Yesterday, the Court of Justice of the European Union gave judgment in Rīgas, which concerns the right of a victim to identify the person who caused an accident. The facts of Rīgas may be mundane, but it is a useful and significant judgment as it discusses the legal basis upon which public bodies process personal data. In particular, whether a public body could be required to process personal data on the basis that processing was “necessary for the purposes of the legitimate interests pursued by the … third party or parties to whom the data are disclosed."
The question arose from a minor collision between a tram and a taxi on the streets of Riga, Latvia. A passenger had opened the door of the taxi, which scraped against the side of a tram. The tram company initially sought compensation from the taxi driver’s insurance company, but the insurer refused to pay out on the basis that the accident was the fault of the passenger. The tram company did not know who the passenger was, so it asked the Latvian police, which imposed an administrative sanction on the passenger. The police disclosed the passenger’s name but refused to disclose his identity card number or address. This was because Latvian law did not provide for the disclosure of such data to persons who were not parties to the sanctions procedure in question. The tram company challenged this decision before the Latvian courts, which referred a two questions to the CJEU.
The CJEU was firstly asked whether Article 7(f) of Directive 95/46 could require disclosure of personal data on the basis of the legitimate interests of a third party to whom it was to be disclosed. The CJEU held that such an obligation was not created by Article 7(f), which simply expressed the possibility of processing data for the purposes of the legitimate interests of a third party. However, the CJEU went on to hold that such a disclosure was not precluded by Article 7(f) “in the event that it is made on the basis of national law, in accordance with the conditions laid down in that provision."
The CJEU went on to set out what these three conditions are: firstly “the pursuit of a legitimate interest by the data controller or by the third party or parties to whom the data are disclosed"; secondly, “the need to process personal data for the purposes of the legitimate interests pursued”; and finally, “that the fundamental rights and freedoms of the person concerned by the data protection do not take precedence."
As regards the first condition, the CJEU held that “there is no doubt that the interest of a third party in obtaining the personal information of a person who damaged their property in order to sue that person for damages can be qualified as a legitimate interest." As regards the second, the CJEU noted that “communication of merely the … name … of the person who caused the damage does not make it possible to identify that person with sufficient precision.” Therefore, the CJEU held that “it is necessary to obtain also the address and/or the identification number of that person." Hence the first two conditions would seem to be fulfilled in this case
The CJEU then turned to the final condition, that of “balancing the opposing rights and interests at issue." The CJEU noted that setting this balance depended “on the specific circumstances of the particular case." And it went onto suggest that one of the factors to take into consideration was “the possibility of accessing the data at issue in public sources." Another factor that the CJEU thought might be taken into consideration was the age of the data subject in question. In this regard the CJEU did not think it justified “to refuse to disclose to an injured party the personal data necessary for bringing an action for damages against the person who caused the harm … on the ground that the person who caused the damage was a minor.”
The CJEU analysis of how legitimate interests may provide a legal base for the processing of personal data is straight-forward. And it is the straight-forward nature of the CJEU’s analysis that makes the judgment in Rīgas useful. What makes Rīgas significant is what it says about the ability of public bodies to process personal data on the basis of such a legitimate interest. In Rīgas, the CJEU concluded that all the conditions for the processing of personal data for the purposes of the legitimate interests of the tram company existed. Notwithstanding this conclusion, the CJEU still required that any such disclosure take place “… on the basis of national law." The CJEU did not consider that such a legitimate interest could, of itself, provide a lawful basis for the processing in question. Such a lawful basis would have to be provided by Latvian law itself.
The approach of the CJEU in Rīgas seems consistent with Article 6 of the General Data Protection Regulation, which firstly provides that public authorities cannot rely on such legitimate interests to provide a lawful basis for the processing of personal data. Article 6 then goes onto provided that processing on the basis of a legal obligation or public duty must be on the basis of a law. Rīgas suggests that the CJEU may take a strict approach to the application of Article 6 to public authorities. And such an approach may have interesting implications for public authorities throughout the EU once the GDPR applies.
photo credit: DesignRecipe European Union Flags 2 via photopin (license)