Advocate General Sharpston delivered her Opinion on December 12, 2013, in Joined Cases C-141/12 and C-372/12, Y.S. v. Minister voor Immigratie, in which she analyzed the content of the right to access personal data in a minute created during an administrative procedure. The case is interesting, as it interprets both Article 12 of Directive 95/46 and Article 8(2) of the Charter of Fundamental Rights of the EU.
According to the summary of the case drafted by AG Sharpston in her decision (see para 1), “Y.S., M. and S. are third country nationals who have applied for lawful residence in the Netherlands. Y.S.’s application was refused. Those of M. and S. were granted. Each relies on EU law in order to obtain access to a document (‘the minute’) drafted by an official of the relevant authority and containing a legal analysis in the form of internal advice on whether to grant residence status. They argue that the legal analysis is personal data and thus, as a matter of EU law, they have the right to access the minute.”
In the case of Y.S., following the applicant’s request for access to the minute drafted for the decision, the Minister refused to provide access, on the ground that the minute contained, apart from personal data, a legal analysis. The Minister did provide, in so far as necessary, an overview of the data contained in the minute, the origin of that data and the authorities which had access to the data. Y.S. challenged the decision, and the court of appeals referred several questions to CJEU.
In the case of M and S, the Ministry rejected their requests, but two Dutch courts annulled the decision of rejection and obliged the Ministry to give the applicants a copy of the respective minutes. The Ministry challenged these court decisions to the Raad von State court, which has sent several questions to the Court of Justice of the European Union, following the preliminary ruling procedure.
Main referred questions
The questions are relevant in the correct application of the right to access personal data.
The first question asks whether the second indent of Article 12(a) of [Directive 95/46] should be interpreted to mean that there is a right to a copy of documents in which personal data have been processed, or is it sufficient if a full summary, in an intelligible form, of the personal data that have undergone processing in the documents concerned is provided?
The second question asks whether the words “right of access” in Article 8(2) of [the Charter] should be interpreted to mean that there is a right to a copy of documents in which personal data have been processed, or is it sufficient if there is provision of a full summary, in an intelligible form, of the personal data that have undergone processing in the documents concerned within the meaning of the second indent of Article 12(a) of [Directive 95/46]?
Another question asked by the Dutch court is whether a legal analysis, as set out in a minute, could be regarded as personal data within the meaning of Article 2(a) of [Directive 95/46].
The referred questions also cover the realm of the exceptions of the right to access personal data, as enshrined in Directive 95/46. In this regard, question 6 of the Raad von State asks whether the protection of the rights and freedoms of others, within the meaning of Article 13(1)(g) of [Directive 95/46] …, also cover the interest in an internal undisturbed exchange of views within the public authority concerned. Also, if the answer to that is in the negative, can that interest then be covered by Article 13(1)(d) or (f) of that directive?
AG Sharpston: “only information relating to facts about an individual can be personal data”
AG Sharpston acknowledges that “personal data is a broad concept” (para. 44) and “It can be understood to relate to any facts regarding that person’s private life and possibly, where relevant, his professional life (which might involve a more public aspect of that private life)” (para. 45).
As such, “information included in the minute relating to facts such as the name, date of birth, nationality, gender, ethnicity, religion and language of an applicant is ‘personal data’ within the meaning of Article 2(a) of Directive 95/46″ (para. 46).
However, the Advocate General does not consider that legal analysis is personal data. And as a consequence, access should not be granted to the part of the minute which enshrines the legal analysis regarding the asylum request of the applicants, using as legal ground the right to access personal data.
To justify her view, AG Sharpston argues that “only information relating to facts about an individual can be personal data. Except for the fact that it exists, a legal analysis is not such a fact. Thus, for example, a person’s address is personal data but an analysis of his domicile for legal purposes is not” (para. 56).
Further, the Advocate General explains that “facts can be expressed in different forms, some of which will result from assessing whatever is identifiable. For example, a person’s weight might be expressed objectively in kilos or in subjective terms such as ‘underweight’ or ‘obese’. Thus, I do not exclude the possibility that assessments and opinions may sometimes fall to be classified as data” (para. 57). “However, the steps of reasoning by which the conclusion is reached that a person is ‘underweight’ or ‘obese’ are not facts, any more than legal analysis is” (para. 58).
