Monday 21 December 2015

Transfer of personal data relating to income between public institutions – the CJEU's judgment in C-201/14 Bara




Marcin Kotula, Legal Officer at the European Commission

The views expressed are purely those of the author and may not in any circumstances be regarded as stating an official position of the European Commission

Background

In case C-201/14, a preliminary reference from the Court of Appeal in Cluj (Romania), the CJEU was asked to examine a transfer of personal data of the applicants from a public institution to another public institution. The applicants were earning income from self-employment. The information about their declared income was transferred from ANAF (National Tax Administration Agency) to CNAS (National Health Insurance Fund). The CNAS then required the applicants to pay the arrears of contributions to the health insurance regime.

The first three questions of the national court focussed on the interpretation of Article 124 TFEU which relates to economic and budgetary policy and to the issue of the privileged access of public institutions to financial markets. They were found by the CJEU to be unrelated to the object of the national proceedings and in consequence inadmissible. The fourth question however dealt more explicitly with the issue of whether the transfer of the applicants' personal data relating to their income complied with the data protection rules. Hence, the CJEU examined that compliance in particular against the background of Articles 6, 7, 10, 11 and 13 of the data protection Directive (Directive 95/46/EC).

Article 6(1) of the Directive is one of the main points of reference in situations when personal data is passed on from one data controller to another and it specifies, in its point b), that personal data cannot be further processed in a way that is incompatible with the purposes for which it was collected. On the other hand, this Article can be restricted by a legislative measure adopted by a Member State pursuant to Article 13 of the Directive.

Articles 10 and 11 of Directive 95/46 describe what information needs to be provided by the data controller (the natural or legal person which determines the means and purposes of the processing of personal data) to the data subject (the identified or identifiable natural person whose data is processed). These two Articles correspond to the different circumstances in which personal data can be collected by the data controller. Whilst Article 10 refers to the information that needs to be provided when the personal data is collected from the data subject him(her)self Article 11(1) covers the situations where the personal data was collected otherwise than from the data subject.

However, the information obligations under Article 11(1) do not apply in situations envisaged in Article 11(2), thus for example when recording or disclosure of the data is expressly laid down by law. In those situations however the Member State must provide appropriate safeguards.

Article 13 of Directive 95/46 is also of particular importance for the issue of the information that needs to be provided to the data subject. This Article defines which rights and obligations under the Directive can be restricted by the legislation of the Member States and for which reasons. The information obligations of the data controller towards the data subject under both Article 10 and Article 11(1) are also among the rights and obligations that can be restricted. In principle, the possible reasons for restricting rights refer to certain public interest objectives. The reasons which appeared the most relevant for the case in question are laid down in Article 13(e) and (f).  Article 13(e) allows the Member States to adopt restrictions when these are necessary to safeguard an important economic or financial interest of a Member State or of the EU, including monetary, budgetary and taxation matters while Article 13(f) permits restrictions when necessary to safeguard monitoring, inspection or a regulatory function that is connected, even occasionally, with the exercise of official authority in for example monetary, budgetary or taxation matters.

The CJEU's analysis

At the beginning of the judgment the CJEU recalled some of its case-law about the basic concepts of data protection law such as the definitions of "personal data" and of "processing". In that part of the judgment it also reiterated the primary importance of Articles 6 and 7 of the Directive which set out the principles of legitimate and fair processing of personal data. The CJEU found that the principle of the fair processing of personal data, enshrined in Article 6, implies that the data subjects need to be informed about the transfer of their personal data from one public institution to another.

The CJEU then turned specifically to the analysis of the requirements of Article 10 and 11 of the Directive. This means that there were two types of processing of personal data which were relevant in this case. On the one hand, it was the transfer of the applicants' income data by the tax administration which collected it. On the other hand, it was the processing of the transferred data by the health insurance fund. Whilst Article 10 is applicable to the first type of processing the second one is covered by Article 11.

In its analysis of Article 10 the CJEU pointed out that under this Article the data subject must be informed about the purposes of the processing for which the personal data are intended. In addition, insofar as it is necessary to guarantee fair processing of the data, the data subject must also be informed about the recipients of the data and about the existence of various rights. Without this information the data subject could not be in a position to exercise the rights that have been set out in Articles 12 (right to access his/her personal data, to request the rectification or erasure of unlawfully processed personal data) and 14 (right to object to the processing in certain circumstances).

The CJEU's assessment on this point led it to conclude that the tax administration did not inform the applicants that their income data would be transferred to the health insurance fund. Whilst it was argued in the proceedings that a Romanian Law requires the authorities and public institutions to transfer to the health insurance fund the data necessary for determining whether a person qualifies as an insured person the CJEU considered that the scope of data that needs to be transferred pursuant to this Law does not cover personal data relating to income. This was so because persons without taxable income also qualify as insured persons. In consequence thus it was found that the Romanian Law in question could not constitute an information which complies with Article 10 of the Directive.
The CJEU then looked into the issue of whether this failure to comply with Article 10 could nevertheless be legalised on the basis of a restriction adopted by Romania pursuant to Article 13 of the Directive.

