Tag Archives: sensitive data

The right to be forgotten goes back to the CJEU (with Google, CNIL, sensitive data, freedom of speech)

The Conseil d’Etat announced today that it referred several questions to the Court of Justice of the EU concerning the interpretation of the right to be forgotten, pursuant to Directive 95/46 and following the CJEU’s landmark decision in the Google v Spain case.

The questions were raised within proceedings involving the application of four individuals to the Conseil d’Etat to have decisions issued by the CNIL (French DPA) quashed. These decisions rejected their requests for injunctions against Google to have certain Google Search results delisted.

According to the press release of the Conseil d’Etat, “these requests were aimed at removing links relating to various pieces of information: a video that explicitly revealed the nature of the relationship that an applicant was deemed to have entertained with a person holding a public office; a press article relating to the suicide committed by a member of the Church of Scientology, mentioning that one of the applicants was the public relations manager of that Church; various articles relating to criminal proceedings concerning an applicant; and articles relating to the conviction of another applicant for having sexually aggressed minors”.

The Conseil d’Etat further explained that in order to rule on these claims, it has deemed it necessary to answer a number of questions “raising serious issues with regard to the interpretation of European law in the light of the European Court of Justice’s judgment in its Google Spain case.

“Such issues are in relation with the obligations applying to the operator of a search engine with regard to web pages that contain sensitive data, when collecting and processing such information is illegal or very narrowly framed by legislation, on the grounds of its content relating to sexual orientations, political, religious or philosophical opinions, criminal offences, convictions or safety measures. On that point, the cases brought before the Conseil d’Etat raise questions in close connection with the obligations that lie on the operator of a search engine, when such information is embedded in a press article or when the content that relates to it is false or incomplete”.

***

Find what you’re reading useful? Please consider supporting pdpecho.

CJEU case to follow: purpose limitation, processing sensitive data, non-material damage

A new case received by the General Court of the CJEU was published in the Official Journal of the EU in February, Case T-881/16 HJ v EMA.

A British citizen seeks to engage the non-contractual liability of the European Medicines Agency for breaching data protection law. The applicant claims that “the documents in his personal file, which were made public and accessible to any member of staff of the European Medicines Agency for a period of time, were not processed fairly and lawfully but were processed for purposes other than those for which they were collected without that change in purpose having been expressly authorised by the applicant”.

Further, the applicant claims that “the dissemination of that sensitive data consequently called into question the applicant’s integrity, causing him real and certain non-material harm”.

The applicant asks the Court to “order the defendant to pay the applicant the symbolic sum of EUR 1 by way of compensation for the non-material harm suffered”.

Even if in the published summary there is no mention of the applicable law, it is clear that Regulation 45/2001 is relevant in this case – the data protection regulation applicable to EU institutions and bodies (EMA is an EU body). The rules of Regulation 45/2001 are fairly similar to those of Directive 95/46.

(Thanks to Dr. Mihaela Mazilu-Babel for bringing this case to my attention)

***

Complaints Dealt With by EDPS in 2010

I will continue my endeavour started yesterday (read all about it HERE). Before analyzing some of the cases from the EDPS 2010 Report, I should mention that in 10 cases resolved in 2010 the EDPS found there was no breach of data protection rules, while in 11 cases non-compliance with data protection law was found to have occurred (and recommendations were addressed to the data controller concerned).

Here are the cases, just as they are explained in the EDPS 2010 Activity Report:

I. Compliance

1. Access to one’s own medical file. The EDPS received a complaint relating to access to one’s own medical file held by an institution’s medical service. The EDPS confirmed that under the data protection rules, access to personal data does not oblige the controller to send the original medical file, but that it implied in practice being able to have a look at it (in person or in certain cases indirectly via a doctor) and/or take copies of it. With regard to the right to rectification of inaccurate or incomplete data, the EDPS underlined that the obligation to rectify data in the context of medical data is related only to factual data and not to health related assessments. The controller is therefore not obliged under data protection rules to modify the conclusion of a specific medical report. In such a context, the right to rectify the data could result in the possibility to include another report from another medical professional containing a different assessment. The EDPS therefore concluded in this case that there was no breach to data protection rules.

II. Non-compliance

1. Publication of personal sensitive data. A complaint was received about the publication of highly sensitive personal data in the Official Journal of the European Union and in the minutes of a European Parliament session. Following an inquiry into the matter, the EDPS concluded that the opinion of the Member of Parliament could have been expressed and the political message of the Written declaration could have been transmitted effectively without revealing the identities of the persons concerned. The EDPS requested the deletion of the names of the persons invoked by the Member in the Written declaration and in any other medium. He also requested that a formal and effective procedure be established in order to ensure that definitive versions of documents published in the Official Journal and on the internet site of the Parliament take into account modifications introduced by the services in charge of the preparation of documents.

2. Communication of personnel numbers through an agency’s internal e-mail. A complaint was received relating to the communication of personnel numbers of the members of staff of an agency to all users via the agency’s internal email addresses. The purpose of the particular processing was to invite all members of staff for an appointment with the agency’s Security section to have their photograph taken. The EDPS considered that, for this purpose it was fully sufficient to send a list containing only last name and first name of all the persons concerned. The personnel number on this list was irrelevant and excessive in relation to the said purpose and thus in violation of Article 4 of the Regulation. The EDPS invited the agency to formally instruct staff dealing with personal data to be selective and exercise particular care when sending massive internal or external mailings containing personal data so as to ensure that only data which are necessary for the purpose of the message are included.

3. Covert video surveillance. A staff member complained against covert video surveillance in his institution. In particular, he questioned the lawfulness of the use of a video camera which recorded him, without his knowledge, when he entered his supervisor’s office in his absence. The EDPS concluded that the institution had not demonstrated the existence of a legal basis which would explicitly allow the possibility of such highly intrusive operations and provide for specific conditions and safeguards. Without such a transparent legal basis and a structured approach, the proportionality of covert video surveillance was doubtful. The EDPS, therefore, called on the institution to re-examine whether it wished to avail itself of covert surveillance in the future and if so, to submit its plans to the EDPS for prior checking.

In conclusion, data protection complaints to an authority such as the EDPS vary as much as the general subject matter of data protection. Whether people don’t have access to their personal information, whether their sensitive data is published or whether they are being surveilled in an office without knowing, they feel like their privacy is being invaded and they want to react somehow. Nevertheless, it is clear that the right to data protection is not an absolute one. In case I.1. from above, the individual did not have the right to simply modify data concerning his health, even though the modification was meant for his own medical file. Health is a sensitive subject matter and keeping track of one’s medical condition is important, even though the medical condition changed. It would be interesting to know more facts from this particular case to analyze in depth this limit of the right to data protection.