In my opinion, the most convincing legal argument which could justify that legal analysis regarding facts about an identified person is not personal data, is the one stating that “legal analysis as such does not fall within the sphere of an individual’s right to privacy. There is therefore no reason to assume that that individual is himself uniquely qualified to verify and rectify it and ask that it be erased or blocked. Rather, it is for an independent judicial authority to review the decision for which that legal analysis was prepared” (para. 60).
In other words, access to legal analysis would not serve the purpose of exercising the other rights of the data subject: the right to erasure, the right to rectification etc. So perhaps another question one could ask is whether the only purpose of the right to access personal data is the possibility for the data subject to exercise the other rights she has regarding the processing of her data.
The other question one could ask is how can a person require an independent judicial authority to review the decision for which that legal analysis was prepared, if she doesn’t know the content of the decision? Nevertheless, the answer to this last question is more substantially linked to the right to an effective judicial remedy.
The form in which access should be granted to personal data
AG Sharpston also addresses in her Opinion the question of the form in which access to personal data must be granted, having regard to the fact that the referring courts asked whether a copy of the minute has to be provided to the applicants.
First, the Advocate General establishes that the right to access as provided in Article 8(2) of the EU Charter “does not articulate a separate standard governing the form in which access must be made available” (para. 70) than Article 12 of Directive 95/46.
“When read together with the principle of proportionality and legal certainty, I interpret Article 8(2) of the Charter to mean that access need not go beyond what is necessary in order to achieve its objectives and to give the data subject full knowledge of the personal data that are protected under that provision. The requirement set out in Article 12 of Directive 95/46 corresponds to those principles. For that reason, I do not consider that a separate inquiry into the form of access under Article 8 of the Charter is necessary” (para. 70).
AG Sharpston further considers that “Depending on the circumstances, a copy might be neither necessary nor sufficient” (para 73). She explains that “Directive 95/46 does not require personal data covered by the right of access to be made available in the material form in which they exist or were initially recorded. In that regard, I consider that a Member State has a considerable margin of discretion to determine, based on the individual circumstances in case, the form in which to make personal data accessible” (para 74).
The Advocate General adds that “In making that assessment, a Member State should take account of, in particular:
(i) the material form(s) in which that information exists and can be made available to the data subject,
(ii) the type of personal data and
(iii) the objectives of the right of access.” (para. 75).
The conclusion is that “the fact that personal data are contained in a document such as a minute does not imply that the data subject automatically has the right to that material form, that is to say, a copy or extract of that document” (para 79).
The second indent of Article 12(a) of Directive 95/46 states that the data subject has the right to obtain from the controller “- communication to him in an intelligible form of the data undergoing processing and of any available information as to their source”. Hence, all the data undergoing processing must be communicated to the data subject “in an intelligible form”.
In my view, there are two possible variations of personal data undergoing processing that can be the object of an access request: 1. data processed in an intelligible form for the data subject and 2. data processed in a non-intelligible form for the data subject (such as binary language, code, foreign alphabet etc.). Whenever data is processed in a language (understood lato sensu) which is accessible to the data subject, she is entitled to receive a copy of that data – be it an extract of a larger material form in which the data is processed. If the data is processed in a non-intelligible form for the data subject, she is entitled to receive the processed data, in a specific material form, translated into an intelligible language for the data subject.
In fact, as the online Oxford dictionary reveals, the origin of the noun “copy” ultimately rests in Latin: copia ‘abundance’ (in medieval Latin ‘transcript’, from such phrases as copiam describendi facere – ‘give permission to transcribe’). So a copy of personal data can be understood not only as an identical specimen to the original data, but also as a transcription of the original data.
Regarding the case at hand, I consider that as long as the facts of the case of the applicants are considered “personal data”, the applicants are entitled to receive a copy of the personal data enshrined in the minute, in the form of a photocopy of the minute in which all the information which is not considered to be personal data can be erased/covered with a black/blank line etc. I do not see why would it be disproportionate to communicate the personal data contained in the minute in this manner. Moreover, I consider that such a copy is the only one which ensures the effectiveness of the exercise of the other rights of the data subject – especially the right to rectification.
Exceptions of the right to access – “the protection of rights and freedoms of others cannot be read as including rights and freedoms of the authority processing personal data”
Finally, AG Sharpston argues that, if the legal analysis could be considered personal data, then the data controller cannot invoke Article 13 subparagraph g as a justification for not offering access to the processed data: “the protection of rights and freedoms of others (that is, other than the data subject) cannot be read as including rights and freedoms of the authority processing personal data. If a legal analysis is to be categorised as personal data, that must be because it is related to the private interests of an identified or identifiable person. Whilst the public interest in protecting internal advice in order to safeguard the administration’s ability to exercise its functions may indeed compete with the public interest in transparency, access to such advice cannot be restricted on the basis of the first of those two interests, because access covers only what falls within the private interest” (para. 84.)
