing Mr. Bucur to 2 years of imprisonment for his revelations for breaching the national security law, Romania had breached Article 10 – freedom of expression, of the European Convention of Human Rights. In addition, the Court found that by allowing the arbitrary wiretapping of Mr. Toma and his daughter, according to Mr. Bucur’s revelations, Romania had breached Article 8 – the right to private life, of the Convention.

Following the decision of the Court, Mr. Bucur received 20.000 EUR as a compensation for moral damages, and Mr. Toma and his daughter each received 7.800 EUR.

What did Mr. Bucur’s revelations say?

Mr. Bucur was an employee of SRI, responsible for monitoring and recording the wiretapped telephone communication of persons listed on a certain registry.

Within the framework of his activity, Mr. Bucur observed several irregularities: pencil was used to write in all the sections of the registry, a registry which was not complete; the real names of the wiretapped persons did not appear in the registry, nor the number of the order to wiretap issued by the prosecutor, the location of the wiretapped telephone, and the purposes of the wiretapping (para. 8). He also observed that the name in the registry did not always indicate the actual owner of the telephone (para. 8). “Furthermore, a considerable number of journalists, politicians and businessmen were wiretapped, especially with regard to resounding stories published by the press” (para. 8 – my translation).

Mr. Bucur took the issue to the head of the department, who reprimanded him: “(the head of the department) had advised him to give up his allegations and reminded him he had other problems and had children to raise, and he reportedly said: <<it is not us who will change how things are>>” (para. 9 – my translation).

Mr. Bucur further took the issue to a member of the Parliamentary Commission of the Control of SRI, who advised him that the best and quickest means to inform the public with regard to these issues is to hold a press conference (para. 10), which Mr. Bucur did on 13 May 1996.

Justification of his actions

According to the Court, he justified his actions by his wish to have Romanian laws complied with, and especially the Constitution. He mentioned that the disclosed information was not state secret, but the proof that SRI was involved in activities of political police, by order of the service’s chief, during a year of parliamentary and presidential elections. He also said that the beneficiaries of the arbitrary wiretapping were only the governing political party, and other political parties for their internal affairs. (para. 10).

Who is Mr. Bucur?

Unlike Mr. Snowden, Mr. Bucur had considerable experience for working in a secret service and surveilling people. He was 44 years old at the time of the revelations. Before working for SRI, he was an employee of the former Securitate forces under the Communist regime of Nicolae Ceauşescu, which was replaced in 1989 by a democratic regime after the Revolution.

In a 2009 interview for the French newspaper L’Express, he admitted that he decided to give this information to the public because he felt that the surveillance in 1995 Romania was even more arbitrary than what happened during the Communist regime: “In 1995 I woke up when I saw the name of many journalists, working for the daily newspapers “Ziua”, “Evenimentul Zilei”, on the list of persons whose conversations were listened to. In 1989, when I was listening to a sportsman, I had to ask for 5 authorizations, I had to make tons of administrative paperwork… In 1995, there was no more such an official aspect (of surveilling – my note): they would give me a piece of paper with the name of the person written with a pencil”.

What did the Court say with regard to Mr. Bucur’s freedom of expression?

The Decision of the Court is ample – having 182 paragraphs, and it is only available in French and Romanian. I will only point out a few highlights.

-> In deciding whether the interference with Mr. Bucur’s right to freedom of expression was necessary in a democratic society, the Court applied the criteria with regard to public servant whistleblowers, developed in its Guja v. Moldova case (No. 14277, from February 12, 2008, paras. 70-78). The criteria are (NB: this is my translation, not an official one):

a) whether the applicant had other means to make the revelations

b) whether the information revealed was in the public interest

c) whether the information revealed is authentic

d) whether the information revealed caused “considerable damage” to the institution

e) whether the whistleblower acted with good faith

f) whether the sanction brought by the state against the whistleblower was severe

-> The Court found, regarding the public interest of the revelations, that: “the information revealed by the applicant is undoubtedly of public interest. The interception of telephone communications is particularly important in a society which has experienced during the communist regime a close surveilling by the secret services. This [the public interest – n.] is also proven by the fact that the press conference of 13 May 1996 was the subject of extensive media coverage, as evidenced by the documents filed by both the applicant and the Government. In addition, civil society was directly affected by the information disclosed, as anyone could have their telephone calls intercepted”. (para 101, my translation).

-> The Court, on the damage brought to the institution, balanced against the public interest: “the Court considers that the public interest in the disclosure of unlawful acts within the activity of SRI is so important in a democratic society that it outweighs the interest to maintain the trust of the public in this institution. The Court recalls in this regard that the free debate on issues of public interest is essential in a democratic state and it is important not to discourage citizens to decide on such issues (Barfod c. Denmark, 22 February 1989 § 29, Series A No. 149)” (para. 115, my translation).

-> Conclusion of the Court: “Recognizing the importance of the right to freedom of expression on matters of public interest, the right of civil servants and other employees to signal unlawful conducts and actions observed within their working place, the duties and responsibility of employees owed to their employers and the right of the latter to manage their staff, the Court, after weighing in the other interests involved, concludes that the interference with the right to freedom of expression of the applicant, in particular his right to communicate information, is not “necessary in a democratic society”. Accordingly, there has been a violation of Article 10 of the Convention” (para 120, my translation).

What did the Court say with regard to the right to private life of the wiretapped journalist and his daughter?

The Court only declared admissible the request of Mr. and Ms. Toma with regard to the storage of the files containing recorded telephone conversations (tapes) by SRI, and not the request regarding the wiretapping itself, which was found to have been filed too late, outside the 6 months term required by the Convention.

The Court recalled that “the telephonic communications are comprised in the notions of <<private life>> and <<correspondence>> as enshrined in Article 8(1) of the Convention, their interception, their storage in a secret file, and the communication of data related to the private life of an individual amount to an <<interference of a public authority>> in the exercise of the right guaranteed by Article 8 (see, among others, Dumitru Popescu v. Romania (No. 2), para. 61). For such an interference not to breach Article 8, it should be afforded by law, pursue a legitimate aim in accordance with Article 8(2) and, in addition, it must be necessary in a democratic society to achieve this aim” (para. 162 – my translation).

Among other things, the Court found that although SRI had some procedures regarding the time when a wiretapped conversation will be destroyed when it no longer serves a purpose, the procedures allowed a substantial risk that the conversations would not be destroyed and, thus, could be easily accessible at a later time (para. 164, as synthesized by right2info.org).

The Court considered that the applicants did not enjoy “a sufficient degree of protection against arbitrariness, as requested by Article 8 of the Convention” (para. 165 – my translation).

ECHR: an article about a wedding is not exclusively private

The European Court of Human Rights in Strasbourg decided on Thursday (16 January) that publishing photos from the wedding of two celebrities in a magazine without their consent, as long as the photos were not taken at the ceremony per se, but outside of the ceremony location, is not a violation of the right to private life as it is enshrined in Article 8 of the European Convention of Human Rights.

The Court decided in its Lillo Stenberg and SÆTHER v. Norway decision (Application no. 13258/09) that “a wedding has a public side” (para. 37), hence “the publication of an article about a wedding cannot itself relate exclusively to details of a person’s private life and have the sole aim of satisfying public curiosity in that respect (see, Von Hannover (no. 2), § 110). It (the Court – n.n.) therefore considers that there was an element of general interest in the article about the applicants’ wedding” (para. 37).

In this regard, the Court entirely admitted the argument of the Supreme Court of Norway, which stated in a decision concerning the facts of the case that “a wedding is a very personal act. At the same time it also has a public side. A wedding is a public affirmation that two persons intend to live together, and has legal consequences in many different sectors of society. Thus information about a wedding does not in itself involve a violation of privacy if it is given in a natural form and based on a reliable source” (see para. 37 of the ECHR Decision).

