Greetings from Brussels.
The Danish data protection authority, Datatilsynet, recently published an interesting decision against an insurance company in connection with a compensation case that I think is of general public interest to folks in the EU.
For context, in 2015, a Danish data subject was grievously injured in a road traffic accident. The resulting injuries meant the individual had to give up their employment, and in 2019 was awarded an early retirement pension by the local government. Conversely, the insurance company refused to pay compensation to the gentlemen for loss of earning capacity. Moreover, the company launched a surveillance action to monitor the data subject and the extent of injury in support of its decision and subsequently refused to hand over the surveillance material in a lawsuit brought against the company in the last year.
I had the opportunity to speak with Tim Clements and Petruta Pirvan of data protection consultancy and training company Purpose and Means to get a more concise take on the case. What is clear is that the Danish DPA expressed serious criticism against the insurance company for violating the provisions of Article 15 of the EU General Data Protection Regulation by rejecting a right to access request from the data subject without demonstrating what is termed as “decisive considerations.” Through legal representation the data subject had requested access to the monitoring file — repeatedly — which was refused by the insurance company.
The company claimed that giving the data subject access to the observation reports, photos and videos — resulting from the surveillance activity — would paralyze its ability to pursue its own interests in a lawsuit against the data subject. The insurance company based its assertions on the Danish Data Protection Act, section 22, subsection 1, which provides that: “The right of access may thus be limited if the data subject's interest in the information is found to give way to decisive considerations of private interests, including the consideration for the person.” This essentially entails that there can only be exceptions to the right of access in cases where there is an imminent danger that the interests of private individuals will suffer "significant" damage. The DPA did not agree with the company’s argument (in this specific case), stating that while the plaintiff may well use the information in litigation, this in itself did not constitute a decisive consideration in the company’s interests. Moreover, the DPA further noted the right to access exists precisely to give data subjects (including plaintiffs) an ability to check the accuracy of the information and the legality of the processing, and only concrete and demonstrable decisive considerations can give rise to a waiver of rights to access.
It is also worth noting that in this particular case, the initial lead supervisory authority was the Swedish Data Protection Agency, as the insurance company is based in Sweden. Nevertheless, the case was taken over by the Danish Data Protection Authority based on Article 56(2) of the GDPR. In other words, the case was treated as a local case as the subject matter alone significantly impacted Danish data subjects. The Swedish DPA agreed with the approach, and the Swedish and Danish DPAs cooperated across borders on the case.
As for the case itself, the monitoring material has been handed over to the data subject’s legal representation, and a lawsuit has been filed against the company and is underway with a compensation claim for payment. Regardless of the case’s outcome, this could be viewed as a win for corporate transparency, and importantly, a win for the citizens.