#27 – The balance between freedom of expression and data protection

The balance between the right to freedom of expression and information and the right to data protection has been the center of discussion for quite some time now, especially in the context of journalistic activities. As both rights are not absolute, the question is – which right overrules the other?

In November 2021 the Supreme Administrative Court (Decision No. 11636 of 16 November 2021) rendered a rather significant decision which will not only determine the courts’ case law for the future but will also set an example of how media should approach personal data.

The case was initiated by a complaint of a public figure to the Commission for Personal Data Protection (CPDP) against an electronic media outlet. The media had publicly announced information about the person’s physical identity (names, PIN with the last four digits deleted, address), economic identity (property with a full address, description, price, entries, mortgage, deletion of mortgage, financial situation, participation, and membership in a non-governmental organisation) and social identity (profession, place of work, employment, affiliation information).

The media justified the publication of these data with journalistic purposes and argued that it used publicly accessible information from the Registry Agency.

In its argumentation, the Supreme Administrative Court supported the reasoning previously sustained by the Constitutional Court that the balance of these two competing rights requires a specific case-by-case assessment. The Constitutional Court annulled the provision of the Personal Data Protection Act stipulating fixed criteria regarding the admissibility of personal data processing for the purposes of journalism, academic, artistic, or literary expression. More information on the Constitutional Court’s decision and its impact, you can read here.

The Supreme Administrative Court emphasised that under the Personal Data Protection Act the processing of personal data carried out for journalistic purposes is lawful when carried out for the exercise of freedom of expression and the right to information, insofar as  the privacy is respected. The decision stated that the online media outlet acting as a data controller has violated the principle of data minimisation, which resulted in the imbalance between the two rights. According to the argumentation of the Supreme Administrative Court, the need to inform the public about the facts and to preserve the topic of the article can be carried out successfully without indicating the date of birth of the public figure or the exact number of his apartment and the property identifier. The fact that this information is publicly available in a public registry does not justify the disclosure of personal data as the publication in the public registry has different purposes than media publications. Moreover, the information available in the public registry is not immediately accessible to the public, but a certain administrative procedure should be followed. The processing of personal data for the purpose of journalistic activity, therefore, is a completely separate processing with its own purposes, which should comply independently with the requirements of the GDPR.

The decisions of the Constitutional Court and the Supreme Administrative Court coincide with the jurisprudence of the European Court of Human Rights and the European Court of Justice.  The balance between the rights must be found through a rational and pragmatic approach that takes into account the specific circumstances of each case. The current line of interpretation is likely to be followed by other courts and will be the basis for establishing lasting case law in resolving disputes on the balance between freedom of expression and the right to information on the one hand and personal data protection on the other. Without doubt, this decision will also have a significant social and public impact in the context of journalistic expression resulting in the media’s more considerate approach regarding personal data publication.

The whole text of the Supreme Administrative Court’s decision you can find here.

#25 CJEU Invalidates EU-US Privacy Shield, but Considers the Standard Contractual Clauses Valid?

On 16 July 2020 the Court of Justice of the European Union (CJEU) issued a preliminary ruling with significant importance regarding the instruments for transfer of personal data outside EU to so called “third countries”, in particular to the US.

Why it has come this far?

The request for a preliminary ruling was made in connection with the actions of Austrian privacy activist Mr. Maximillian Schrems who turned to the Irish Data Protection Commissioner asking for the suspension of the transfers of his data as Facebook’s user made by Facebook to the US, at this stage mainly based on the Standard Contractual Clauses (SCC). After the invalidation of Safe Harbour framework that was previously in place for EU-US data transfers (the Schrems I case), Mr. Schrems argued that the SCC do not provide a sufficient level of personal data protection in transfers from the EU to the US, since the rules in the US create conditions for disregard for the contractual obligations of legal persons (in this case  of Facebook) in connection with the SCC concluded by them. In the meantime, a new framework – the EU-US Privacy Shield – was adopted and its validity was also put into question with the reference to the CJEU.

