In a decision on 4 May, the Court of Justice of the European Union (CJEU) ruled that not all ‘legitimate interests’ can be used to justify the processing of an individual’s personal data, even when a public authority has deemed such processing ‘necessary’. (Case C13/16 Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA ‘Rīgas satiksme’)
In the Rīgas case there was a traffic accident in Latvia, where a taxi passenger scraped the side of a tram with the taxi’s door. When the tram company sought compensation from the taxi company’s insurance provider they were refused, as the damage was caused by the taxi’s passenger not the taxi company. As the tram company did not know the identity of the passenger they then turned to the Latvian police who had fined the passenger at the time of the accident. While the police provided the tram company with the passenger’s name they refused to provide any further information owing to Latvian law not allowing such disclosures. Subsequently the tram company brought a challenge in a Latvian court, which then referred a question to the CJEU as to whether the Data Protection Directive permitted disclosure of personal data in situations where there was a legitimate interest of a third party seeking the personal data.
While the Directive provides that personal data may be processed where it is ‘necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed’ it also provides that where these interests are ‘overridden by the interests or fundamental rights and freedoms of the data subject’ then the processing can no longer be deemed ‘necessary’ and therefore cannot occur.
In the Rīgas case, the CJEU first held that there was no ‘requirement’ when it came to the processing of data for ‘legitimate interests’ and that instead the Directive merely expressed the possibility of processing data in such circumstances. However the court then went on to clarify that disclosures such as the one sought in the Rīgas case were not precluded provided that the disclosure is conducted ‘on the basis of national law’ and in accordance with the following conditions:
Disclosure not justified
In the Rīgas case, the CJEU found that the tram company’s due compensation adequately satisfied the first two conditions but that the standard was not met when it came to the third. Instead they stated that the totality of circumstances of a case must be analysed when assessing the third condition and that factors such as the data subject’s age and whether the data at issue was already available publically needed to be considered when weighing up the ‘fundamental rights and freedoms’ of the data subject. Consequently in Rīgas, as the taxi passenger in question was a minor, the CJEU did not consider the proposed disclosure justified.
Roadmap for the future
While this case offers insight into situations where public bodies such as police and health services process personal data on the basis of a ‘legitimate interest’ it also provides a road map of sorts when it comes to how such interests can be justified in the future.
Article 6 of the General Data Protection Regulation (GDPR) provides that from May 2018 public authorities will no longer be able to rely on ‘legitimate interests’ as a lawful basis for processing personal data in the same way they used to under the Data Protection Directive. Instead the GDPR sets a new standard and makes clear that any such processing can only be done on the basis of a strict legal obligation or clear public duty as provided by law. The ruling in Rīgas largely sets up this approach and indicates that when the GDPR takes effect the CJEU may interpret Article 6 strictly in determining what circumstances can be considered ‘legitimate’ when it comes to processing personal data, regardless of whether the controller is a public authority or private organisation. Consequently if an organisation is considering relying on the ‘legitimate interests’ clause of Article 6 to justify processing personal data they will need to ensure that any impact on the rights of data subjects is examined through a data protection impact assessment to ensure full GDPR compliance, particularly where the subjects are minors.