Out of the Article 13 reasons that could justify restricting the rights and obligations under the Directive the CJEU identified “an important economic or financial interest of a Member State (…) including monetary, budgetary or taxation matters”, i.e. the reason set out in Article 13(e) and  “a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority in cases related to (inter alia) in (e)”, i.e. the reason laid down in Article 13(f) as the ones that might have been applicable to the case in question. The CJEU found however that these two reasons could not legalise the non-compliance with Article 10 of the Directive because the restrictions based on them have to be imposed in the legislation of the Member State. This requirement was not met in the applicants' case given that the Romanian Law, invoked in the proceedings, only envisaged the principle of transfer of personal data relating to income from the authorities, public institutions and other institutions to the health insurance fund. The definition of transferable information and the detailed transfer arrangements were however laid down in a different measure, namely a Protocol agreed between the tax administration and the health insurance. This Protocol was not even officially published. On top of that, the CJEU noted again that data relating to income are not necessary for the determination if a person is insured.

Next, the CJEU scrutinised the processing in question against the requirements of Article 11(1) of the Directive. Under this Article the health insurance fund which received the personal data relating to income would need to inform the applicants that it acts as the data controller of the data in question and about the purposes of the processing of that data. To the extent that it is necessary to guarantee fair processing of the data the health insurance fund would additionally need to inform the applicants in particular about the categories of data concerned.

Since no such information was supplied to the applicants the CJEU examined whether this failure to comply with Article 11(1) of the Directive could be legalised under Article 13 or Article 11(2). The conclusion proved to be identical as the one reached with regard to Article 10.  Already before it became clear that the definition of transferable information and the detailed transfer arrangements were laid down in a Protocol concluded between the two public institutions and not in a legislative measure and therefore the benchmark for applying a restriction on the basis of Article 13 was not met.

The same was said with reference to a possible derogation under Article 11(2). This Article also requires a law for derogating from Article 11(1) which in addition must be accompanied by appropriate safeguards. In the case in question there was no law which included the required elements. Hence the derogation stipulated in Article 11(2) could not apply either.

Comments

In contrast to many other recent CJEU judgments related to personal data protection (Data Retention [Digital Rights Ireland], Google Spain, Safe Harbour [Schrems]) Bara was decided without any specific references to Charter Articles 7 and 8 which deal with the right to private life and the right to the protection of personal data respectively. The issue at stake in Bara seems to have been sufficiently comprehensively addressed already in the provisions of Directive 95/46 itself without the need to look into the Charter for additional elements of interpretation.

In essence, in Bara the CJEU followed its previous case-law on the relation between the data subject's right to access his/her personal data, as laid down in Article 12(a) of Directive 95/46, and the other rights conferred on the data subject in the Directive. Those other rights include inter alia the rights to request erasure, rectification or blocking of the data and to object to the processing of personal data, laid down in Articles 12(b) and 14 respectively. In the CJEU's previous case-law (Rijkeboer, YS and Others (discussed here and here), the latter rights were seen as dependent on the availability of the right of access because without the information about the processing of their personal data and about the various parameters of that processing the data subjects are much less likely to be in a position to exercise any rights. The same logic can be transposed to the information that the data controller is required to provide to the data subject under Articles 10 and 11(1) of the Directive since the type of information specified in those two Articles can also be seen as essential to the exercise of the other rights of the data subject.

The CJEU searched for possible derogations in Articles 13 and 11(2) of the Directive but found that neither of them could justify the non-compliance with the information obligations under Articles 10 and 11(1). As both Article 13 and 11(2) specify that derogations or restrictions can only be imposed by law and not by a measure of a lower status there was no basis for a valid derogation or restriction in the applicants' case. Indeed, the most important parameters of the transfer of the applicants' personal data relating to their income were set out in an administrative arrangement (which was not officially published) concluded between the tax administration agency which collected that data and the health insurance fund to which it was transferred.

Would the situation be different had the restrictions been adopted in a legislative measure, as required in Article 13 of the Directive? On the one hand, the restrictions stipulated in Article 13(e) and (f) seem to be particularly well-suited for the purposes of the exchange of information relating to taxation matters. On the other hand, when analysing the possibility of applying the Article 13 restrictions in this case, the CJEU noted that data relating to income are not part of the personal data necessary for the determination of whether a person is insured. Necessity however is required both for adopting a restriction under Article 13 of the Directive and for processing personal data on a legitimate basis under Article 7. Thus, this sentence of the judgment could either mean that the restriction was simply not necessary in this case or rather that the whole processing of data relating to income by the health insurance fund was not necessary. If the latter meaning is correct an Article 13 restriction could not have applied at all in this case because Article 13 does not constitute a basis for restricting Article 7. In any event, in the Advocate General's opinion it was the task of the national court to verify if the processing of this data by the health insurance fund was necessary.

In its analysis the CJEU relied quite heavily also on the requirement of the fair processing of personal data which is among the data protection principles in Article 6 of the Directive. In paragraph 34 of the Bara judgment the CJEU states that the obligation of a public institution to inform the data subjects about the transfer of their personal data to another public institution derives already from this principle of the fair processing of personal data.

It might be interesting to note that the text adopted by the European Parliament in the first reading of the new Data Protection Regulation specifies what elements must be included in a legislative measure adopted by a Member State (pursuant to Article 21 of the proposed new rules) to restrict rights and obligations under the data protection rules. The new data protection framework, including a list of these elements in Article 21(2), now seems destined for adoption after an agreement on the compromise text was reached between the Commission, the European Parliament and the Council on 15 December and confirmed by the EP LIBE Committee and the Coreper a few days later.



Photo credit: europarl.europa.eu

No comments:

Post a Comment