What are the key takeaways from the CJEU’s judgement?

  • The EU-US Privacy Shield framework is invalid. The main arguments of CJEU are that:

(1) the US local laws enabling access and use of public authorities (via different surveillance programs) to personal data for national security, public interest and law enforcement purposes set limitations on personal data protection that are not proportionate and limited to what is strictly necessary as required by the EU law;

(2) the Ombudsperson mechanism in the Privacy-Shield framework does not provide data subjects with any cause of action before a body which offers guarantees substantially equivalent to those required by EU law, because the Ombudsperson:

(a) cannot be considered independent, as is appointed by the US Secretary of State and is an integral part of the US State Department, and

(b) is not empowered to adopt binding decisions on the US intelligence services.

  • Where personal data are transferred pursuant to SCC, a level of protection essentially equivalent to that guaranteed within the EU by the GDPR and the Charter of Fundamental Rights of the EU must be afforded. According to CJEU, this means a case by case assessment regarding both the contractual clauses agreed between the EU-data exporter and the third country- recipient, and any access by the public authorities of that third country to the data transferred, as well as the relevant aspects of the legal system of that third country.
  • Decision 2010/87 establishing the Standard Contractual Clauses as a tool for transfer of personal data remains valid.

According to CJEU, the Decision establishing the SCC contains effective mechanisms that make it practically possible to ensure compliance with the EU required level of protection and to suspend or prohibit the transfer in the event of the breach of the SCC or in case it becomes impossible to honour them. These mechanisms are:

(1) the obligation of the data exporter and the data recipient to verify, prior to any transfer, whether that level of protection is respected in the third country, and

(2) the requirement for the recipient to inform the data exporter of any inability to comply with the SCC, the latter then being, in turn, obliged to suspend the transfer of data and/or to terminate the contract with the former.

  • Member States’ supervisory authorities are required to suspend or prohibit a transfer of personal data to a third country where:

(1) in the light of all the circumstances of the case, they consider:

(a) the SCC are not or cannot be complied with in that third country, and

(b) the protection of the data transferred that is required by EU law cannot be ensured by other means, and

(2) the EU-data exporter has not itself suspended or put an end to this transfer.

Why this decision is important?

The CJEU’s decision is crucial, because it reaffirms the problems regarding the EU-US data transfers identified years ago with the invalidation of Safe Harbour mechanism. It means that the EU will maintain its policy to insist on ensuring the highest possible data protection standards in its relations with third countries. The CJEU’s decision is a strong message to US government calling for implementation of additional safeguards in terms of data protection-national security paradigm.

For the business it means future uncertainties on how to lawfully arrange data transfers to third countries, especially to US, because:

  • one of the key tools for data transfers to US – the Privacy Shield – is no longer available;
  • the considerations of CJEU regarding non-conformity of the US surveillance programs with the EU privacy standards put in question whether the SCC – probably the most popular tool for data transfers – can be properly used for transfers to the US.

A probable solution could be a new privacy deal struck between EU and US, but in order to avoid the faith of Safe Harbour and the Privacy Shield, it needs to carefully address the issues identified by the CJEU that led to the invalidation of these tools.

Lastly, it seems likely to expect proactive approach from Member State supervisory authorities in terms of data transfers, especially in the light of their newly reaffirmed powers to suspend or prohibit a transfer based on SCCin certain cases where the effective compliance with the SCC in the third country or the level of data protection required by EU cannot be fully achieved.

Useful links:

  • The full decision of the CJEU can be found here
  • Press release of the CJEU can be found here
  • Statement of the Irish supervisory authority on the CJEU decision can be found here
  • Statement of the European Data Protection Board on the CJEU decision can be found here.

#24 Personal Data Protection in the Context of Assignment of Receivables (Cession) Agreement

Pursuant to the assignment of receivables (cession) agreement the creditor under a certain receivable (assignor) assigns it to a third party (assignee). As the assignment procedure involves processing of personal data of a third party – a debtor that is not a party to the agreement, thorough examination of the personal data protection rules and their applicability to the assignment of receivables is required. The present analysis examines a situation where the debtor is a natural person. The conclusions outlined below can be applied by analogy to assignments where the debtors are legal entities, taking into account the specifics of the relationship between legal entities (i.e. exchange of information about their legal representatives, proxies, etc.).

Is the debtor’s consent required for the purposes of assigning their receivables?

The consent under an assignment agreement may be approached from two perspectives:

  • Consent for the transaction itself – the debtor is not a party to the assignment agreement and their consent is not required for the transaction to take effect.
  • Consent as a basis for processing the debtors personal data – consent might also be viewed as a one of the legal grounds for processing personal data under Regulation 2016/679 (GDPR). As the debtor needs be able to assess whether, for what purposes and for what period of time to give their consent, it is an inappropriate legal grounds for personal data processing under assignment agreements. This is explained by the fact that if processing is based on consent, it would allow the debtor to block the creditor from disposing of their receivables by preventing the creditor from processing the personal data contained in the debt documentation or debt related documents – information about who the debtor is and what his contact details are, where his obligation arises from, what is its amount and maturity, etc.

What is the basis for the personal data processing under the assignment agreement?

Other legal grounds, equal and alternative to the consent, may serve as basis for processing the debtor’s personal data, namely:

  • Regarding the assignor:
    • Compliance with a legal obligation – to provide the assignee with the debt documentation, i.e. to carry out the related processing of the personal data contained therein;
    • Existence of legitimate interest– to dispose of its receivable as it deems appropriate.
  • Regarding the assignee, besides the legitimate interest to collect their receivable, there is additional legal grounds for the personal data processing – the performance of a contract to which the data subject is a party (this is the contract under which the receivable has arisen). This ground, however, may be relevant, provided that the assignment has lead an action against the debtor by notification under Art. 99, Para. 3 and 4 of the Contracts and Obligations Act.

According to the Commission for Personal Data Protection (CPDP), the legal fact which makes the personal data processing admissible is the assignment of the receivable, not the notification of the debtor. This means that the assignee may lawfully process the debtor’s personal data even prior to this notification.

Other requirements for the personal data protection in the case of assignment of receivables

An essential requirement to be fulfilled in case of an assignment is the notification of the debtor of the processing of their personal data, since the data controller – assignee obtains the personal data not directly from the data subject, but from another source – the assignor. In order to ensure transparent data processing, the data subject needs to be provided with information under Art. 14 of the GDPR, namely:

  1. the identity and the contact details of the controller;
  2. the contact details of the data protection officer, where applicable;
  3. the purposes and legal basis for the processing;
  4. the categories of personal data concerned;
  5. the recipients of the personal data;
  6. the period for which the personal data will be stored;
  7. where applicable, the controller’s intention to transfer the personal data to a third country or international organisation, as well as additional information related to such data transfer;
  8. the legitimate interests pursued by the controller or by a third party when the processing is carried out on this ground;
  9. information on the rights of the data subject with respect to the processing;
  10. the source of the personal data;
  11. additional information in case the data is used for automated decision-making, including profiling.

The GDPR requires the controller to provide this information as follows:

  • within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;
  • if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject;
  • if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.

In practice, there are numerous cases where assignees have been sanctioned specifically for non-compliance with the above requirement to inform the data subject. The GDPR, as a rule, allows exceptions to the above obligation to provide information if the receipt or disclosure of data is expressly permitted by EU law or the laws of a Member State, which provides for appropriate measures to protect the legitimate interests of the data subject. It is unclear how CPDP will interpret this rule in the context of the assignment agreement (under which the disclosure and receipt of data is explicitly regulated by the Bulgarian legislation). Given the above practice of imposing sanctions, a safer approach for assignees would be to expressly notify the data subjects.

