Marcin Kotula, Legal Officer at the European Commission
The views expressed are purely those of the author and may not in any circumstances be regarded as stating an official position of the European Commission
Background
In case C-201/14, a preliminary
reference from the Court of Appeal in Cluj (Romania), the CJEU was asked to
examine a transfer of personal data of the applicants from a public institution
to another public institution. The applicants were earning income from
self-employment. The information about their declared income was transferred
from ANAF (National Tax Administration Agency) to CNAS (National Health
Insurance Fund). The CNAS then required the applicants to pay the arrears of
contributions to the health insurance regime.
The first three questions of the
national court focussed on the interpretation of Article 124 TFEU which relates
to economic and budgetary policy and to the issue of the privileged access of
public institutions to financial markets. They were found by the CJEU to be
unrelated to the object of the national proceedings and in consequence
inadmissible. The fourth question however dealt more explicitly with the issue
of whether the transfer of the applicants' personal data relating to their
income complied with the data protection rules. Hence, the CJEU examined that
compliance in particular against the background of Articles 6, 7, 10, 11 and 13
of the data protection Directive (Directive 95/46/EC).
Article 6(1) of the Directive is
one of the main points of reference in situations when personal data is passed
on from one data controller to another and it specifies, in its point b), that
personal data cannot be further processed in a way that is incompatible with
the purposes for which it was collected. On the other hand, this Article can be
restricted by a legislative measure adopted by a Member State pursuant to
Article 13 of the Directive.
Articles 10 and 11 of Directive
95/46 describe what information needs to be provided by the data controller
(the natural or legal person which determines the means and purposes of the
processing of personal data) to the data subject (the identified or
identifiable natural person whose data is processed). These two Articles
correspond to the different circumstances in which personal data can be
collected by the data controller. Whilst Article 10 refers to the information
that needs to be provided when the personal data is collected from the data
subject him(her)self, Article 11(1) covers the situations where the personal
data was collected otherwise than from the data subject.
However, the information
obligations under Article 11(1) do not apply in situations envisaged in Article
11(2), thus for example when recording or disclosure of the data is expressly
laid down by law. In those situations however the Member State must provide
appropriate safeguards.
Article 13 of Directive 95/46 is also
of particular importance for the issue of the information that needs to be provided
to the data subject. This Article defines which rights and obligations under
the Directive can be restricted by the legislation of the Member States and for
which reasons. The information obligations of the data controller towards the
data subject under both Article 10 and Article 11(1) are also among the rights
and obligations that can be restricted. In principle, the possible reasons for
restricting rights refer to certain public interest objectives. The reasons
which appeared the most relevant for the case in question are laid down in
Article 13(e) and (f). Article 13(e) allows the Member States to adopt
restrictions when these are necessary to safeguard an important economic or financial
interest of a Member State or of the EU, including monetary, budgetary and
taxation matters, while Article 13(f) permits restrictions when necessary to
safeguard monitoring, inspection or a regulatory function that is connected,
even occasionally, with the exercise of official authority in, for example,
monetary, budgetary or taxation matters.
The CJEU's analysis
At the beginning of the judgment the CJEU recalled some of its case-law about the basic concepts of data
protection law such as the definitions of "personal data" and of
"processing". In that part of the judgment it also reiterated the
primary importance of Articles 6 and 7 of the Directive which set out the
principles of legitimate and fair processing of personal data. The CJEU found
that the principle of the fair processing of personal data, enshrined in Article
6, implies that the data subjects need to be informed about the transfer of
their personal data from one public institution to another.
The CJEU then turned specifically
to the analysis of the requirements of Articles 10 and 11 of the Directive. This
means that there were two types of processing of personal data which were
relevant in this case. On the one hand, it was the transfer of the applicants'
income data by the tax administration which collected it. On the other hand, it
was the processing of the transferred data by the health insurance fund. Whilst
Article 10 is applicable to the first type of processing, the second one is
covered by Article 11.
In its analysis of Article 10 the
CJEU pointed out that under this Article the data subject must be informed
about the purposes of the processing
for which the personal data are intended. In addition, insofar as it is necessary
to guarantee fair processing of the data, the data subject must also be
informed about the recipients of the data and about the existence of various
rights. Without this information the data subject could not be in a position to
exercise the rights that have been set out in Articles 12 (right to access
his/her personal data, to request the rectification or erasure of unlawfully processed
personal data) and 14 (right to object to the processing in certain
circumstances).
The CJEU's assessment on this
point led it to conclude that the tax administration did not inform the
applicants that their income data would be transferred to the health insurance
fund. Whilst it was argued in the proceedings that a Romanian Law requires the
authorities and public institutions to transfer to the health insurance fund
the data necessary for determining whether a person qualifies as an insured
person, the CJEU considered that the scope of data that needs to be transferred
pursuant to this Law does not cover personal data relating to income. This was
so because persons without taxable income also qualify as insured persons.
Consequently, it was found that the Romanian Law in question could not
constitute information which complies with Article 10 of the Directive.
The CJEU then looked into the
issue of whether this failure to comply with Article 10 could nevertheless be
legalised on the basis of a restriction adopted by Romania pursuant to Article
13 of the Directive.
