TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | What does legitimate interest mean? The CJEU gives its answer in Rīgas Related reading: Notes from the IAPP Europe Managing Director, 26 May 2017

rss_feed
PrivacyCore_ad_300x250-01
OneTrust_Square Banner_300x250_DD_ROS_01_19
PrivacyTraining_ad300x250.Promo1-01

Yesterday, the Court of Justice of the European Union gave judgment in Rīgas, which concerns the right of a victim to identify the person who caused an accident. The facts of Rīgas may be mundane, but it is a useful and significant judgment as it discusses the legal basis upon which public bodies process personal data. In particular, whether a public body could be required to process personal data on the basis that processing was “necessary for the purposes of the legitimate interests pursued by the … third party or parties to whom the data are disclosed."

The question arose from a minor collision between a tram and a taxi on the streets of Riga, Latvia. A passenger had opened the door of the taxi, which scraped against the side of a tram. The tram company initially sought compensation from the taxi driver’s insurance company, but the insurer refused to pay out on the basis that the accident was the fault of the passenger. The tram company did not know who the passenger was, so it asked the Latvian police, which imposed an administrative sanction on the passenger. The police disclosed the passenger’s name but refused to disclose his identity card number or address. This was because Latvian law did not provide for the disclosure of such data to persons who were not parties to the sanctions procedure in question. The tram company challenged this decision before the Latvian courts, which referred a two questions to the CJEU.

The CJEU was firstly asked whether Article 7(f) of Directive 95/46 could require disclosure of personal data on the basis of the legitimate interests of a third party to whom it was to be disclosed. The CJEU held that such an obligation was not created by Article 7(f), which simply expressed the possibility of processing data for the purposes of the legitimate interests of a third party. However, the CJEU went on to hold that such a disclosure was not precluded by Article 7(f) “in the event that it is made on the basis of national law, in accordance with the conditions laid down in that provision."

The CJEU went on to set out what these three conditions are: firstly “the pursuit of a legitimate interest by the data controller or by the third party or parties to whom the data are disclosed"; secondly, “the need to process personal data for the purposes of the legitimate interests pursued”; and finally, “that the fundamental rights and freedoms of the person concerned by the data protection do not take precedence."

As regards the first condition, the CJEU held that “there is no doubt that the interest of a third party in obtaining the personal information of a person who damaged their property in order to sue that person for damages can be qualified as a legitimate interest." As regards the second, the CJEU noted that “communication of merely the … name …  of the person who caused the damage does not make it possible to identify that person with sufficient precision.” Therefore, the CJEU held that “it is necessary to obtain also the address and/or the identification number of that person." Hence the first two conditions would seem to be fulfilled in this case 

The CJEU then turned to the final condition, that of “balancing the opposing rights and interests at issue." The CJEU noted that setting this balance depended “on the specific circumstances of the particular case." And it went onto suggest that one of the factors to take into consideration was “the possibility of accessing the data at issue in public sources." Another factor that the CJEU thought might be taken into consideration was the age of the data subject in question. In this regard the CJEU did not think it justified “to refuse to disclose to an injured party the personal data necessary for bringing an action for damages against the person who caused the harm … on the ground that the person who caused the damage was a minor.”

The CJEU analysis of how legitimate interests may provide a legal base for the processing of personal data is straight-forward. And it is the straight-forward nature of the CJEU’s analysis that makes the judgment in Rīgas useful. What makes Rīgas significant is what it says about the ability of public bodies to process personal data on the basis of such a legitimate interest. In Rīgas, the CJEU concluded that all the conditions for the processing of personal data for the purposes of the legitimate interests of the tram company existed. Notwithstanding this conclusion, the CJEU still required that any such disclosure take place “… on the basis of national law." The CJEU did not consider that such a legitimate interest could, of itself, provide a lawful basis for the processing in question. Such a lawful basis would have to be provided by Latvian law itself.

The approach of the CJEU in Rīgas seems consistent with Article 6 of the General Data Protection Regulation, which firstly provides that public authorities cannot rely on such legitimate interests to provide a lawful basis for the processing of personal data. Article 6 then goes onto provided that processing on the basis of a legal obligation or public duty must be on the basis of a law. Rīgas suggests that the CJEU may take a strict approach to the application of Article 6 to public authorities. And such an approach may have interesting implications for public authorities throughout the EU once the GDPR applies.

photo credit: DesignRecipe European Union Flags 2 via photopin (license)

2 Comments

If you want to comment on this post, you need to login.

  • comment Eduardo Ustaran • May 5, 2017
    Thank you for sharing this.  I agree that this is a significant decision which confirms how to approach this increasingly important ground for processing.  Question for you (and others): Do you think that under the GDPR and taking into account this decision, public authorities would be able to rely on legitimate interests as a lawful ground for disclosing data, if such a disclosure was not for the "performance of their tasks" as such?
  • comment Jay Libove • May 5, 2017
    Hi Eduardo. I'm pleased with this interpretation by the CJEU, that, in effect, data protection law itself is neutral, requiring other law to compel, and blocking data protection law from unreasonably interfering, with access to personal data when that personal data is legitimately needed by a balanced competing interest.
    As a person from US, having lived and worked in Europe now for a decade, I've often found myself pushing the US very hard towards Europe .. while also pushing Europe a bit towards the US. I think this judgment by the CJEU strikes that balance well. There have been a few cases in recent years where European data protection law has gone too far, either limiting legitimate rights of others, or penalizing for things where the cost of the remedy implied or proposed by the European regulators or courts would be out of balance for society (the Garante-Google decision in particular).
    So, to your explicit question, yes, if other law, or civil procedure, would compel disclosure of personal information in pursuit of the legally supported interest of a third party, then data protection law should not block a public authority (or any other source) from disclosing the requested data, under reasonably protective and restrictive terms about how that data would be used in legal process.