It is permitted to inform the data subject of the processing in parallel with notifying the debtor of the assignment by the assignee. This is explicitly recognized in the case law.

Is it possible that the expired limitation period of the assigned receivable affects the lawfulness of the personal data processing?

Whether the prescribed limitation period for the receivable has expired or not, whether the debtor’s objection to the expired limitation period has been duly exercised, etc., are all issues within the jurisdiction of the civil court and do not affect the lawfulness of the personal data processing.

You may read an article on the topic by Martin Zahariev here: https://www.tita.bg/free/commercial-law/660

#20 Proceedings before the Commission for Personal Data Protection

The Rules of Procedure for the Commission for Personal Data Protection were published on the 30 July 2019. They provide details regarding the Commission’s internal structure and organisation, the proceedings before it, as well the consulting and advising activities through which the Commission provides assistance to controllers.

The Rules of Procedure contain a list of all the proceedings before the Commission: handling of complaints regarding data rights violations; application of the powers granted to supervisory authorities by Regulation (EU) 679/2016 (GDPR); issuing statements on queries regarding personal data protection; approval of standard data protection contractual clauses in accordance with the Regulation; observation of procedures for the transfer of personal data to third parties or international organisations; conduct of preliminary consultations; investigations of notifications of personal data breach; approval of codes of conduct; accreditation and revocation of accreditation of code of conduct of the monitoring bodies.

Other procedures may also be established in legislation. In this article we will examine the main proceedings and the ones applicable to most subjects.

Complaints and alerts for data subject rights violations
Complaints and alerts are the means of informing the Commission of a violation of rights protected under the GDPR and the Personal Data Protection Act (PDPA). A complaint is filed for the violation of one’s own rights, whereas an alert is sent when another person’s rights have been violated. Such complaints and alerts cannot be anonymous or unsigned and must explicitly identify the person or entity, against which they are submitted, date and nature of the violation being specified as well. In case of irregularities, the person lodging the complaint or alert is given 3 days to correct the complaint. The validity, admissibility and merits of the complaint are assessed by the Legal Proceedings and Surveillance Direction of the Commission. The hearings for examination of complaints and alerts are public and the parties concerned are informed about their date and hour. At the end of the proceedings the Commission may decide to apply measures according to GDPR or PDPA and, alternatively or cumulatively, impose administrative penalties.

Notifications of a personal data breach
This notification is submitted by a controller, and the required content is set out in Article 67, paragraph 3 PDPA and Article 33, paragraph 3 GDPR. Once the notification is submitted, the Commission, within a period of two weeks, conducts an investigation, to determine its own level of involvement (whether it is the lead authority or it is supporting other personal data protection authorities in other Member States), the nature of the breach, the number of affected data subjects and records, the possible consequences and measures taken, as well as the level of risk involved in the breach.

Prior consultation
The Regulation requires controllers to consult the Commission where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk. The Commission is given all the information related to the data processing, and base on it the Commission issues a written statement. The Regulation also provides for the for the possibility for Member States to make this procedure mandatory for certain types of data processing activities concerning public interest, public health, and social protection. The CPDP’s Rules of Procedure also provides that that in some cases the Commission may require controllers to seek consultation and preliminary permission regarding a particular processing operation where public interest and social protection are concerned. This prior consultation is intended to provide preliminary supervision, on the one hand, and to assist controllers in taking the necessary precautions to ensure protection of the data subjects’ rights. After the consultation, the Commission can exercise any of its powers under the Regulation (for example to impose a temporary or definitive limitation including a ban on processing, to impose an administrative fine or to issue warnings to the data controller or processor), or to issue a permission for the planned processing.