Out of the Article 13 reasons
that could justify restricting the rights and obligations under the Directive
the CJEU identified “an important economic or financial interest of a Member
State (…) including monetary, budgetary or taxation matters”, i.e. the reason
set out in Article 13(e) and “a
monitoring, inspection or regulatory function connected, even occasionally,
with the exercise of official authority in cases related to (inter alia) in
(e)”, i.e. the reason laid down in Article 13(f) as the ones that might have
been applicable to the case in question. The CJEU found however that these two
reasons could not legalise the non-compliance with Article 10 of the Directive
because the restrictions based on them have to be imposed in the legislation of
the Member State. This requirement was not met in the applicants' case given
that the Romanian Law, invoked in the proceedings, only envisaged the principle
of transfer of personal data relating to income from the authorities, public
institutions and other institutions to the health insurance fund. The
definition of transferable information and the detailed transfer arrangements
were however laid down in a different measure, namely a Protocol agreed between
the tax administration and the health insurance. This Protocol was not even
officially published. On top of that, the CJEU noted again that data relating
to income are not necessary for determining whether a person is insured.
Next, the CJEU scrutinised the
processing in question against the requirements of Article 11(1) of the
Directive. Under this Article the health insurance fund which received the
personal data relating to income would need to inform the applicants that it
acts as the data controller of the data in question and about the purposes of
the processing of that data. To the extent that it is necessary to guarantee
fair processing of the data the health insurance fund would additionally need
to inform the applicants in particular about the categories of data concerned.
Since no such information was
supplied to the applicants the CJEU examined whether this failure to comply
with Article 11(1) of the Directive could be legalised under Article 13 or
Article 11(2). The conclusion proved to be identical to the one reached with
regard to Article 10. It had already become clear earlier
that the definition of transferable information and the detailed
transfer arrangements were laid down in a Protocol concluded between the two
public institutions and not in a legislative measure, and therefore the
benchmark for applying a restriction on the basis of Article 13 was not met.
The same was said with reference
to a possible derogation under Article 11(2). This Article also requires a law
for derogating from Article 11(1) which in addition must be accompanied by
appropriate safeguards. In the case in question there was no law which included
the required elements. Hence the derogation stipulated in Article 11(2) could
not apply either.
Comments
In contrast to many other recent
CJEU judgments related to personal data protection (Data Retention [Digital Rights Ireland],
Google Spain,
Safe Harbour [Schrems])
Bara was decided without any specific references to Charter Articles 7 and 8
which deal with the right to private life and the right to the protection of
personal data respectively. The issue at stake in Bara seems to have been
sufficiently comprehensively addressed already in the provisions of Directive
95/46 itself without the need to look into the Charter for additional elements
of interpretation.
In essence, in Bara the CJEU
followed its previous case-law on the relation between the data subject's right
to access his/her personal data, as laid down in Article 12(a) of Directive
95/46, and the other rights conferred on the data subject in the Directive.
Those other rights include inter alia the rights to request erasure,
rectification or blocking of the data and to object to the processing of
personal data, laid down in Articles 12(b) and 14 respectively. In the CJEU's
previous case-law (Rijkeboer, YS and Others), the latter rights were seen as
dependent on the availability of the right of
access because without the information about the processing of their personal
data and about the various parameters of that processing the data subjects are
much less likely to be in a position to exercise any rights. The same logic can
be transposed to the information that the data controller is required to
provide to the data subject under Articles 10 and 11(1) of the Directive since
the type of information specified in those two Articles can also be seen as
essential to the exercise of the other rights of the data subject.
The CJEU searched for possible
derogations in Articles 13 and 11(2) of the Directive but found that neither of
them could justify the non-compliance with the information obligations under
Articles 10 and 11(1). As both Article 13 and 11(2) specify that derogations or
restrictions can only be imposed by law and not by a measure of a lower status
there was no basis for a valid derogation or restriction in the applicants'
case. Indeed, the most important parameters of the transfer of the applicants'
personal data relating to their income were set out in an administrative
arrangement (which was not officially published) concluded between the tax
administration agency which collected that data and the health insurance fund
to which it was transferred.
Would the situation be different
had the restrictions been adopted in a legislative measure, as required in
Article 13 of the Directive? On the one hand, the restrictions stipulated in
Article 13(e) and (f) seem to be particularly well-suited for the purposes of
the exchange of information relating to taxation matters. On the other hand,
when analysing the possibility of applying the Article 13 restrictions in this
case, the CJEU noted that data relating to income are not part of the personal
data necessary for the determination of whether a person is insured. Necessity however
is required both for adopting a restriction under Article 13 of the Directive
and for processing personal data on a legitimate basis under Article 7. Thus,
this sentence of the judgment could either mean that the restriction was simply
not necessary in this case or rather that the whole processing of data relating
to income by the health insurance fund was not necessary. If the latter meaning
is correct an Article 13 restriction could not have applied at all in this case
because Article 13 does not constitute a basis for restricting Article 7. In
any event, in the Advocate General's opinion it was the task of the national court
to verify if the processing of this data by the health insurance fund was
necessary.
In its analysis the CJEU relied
quite heavily also on the requirement of the fair processing of personal data
which is among the data protection principles in Article 6 of the Directive. In
paragraph 34 of the Bara judgment the CJEU states that the obligation of a
public institution to inform the data subjects about the transfer of their
personal data to another public institution derives already from this principle
of the fair processing of personal data.
It might be interesting to note
that the text adopted by the European Parliament in the first reading of the
new Data Protection Regulation specifies what elements must be included in a
legislative measure adopted by a Member State (pursuant to Article 21 of the
proposed new rules) to restrict rights and obligations under the data
protection rules.
The new data protection framework, including a list of these elements in Article 21(2), now seems destined for adoption after an
agreement on the compromise text was reached between the Commission, the
European Parliament and the Council on 15 December and confirmed by the EP LIBE Committee and the Coreper a few
days later.