Luxembourg, 15 June 2023
PRESS RELEASE No 104/23
Advocate General Medina: a data subject must have available to it a judicial remedy against an independent supervisory authority where he or she exercises his or her rights through that authority.
A broad and blanket exemption to the right of direct access to personal data in criminal matters is not
compatible with EU law.
An individual was refused by the Belgian National Security Authority a ‘security clearance certificate’ because he had participated in various demonstrations in the past. He thereupon asked the Belgian Supervisory Body for Police Information (hereafter, the “OCIP”) to identify the controllers responsible for the data processing at issue and to order them to provide him with access to all the information concerning him. The OCIP replied that it had carried out all necessary checks without providing any further details. Unsatisfied with that answer, the individual, together with the Ligue des droits humains, brought an action against the OCIP before the Belgian courts.
In this context, the Brussels Court of Appeal made a reference for a preliminary ruling to the Court of Justice with respect to directive 2016/6801, better known as “the Law Enforcement Directive”. That directive lays down rules on the protection of personal data and the processing of those data in the fields of judicial cooperation in criminal matters and police cooperation while reflecting the “specific nature of those fields”.
The Court of Appeal points out that under Belgian law, all requests based on rights relating to personal data processed by police services are to be made to the OCIP. That body simply informs the data subject that ‘the necessary verifications have been carried out’. Further, the national court doubts whether Belgian law allows for the exercise of a judicial remedy against the OCIP and seeks, in substance, to ascertain whether Article 17 of the directive complies with Article 8(3) and Article 47 of the Charter of Fundamental Rights of the European Union.
In her Opinion delivered today, Advocate General Laila Medina considers that under the Law Enforcement Directive, direct access to personal data held by authorities is the general rule whereas indirect access is the exception. The indirect exercise of rights through a supervisory authority is an additional guarantee and a safeguard for the data subject in circumstances in which the right to access is limited. When the data subject exercises his rights indirectly through a supervisory authority, he or she must have a judicial remedy against that authority in relation to its task of checking the lawfulness of processing.
In that context, the level of information provided by the supervisory authority to the data subject on the outcome of the check may not always be restricted to the minimum information that all necessary verifications have been carried out but may vary depending on the circumstances of the case in light of the principle of proportionality. Advocate General Medina points out that the Belgian law transposing the Law Enforcement Directive establishes a regime which derogates from the principle of direct exercise of the rights of data subjects with regard to all data processed by police services. Indeed, in view of the extremely broad scope of the data to which the regime of derogation applies, that regime establishes a blanket exemption to the direct right of access. Such a regime is incompatible with the Directive.
With regard to the remedies available to the data subject, the Advocate General takes the view that where the supervisory authority considers that it may not go beyond disclosing the minimum information, namely that all necessary verifications have been carried out, the exercise of judicial review would be impossible unless the court entrusted with the review of the decision of the supervisory authority is able to examine all the grounds on which that decision is based, as well as the decision by the controller to limit access. In such a case, the relevant information should be made available to that court.
Finally, Advocate General Medina considers that, article 17 of the Directive governing the indirect exercise of rights through the supervisory authority is compatible with the fundamental rights of protection of personal data and to an effective remedy as provided for in the Charter of Fundamental Rights of the European Union in so far as (i) the supervisory authority may, depending on the circumstances, go beyond stating that all necessary verifications have been carried out and (ii) there is available to the data subject a judicial review of the action taken and the assessment made by the supervisory authority concerning that data subject in the light of the obligations of the controller.
NOTE: The Advocate General’s Opinion is not binding on the Court of Justice. It is the role of the Advocates General to propose to the Court, in complete independence, a legal solution to the cases for which they are responsible. The Judges of the Court are now beginning their deliberations in this case. Judgment will be given at a later date.
NOTE: A reference for a preliminary ruling allows the courts and tribunals of the Member States, in disputes which have been brought before them, to refer questions to the Court of Justice about the interpretation of European Union law or the validity of a European Union act. The Court of Justice does not decide the dispute itself. It is for the national court or tribunal to dispose of the case in accordance with the Court’s decision, which is similarly binding on other national courts or tribunals before which a similar issue is raised.
1 Directive of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ 2016, L 119, p. 89).
Source – EU Court of Justice – Email