According to the facts of the case, the first applicant is a musician and the second applicant is an actress. They are both known to the public in Norway. On 20 August 2005, the applicants married in a private ceremony which took place outdoors on an islet in the municipality of Tjøme in the Oslo fjord, approximately 100 km south of the capital. The weekly magazine Se og Hør published a two-page article about the wedding, accompanied by six photographs. The photographs were taken without the consent of the applicants and outside of the premises of the wedding.

Highlights of the judgment

A. Criteria to assess the balance between freedom of expression and the right to private life

The Court reiterated the specific criteria it uses to assess which right prevails in a certain situation – freedom of expression or the right to private life:

“(i) contribution to a debate of general interest

(ii) how well known is the person concerned and what is the subject of the report?

(iii) prior conduct of the person concerned

(iv) method of obtaining the information and its veracity/circumstances in which the photographs were taken

(v) content, form and consequences of the publication.”

(see para. 34 of the current case, Von Hannover (no. 2), paras. 109‑113, and Axel Springer AG, paras. 89-95).

B. Interference with dignity to weigh in between freedom of expression and private life?

Without clearly indicating in the wording of the judgment that it rallies with the point of view of the Norwegian Supreme Court, ECHR pointed out one of the arguments used by the Supreme Court which indicates that an interference with dignity is able to decisively lean in towards the protection of private life or freedom of expression.

“It [the Supreme Court – n.] also pointed out that neither the text nor the photographs in the disputed magazine article contained anything unfavourable to the applicants. It did not contain any criticism, nor was there anything in the content that could damage their reputation” (see para. 41).

C. The implied legitimate expectation of privacy

ECHR accepted the Supreme Court’s view that “since the ceremony took place in an area that was accessible to the public, easily visible, and a popular holiday location, it was likely to attract attention by third parties”, hence “these elements should also be given a certain amount of weight” (see para. 43).

D. The increased autonomy of the national courts

Finally, I have to point out the reiteration of the ECHR that “although opinions may differ on the outcome of a judgment, where the balancing exercise has been undertaken by the national authorities in conformity with the criteria laid down in the Court’s case‑law, the Court would require strong reasons to substitute its view for that of the domestic courts” (see para. 44).

UPDATE Tracing the right to be forgotten in the short history of data protection law: The “new clothes” of an old right

UPDATE:

The paper received the “Junior Scholar Award 2014”. “The junior scholar award is a new award at CPDP which is generously supported by Google. The winning paper is selected from the papers written by junior scholars who have already been selected from the general CPDP call for papers. The jury consists of: Ronald Leenes, University of Tilburg (NL), Bert-Jaap Koops, University of Tilburg (NL), Jess Hemerly, Google (US), Mariachiara Tallachini, EC-JRC (IT) and Chris Jay Hoofnagle, UC Berkeley (US). The award recognises outstanding work in the field of privacy and data protection”.

This is an incredible honor! Thank you, CPDP!

***

I will present the paper Tracing the right to be forgotten in the short history of data protection law: The “new clothes” of an old right at the Computers, Privacy and Data Protection conference, next week in Brussels. I am scheduled on Wednesday, 22 January, from 15.30, at La Maison des Arts, within the “Academic/PhD session. The right to be forgotten”.

The session will be chaired by Bert-Jaap Koops, from Tilburg University (TILT).

The other papers from the session are:

  • Ten Reasons Why the ‘Right to be Forgotten’ should be Forgotten by Christiana Markou.
  • Information Privacy and the “Right to be Forgotten”: An Exploratory Survey of Public Opinion and Attitudes by Clare Doherty and Michael Lang.
  • Purpose Limitation and Fair Re-use by Merel Koning.

As for my paper, here you have its abstract:

When the European Commission (EC) published its draft Data Protection Regulation (DPR) in early 2012, a swirl of concern hit data controllers regarding the introduction of a sophisticated “right to be forgotten” in the proposal for the future DPR, which was considered to unprecedentedly impact the internet and its economics. Critics and advocates of the right to be forgotten engaged in consistent theoretical debates, doubled by the technical discourse about its (un)feasibility. This paper “decomposes” the right to be forgotten into the tangible prerogatives which are in fact granted to individuals. It shows that those prerogatives already exist to an extended degree in EU law, and have existed in the first data protection laws enforced in Europe. In addition, the controversial obligation to inform third parties about the erasure request is a “duty of best efforts” which pertains to controllers and which is significantly different than a duty to achieve a result. Recourse will be made to private law theory to underline this difference.

Keywords: the right to be forgotten, data protection, privacy, duty of best efforts.

For further information on CPDP 2014, check out the conference web page. It looks like it will be a tremendous get-together of privacy people.

Academic Paper: Personal Jurisdiction and Choice of Law in the Cloud

Authors: Damon C. Andrews, John M. Newman

Abstract:

Cloud computing has revolutionized how society interacts with, and via, technology. Though some early detractors criticized the “cloud” as being nothing more than an empty industry buzzword, we contend that by dovetailing communications and calculating processes for the first time in recorded history, cloud computing is — both practically and legally — a shift in prevailing paradigms. As a practical matter, the cloud brings with it a previously undreamt-of sense of location independence for both suppliers and consumers. And legally, the shift toward deploying computing ability as a service, rather than a product, represents an evolution to a contractual foundation for all relevant interactions.

Already, substantive cloud-related disputes have erupted in a variety of legal fields, including personal privacy, intellectual property, and antitrust, to name a few. Yet before courts can confront such issues, they must first address the two fundamental procedural questions of a lawsuit that form the bases of this Article — first, whether any law applies in the cloud, and, if so, which law ought to apply. Drawing upon novel analyses of analogous Internet jurisprudence, as well as concepts borrowed from disciplines ranging from economics to anthropology, this Article seeks to supply answers to these questions. To do so, we first identify a set of normative goals that jurisdictional and choice-of-law methodologies ought to seek to achieve in the unique context of cloud computing. With these goals in mind, we then supply structured analytical guidelines and suggested policy reforms to guide the continued development of jurisdiction and choice of law in the cloud.

Full text: Digital Commons Network

 

Peter Hustinx expressed “serious concerns” in a letter to EU officials regarding the appointment of the new EDPS

The mandate of Peter Hustinx as European Data Protection Supervisor will end on January 16. Mr. Hustinx will thus finish his second five year term as EDPS, leaving behind a strong legacy. The question is: who will further take care of this legacy?

In a letter sent to EU officials and published on January 7, Mr. Hustinx expresses “serious concerns about the procedure for the selection and appointment of a new European Data Protection Supervisor and Assistant Supervisor”, because “at this stage, it is highly unlikely that the appointment of a new Supervisor and Assistant Supervisor will take place either before or shortly after this date (January 16)”.

According to Article 42(1) of Regulation 45/2001, “The European Parliament and the Council shall appoint by common accord the European Data Protection Supervisor for a term of five years, on the basis of a list drawn up by the Commission following a public call for candidates”.

Article 42(2) of the Regulation states that “The European Data Protection Supervisor shall be chosen from persons whose independence is beyond doubt and who are acknowledged as having the experience and skills required to perform the duties of European Data Protection Supervisor, for example because they belong or have belonged to the supervisory authorities referred to in Article 28 of Directive 95/46/EC”.

According to Pcworld.com, although the call for candidates went out last year, Commission spokesman Antony Gravili said that “the selection panel concluded that none of the candidates had the qualities that are needed for the job.”

Mr. Hustinx considers that this fact “opens the perspective of a period of uncertainty as to when the new team of Supervisors will be appointed”. 