One last observation: what would the ECHR say?
In 2012 (22 May), the European Court of Human Rights gave its decision in a case which presents certain similarities with the case at hand – Trăilescu v. Romania (5666/04 and 14664/05; only available in French and Romanian). The applicant considered his right to private life, as enshrined in Article 8 of the European Convention of Human Rights was breached because the Ministry of Justice refused him access to his evaluation file – which was created in a decision process with regard to his admission in the body of magistrates. The applicant passed the exam to become a magistrate, but he was informed by the procureur général that he would not be appointed as a magistrate because he does not have a good reputation, a condition imposed by Law no. 92/1992. According to the Court, “pour rendre cette décision, le ministère public se fonda sur plusieurs faits, tels qu’ils résultaient du dossier « personnel » (dosarul de personal) établi par le parquet près le tribunal départemental de Mehedinţi à la suite des recherches effectuées quant à la personne du requérant en 2000 et 2001. Il ressort de la décision du ministère que le dossier « personnel » était constitué de renseignements fournis par les anciens employeurs du requérant, par ses connaissances et par la police d’Orşova, des recommandations et d’autres documents.”
The applicant contested that decision in court and during the proceedings he also asked to be granted access to his file. However, he did so by invoking the right to access information of public interest. His request was rejected by the national courts, which argued that the information contained in the file is personal and not of public interest.
The ECHR considered in its decision that the applicant did not exhaust all the remedies in the national judicial system, because he did not ask for access to his file pursuant to Law 677/2001 for the protection of individuals with regard to the processing of personal data (which transposes Directive 95/46 in Romania).
ECHR stated in its decision that “La loi no 677/2001 décrit également la procédure à suivre par toute personne intéressée pour avoir accès aux données à caractère personnel classifiées et l’accès au tribunal est prévu par l’article 18 de cette loi (paragraphe 39 ci-dessus). Rien n’indique que le contrôle exercé par le tribunal est limité d’une quelconque manière, pour pouvoir douter d’emblée de l’efficacité d’un tel recours. Dans ces circonstances, la Cour considère que rien ne permet de penser que les dispositions de la loi no 677/2001 n’offraient pas au requérant la possibilité de faire redresser son grief, ou qu’il ne présentait aucune perspective raisonnable de succès” (para. 70).
In other words, the Court in Strasbourg expressed its expectation that a request as the one in the main proceedings grounded in the right to access personal data presents “a reasonable perspective of success.”
‘ I would like to thank Mihaela Mazilu-Babel for pointing out this AG Opinion.
” CJEU is expected to deliver its decision in 2014.
A look at political psychological targeting, EU data protection law and the US elections
Cambridge Analytica, a company that uses “data modeling and psychographic profiling” (according to its website), is credited with having decisively contributed to the outcome of the presidential election in the U.S.. They did so by using “a hyper-targeted psychological approach” allowing them to see trends among voters that no one else saw and thus to model the speech of the candidate to resonate with those trends. According to Mashable, the same company also assisted the Leave. EU campaign that leaded to Brexit.
How do they do it?
“We collect up to 5,000 data points on over 220 million Americans, and use more than 100 data variables to model target audience groups and predict the behavior of like-minded people” (my emphasis), states their website (for comparison, the US has a 324 million population). They further explain that “when you go beneath the surface and learn what people really care about you can create fully integrated engagement strategies that connect with every person at the individual level” (my emphasis).
According to Mashable, the company “uses a psychological approach to polling, harvesting billions of data from social media, credit card histories, voting records, consumer data, purchase history, supermarket loyalty schemes, phone calls, field operatives, Facebook surveys and TV watching habits“. This data “is bought or licensed from brokers or sourced from social media”.
(For a person who dedicated their professional life to personal data protection this sounds chilling.)
Under US privacy law this kind of practice seems to have no legal implications, as it doesn’t involve processing by any authority of the state, it’s not a matter of consumer protection and it doesn’t seem to fall, prima facie, under any piece of the piecemeal legislation dealing with personal data in the U.S. (please correct me if I’m wrong).
