The Data Protection News

Wednesday, November 07, 2007

Data protection case before the ECHR Grand Chamber


Relinquishment of jurisdiction in favour of the Grand Chamber in the case of S. and Michael Marper v. the United Kingdom
06/11/2007
The Chamber to which the case of S. and Michael Marper v. the United Kingdom had been allocated has relinquished jurisdiction in favour of the Grand Chamber. The case concerns the storing, by the authorities, of fingerprints and DNA samples taken from the applicants in the context of unsuccessful criminal proceedings against them. S., who had been prosecuted for attempted robbery, was ultimately acquitted, and the proceedings against Mr Marper, who was accused of harassment, were dropped. Both requested that the fingerprints and DNA samples be destroyed, but this was refused.




The hearing is on 27.2.2008.


It is profoundly a data protection case, which reminds, inter alia, the lack of protection in the law enforcement sector, in conjuction with the Council of Europe experts thoughts on the addition of a special data protection right in the list of the European Convention on Human Rights.


In several countries, there are broad exemptions and restrictions of the data subject's rights and the powers of the DPAs, with regard police and criminal justice files. Given the limited competence of the EU regarding these state's core issues, the Council of Europe appears as the appropriate forum to provide for binding instruments in this sector.


Labels: , , , , ,

Tuesday, November 06, 2007

Greek DPA: Robinson’s list does not cover e-marketing activities


With its recent Decision Nr. 57/2007, the Greek DPA dealt with a case concerning the lack of prior consent, in a direct marketing case (phone calls to individuals).

According to the general data protection law(L.2472/1997 = Dir.95/46), any person not wishing his personal data to be processed for direct marketing purposes may subscribe to a “Robinson’s list” (the “article 13” registry). Nevertheless, according to the sectoral e-privacy law (L.3471/2006=Dir.2002/58), e-marketing controllers or processors may not just rely on the “article 13” registry, since, with the exception of e-mail messages, the data subject must have previously stated its unambiguous consent.


Therefore, the DPA decided that:

- the traditional Robinson’s list does not apply to direct marketing telephone calls,

- the company that assigns to “independent co-operators” the campaign phone calls, since it defines the means and purposes of the data processing is responsible as a “controller”, while the “co-operators” are responsible as “controllers”.

The DPA warns correctly the company to ask for a previous consent, while, in the same time, the Authority does not provide for practical guidelines to the interested parties on the implementation of the legal requirements for prior consent. One solution may be a prior communication with the data subject, in order to inquire for its wishes. Needless to say, that this practice introduces a vicious circle.

Another -perhaps more traditional- way, may be a statement when the data subjects contact the company for a commercial purpose. Then, they may fill a form, providing for their consent or not. Thus, a target group may be limited to the persons that have already contacted the company, but why not? A wider audience may get the message from the public commercial campaigns: direct marketing is a much more effective tool for the rest, the special audience that really wishes to get the direct message.

It would be better for the Greek DPA, when handling cases in issues that hasn’t presented a remarkable rate of creativity, to consult the experts on best practices. In the said case, the DPA could have asked for relevant material the “FEDMA”, which is an expert trade union recognized by the WP 29.

Labels: , , ,

ECJ dismisses EDPS application to intervene as inadmissible


With a reasoning that goes very far from the recent ECJ case-law, the Court’s President rejected with his Order (C-73/07) an application of the European Data Protection Supervisor to intervene in a Finnish case with data protection aspects, as inadmissible.

As a decisive difference for this alteration has been underlined that this case was a preliminary ruling, whilst the two previous cases (C-317/04, C-318/04) were on direct petitions for Community acts annulment. The Court’s arguments are structured on an extremely narrow interpretation of the provisions on intervention, without applying the functional flexibility required, given the EDPS nature as an independent authority for Europe-wide data protection.

Independent authorities competent for the protection of personal data have the mission to assist all public institutions, when dealing with data protection cases. What is more, the Data Protection Authorities gather experiences acquired by the practical handling of data protection cases and these experiences go beyond the good application of data protection law. The DPAs are forums and laboratories of best practices, providing the most appropriate guidelines and effective solutions at economical, technical, social and moral level, as regards the complex issues occurring in the field of data protection. Unlike the courts, DPAs’ mission is mainly of a proactive nature and this would be the aim of an EDPS intervention in a preliminary ruling procedure.

The independent authorities’ power to intervene before the courts is a generally recognized principle of the contemporary procedural law. Relevant to this is the Human Rights Commissioner’s right to intervene before the European Court of Human Rights, according to the 14th Protocol of the European Convention.

Thus, the rejection of EDPS, who offered himself in order to explain his views and introduce his experiences with regard this pending case, which is expected to have pan-european impact on the interpretation of data protection law from courts and authorities, is obviously negative.

Further to the abovementioned reasons, this Order is negative, as it narrows unjustifiably the power of EDPS to intervene before ECJ, as stipulated in Regulation 45/2001. According to the Regulation, there is no provision excluding the EDPS from the preliminary ruling procedures, since the right to intervene in cases with data protection aspects is of a general scope and does not subject to limitations newly “discovered” by the Court.

All in all, the Court failed to maintain a high level of data protection independent supervision within the administrative structure of the Community, as provided for in article 286 TEC and as has been safeguarded until now with the two previous Orders in the PNR case.

Labels: , , ,