The EU Court of Justice has ruled that where the data subject’s rights have been indirectly exercised through the supervisory authority, the data subject must have an effective judicial remedy against the authority’s legally binding decision (Case C-333/22).
• Facts of the case
In 2016, BA sought security clearance from the Belgian National Security Authority to be able to attend an event in Brussels. The national authority denied clearance inter alia for reasons of State security and preservation of the constitutional democratic order, on account of BA’s participation in several demonstrations over the last decade.
Under Belgian law, all requests based on rights relating to personal data processed by police services must be addressed to the Belgian supervisory authority for police information (“Organe de contrôle de l’information policière”, hereafter the “OCIP”). In 2020, invoking his right of access to personal data, BA requested the OCIP to identify the controllers responsible for the processing of his data and to provide him with access to all data concerning him so that he could exercise his rights.
Under Directive 2016/680 (also known as “the Law Enforcement Directive”), a national legislator may limit the direct exercise of data subjects' rights where this would undermine an objective of public interest. In such circumstances, the data subject’s rights must be exercised not directly with the controller but indirectly through the competent supervisory authority. To this end, Article 17 of the Directive provides that each supervisory authority must be entrusted with the task of verifying the lawfulness of processing. The supervisory authority is also required to inform the data subject concerned that all the necessary verifications have been carried out.
In that context, the OCIP informed BA that, in accordance with European and Belgian law, he only had an indirect right of access through the supervisory body and confirmed that it itself had verified the lawfulness of all data processing concerning BA, without providing any further details.
Unsatisfied with that answer, BA, together with the Ligue des droits humains, brought an action for interim relief before the Belgian courts. The Brussels Court of Appeal decided to refer preliminary questions to the Court of Justice, essentially concerning the lack of judicial remedy against a decision of the OCIP. In particular, it asked whether EU law requires Member States to provide for an effective judicial remedy enabling data subjects to challenge decisions of the supervisory authority when that authority indirectly exercises the data subject's rights in accordance with Article 17 of the Law Enforcement Directive. It also sought to ascertain whether Article 17 of the Directive complies with Articles 8(3) and 47 of the Charter of Fundamental Rights of the European Union (“the Charter”).
• Findings of the Court
On the exercise of a judicial remedy against a supervisory authority’s decision
First, the Court recalled that Member States must provide data subjects with the right to an effective judicial remedy against a legally binding decision of a supervisory authority. In the case at hand, it is therefore necessary to determine whether the OCIP adopted such a decision when it indirectly exercised the data subject’s rights.
In that regard, the Court observed that when a supervisory authority informs the data subject (i) of the result of the verifications carried out and/or (ii) closes the verification process, that decision necessarily produces legal effects concerning the data subject and affects his or her legal position. That decision therefore constitutes a "legally binding decision" vis-à-vis the data subject.
Accordingly, the Court held that where the rights of a data subject have been exercised through the competent supervisory authority and that authority informs the data subject of the result of the verifications carried out, the data subject must have an effective judicial remedy against the merits of the legally binding decision of that authority and, in particular, of how the supervisory authority exercised its verification powers.
On the validity of Article 17 of the Law Enforcement Directive in the light of the provisions of the Charter
With regard to the validity of Article 17 of the Directive, the Court recalled that the entitlement to an effective judicial remedy implies that individuals should be able to understand the grounds on which a decision affecting them is made. The Court also reiterated that the interpretation of the concept of "effective remedy" should mean that national courts, hearing actions brought against a supervisory authority, should have full jurisdiction, including the power to assess all factual and legal aspects relevant to the dispute at hand.
Since Directive 2016/680 obliges the supervisory authority only to communicate a minimum amount of information to the data subject, it could be liable to give rise to a limitation of the right to an effective judicial remedy.
However, that limitation is expressly provided for by law and is not absolute. Besides, the Court pointed out that it is the responsibility of Member States to establish regulations that empower the competent court to scrutinize both the grounds and the evidence upon which the supervisory authority relied to assess the lawfulness of data processing activities. Furthermore, the controller must document the factual or legal reasons underlying the decision to restrict the data subject's access rights, and this information must be provided to supervisory authorities. This implies that such information could also be made available to the data subject by the supervisory authority which holds a degree of discretion, in accordance with the principles of necessity and proportionality.
Having regard to all the foregoing considerations, the Court concluded that Article 17 of the Law Enforcement Directive is valid.
Final remarks
The Court interpreted Directive 2016/680, that establishes specific rules governing the safeguarding of personal data and their unrestricted movement within the realms of judicial cooperation in criminal matters and police collaboration. The primary objectives of the Directive are twofold. Firstly, it seeks to contribute to the establishment of an Area of Freedom, Security, and Justice by facilitating the exchange of personal data among authorities for law enforcement purposes. Secondly, it aims to ensure a high standard of protection for such data. However, achieving a harmonious reconciliation of the two policy objectives is challenging. With this case, the Court tends to strike a fair balance between law enforcement and data protection with regard to the exercise of rights by data subjects.
For further information about this case and/or for general legal advice relating to data protection, please contact Karel Janssens and/or Marion Nuytten.