-
Recent Posts
- Why data protection law is uniquely equipped to let us fight a pandemic with personal data
- A US Bill from 1974 shares so much DNA with the GDPR, it could be its ancestor
- Planet49 CJEU Judgment brings some ‘Cookie Consent’ Certainty to Planet Online Tracking
- The CJEU decides lack of access to personal data does not unmake a joint controller: A look at Wirtschaftsakademie
- Brief case-law companion for the GDPR professional
- Exam scripts are partly personal data and other practical findings of the CJEU in Nowak
- A Conversation with Giovanni Buttarelli about The Future of Data Protection: setting the stage for an EU Digital Regulator
- Why did Facebook just receive (one of) the biggest data protection fine(s) on record
- Exam scripts and examiner’s corrections are personal data of the exam candidate (AG Kokott Opinion in Nowak)
- Highlights of the draft LIBE report on the ePrivacy Reg
Archives
Tags roulette
AG Mengozzi Article 8 Charter article 29 working party big data CJEU cloud computing CNIL data portability data protection Data Protection Directive data protection laws data protection officer data protection reform data protection regulation directive 95/46 directive 95/46/EC EDPS European Commission European Data Protection Supervisor European Parliament Facebook Gabriela Zanfir GDPR Google personal data PNR privacy right to be forgotten Surveillance technology Viviane RedingCategories
RSS
Meta
All about personal data protection and privacy
EPIC.ORG news- An error has occurred; the feed is probably down. Try again later.
- EDRi
- European Data Protection Supervisor
- An error has occurred; the feed is probably down. Try again later.
- CNIL
- Agir pour un futur numérique responsable : la CNIL organise un colloque pour ses 45 ans
- La CNIL publie son premier dossier thématique dédié à l’identité numérique
- Designs trompeurs, certification et transferts : les trois lignes directrices adoptées par le CEPD en février
- « Les Gardiens du numérique » : l’escape game sur la vie privée à la Cité des sciences et de l’industrie à Paris
- Thématiques prioritaires de contrôle 2023 : caméras « augmentées », applications mobiles, fichiers bancaires et dossiers patients
- ICO
- ICO takes action against Lewisham Council for failing to respond to hundreds of Freedom of Information requests
- ICO issues reprimand to the Metropolitan Police Service for inadequate handling of files related to organised crime groups
- ICO reaches agreement with Easylife Ltd
- ICO statement on Government response to Sir Patrick Vallance’s Pro-Innovation Regulation of Technologies Review
- ICO shares resources to help designers embed data protection by default
- Privacy Commissioner Canada
- Announcement: Commissioner welcomes conclusion of the U.S. Federal Trade Commission’s investigation into Ashley Madison breach
- Announcement: OPC blog post: learn how identifiers on your phone can be used to track you
- Don’t repeat past mistakes, Privacy Commissioner warns as government reviews national security framework - December 6, 2016
- Media Advisory: Privacy guardians to unveil recommendations on modernizing Canada’s national security framework - December 5, 2016
- Announcement: Contributions Program launches call for innovative research and knowledge translation proposals - November 30, 2016
pdpEcho 
Court of Justice of the EU: Member States are not obliged to provide for exceptions in the application of data subjects’ rights
The Court of Justice of the European Union ruled on November 7, in Case C-473/12 IPI v. Geofrey Engelbert, that Article 13(1) of Directive 95/46, providing for exceptions in the application of the rights of the data subjects, “must be interpreted as meaning that Member States have no obligation, but have the option, to transpose into their national law one or more of the exceptions which it lays down to the obligation to inform data subjects of the processing of their data”.
Article 13(1) has the following content:
Member States may adopt legislative measures to restrict the scope of the obligations and rights provided for in Articles 6(1), 10, 11(1), 12 and 21 when such a restriction constitutes a necessary measures to safeguard:
(a) national security; (b) defence; (c) public security; (d) the prevention, investigation, detection and prosecution of criminal offences, or of breaches of ethics for regulated professions; (e) an important economic or financial interest of a Member State or of the European Union, including monetary, budgetary and taxation matters; (f) a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority in cases referred to in (c), (d) and (e); (g) the protection of the data subject or of the rights and freedoms of others.’
It must also be noted that these exemptions apply to: – the principles relating to data quality enshrined in Article 6(1) of the Directive; – the right to information, in Articles 10 and 11(1) of the Directive; – the right to access personal data, enshrined in Article 12 of the Directive, a provision which also contains the right to rectification, erasure and blocking of data (Article 13(2)); -publicizing of processing operations, enshrined in Article 21 of the Directive.
By identity of reason, one can conclude that the decision of the Court in IPI v. Engelbert, applies also to the other provisions to which Article 13(1) refers, not only to Articles 10 and 11. The latter were relevant in this particular case.
The conclusion of the Court is rather interesting. It is a well known fact that “Directive 95/46 amounts to harmonisation which is generally complete“, as the Court itself notes in para. 31 of the Ipi v. Engelbert decision, citing Case C‑101/01 Lindqvist[2003] ECR I‑12971, paragraphs 95 and 96, and Huber, paragraphs 50 and 51. How does the idea of non-compulsory exemptions and restrictions provided for in Directive 95/46 fall within the concept of “generally complete harmonisation”?
To justify this approach, the Court added in para. 31 that “the provisions of Directive 95/46 are necessarily relatively general given that it has to be applied to a large number of very different situations, and that the directive includes rules with a degree of flexibility and, in many instances, leaves to the Member States the task of deciding the details or choosing between options”, citing Lindqvist, para. 83.
The most compelling reason for the Court to decide so must have been an argument it brought in para. 28 of the IPI Decision: “It is apparent from recitals 3, 8 and 10 of Directive 95/46 that the European Union legislature sought to facilitate the free movement of personal data by the approximation of the laws of the Member States while safeguarding the fundamental rights of individuals, in particular the right to privacy, and ensuring a high level of protection in the European Union.”
It appears that the Court is more likely to interpret the provisions of Directive 95/46 through the “high level of protection” criterion, rather than the “generally complete harmonization” one.
The IPI Decision raises several questions:
* Do Member States have the liberty to provide for no exemptions and restrictions derived from Article 13(1) of the Directive at all?
*If this is not the case, what are the criteria to decide which are the minimum exceptions that must be regulated?
*Is the list of exemptions and restrictions enshrined in Article 13(1) of the Directive limited? In other words, taking into account that the generally complete harmonisation allows Article 13(1) to be interpreted in a flexible manner, can the state provide for additional exceptions?
One last remark is that the question of exemptions and restrictions of data protection law is sensitive, only if one takes into account the national security exception often invoked for interfering with the privacy of electronic communications. In this regard, see also THIS older post on pdpEcho.
Share this:
Like this: