On 1 August 2022 the Grand Chamber of the European Court of Justice (‘ECJ’) handed down a judgment in case C-184/20 (ECLI:EU:C:2022:601) that shows that the transparency doctrine of the crime fighters has gone too far.
Publication of personal data on a governmental website
The subject matter of the case is Lithuanian legislation that prescribes that persons with public functions have to declare their private interests, in order to prevent and combat corruption (par. 24-34). These declarations are made public on the website of a public authority, the Chief Ethics Commission, and are accessible to the general public.
Private interests include a great deal of personal data, including personal data of third parties without a public function (par. 29). The following data have to be declared (and are made public), regarding the person with a public function (‘declarant’ in the decision):
(1) forename, surname, personal identification number, social security number, employer(s) and duties;
(2) legal person of which the declarant or his or her spouse, cohabitee or partner is a member;
(3) self-employed activity, as defined in the Law on personal income tax;
(4) membership of undertakings, establishments, associations or funds and the functions carried out, with the exception of membership of political parties and trade unions;
(5) gifts (other than those from close relatives) received during the last 12 calendar months if their value is greater than EUR 150;
(6) information about transactions concluded during the last 12 calendar months and other current transactions if the value of the transaction is greater than EUR 3 000;
(7) close relatives or other persons or data known by the declarant liable to give rise to a conflict of interests.
The following data provided in the declaration cannot be made public:
the personal identification number, the social security number, special personal data, and other data disclosure of which is prohibited by statute. In addition, the data of the other party to a transaction shall not be published where that party is a natural person.
A director of a legal entity (not-for-profit) funded by the Lithuanian government, in the decision referred to as ‘OT’, did not object to providing the information on private interests to the authorities. He brought an action for annulment of a decision by the Chief Ethics Commission (that he had infringed Lithuanian law), saying that the publication of his private interests on the website would adversely affect both his right to respect for private life and that of the other persons whom he would, as the case may be, be required to mention in his declaration (par. 40).
National law should respect fundamental rights
ECJ decides that there is a necessity to combat corruption (par. 73-80) and that the transparency obligations have a basis in Lithuanian legislation. However, regulations must also be tested against the GDPR; it is not enough that there is a basis in a national law. The measures should be proportionate and should not unnecessarily interfere with fundamental rights.
ECJ recalls this in the following paragraphs (markup by me):
69 Article 6(3) of the GDPR specifies, in respect of those two situations where processing is lawful, that the processing must be based on EU law or on Member State law to which the controller is subject, and that that legal basis must meet an objective of public interest and be proportionate to the legitimate aim pursued. Since those requirements constitute an expression of the requirements arising from Article 52(1) of the Charter, they must be interpreted in the light of the latter provision and must apply mutatis mutandis to Article 7(c) and (e) of Directive 95/46.
70 It should indeed be borne in mind that the fundamental rights to respect for private life and to the protection of personal data, guaranteed in Articles 7 and 8 of the Charter, are not absolute rights, but must be considered in relation to their function in society and be weighed against other fundamental rights. Limitations may therefore be imposed, so long as, in accordance with Article 52(1) of the Charter, they are provided for by law, respect the essence of the fundamental rights and observe the principle of proportionality. Under the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the European Union or the need to protect the rights and freedoms of others. They must apply only in so far as is strictly necessary and the legislation which entails the interference must lay down clear and precise rules governing the scope and application of the measure in question (judgment of 22 June 2021, Latvijas Republikas Saeima (Penalty points), C‑439/19, EU:C:2021:504, paragraph 105 and the case-law cited).
“the publication online of the majority of the personal data (…) does not meet the requirements of a proper balance”
ECJ decides that publication on the Chief Ethics Commission’s website is appropriate (par. 83-84), but that the extent of the data disclosed does not satisfy the necessity test (par. 85-116):
112 That having been explained, it must be found that the publication online of the majority of the personal data contained in the declaration of private interests of any head of an establishment receiving public funds, such as that at issue in the main proceedings, does not meet the requirements of a proper balance. In comparison with an obligation to declare coupled with a check of the declaration’s content by the Chief Ethics Commission the effectiveness of which it is for the Member State concerned to ensure by endowing that body with the means necessary for that purpose, such publication amounts to a considerably more serious interference with the fundamental rights guaranteed in Articles 7 and 8 of the Charter, without that increased interference being capable of being offset by any benefits which might result from publication of all those data for the purpose of preventing conflicts of interest and combating corruption.
ECJ rules that European legislation on data protection and the Charter of Fundamental Rights must be interpreted as precluding national legislation that provides for the publication online of the declaration of private interests,
in so far as, in particular, that publication concerns name-specific data relating to his or her spouse, cohabitee or partner, or to persons who are close relatives of the declarant, or are known by him or her, liable to give rise to a conflict of interests, or concerns any transaction concluded during the last 12 calendar months the value of which exceeds EUR 3 000.
Personal data that are liable to disclose indirectly sensitive information
ECJ further decides (par. 128) that the publication, on the website of the public authority, of personal data that are liable to disclose indirectly the sexual orientation of a natural person constitutes processing of special categories of personal data.
Importance of this judgment
This judgment is important because it shows that when national governments create legislation to combat crime, it is not enough that the regulations have a legal basis and an objective of public interest. Such regulations must also be proportionate to the legitimate aim pursued. The publication of personal data in this Lithuanian case did not meet the requirements of a proper balance.
Of even broader importance is the decision that the processing of personal data that are liable to disclose indirectly the sexual orientation of a natural person (or other sensitive information) constitutes processing of special categories of personal data. This may be relevant to advertising companies such as Facebook and Google and other data brokers.
Addition 12 August 2022
WSJ article of 20 August on the judgment: EU Court Expands Definition of Sensitive Data, Prompting Legal Concerns for Companies.