He continues with the view that “This uncertainty and the possibly long delays that may be involved, as well as their different consequences, are likely to harm the effectiveness and the authority of the EDPS over the coming months. The EU is presently in a critical period for the fundamental rights of privacy and data protection, and a strong mandate is required to provide the authority to ensure that these fundamental rights are fully taken into account at EU level. In this respect, I would recall that the operation of a fully effective independent control authority is an essential feature of that right, as set out in Article 8 of the Charter and Article 16 of the Treaty”.

In this context, Mr. Hustinx sent the letter to Mr. Maros Sefcovic, vice-president of the European Commission, Mr. Juan Fernando Aguilar, Chairman of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs and to Ambassador Theodors N. Sotiropoulos, Permanent Representative of Greece (as Greece recently took over the 6 months presidency of the European Council), asking them “to take all the steps necessary to ensure that a new Supervisor and Assistant Supervisor will be appointed as soon as possible”.

 

See also

IAPP’s Angelique Carson published an informative piece about Mr. Hustinx’s legacy in December on privacyassociation.org, which I invite you to read HERE.

 

AG Sharpston: legal analysis regarding a person’s situation is not personal data

Advocate General Sharpston delivered her Opinion on December 12, 2013, in Joined Cases C-141/12 and C-372/12, Y.S. v. Minister voor Immigratie, in which she analyzed the content of the right to access personal data in a minute created during an administrative procedure. The case is interesting, as it interprets both Article 12 of Directive 95/46 and Article 8(2) of the Charter of Fundamental Rights of the EU.

According to the summary of the case drafted by AG Sharpston in her decision (see para 1), “Y.S., M. and S. are third country nationals who have applied for lawful residence in the Netherlands. Y.S.’s application was refused. Those of M. and S. were granted. Each relies on EU law in order to obtain access to a document (‘the minute’) drafted by an official of the relevant authority and containing a legal analysis in the form of internal advice on whether to grant residence status. They argue that the legal analysis is personal data and thus, as a matter of EU law, they have the right to access the minute.”

In the case of Y.S., following the applicant’s request for access to the minute drafted for the decision, the Minister refused to provide access, on the ground that the minute contained, apart from personal data, a legal analysis. The Minister did provide, in so far as necessary, an overview of the data contained in the minute, the origin of that data and the authorities which had access to the data. Y.S. challenged the decision, and the court of appeals referred several questions to CJEU.

In the case of M and S, the Ministry rejected their requests, but two Dutch courts annulled the decision of rejection and obliged the Ministry to give the applicants a copy of the respective minutes. The Ministry challenged these court decisions before the Raad van State, which has sent several questions to the Court of Justice of the European Union, following the preliminary ruling procedure.

Main referred questions

The questions are relevant in the correct application of the right to access personal data.

The first question asks whether the second indent of Article 12(a) of [Directive 95/46] should be interpreted to mean that there is a right to a copy of documents in which personal data have been processed, or is it sufficient if a full summary, in an intelligible form, of the personal data that have undergone processing in the documents concerned is provided?

The second question asks whether the words “right of access” in Article 8(2) of [the Charter] should be interpreted to mean that there is a right to a copy of documents in which personal data have been processed, or is it sufficient if there is provision of a full summary, in an intelligible form, of the personal data that have undergone processing in the documents concerned within the meaning of the second indent of Article 12(a) of [Directive 95/46]?

Another question asked by the Dutch court is whether a legal analysis, as set out in a minute, could be regarded as personal data within the meaning of Article 2(a) of [Directive 95/46].

The referred questions also cover the realm of the exceptions of the right to access personal data, as enshrined in Directive 95/46. In this regard, question 6 of the Raad van State asks whether the protection of the rights and freedoms of others, within the meaning of Article 13(1)(g) of [Directive 95/46] …, also covers the interest in an internal undisturbed exchange of views within the public authority concerned. Also, if the answer to that is in the negative, can that interest then be covered by Article 13(1)(d) or (f) of that directive?

AG Sharpston: “only information relating to facts about an individual can be personal data”

AG Sharpston acknowledges that “personal data is a broad concept” (para. 44) and “It can be understood to relate to any facts regarding that person’s private life and possibly, where relevant, his professional life (which might involve a more public aspect of that private life)” (para. 45).

As such, “information included in the minute relating to facts such as the name, date of birth, nationality, gender, ethnicity, religion and language of an applicant is ‘personal data’ within the meaning of Article 2(a) of Directive 95/46” (para. 46).

However, the Advocate General does not consider that legal analysis is personal data. And as a consequence, access should not be granted to the part of the minute which enshrines the legal analysis regarding the asylum request of the applicants, using as legal ground the right to access personal data.

To justify her view, AG Sharpston argues that “only information relating to facts about an individual can be personal data. Except for the fact that it exists, a legal analysis is not such a fact. Thus, for example, a person’s address is personal data but an analysis of his domicile for legal purposes is not” (para. 56).

Further, the Advocate General explains that “facts can be expressed in different forms, some of which will result from assessing whatever is identifiable. For example, a person’s weight might be expressed objectively in kilos or in subjective terms such as ‘underweight’ or ‘obese’. Thus, I do not exclude the possibility that assessments and opinions may sometimes fall to be classified as data” (para. 57). “However, the steps of reasoning by which the conclusion is reached that a person is ‘underweight’ or ‘obese’ are not facts, any more than legal analysis is” (para. 58).

In my opinion, the most convincing legal argument which could justify that legal analysis regarding facts about an identified person is not personal data, is the one stating that “legal analysis as such does not fall within the sphere of an individual’s right to privacy. There is therefore no reason to assume that that individual is himself uniquely qualified to verify and rectify it and ask that it be erased or blocked. Rather, it is for an independent judicial authority to review the decision for which that legal analysis was prepared” (para. 60).

In other words, access to legal analysis would not serve the purpose of exercising the other rights of the data subject: the right to erasure, the right to rectification etc. So perhaps another question one could ask is whether the only purpose of the right to access personal data is the possibility for the data subject to exercise the other rights she has regarding the processing of her data.

The other question one could ask is how can a person require an independent judicial authority to review the decision for which that legal analysis was prepared, if she doesn’t know the content of the decision? Nevertheless, the answer to this last question is more substantially linked to the right to an effective judicial remedy.

The form in which access should be granted to personal data

AG Sharpston also addresses in her Opinion the question of the form in which access to personal data must be granted, having regard to the fact that the referring courts asked whether a copy of the minute has to be provided to the applicants.

First, the Advocate General establishes that the right to access as provided in Article 8(2) of the EU Charter “does not articulate a separate standard governing the form in which access must be made available” (para. 70) than Article 12 of Directive 95/46.

“When read together with the principle of proportionality and legal certainty, I interpret Article 8(2) of the Charter to mean that access need not go beyond what is necessary in order to achieve its objectives and to give the data subject full knowledge of the personal data that are protected under that provision. The requirement set out in Article 12 of Directive 95/46 corresponds to those principles. For that reason, I do not consider that a separate inquiry into the form of access under Article 8 of the Charter is necessary” (para. 70).

AG Sharpston further considers that “Depending on the circumstances, a copy might be neither necessary nor sufficient” (para 73). She explains that “Directive 95/46 does not require personal data covered by the right of access to be made available in the material form in which they exist or were initially recorded. In that regard, I consider that a Member State has a considerable margin of discretion to determine, based on the individual circumstances in case, the form in which to make personal data accessible” (para 74).

The Advocate General adds that “In making that assessment, a Member State should take account of, in particular:

(i) the material form(s) in which that information exists and can be made available to the data subject,

(ii) the type of personal data and

(iii) the objectives of the right of access.” (para. 75).

The conclusion is that “the fact that personal data are contained in a document such as a minute does not imply that the data subject automatically has the right to that material form, that is to say, a copy or extract of that document” (para 79).

The second indent of Article 12(a) of Directive 95/46 states that the data subject has the right to obtain from the controller “- communication to him in an intelligible form of the data undergoing processing and of any available information as to their source”. Hence, all the data undergoing processing must be communicated to the data subject “in an intelligible form”.

