On January 26, 2017, the Advocate General (AG) to the Court of Justice of the European Union (CJEU) Mr. Bobek opined that there is no legal obligation for a data controller under EU data protection law to disclose data enabling the identification of a person allegedly responsible for an administrative offence.
In this case, there was a street accident in Riga involving a taxi and bus. The taxi company told the Latvian police who was the passenger that opened the door allegedly causing the accident. The bus company, Rīgas satiksme, did not participate in the administrative proceeding leading to sanctions against the taxi’s passenger. However, it later asked the police to disclose the identity of the passenger to sue him for damages before a civil judge. The police gave Rīgas satiksme only the passenger’s name but refused to provide the ID number and address, needed to start the civil proceeding.
The Administratīvā rajona tiesa (District Administrative Court) upheld the action brought by the taxi company and ordered the police to provide the requested information.
The police appealed against that ruling before the Augstākā tiesa (Supreme Court, Latvia). The supreme court sought an opinion from the Latvian Data Protection Agency, which indicated that, in this specific case, the data controller (the police) is not obliged to process and communicate the data to individuals or entities that are not part of the administrative proceeding.
Because the Latvian Supreme Court still had doubts about Rīgas satiksme’s right under Article 7(f) of Directive 95/46/EC (“Directive”), it decided to stay the proceeding and preliminary ask the CJEU whether Article 7(f) of Directive 95/46/EC imposes an obligation on the national police to disclose the personal data of the person allegedly responsible for an administrative offense so allowing the aggrieved party to bring an action.
Article 7 governs the criteria “for making data processing legitimate” and allows Member States to process data if:
processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1.
As mentioned, the AG deemed that there is no obligation under Article 7(f) of the Directive for the controller to “disclose data enabling the identification of a person allegedly responsible for an administrative offence so that Rīgas satiksme can launch civil proceedings”. According to the AG, “Article 7 rather provides for general rules in order for the data processor to determine when, if, how and to what extent it may process personal data that it has acquired”.
Thus, Article 7(f) of the Directive merely provides a faculty to process the data, as long as three elements exist: 1) there is a legitimate interest justifying processing; 2) that interest prevails over the rights and interests of the data subject (balancing of interests); 3) the processing is necessary for the realization of the legitimate interests.
The AG notes that the Directive does not define legitimate interests. “Thus, it is for the data controller or processor, under the supervision of national courts, to determine whether there is a legitimate aim that could justify an interference with private life”.
The AG noted that “the issuing of a legal claim, as in the main proceedings, is a legitimate interest, as stated by Article 7(f)”.
The AG noted that with regard to the balancing of interests that there is “no reason why the interests for fundamental rights of the data subject should override the specific legitimate aim of the damaged party in pursuing civil proceedings”.
Finally, should the balancing of interests lead to the result that the interests of the data subject do not prevail over the interests of the person requesting disclosure of personal data, the necessity and the scope of the information to be disclosed shall be determined according to the applicable law.
On a side note, the fact that the data subject was a minor at the time of the accident is not material in this regard.
More on case C-13/16, Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA ‘Rīgas satiksme’ is available at http://curia.europa.eu…