Under EU data protection law, this practice would raise a series of serious questions (see below), without even getting into the debate of whether this sort of intimate profiling would also breach the right to private life as protected by Article 7 of the EU Charter of Fundamental Rights and Article 8 of the European Convention of Human Rights (the right to personal data protection and the right to private life are protected separately in the EU legal order). Put it simple, the right to data protection enshrines the “rules of the road” (safeguards) for data that is being processed on a lawful ground, while the right to private life protects the inner private sphere of a person altogether, meaning that it can prohibit the unjustified interferences in the person’s private life. This post will only look at mass psychological profiling from the data protection perspective.
Does EU data protection law apply to the political profilers targeting US voters?
But why would EU data protection law even be applicable to a company creating profiles of 220 million Americans? Surprisingly, EU data protection law could indeed be relevant in this case, if it turns out that the company carrying out the profiling is based in the UK (London-based), as several websites claim in their articles (here, here and here).
Under Article 4(1)(a) of Directive 95/46, the national provisions adopted pursuant to the directive shall apply “where the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State“. Therefore, the territorial application of Directive 95/46 is triggered by the place of establishment of the controller. Moreover, Recital 18 of the Directive’s Preamble explains that “in order to ensure that individuals are not deprived of the protection to which they are entitled under this Directive, any processing of personal data in the Community (EU – n.) must be carried out in accordance with the law of one of the Member States” and that “in this connection, processing carried out under the responsibility of a controller who is established in a Member State should be governed by the law of that State” (see also CJEU Case C-230/14 Weltimmo, paras. 24, 25, 26).
There are, therefore, no exceptions to applying EU data protection rules to any processing of personal data that is carried out under the responsibility of a controller established in a Member State. Is it relevant here whether the data subjects are not European citizens, and whether they would not even be physically located within Europe? The answer is probably in the negative. Directive 95/46 provides that the data subjects it protects are “identified or identifiable natural persons“, without differentiating them based on their nationality. Neither does the Directive link its application to any territorial factor concerning the data subjects. Moreover, according to Article 8 of the EU Charter of Fundamental Rights, “everyone has the right to the protection of personal data concerning him or her”.
I must emphasise here that the Court of Justice of the EU is the only authority that can interpret EU law in a binding manner and that until the Court decides how to interpret EU law in a specific case, we can only engage in argumentative exercises. If the interpretation proposed above would be found to have some merit, it would indeed be somewhat ironic to have the data of 220 million Americans protected by EU data protection rules.
What safeguards do persons have against psychological profiling for political purposes?
This kind of psychological profiling for political purposes would raise a number of serious questions. First of all, there is the question of whether this processing operation involves processing of “special categories of data”. According to Article 8(1) of Directive 95/46, “Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.” There are several exceptions to this prohibition, of which only two would conceivably be applicable to this kind of profiling:
In order for this kind of psychological profiling to be lawful, the controller must obtain explicit consent to process all the points of data used for every person profiled. Or the controller must only use those data points that were manifestly made public by a person.
Moreover, under Article 15(1) of Directive 95/46, the person has the right “not to be subject to a decision which produces legal effects concerning him or significantly affects him and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability, conduct, etc.”. It is of course to be interpreted to what extent psychological profiling for political purposes produces legal effects or significantly affects the person.
Another problem concerns the obligation of the controller to inform every person concerned that this kind of profiling is taking place (Articles 10 and 11 of Directive 95/46) and to give them details about the identity of the controller, the purposes of the processing and all the personal data that is being processed. In addition, the person should be informed that he or she has the right to ask for a copy of the data the controller holds about him or her and the right to ask for the erasure of that data if it was processed unlawfully (Article 12 of Directive 95/46).
Significantly, the person has the right to opt-out of a processing operation, at any time, without giving reasons, if that data is being processed for the purposes of direct marketing (Article 14(b) of Directive 95/46). For instance, in the UK, the supervisory authority – the Information Commissioner’s Office, issued Guidance for political campaigns in 2014 and gave the example of “a telephone call which seeks an individual’s opinions in order to use that data to identify those people likely to support the political party or referendum campaign at a future date in order to target them with marketing” as constituting direct marketing.
Find what you’re reading useful? Consider supporting pdpecho.
Posted in Comments, Europe, News, US and Canada
Tagged big data, big data analytics, cambridge analytica, data protection, data protection and elections, directive 95/46/EC, personal scope of EU charter, personal scope of EU data protection, privacy, profiling, profiling for electoral campaign, US elections