In my view, there are two possible variations of personal data undergoing processing that can be the object of an access request: 1. data processed in an intelligible form for the data subject and 2. data processed in a non-intelligible form for the data subject (such as binary language, code, foreign alphabet etc.). Whenever data is processed in a language (understood lato sensu) which is accessible to the data subject, she is entitled to receive a copy of that data – be it an extract of a larger material form in which the data is processed. If the data is processed in a non-intelligible form for the data subject, she is entitled to receive the processed data, in a specific material form, translated into an intelligible language for the data subject.

In fact, as the online Oxford dictionary reveals, the origin of the noun “copy” ultimately rests in Latin: copia ‘abundance’ (in medieval Latin ‘transcript’, from such phrases as copiam describendi facere – ‘give permission to transcribe’). So a copy of personal data can be understood not only as an identical specimen to the original data, but also as a transcription of the original data.

Regarding the case at hand, I consider that as long as the facts of the case of the applicants are considered “personal data”, the applicants are entitled to receive a copy of the personal data enshrined in the minute, in the form of a photocopy of the minute in which all the information which is not considered to be personal data can be erased/covered with a black/blank line etc. I do not see why it would be disproportionate to communicate the personal data contained in the minute in this manner. Moreover, I consider that such a copy is the only one which ensures the effectiveness of the exercise of the other rights of the data subject – especially the right to rectification.

Exceptions of the right to access – “the protection of rights and freedoms of others cannot be read as including rights and freedoms of the authority processing personal data” 

Finally, AG Sharpston argues that, if the legal analysis could be considered personal data, then the data controller cannot invoke Article 13 subparagraph g as a justification for not offering access to the processed data: “the protection of rights and freedoms of others (that is, other than the data subject) cannot be read as including rights and freedoms of the authority processing personal data. If a legal analysis is to be categorised as personal data, that must be because it is related to the private interests of an identified or identifiable person. Whilst the public interest in protecting internal advice in order to safeguard the administration’s ability to exercise its functions may indeed compete with the public interest in transparency, access to such advice cannot be restricted on the basis of the first of those two interests, because access covers only what falls within the private interest” (para. 84).

One last observation: what would the ECHR say?

In 2012 (22 May), the European Court of Human Rights gave its decision in a case which presents certain similarities with the case at hand – Trăilescu v. Romania (5666/04 and 14664/05; only available in French and Romanian). The applicant considered his right to private life, as enshrined in Article 8 of the European Convention of Human Rights was breached because the Ministry of Justice refused him access to his evaluation file – which was created in a decision process with regard to his admission in the body of magistrates. The applicant passed the exam to become a magistrate, but he was informed by the procureur général that he would not be appointed as a magistrate because he does not have a good reputation, a condition imposed by Law no. 92/1992. According to the Court (in translation from the French), “in reaching that decision, the public prosecutor’s office relied on several facts, as they emerged from the ‘personal’ file (dosarul de personal) compiled by the prosecutor’s office attached to the Mehedinţi County Court following the inquiries carried out concerning the applicant in 2000 and 2001. It appears from the ministry’s decision that the ‘personal’ file consisted of information provided by the applicant’s former employers, by his acquaintances and by the Orşova police, of recommendations and of other documents.”

The applicant contested that decision in court and during the proceedings he also asked to be granted access to his file. However, he did so by invoking the right to access information of public interest. His request was rejected by the national courts, which argued that the information contained in the file is personal and not of public interest.

The ECHR considered in its decision that the applicant did not exhaust all the remedies in the national judicial system, because he did not ask for access to his file pursuant to Law 677/2001 for the protection of individuals with regard to the processing of personal data (which transposes Directive 95/46 in Romania).

ECHR stated in its decision (in translation from the French) that “Law no. 677/2001 also describes the procedure to be followed by any interested person in order to obtain access to classified personal data, and access to a court is provided for by Article 18 of that law (paragraph 39 above). There is nothing to indicate that the review carried out by the court is limited in any way, such as to cast doubt from the outset on the effectiveness of such a remedy. In those circumstances, the Court considers that there is nothing to suggest that the provisions of Law no. 677/2001 did not offer the applicant the possibility of obtaining redress for his complaint, or that it presented no reasonable prospect of success” (para. 70).

In other words, the Court in Strasbourg expressed its expectation that a request such as the one in the main proceedings grounded in the right to access personal data presents “a reasonable perspective of success.”

NOTES:

‘ I would like to thank Mihaela Mazilu-Babel for pointing out this AG Opinion.

” CJEU is expected to deliver its decision in 2014.

The rights of the person regarding personal data protection – PhD thesis summary

(After three years of intense work in a field not popular at all in Romanian legal research, I have finally done it :) The public defense of the thesis is scheduled for November 30, 2013, at the University of Craiova. The thesis is in Romanian. The pdf version of the Summary is temporarily available here.)

- SUMMARY -

Personal data protection is the subject of an intense global debate, triggered by the extraordinary development of Information Technology (IT), the ever growing capacity of its products to store, process data and of their inter-connectivity. The debate is especially triggered by the way its products are used.

Personal data protection emerged as a regulatory field in the 1970s in Western and Northern Europe, as well as in the United States of America. It developed with an alert rhythm, presenting alongside its development the characteristics of a global regulatory phenomenon.

Romania enacted its first data protection law as late as 2001, as a consequence of its pre-accession obligations to join the European Union (EU). In spite of the long lack of preoccupation towards personal data protection, currently this field is also regulated in the Civil Code, under the section dedicated to personality rights – more precisely in Article 77, which specifically refers to the protection of personal data.

This thesis fills in the lacunae in the Romanian legal literature with regard to personal data protection, characterizing the right to personal data protection as a subjective right (droit subjectif) and making an exhaustive critique of the rights of the data subject to directly control data processing, which are analyzed as prerogatives of the general data protection right.

Therefore, the main question this thesis answers is: “What are the roles of the ‘control’ rights of the data subject in data protection law and how do they become effective, having regard to the complex system of norms which regulate them?”

Part I of the thesis establishes the main coordinates of a general theory of personal data protection. A one-dimensional theoretical foundation of this field is absent in the Romanian legal literature, while in the foreign legal literature the main fundamental theoretical preoccupation seems to be the differentiation between personal data protection and the protection of private life. To achieve this goal, the endeavor within Part 1 is divided in two chapters, the first one characterizing data protection as a regulatory field and the second one theorizing the right to personal data protection as a droit subjectif civil (subjective right).

The first chapter represents a historical mise en scène, which is multi-dimensional from a territorial point of view, and contextual with regard to the data protection regulations. There are three main ideas which emerge from this analysis.

First, it is underlined that the emergence of technologies to store and process information imposed the necessity of a juridical mechanism to protect individual freedom in relation to storing and processing personal information.

Second, this mechanism has been enacted relatively simultaneously in the 1970s and the beginning of the 1980s in Western democracies, having similar forms and principles. This led to the theories regarding the global convergence of data protection norms.

Finally, even though legal writers have identified until now several generations of data protection regulations, in fact the only substantial difference between the content of these regulations in different moments in time is the development from multiple dispersed norms with a common purpose – data protection, to the recognition and enactment of a subjective right to data protection.

With regard to the particularities of the Romanian data protection system presented in this chapter, the analysis of the transposition in the Romanian legal system of data protection norms can be remarked, starting with the substantiation of their necessity and underlining the differences between the transposition law (Law no. 677/2001) and Directive 95/46 for the protection of the individual with regard to data processing. These differences can lead in certain cases to the conclusion that transposition errors exist. For instance, such is the case with the broader understanding provided in the Romanian law for the lawful grounds of data processing.

