What rights do asylum-seekers have as regards data protection law? This issue was clarified in today’s CJEU judgment in YS and M and S, which could also have broader relevance for any case which involves access to documents in the context of administrative procedures.
Both cases involved asylum-seekers in the Netherlands, who sought access to file notes concerning their case. However, they did not rely on the EU’s asylum procedures Directive, which states that asylum-seekers must be given the reasons for negative decisions and are entitled to access reports about the interviews held with them, but does not make mention of access to any other document. The second-phase procedures Directive, applicable to applications made after 20 July 2015, adds a right of access to country-of-origin information and expert advice which was used in making a decision on the asylum-seeker’s case, but still does not extend to a right to the entire file.
So they invoked the data protection Directive instead. The first question in this respect was whether the legal analysis in the file concerning their case was ‘personal data’ within the meaning of the Directive. According to the CJEU, it was not, for although that analysis ‘may contain personal data, it does not in itself constitute such data within the meaning of’ that Directive. That analysis ‘is not information relating to the applicant for a residence permit, but’ rather ‘information about the assessment and application by the competent authority of that law to the applicant’s situation’, based on the personal data available to the authorities.
The Court further opined that this was consistent with the purpose of the Directive, which was to ensure the right to privacy, including the check on the accuracy of the data and the correction of inaccurate data. A different approach would amount to ‘the right of access to administrative documents’, which was not the point of the Directive. It justified its analysis by analogy with the Bavarian Lager judgment, in which it had ruled that the Directive did not have the purpose of opening up the transparency of EU decision-making.
The second point was the extent of access to the personal data (as defined by the Court) which was being processed. On this point, the CJEU rejected the argument that the entire file document had to be made available, and instead stated that it was sufficient to give data subjects an intelligible summary of the personal data being processed.
Finally, the national court had asked about the possible application of Article 41 of the Charter, which sets out the right to good administration. The CJEU distinguished its prior case law, and asserted that this Charter right applied only to EU bodies, not to national administrations. But the right to good administration could still be invoked against national authorities as a general principle, as distinct from a Charter right.
The Court’s analysis of the main data protection issues here is not very convincing. There is nothing in the text of either the data protection Directive or the asylum procedures Directive that would suggest a distinction between administrative documents which contain personal data, and other types of collection of personal data. Quite clearly asylum-seekers do have an interest in knowing how their personal data is being processed in respect of an analysis of their application, and of correcting that personal data if it is correct.
To argue that the data protection Directive does not give access to administrative documents is a straw man argument. The question is not whether it aims to give access to all administrative documents, but only whether it gives access to those which contain personal data. The comparison with the Court’s Bavarian Lager judgment makes no sense either, for in that case data protection formed an express exception to the EU legislation on access to documents, and the two rights were in conflict.
The Court’s judgment on the second point is more convincing, in light of the wording of the data protection Directive, which only requires an intelligible summary of the personal data being processed to be made available.
Finally, the Court’s analysis of Article 41 of the Charter is a brave attempt to clear up the prior inconsistencies and confusion on this point, for instance in its recent judgment on procedural rights as regards subsidiary protection applications. Undeniably the Charter provision does only apply to EU bodies, not to Member States, but the Court nevertheless guarantees that the right to good administration can be claimed against the latter by clarifying that the right to good administration is nonetheless a general principle of EU law.
This is, apparently, the first time that the Court has confirmed that some rights are not in the Charter, but are protected as general principles of EU law. This raises important questions as to which other rights might be protected in that way, what the difference between the parallel rights to good administration might be, and whether the general principles have a different legal effect than Charter rights. But in the specific context of asylum proceedings, and more generally in many other areas of EU law, it is useful that the Court confirmed that applicants can still enforce (by a different means) the right to good administration against national authorities.
Barnard & Peers: chapter 8, chapter 9, chapter 26