CJEU & legitimate interest in scope: what the controller should remember of.

CJEU gave the Judgement in the course of a preliminary ruling on whether Articles 6(1)(c) and 7(f) of the Data Protection Directive (95/46/EC) precluded national law from allowing installation of a CCTV system in the common parts of a residential building, relying on a legitimate interest (Case C-708/18).  

The overall answer is “No, it didn’t”. But what else is inside for data protection pros? 

Well, CJEU re-brought to the attention of data controllers critical cornerstones of the legitimate interest as a legal basis:

– there must be present and effective legitimate interest (‘purpose test’);

– processing at issue must be strictly necessary, i.e. the purpose “cannot reasonably be as effectively achieved by other means less restrictive of the fundamental freedoms. (‘necessity test’). This is closely intertwined with the ‘data minimisation’ principle; 

– a balancing test must be conducted (ref. WP29 Opinion 06/2014 on the notion of legitimate interests).

More to read:

https://www.rpc.co.uk/snapshots/data-protection/cjeus-cctv-ruling-guidance-on-legitimate-interests-processing/

Belgian data protection watchdog sends controversial ‘message’ with regard to non-profit data controllers.

An interesting GDPR enforcement case came from Belgium in late May. Imagine that a data controller is sending unsolicited postal communications and ignoring data subject rights to object (Article 21) and to be forgotten (Article 17). On top of that, it misidentified legal basis and relied on the legitimate interest instead of consent (of course, no balancing exercises have been conducted and no safeguards have been put in place).

What could happen to such a data protection ‘nihilist’? Article 83(5) suggests that its DPO may start looking for another job. However, things may go upside down if the controller is a… non-profit organisation. 

Not to keep an unnecessary suspense, the data controller in the case above was fined mere 1000 EUR (nope, I did not miss additional ‘zeros’). Of course, factoring in that it was the first case against this organisations and that the controller is a non-profit organisation with no regular turnover.

This all may be well true, but it seems that such ‘enforcement’ naturally tears the fabric of the GDPR as it factually gives all non-profit organisations carte blanche to violate ‘tastefully’ for their first time.

More details on this case:

A “purpose”​ element: what is inside the controller’s mind?

In ‘Opinion 4/2007’ on the concept of personal data, Working Party 29 (‘WP29’) identified four building blocks in the definition of personal data – ‘any information’, ‘relating to’, identified or identifiable’, ‘natural person’. They remained the same in the GDPR, thus rendering ‘Opinion 4/2007’ relevant for understanding the concept of personal data. 

However, WP29, instead of eliminating all subjectivity to the extent possible, seemed to add some unclarity to the explanation of what ‘relating to’ means.

WP29 sets out that ‘in order to consider that the data “relate” to an individual, a “content” element OR a “purpose” element OR a “result” element should be present’. In turn, ‘“purpose” element can be considered to exist when the data are used or are likely to be used, taking into account all the circumstances surrounding the precise case, with the purpose to evaluate, treat in a certain way or influence the status or behaviour of an individual’.

By itself, an idea to decide on whether the data are personal or not through the interpretation of the “purpose” element is quite controversial due to the subjective (rather than objective) nature of the notion of purpose.

An example given by WP29 brings this problem front and center:

Passenger vehicles owned by a transportation company suffer repeated damage when they are dirtied with graffiti. In order to evaluate the damage and to facilitate the exercise of legal claims against their authors, the company organises a register containing information about the circumstances of the damage, as well as images of the damaged items and of the “tags” or “signature” of the author. At the moment of entering the information into the register, the authors of the damage are not known nor to whom the “signature” corresponds. It may well happen that it will never be known. However, the purpose of the processing is precisely to identify individuals to whom the information relates as the authors of the damage, so as to be able to exercise legal claims against them. Such processing makes sense if the data controller expects as “reasonably likely” that there will one day be means to identify the individual. The information contained in the pictures should be considered as relating to “identifiable” individuals, the information in the register as “personal data”, and the processing should be subject to the data protection rules, which allow such processing as legitimate under certain circumstances and subject to certain safeguards.

Most likely, it is only common sense that can lead to the conclusion that the purpose is to precisely identify authors of the graffiti. However, the controller can potentially argue that it keeps the register and images for some other internal purposes not connected with the purpose of future identification. As a result, we may end up being engaged in a discussion about true intentions of the controller which might not be established easily due to a lack of the factual grounds.

The issue described above may prima facie seem to be solely theoretical. Moreover, the language used by the GDPR contains various ‘floating’ criteria implying the necessity to conduct evaluations on a case-by-case basis. However, one should not overlook that, by applying the concept of purpose as described above, we decide on whether the data are personal or not, and a positive answer inevitably triggers set of responsibilities vested in the controller under the GDPR and Member States laws. It can be assumed that more certainty is need when addressing such a fundamental issue which may (or may not) trigger application of the data protection legislation in general.

Interestingly, the GDPR suffers from the same flaw like the WP29 ‘Opinion 4/2007’. Under Article 9(1), processing of biometric data for the purpose of uniquely identifying a natural person is prohibited (unless one of the exemptions under Article 9(2) applies). This brings us back to the issue of identification of the controller’s intention. Ironically enough, Recital 51 applies more objective criteria when addressing the same issue:

“The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person

In other words, under Recital 51, it is ability of technical means to identify individuals that plays a key role (and not just purposes pursued by the controller). Unfortunately, this wording has been changed in Article 9(1) requiring to identify the subjective purposes (instead of objective abilities).