The detailed provisions regarding informational privacy contained in the new Civil Code (NCC), as well as the concern shown strictly for personal data protection (Art. 77 NCC), are an indication of the fact that Romania has a modern civil code. It is built to support the individual in front of the digital age challenges, on one hand, and with regard to the interferences in her private life, on the other hand. As it was already underlined in the legal literature, “certainly, this regulation will greatly contribute to the civilization of some inter-human interactions which are in great suffering in these rough times we are passing through, but also to holding back the uncontrolled zeal of authorities, which, under different pretexts, disregard rights such as the right to private life or dignity”[1].

However, in the near future, the existing rules regarding personal data protection – which have a broad material scope, will be put aside from the national legal system by the new EU Data Protection Regulation and the new EU data protection directive in criminal matters, which are currently under legislative debate in the European Parliament and the European Council (as long as they will be contrary to the new EU legislation).

Chapter 2, starting from the droit objectif of data protection, substantializes the existence of data protection in informational self-determination, which is further grounded in free will. The chapter continues with the transition from the identification of an interest which can be protected by data protection provisions to theorizing the right to personal data protection as droit subjectif.

Therefore, the classical elements of the droit subjectif are identified with regard to the right to personal data protection and detailed – the subject (titulaire) of the right, the object, and the content of the right, while its legal protection will be comprehensively studied in Part III of the thesis.

A significant contribution of Chapter 2 to data protection theory is the contextualization of the role of consent in the protection of personal data. According to it, the focus in data protection law should be removed from consent and placed upon the suitable safeguards of the data subject, such as the rights to control data processing, purpose limitation and accountability mechanisms. All of these safeguards are regulated with the purpose to create a complex system of protection of the data subject. These three types of safeguards are identified as being the prerogatives within the content of the right to personal data protection.

It was shown that, ultimately, the philosophy of data protection could be summarized as follows: every person should have the right not to be subject to data processing, unless it is made on one of the recognized legal grounds (which are identified as being part of the meta-content of the right to personal data protection), and it is subject to suitable safeguards (which are identified as prerogatives within the content of the right to personal data protection). As the consent of the data subject is merely one of several legal grounds enshrined in data protection law, it was argued that the importance of consent in this field must be hierarchized below the necessity to clarify and detail the “suitable safeguards”. This is a consequence of coordinating the prerogatives of the right to personal data protection with the right’s object, an object which has a procedural nature and which represents an aggregation of mechanisms as normative instruments for transparency.

Therefore, it is further argued that the right to personal data protection is a non-pecuniary subjective right (droit subjectif), substantialized with the purpose to protect the interests of the person in the context of the Information Society. Its structure is complex, and its essence is rather procedural. It is shown, nevertheless, that all the classical elements of the droit subjectif have correspondents in the provision of the right to personal data protection.

The rights of the data subject which facilitate the informational self-determination, named in this thesis “control rights”, are systemized in Part II, following the structure of the European Commission’s proposal for a General Data Protection Regulation, which divides the rights into three categories: information and access rights, rectification and erasure rights, as well as the right to object (to data processing in general, and also to automated decisions taken on the basis of profiling).

According to one of the data protection principles, the data subject enjoys the possibility of directly participating in the processing of her data, and influencing it. This principle is known as the data subject participation and control principle. Along with seven other principles – fair and lawful processing, data minimization, purpose specification, data quality, disclosure limitations, information security and sensitivity principles, it plays an important part for the lawful processing of private data, having regard to the ultimate purpose of the protection of personal liberties. The rights of the data subject – right to information, right to access, right to rectification, right to objection, right not to be subject of an automated decision based on profiling, the proposed right to be forgotten and right to data portability (which are regulated in the draft data protection regulation), are normative expressions of the data subject participation and control principle with regard to data processing.

Authors, like Poullet, consider that the express provision of these subjective rights of the data subject in Convention 108 of the Council of Europe (with regard to personal data protection; adopted in 1981) marks the second generation of data protection laws and allows the data subject to control the use of her informational image and to assess the reasons of its utilization. It must be mentioned that, contrary to this opinion, most of the data protection laws enforced in Europe in the ‘70s have had regard to the fact that “the stream of personal data primarily flows from the weak actors to the strong”[2], guaranteeing from the beginning a set of rights of the data subject: the right to information and access, the right to rectification and the right to erasure. This set of rights has evolved within the national laws, being further regulated in detail by EU Directive 95/46 on the protection of individuals with regard to the processing of personal data.

Within the chapters of Part II, the content of each subjective right expressly enshrined in data protection law is conceptually grounded and its current provision is also analyzed from the point of view of the evolution of its normative history. The rights of the data subject are studied having regard firstly to Romanian law, and subsequently to the EU directives regulating in the field of data protection and the legislative proposals from the EU data protection reform package – the General Data Protection Regulation (GDPR) and the directive of data protection in criminal matters, which are currently in the process of being adopted. The case-law of the European Court of Human Rights in Strasbourg under Article 8 (respect for private life) of the European Convention of Human Rights will also be taken into account, especially with regard to the right to access. The necessity of such a comprehensive approach on the rights of the data subject is evident in the multi-layered legal system of a Member State of the EU.

Chapter 3 details the right to inform and the right to access the personal data being processed. The protection of personal data would lack efficiency if data subjects were not able to acknowledge the existence of the processing and its context, and did not know what particular data are processed, how they are used and who has access to them. The two rights are the expression of a transparency principle, but a two-dimensional transparency, respectively transparency managed by the data controller and exclusively opposable to the data subject.

Informational self-determination has as starting point this kind of transparency. If the data subject does not know that her data are being processed and stored in certain databases, then it would be impossible for her to exercise any of the prerogatives which follow from legally guaranteeing the right to the protection of private data.

On the other hand, in the legal literature it was also underlined, with regard to data access, that “this right consistently constitutes a significant burden, both administratively and financially, to data controllers”[3].

The right to information and the right to access are enshrined in the first data protection laws, starting with the Bundesdatenschutzgesetz – the German federal law adopted in 1977, followed by Loi relative à l’informatique, aux fichiers et aux libertés, adopted in France in 1978, the Data Protection Act, adopted in 1984 by the British Parliament, and the Wet persoonsregistraties, adopted in 1989 in The Netherlands. Initially, the distinction between the two rights is not clear, the French law being the only one which differentiates them. Both the German and the British law enshrine similar prerogatives to both of the rights, one under the right to information, and the other under the right to access.

The two rights appear under the guise of “possibilities” in Convention 108 of the Council of Europe, and as individual subjective rights within Directive 95/46, along with the right to object, the right to rectify data and the right not to be subject to decisions based on automated data processing. Articles 10, 11 and 12 of Directive 95/46 provide that every time personal information is collected, the data subjects must be informed about the details of the data processing and have the right to receive a copy of all the processed data. The three articles from Directive 95/46 have been transposed in Law no. 677/2001 on the protection of individuals with regard to the processing of personal data, in Articles 12 and 13, which are analyzed in detail in Chapter 3 from the point of view of their content and procedure for their adjudication.

The idea of a legal regime which would guarantee the access of individuals to their own information has appeared for the first time in the Romanian system, after the 1989 Revolution, with regard to the personal files created by the Securitate (the secret service of the former Romanian communist regime). Two years after Law no. 187/1999 – which guarantees the access to these files, was enforced, the transposition law of Directive 95/46 was adopted, in a system which, until then, had not recognized a social and legal necessity to protect personal data beyond the sensitive matter of accessing the files of the former Securitate. It must be underlined, nevertheless, that the right to access, according to Article 13 of the Law no. 677/2001, provides a considerably simplified procedure for accessing personal data than the procedure required by the National Council for the Study of the Securitate’s Archives. This raises the question of a national provision which does not comply with the harmonization standard established by a directive in its ratione materiae scope.

