Data IT Law May 2017: data protection impact assessments by WP29 & legitimate interests in Rigas

An overview of interesting Data & IT Law articles and news in May 2017!


The interpretation of a legitimate interest by the EU Court of Justice

The Court of Justice of the EU published its decision in C-13/16 Rigas. It dealt with the disclosure of personal information in order to identify the person who caused an accident. The issue was to what extent public authorities should reveal such data under the rule permitting processing that is “necessary for the purposes of the legitimate interests pursued by the … third party or parties to whom the data are disclosed”.

The article at iapp covers the decision. The Court held that “such an obligation was not created by Article 7(f), which simply expressed the possibility of processing data for the purposes of the legitimate interests of a third party.” However, the CJEU went on to hold that such a disclosure was not precluded by Article 7(f) “in the event that it is made on the basis of national law, in accordance with the conditions laid down in that provision.”

The CJEU went on to set out what these three conditions are: firstly “the pursuit of a legitimate interest by the data controller or by the third party or parties to whom the data are disclosed”; secondly, “the need to process personal data for the purposes of the legitimate interests pursued”; and finally, “that the fundamental rights and freedoms of the person concerned by the data protection do not take precedence.”

An important point is that the CJEU still required that any such disclosure take place “on the basis of national law”. The CJEU did not consider that such a legitimate interest could, of itself, provide a lawful basis for the processing in question. Such a lawful basis would have to be provided by Latvian law itself.


WP29 opinion on data protection impact assessments

The Article 29 Working Party published its Opinion on the legal regime of data protection impact assessments (DPIAs) under the GDPR. Lukasz Olejnik’s blog gives a brief overview of WP29’s findings. Among other things, it lists these types of situations as indicators that a DPIA may be required:

  • Profiling is in use
  • Automated decision-making with legal or similarly significant effect
  • Systematic surveillance
  • Sensitive data
  • Large-scale data processing
  • Linked databases – in other words, data aggregation
  • Data concerning vulnerable data subjects
  • “New technologies in use” – WP29 explicitly mentions the “Internet of Things” as being in scope for a DPIA
  • Data transfer outside of the EU
  • “Unavoidable and unexpected processing”

The basic rule is that “if less than two points are met, the system potentially may not need a DPIA – unless it does need it after all.”

Moreover, WP29 stressed that even if a DPIA is not necessary, the data controller must still perform certain tasks, specifically “maintain a record of processing activities under its responsibility”. Such actions – let’s call them a “small DPIA” or a “DPIA Threshold Assessment” – need to be documented and performed regardless of whether a full-scale DPIA is made.


Damages for distress by a personal data protection rules breach in Scotland

In Scotland, the Court in Edinburgh awarded over £17,000 in damages to a couple in a civil claim. The couple argued that they experienced “extreme stress” due to the “highly intrusive” use of a CCTV and audio recording system by their neighbours.

According to the article by Cordery Compliance, “(t)he CCTV cameras covered the couple’s private property and the property owner’s husband taunted the couple as he said that he could listen to private conversations in their garden – the couple feared that their private conversations inside their flat were also being recorded (two audio boxes had been installed immediately below front bedroom windows).”

The Court held that the data processing was intrusive, excessive, unjustified and “an effort to oppress”. It also referred to the earlier decision of the UK Court of Appeal in Google v Vidal-Hall, which established a right to damages for “distress” alone for breaches of the Data Protection Act 1998.


What is the meaning of lawfulness in the GDPR?

The Centre for IT & IP Law at KU Leuven published an interesting article about the meaning of the term “lawfulness” under the GDPR.

The author argues that “(l)awfulness, as now used in the GDPR, specifically and exclusively refers to having a lawful ground for processing under Article 6.” In the Data Protection Directive, the term was used in a broader sense.

The reasons given for this interpretation include:

  • the change of title between the Directive and the GDPR
  • the new provision’s opening sentence, which now explicitly reads “[p]rocessing shall be lawful only if…”
  • the legislative history of Article 82 on the ‘Right to compensation and liability’
  • the recitals (notably 40 et seq.) and satellite provisions such as Article 8 on the processing of children’s information in an ISS context
  • consistency across language versions