Approval of Codes of Conduct
Enterprises, associations, representative structures and categories of controllers are provided with the possibility to adopt their own Code of Conduct. Its purpose is to facilitate the application of the Regulation’s requirements and to guarantee the rights and freedoms of the data subjects whose data will be processed. The proceedings are again initiated by filing an application which must contain information on the applicant proposing the Code of Conduct, a unique name for the Code, and the categories of controllers it is applied to. The draft Code is evaluated as to whether it complies with the Regulation, facilitates the uniform application of the Regulation and guarantees the observation of data subject rights. In case a draft is not approved, it is sent back to the applicant for complementing or amending. The approved draft is translated and sent to the European Data Protection Board. This procedure is also applied to amendments and supplements to Codes of Conduct already in effect.

Organizing and conducting training programmes on personal data protection is the activity of the Commission where the widest range of subject might be involved. Such training can be organised upon the Commission’s initiative or at a specific request. The request must include the names, address and phone number of the applicant, the relevant documents and information, and it also has to be signed and dated. Regarding activities of high public interest and ones that, by their nature, require special attention, the Commission takes the initiative to organise training programmes for controllers and data processing personnel. According to the Rules of Procedure, data subjects, certifying bodies, controllers, data processing personnel and data protection officers may take part in the trainings. Sessions begin with a test for determining the level of initial knowledge, and there is a final exam as well. The participants receive a certificate confirming successful completion of the training.

#19 The Bulgarian Commission for Personal Data Protection Published an Opinion on the Form of Authorisation regarding the Exercise of Rights of Data Subject before Medical Institutions

Crucial for any controller opinion of the Bulgarian Commission for Personal Data Protection (the Commission) on the form of authorisation regarding the exercise of rights of the data subject before medical institutions has recently been published on their website.

The Commission made its statement in response to an enquiry submitted by a medical institution regarding patients’ access to their personal data, as well as regarding the exercise of their rights as data subject through an authorised person. The issue arose in the process of preparation of the institution’s internal rules on data protection aimed at synchronizing their data processing activities with the requirements of Regulation (EU) 2016/679. There are no clear provisions on this issue neither in the European, nor in the national legislation. To put it short, is a notarized form of authorization required for the exercise of the data subjects’ rights by another person under Articles 15-22 of the Regulation?

In its legal analysis, the Commission examines the conditions for the exercise of the data subjects’ rights as set out in Art. 12 of the Regulation. For the controller, the verification of the data subject’s identity is the the thing to begin with. The manner in which such verification is carried out depends on the specifics of each case, but the controller is generally supposed to use the already available data on the subject. Where there is doubt, the controller may request additional information from the data subject, and in case such is not provided or is unconvincing, the controller may refuse a remedy bearing the burden of proof regarding the unverifiability of the subject’s identity. With regards to the data subject, the procedure for the submission of rights requests is laid down in the Personal Data Protection Act – namely, a written application to the controller is required, unless otherwise specified by the controller, including by electronic means or an user interface. The Act states that an application submitted by an authorised person shall be accompanied by the respective form of authorisation. The Commission furthermore addresses the Health Act and the opportunity provided therein for patients to authorize another person in a written form to get acquainted with their medical files and make copies thereof . Taking into account the general regulatory framework regarding authorisation contained in the Obligations and Contracts Act which provides for an aggravated form of authorisation only upon the conclusion of transactions in aggravated form, as well as considering the absence of requirements in the special legislation relevant to the case, the Commission makes its final statement in response to the submitted enquiry, namely the medical institutions, in their capacity of controllers, have no legal grounds to require notary certification of the signature when authorizing another person to exercise the data subjects’ rights under Art. 15-22 of the Regulation.

Despite in the context of the exercise of rights of the data subject before a specific type of controllers – namely, the medical institutions, the conclusions drawn by the Commission can be applied in all cases of exercise of data subjects’ rights under the Regulation. In the absence of specific regulation, the “standard” written authorisation should always be sufficient for their exercise through an authorised person.