The provisions of Law no. 677/2001 with regard to the rights to information and access represent, to a high degree, a correct transposition of the provisions of Directive 95/46, including from the point of view of their exceptions and restrictions. The only inadvertence refers to the omission, in the case of the right to access, of the condition that access must be asked for “without constraint”. This condition, even though it is provided in Article 12(1) of Directive 95/46, is not mentioned in the GDPR proposal. However, until the GDPR enters into force, Article 12 of Directive 95/46 can be invoked by the data subject as long as she considers that she was constrained to ask for access to the processed data.

Nevertheless, it must be underlined that Law no. 677/2001 has strengthened the protection of the two rights by adding compulsory details of the processing to be offered to the data subject, compared to the set of details required by Directive 95/46.

Chapter 4 analyzes the rights to intervene directly in the data processing operation. One may say that, after information and access, a second “step” towards informational self-determination allows the data subject to directly intervene in the data processing operations. The data subject has the right to obtain the rectification, update and even erasure of her processed private data. Without this second component of the prerogatives of the right to personal data protection, informational self-determination would remain utopian.

The Romanian data protection law regulates in Article 14 “the right to intervene upon the data”, the content of which enshrines the rectification, erasure, blocking and update of personal data. Directive 95/46 does not literally provide for a distinct right to intervention upon the data, but it regulates the erasure, blocking and rectification of data within Article 12 – “the right to access”. The solution of the Romanian legislature expresses the essence of these rights. They ultimately represent the possibility of the data subject to directly intervene in the process of data processing.

The possibility of the data subject to effectively and concretely intervene in the data processing has generated most of the controversies about the rights of the data subject as enshrined in the EU data protection reform package. The European Commission has introduced in the draft GDPR two new “interventional” rights – the right to be forgotten, which, in fact, represents the development of the right to erasure, and the right to data portability.

The intention to regulate these rights has generated two opposite opinions. On one hand, the European Commission is supported in its endeavor especially by the European Data Protection Supervisor, by the non-governmental organizations which promote the protection of human rights in the digital age and by most of the European academia in the field of law and technology. On the other hand, global IT companies, some of the governments of the EU member states, as well as part of the American law and technology academia have criticized the regulation of the two rights. Both perspectives are detailed in this chapter.

Both the supporters and the critics of the right to data portability and the right to be forgotten seem to omit the fact that incarnations of these rights already exist in the current data protection law in the European Union. This is one of the reasons why the rights to intervention were grouped in the same chapter of the thesis, to make it easier for the reader to compare the norms in the first data protection laws, the current legal framework and the proposed regulation and directive from the reform package.

Among the conclusions of the chapter, it can be underlined that, even though the right to be forgotten, technically, is the right to erasure which presupposes the existence of two correlative obligations, one of result – erasure of data, and one of best efforts – the information of third parties who had access to data about the erasure request, obligations which are opposable to data controllers on a quasi-global level, it represents much more: it protects the autonomy, liberty and identity of the individual in an over-digitalized world, not only in space, but also in the temporal dimension (which justifies the idea of “forgetfulness”).

With regard to the right to data portability, it is the exponent of a new generation of juridical concepts of the regulation of private life. One should admit that its functions are complex, affecting not only privacy, but also competition between service providers of the Information Society. Nevertheless, its regulation in a data protection normative act indicates that the fundamental role of data portability is to offer data subjects enhanced control over their informational self-determination.

The right to object to data processing and the right to object to automated decisions based on profiling are studied in Chapter 5.

The general right to object to data processing, as well as the rights of the data subject to object to decisions based on profiles represent the category of the rights of the data subject with the least clear content. This might happen because the two rights are not a part of the common body of provisions of the first data protection laws in Europe, unlike the two categories of rights studied above – “the rights to know” and the rights to directly intervene in the data processing operation.

Comparing the material scope of the two rights, the general right to object is the expression of theoretical preoccupations, which are linked to the grounds of a fundamental right to informational self-determination, while the right of the person to object to decisions based on profiling is rather the response to practical and current concrete problems. The succinct characterization of profiling made in one of the subsections of this chapter shows the danger for individual liberty, lato sensu, on one hand, and for democratic societies, on the other hand. This danger is represented by profiling beyond any control.

Inspired by the first French data protection law of 1978, Directive 95/46 regulated a general right of the data subject to object to the processing, in exceptional circumstances, even if the processing complies with the law. The main condition for a successful objection request is the existence of “compelling legitimate grounds” in a particular situation.

The normative evolution of the general right to object is analyzed in the first section of the chapter, underlining the absence of this prerogative from the first data protection laws in Europe, and also from the data protection international legal instruments. Subsequently, the content of the right to object as regulated by Law no. 677/2001 is analyzed having regard to the corresponding provisions of Directive 95/46, followed by the development of this right in the EU data protection reform package.

One of the conclusions of Chapter 5 is that the Romanian legislator has significantly extended the material scope of the general right to object, compared to the provisions of Directive 95/46. Hence, while the directive limits the application of the right to object to the situations in which the processing is necessary for the performance of a task carried out in the public interest and the processing is necessary for the purposes of the legitimate interests pursued by the controller, the Romanian data protection law does not limit the application of the right depending on the lawful basis for data processing, which means that it is possible to object to the processing including when the data subject has consented to it, but also when the lawful ground for processing is a legal obligation of the controller.

The right of the data subject not to be subject to a decision based on automated processing is contextualized within the framework of an analysis of profiling as a phenomenon of the current economy. The prerogatives of the data subject against the arbitrary effects profiling can have on individuals are subsequently analyzed.

The analysis of the rights of the data subject reveals without doubt the existence of a general right to informational self-determination, guaranteed by the specific provisions of data protection. The data subject not only has the right to be informed about the existence of data processing operations and to know their details, but can also directly intervene on them by requiring the erasure, rectification or the updating of data. Moreover, she can object to the processing, even if it is lawful. In principle, the control of the data subject over her informational image is substantial.

However, its substance is diminished because of the limited material scope of certain rights and their exceptions and restrictions regulated in the data protection normative acts – all of which are being analyzed and exemplified in Part II of the paper. Perhaps the most diminishing factor of its substance comes from the passivity of the data subject. The data subject must effectively exercise their rights so that they will assure the control over their informational identity.

In this regard, Part III describes the ways in which the data subject can defend the rights enshrined in the wider content of the right to the protection of private data, by analyzing the simple civil actions to achieve this purpose, and the more complex action in civil liability, before the national courts.

Access to justice of the data subject to protect her rights has a special place in the Romanian data protection system, because it is regulated in the chapter dedicated to “the rights of the data subject in the context of data processing” (Chapter IV, Law no. 677/2001), at Article 18 – “the right to a judicial remedy”.

The data subject can protect the prerogatives of the content of the right to data protection by making recourse to criminal liability, liability resulting in contraventions or civil liability. The thesis aimed to analyze only the last two.

Civil remedies for data protection law breaches are of two types. First, the protection of the rights of the data subject can be done through civil actions in realization of the rights, a possibility which results from Article 18 of Law no. 677/2001. Second, if the data subject considers that she suffered damages resulting from the data protection law breaches, she can make use of a civil action in civil liability, according to Article 18(2) of Law no. 677/2001, which refers to any breach of the data protection law, not exclusively to breaches of the provisions of Chapter IV regarding the rights of the data subject.

Civil liability of data controllers and of data processors can be also invoked in court making use of the provisions of the new Civil Code: Article 1349 – the general clause for civil liability, corroborated with Article 253 – the clause for civil liability in the case of breach of non-pecuniary rights.

The liability resulting in contraventions of data controllers that do not comply with data protection law can be engaged on the basis of Articles 31-35 of the Law no. 677/2001, which regulates “contraventions and sanctions” in the field of data protection, but also on the basis of Article 13 of Law no. 506/2004 of personal data processing and the protection of private data in the electronic communications sector. A fundamental role in the application of sanctions in the field of data protection pertains to Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal – ANSPDPC (The National Authority for Supervising Personal Data Processing).

Finally, if we look upon personal data protection lato sensu and we corroborate it with the specific prerogatives of the right to the protection of private life, then we can conclude that criminal liability can also be engaged with regard to data controllers, according to Article 195 of the Criminal Code, which sanctions the crime of “violating the secret of correspondence”. As a matter of fact, Law no. 677/2001 refers to “crimes” in the chapter dedicated to sanctions, admitting that some characteristics of the regulated contraventions can be transformed in the content of a “crime”, but without specifically regulating such crimes sanctioned by penal law. This last aspect is not a part of the proposed scope of this thesis and will not be analyzed.

Even though there seems to be an inflation of legal procedures conferred to the data subject in order to guarantee her right to personal data protection, they are rarely utilized. According to preliminary data from a report of the Agency for Fundamental Rights of the European Union (“Data Protection: Redress Mechanisms and Their Use”) dedicated to redress mechanisms for damages caused by data protection law breaches in 16 member states of the EU, including Romania, data protection cases are few and dispersed among a variety of national courts and redress for damages caused by data protection law breaches is centered around Data Protection Authorities. These facts have several causes of a normative and institutional nature, but, at the same time, are justified by the attitude that the citizens of the EU, in general, and Romanians, in particular, have regarding personal data processing. According to the most recent Eurobarometer in this field (Eurobarometer No. 359), published in 2011, 33% of Europeans and 39% of Romanians “completely agree” that the disclosure of personal data is not a major problem, while 70% of Europeans and 61% of Romanians have complete trust that the national public authorities protect their personal data.

Chapter 6 analyzes the civil actions in realization of the rights which are available to data subjects, marking the distinction between the legal grounds for such actions, on one hand, and the legal grounds for judicial redress for the damages caused by the unlawful processing of personal data, on the other hand. A few practical uses of the actions in realization are also discussed. For instance, the confusion made by the Romanian judicial actors between the right to access personal data and the right to access information of public interest is highlighted (Section 3).

The Romanian legislator procedurally guarantees the protection of the prerogatives of the data subject with regard to data processing by regulating expressis verbis a “right to a judicial remedy”. The fact that judicial remedies against breaches of data protection law are regulated under the guise of a subjective right within Law no. 677/2001 leaves the Romanian system of data protection prepared to effectively protect the data subject. However, it seems to be just “prepared”, as the effectiveness of the protection is influenced by several factors, such as the level of information of the data subject with regard to the dangers of unlawful data processing and the level of knowledge of the actors of the judicial system – magistrates and lawyers – about the mechanisms of protection of the data subject in the context of personal data processing, or the responsibility of data controllers with regard to the data processing operations they engage in. Having regard to all of these facts, the effectiveness of the protection of the rights of the data subject through civil actions has yet to manifest itself.

The right of the data subject to a judicial remedy confers to its titulaire all the premises for the adjudication of the right to personal data protection in Romanian law, establishing a rule of territorial competence, according to which the court of the domicile of the data subject is competent to decide on the civil actions for the protection of her rights provided for by Law no. 677/2001, and exempting the data subject from paying the special judicial fee for bringing to court actions concerning data protection breaches.

The conditions to exercise civil actions for data breaches are analyzed in this chapter, by thoroughly looking into the provisions of Law no. 677/2001. This chapter also presents the argument that not only the rights of the data subject, understood stricto sensu – the right to access, to information, to object, and the right not to be the object of an individual decision based on automated profiling – can be defended through civil actions in realization, but also any civil right correlative to any obligation of the data controller regulated by Law no. 677/2001.

One of the particularities underlined was the lack of “determined interest” for an action in realization of the right to be informed. Another one was the confusion between the right to access personal data and the right to access public information which often appears in the case-law of Romanian courts and which was tackled before the European Court of Human Rights in Strasbourg in the Trăilescu case.

The passive capacity to stand trial is also analyzed for proceedings regarding the realization of rights of the data subject. Therefore, the concepts of data controller and data processor are analyzed. In this context, a test was proposed in order to establish the material scope of data protection provisions: “there is no data processing operation without a data controller and no data controller without a data processing operation”. This perspective alleviates the proof of the existence of a responsible legal or natural person for the fulfillment of obligations stemming from processing personal data, as was shown in the case of search engines identified as data controllers which have to comply with their data protection legal obligations.

Regarding the passive capacity to stand trial in civil proceedings through which the rights of the data subject are protected, it was observed that in the special case of the action in realization of the right not to be the object of a decision based on automated data processing, having regard to the de facto elements of each case, it is possible for a third party to the data processing operation to have passive capacity to stand trial, considering that according to this right “decisions” taken on the ground of profiling can be revoked.

Chapter 7 is a radiography of civil liability for damages created by the breach of non-pecuniary rights, having regard on one hand that Article 18(2) of Law no. 677/2001 provides for the possibility of the data subject to bring a legal action to cover the damage suffered as a result of unlawful data processing, and on the other hand that the new Civil Code provides for a complex system of compensation for damages created by the breach of non-pecuniary rights.

It is argued that civil liability for this type of damage presents sufficient characteristics to support the conclusion that, starting with the entering into force of the new Civil Code, the legal regime of civil liability in Romanian civil law was enriched with an autonomous cause of action in the case of damage created by breach of non-pecuniary rights.

In this regard, it must first be acknowledged that the new Civil Code enshrines a specific provision for the compensation of pecuniary and non-pecuniary damages created by breach of non-pecuniary rights – Article 253(4). It represents an individualization of the general cause of action for civil liability in the new Civil Code – Article 1349.

Secondly, the regulation in the new Civil Code of a complex system of compensation for the damage caused by breach of non-pecuniary rights must be taken into account. This system entails ordinary and emergency non-pecuniary measures, but also pecuniary compensation.

Thirdly, after analyzing the content of the express provision for compensation for damages created by breach of non-pecuniary rights in the new Civil Code, the significant legal literature on this matter and, especially, the case-law of Romanian courts [a significant part of this chapter being dedicated to the latter], the conclusions show a reconfiguration of the general conditions needed to trigger civil responsibility. They need to be subjected to a complex verification having regard to the case law of European Court of Human Rights and the Court of Justice of the European Union [if applicable] on fundamental rights, and also to the limits of non-pecuniary civil rights detailed in the new Civil Code.

In conclusion, civil liability for damage caused by breach of non-pecuniary rights has autonomous standing in the legal regime of civil liability in Romanian civil law, presenting numerous particularities.

Therefore, the autonomous legal ground which triggers the civil liability of data controllers must be applied and interpreted within the complex system of the entire civil liability mechanism of the Romanian civil law. This system, in the case of data protection, can be imagined as a Matryoshka doll. The smallest of the “dolls” is represented by the hypothesis enshrined in Article 18(2) of Law no. 677/2001, which is comprised by the hypothesis of civil liability for damages created by breach of non-pecuniary rights enshrined in Article 253(4) NCC, which is comprised by the general provision for civil liability, enshrined in Article 1349 NCC. As such, each hypothesis has its own individuality and independent existence. However, they can be used as a whole, this characteristic conferring uniqueness to the whole system and effectiveness in protecting the rights of the data subject and, ultimately, the right to personal data protection.

Considering that the right to personal data protection is a subjective non-pecuniary right, the dispositions in Articles 252-256 NCC are applicable to its protection, starting with the rules of a mixed system of compensation for the non-pecuniary damage, and finishing with the rules envisaging the revised test which triggers civil liability. The specialization of civil liability for damages caused by breach of unlawful data processing pursuant to Article 18(2) of Law no. 677/2001 has as a consequence the systemic application of data protection law, in order to establish whether there was indeed a breach.