# 18 The Bulgarian Commission for Personal Data Protection published an opinion on the determination of the figures of “controller” and “processor” in the conduct of clinical trials

Crucial for the pharmaceutical sector opinion of the Bulgarian Commission for Personal Data Protection (CPDP/Commission) on the determination of the figures of “controller” and “processor” in the conduct of clinical trials was published on 10.06.2019 on the website of the Commission.

According to the opinion, when conducting clinical trials, the medical institutions and the sponsor of the clinical trial act in the capacity of joint controllers under the meaning of Art. 26 of the Regulation (EU) 2016/679 (GDPR).

The opinion has been published after CPDP examined a request by a company having the capacity of a “sponsor” under the meaning of § 1, item 8 of the Additional Provision of the Medical Products in the Human Medicine Act (MPHMA), i.e. a company which is responsible for initiating, management and/or financing a clinical trial and is participating in the clinical trials initiated by it. The requesting company states that while conducting clinical trials, the sponsor also has relations with other persons participating in the clinical trials, namely with the principal investigator and the investigators, as well with the members of the investigator’s team – collaborators, monitors and auditors of the trial.

To clearly determine the roles of the parties, CPDP examines the figures of “Controller” and “Processor” in the light of the national and EU legislation regulating clinical trials. Furthermore, CPDP explains that the Regulation (EU) No 536/2014 of the European Parliament and of the Council on Clinical Trials on Medicinal Products for Human Use and the MPHMA exhaustively determines the functions and tasks of all persons participating in a clinical trial. According to the Commission, the data processing activities related to the conduct of clinical trials, could not be carried out “on behalf” of the sponsor of the trial, since such activities cannot be carried out by it, but only by organizations authorized in accordance with the applicable procedures and having the status of a “medical institution”. This is yet another confirmation of the thesis long ago adopted both in theory and practice (including that of CPDP), that not each assignment contract automatically leads to arising of relationship of the type of controller-processor and that in order to adequately determine the roles and responsibilities of the parties with regard to the processing of personal data, the nature of the rights and obligations of the parties in the contractual relationship need to be taken into account.

An additional argument for classification of the parties‘ roles according to CPDP is the Opinion 1/2010 of the Article 29 Data Protection Working Party (now European Data Protection Board) on the concepts of “controller” and “processor” which explicitly states that when conducting clinical trials, the participants are processing personal data in the capacity of joint controllers (p. 30 from the Opinion).

The main consequence of this opinion for the pharmaceutical companies and the medical institutions that conduct clinical trials is that they will need to conclude an agreement between themselves that shall in a transparent manner determine their respective responsibilities for compliance with the obligations in the field of data protection. In particular, they will have to regulate matters related to exercising the rights of the data subject and their respective duties to provide the information referred to in Art. 13 and 14 of GDPR. Furthermore, the data subjects-participants in the clinical trial may exercise their rights in respect of and against each any of the controllers. (Art. 26, Para. 3 of GDPR).

# 16 INFORM e-Learning platform – a convenient means for introduction to data protection law

Recently our colleagues from Law and Internet Foundation have launched an online platform that introduces data protection law in an easily accessible manner. The e-learning platform is built as part of the INFORM (INtroduction of the data protection reFORM to the judicial system) project and is available on the following link.

The registration is quick and straightforward, allowing the user to choose his/ her role (judiciary, court staff & legal practitioner) since the platform is organised in three distinct modules. Each of the modules provides tailored content according to the specifics of each of the roles.

The platform provides comprehensive introduction to EU data protection law, focusing not only on GDPR but also on the provision of Directive 2016/680. The users can quickly check their knowledge on the topic as the e-learning platform maintains self-assessment functionality.

This article is created as part of the INFORM (INtroduction of the data protection reFORM to the judicial system) project, financed under the Justice Program of the European Commission. The contents of this article are the sole responsibility of the authors and can in no way be taken to reflect the views of the European Commission.