Chapter 8 details the administrative means of protection of the civil rights of the data subject, introducing the National Authority for the Supervision of Personal Data Processing (NASPDP), its competences and procedures.

According to paragraph 62 of the Preamble of Directive 95/46, data protection authorities, in general, are fundamental for an effective data protection system. Their purpose is not solely to sanction breaches of the rights of the data subject, but also to be an integrated part in the system for the protection of personal data, having several roles: punitive, normative and consultative. This is why the creation of national data protection authorities was imposed by the EU as harmonization standard through Article 28 of Directive 95/46. According to Article 28(1) of the DPD, each Member State must have one or more public authorities responsible for monitoring the application within its territory of the data protection laws, which must act with complete independence in exercising the functions entrusted to them.

The minimum competences that a data protection authority must have, according to Article 28(3) of the directive, are the following: (i) investigative powers, (ii) effective powers of intervention, such as that of delivering opinions before processing operations are carried out, of ordering the blocking, erasure or destruction of data, (iii) the power to engage in legal proceedings where the national data protection provisions have been violated. To these, Article 28(2) DPD adds (iv) the competence to be a consultative body for administrative measures or regulations in the field of personal data protection.

The sanctions to be applied for violations of data protection law are decided by the Member States, without the Directive establishing a minimum level for the value of the sanctions or the type of legal responsibility to be engaged in the case of data protection law violations. According to a Fundamental Rights Agency report (“Data Protection in the European Union: The Role of Data Protection Authorities”, 2010), the transposition of such a general provision into national legal systems generated significant variations, which were also influenced by national laws in administrative and criminal law, both at the time of the entering into force of data protection law and at the time of their subsequent application.

Romania initially chose to confer the function of a data protection authority to the already existing Ombudsman, according to the first version of Law no. 677/2001. This option proved to be deficient: four years later, the Parliament voted a special law for the creation of a new public authority – NASPDP.

The Romanian DPA enjoys efficient legal means to ensure an effective protection for the rights of the data subject, which are in accordance with EU law. However, the activity of the NASPDP does not often rise to the level of its competences and of the fundamental role it has in the protection of the fundamental rights of the data subjects. The EU Fundamental Rights Agency remarked in the 2010 report on DPAs, with regard to the activity of the European data protection authorities, that “in many Member States, DPAs are not in a position to carry out the entirety of their tasks because of the limited economic and human resources available to them”, enumerating Romania among those states. Moreover, the Agency observes that in many states, such as Bulgaria, Denmark, Slovakia and Romania, “a gap exists between the protection of the right to privacy in theory, which may formally conform to the requirements of EU and international law, and its protection in the law in practice”.

As a conclusion of Part III, data subjects enjoy a multitude of legal means of protection for their rights with regard to personal data processing. In this entire system of protection, the data subjects themselves play the fundamental role, because as long as they will acknowledge the risks of unlawful processing of their private data by different data controllers, they will also realize that the initiative to protect their fundamental rights through the procedural rights contained within the right of personal data protection belongs to them. It is the only way in which this extremely detailed and well construed normative system will become effective.

In conclusion, the thesis showed that the rights of the data subject to control the processing of their private data – the right to be informed, the right to access, the right to rectification, the right to object to data processing and the right to object to automated individual decisions – are prerogatives within the content of the subjective right to the protection of personal data. The thesis also analyzed in detail the particularities of the transposition of these rights from Directive 95/46 in the Romanian legal system, the influence which the ECHR case-law has upon them, especially upon the right to access, and the way in which they will be regulated in the near future in the EU. The entire endeavor leads to the conclusion that individuals have sufficient legal instruments to protect their personality rights in the Information Society. For those rights to be effective, individuals themselves need to acknowledge the risks entailed by data processing and digital storage of personal data, and the existence of their rights and the means to exercise them.


[1] E. Chelaru, Drepturile personalităţii în reglementarea Noului Cod Civil, Revista Dreptul, nr. 10/2011, p. 61.

[2] S. Gutwirth, Privacy and the Information Age, Rowman & Littlefield Publishers, Inc., USA, 2002, p. 85.

[3] P. Carey, Data Protection. A practical guide to UK and EU law, 3rd edition, Oxford University Press, 2009, p. 130.

Court of Justice of the EU: Member States are not obliged to provide for exceptions in the application of data subjects’ rights

The Court of Justice of the European Union ruled on November 7, in Case C-473/12 IPI v. Geofrey Engelbert, that Article 13(1) of Directive 95/46, providing for exceptions in the application of the rights of the data subjects, “must be interpreted as meaning that Member States have no obligation, but have the option, to transpose into their national law one or more of the exceptions which it lays down to the obligation to inform data subjects of the processing of their data”.

Article 13(1) has the following content:

Member States may adopt legislative measures to restrict the scope of the obligations and rights provided for in Articles 6(1), 10, 11(1), 12 and 21 when such a restriction constitutes a necessary measures to safeguard:

(a) national security;

(b) defence;

(c) public security;

(d) the prevention, investigation, detection and prosecution of criminal offences, or of breaches of ethics for regulated professions;

(e) an important economic or financial interest of a Member State or of the European Union, including monetary, budgetary and taxation matters;

(f) a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority in cases referred to in (c), (d) and (e);

(g) the protection of the data subject or of the rights and freedoms of others.

It must also be noted that these exemptions apply to:

– the principles relating to data quality enshrined in Article 6(1) of the Directive;

– the right to information, in Articles 10 and 11(1) of the Directive;

– the right to access personal data, enshrined in Article 12 of the Directive, a provision which also contains the right to rectification, erasure and blocking of data (Article 13(2));

– publicizing of processing operations, enshrined in Article 21 of the Directive.

By identity of reason, one can conclude that the decision of the Court in IPI v. Engelbert applies also to the other provisions to which Article 13(1) refers, not only to Articles 10 and 11. The latter were relevant in this particular case.

The conclusion of the Court is rather interesting. It is a well-known fact that “Directive 95/46 amounts to harmonisation which is generally complete”, as the Court itself notes in para. 31 of the IPI v. Engelbert decision, citing Case C‑101/01 Lindqvist [2003] ECR I‑12971, paragraphs 95 and 96, and Huber, paragraphs 50 and 51. How does the idea of non-compulsory exemptions and restrictions provided for in Directive 95/46 fall within the concept of “generally complete harmonisation”?

To justify this approach, the Court added in para. 31 that “the provisions of Directive 95/46 are necessarily relatively general given that it has to be applied to a large number of very different situations, and that the directive includes rules with a degree of flexibility and, in many instances, leaves to the Member States the task of deciding the details or choosing between options”, citing Lindqvist, para. 83.

The most compelling reason for the Court to decide so must have been an argument it brought in para. 28 of the IPI Decision: “It is apparent from recitals 3, 8 and 10 of Directive 95/46 that the European Union legislature sought to facilitate the free movement of personal data by the approximation of the laws of the Member States while safeguarding the fundamental rights of individuals, in particular the right to privacy, and ensuring a high level of protection in the European Union.”

It appears that the Court is more likely to interpret the provisions of Directive 95/46 through the “high level of protection” criterion, rather than the “generally complete harmonization” one.

The IPI Decision raises several questions:

* Do Member States have the liberty to provide for no exemptions and restrictions derived from Article 13(1) of the Directive at all?

* If this is not the case, what are the criteria to decide which are the minimum exceptions that must be regulated?

* Is the list of exemptions and restrictions enshrined in Article 13(1) of the Directive limited? In other words, taking into account that the generally complete harmonisation allows Article 13(1) to be interpreted in a flexible manner, can the state provide for additional exceptions?

One last remark is that the question of exemptions and restrictions of data protection law is sensitive, if only on account of the national security exception often invoked for interfering with the privacy of electronic communications. In this regard, see also this older post on pdpEcho.