Opinion of Advocate General Szpunar delivered on 17 December 2020.

• Jurisdiction: European Union
• ECLI: ECLI:EU:C:2020:1054
• Date: 17 December 2020
• Celex Number: 62019CC0439
• Court: Court of Justice (European Union)

Provisional text

OPINION OF ADVOCATE GENERAL

SZPUNAR

delivered on 17 December 2020(1)

Case C‑439/19

B

joined parties:

Latvijas Republikas Saeima

(Request for a preliminary ruling from the Satversmes tiesa (Constitutional Court, Latvia))

(Request for a preliminary ruling – Regulation (EU) 2016/679 – Processing of personal data – Information relating to penalty points for road traffic offences – Concept of processing of personal data relating to criminal convictions and offences – National rules providing for the disclosure of such information and allowing its re-use)

I. Introduction

1. In 1946, George Orwell commented on the ‘Keep Death off the Roads’ campaign, which a former Member State of the European Union was running at the time, as follows: ‘If you really want to keep death off the roads, you would have to replan the whole road system in such a way as to make collisions impossible. Think out what this means (it would involve, for example, pulling down and rebuilding the whole of London), and you can see that it is quite beyond the power of any nation at this moment. Short of that you can only take palliative measures, which ultimately boil down to making people more careful’. (2)

2. The case at issue before the Satversmes tiesa (Constitutional Court, Latvia), which has turned to the Court by way of the present request for a preliminary ruling, has, at its core, the ‘palliative measures’ referred to above: in order to foster road safety by making drivers more aware and careful, penalty points are recorded against drivers who commit motoring offences. That information is then communicated and transmitted for re-use. The referring court, which is hearing a constitutional complaint that has been brought before it, is seeking to assess the compatibility of the national law in question with Regulation (EU) 2016/679 (3) (‘the GDPR’).

3. This makes the present case an almost classic data protection case in the sense that it is predominantly set in the offline-world and involves a vertical relationship between a State and an individual, placing it seamlessly within a line of cases which have reached the Court since the seminal Stauder judgment, (4) arguably the first case on data protection au sens large. (5)

4. In assessing how far a Member State can interfere with the personal rights of an individual in order to pursue its aim of fostering road safety, I shall propose to the Court that measures such as the Latvian legislation in question are not proportionate to the aim they intend to achieve.

5. But before we get to that point, the present case raises a whole range of fundamental and intricate questions, which will take us through the GDPR at breakneck speed. Fasten your seatbelts. It may save you the odd penalty point.

II. Legal framework

A. EU law

1. The GDPR

6. Chapter I of the GDPR, entitled ‘General Provisions’, contains Articles 1 to 4, which set out the subject matter and objectives, material and territorial scope as well as definitions.

7. Article 1 of the GDPR, entitled ‘Subject matter and objectives’, reads as follow:

‘1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.

2. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.

3. The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.’

8. Article 2 of the GDPR, entitled ‘Material scope’, provides:

‘1. This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

2. This Regulation does not apply to the processing of personal data:

(a) in the course of an activity which falls outside the scope of Union law;

(b) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;

(c) by a natural person in the course of a purely personal or household activity;

(d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

...’

9. Chapter II of the GDPR, which contains Articles 5 to 11, sets out the principles of the regulation: principles relating to processing of personal data, lawfulness of processing, conditions for consent, including a child’s consent in relation to information society services, processing of special categories of personal data and of personal data relating to criminal convictions and offences, and processing which does not require identification.

10. Pursuant to Article 5 of the GDPR, headed ‘Principles relating to processing of personal data’:

‘1. Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (“purpose limitation”);

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (“storage limitation”);

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).

2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (“accountability”).’

11. Article 10 of the GDPR, headed ‘Processing of personal data relating to criminal convictions and offences’, states:

‘Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.’

2. Directive 2003/98/EC

12. Article 1 of Directive 2003/98/EC, (6) headed ‘Subject matter and scope’, reads as follows:

‘1. This Directive establishes a minimum set of rules governing the re-use and the practical means of facilitating re-use of existing documents held by public sector bodies of the Member States.

2. This Directive shall not apply to:

(a) documents the supply of which is an activity falling outside the scope of the public task of the public sector bodies concerned as defined by law or by other binding rules in the Member State, or in the absence of such rules, as defined in line with common administrative practice in the Member State in question, provided that the scope of the public tasks is transparent and subject to review;

(b) documents for which third parties hold intellectual property rights;

(c) documents which are excluded from access by virtue of the access regimes in the Member States, including on the grounds of:

— the protection of national security (i.e. State security), defence, or public security,

— statistical confidentiality,

— commercial confidentiality (e.g. business, professional or company secrets);

(ca) documents access to which is restricted by virtue of the access regimes in the Member States, including cases whereby citizens or companies have to prove a particular interest to obtain access to documents;

(cb) parts of documents containing only logos, crests and insignia;

(cc) documents access to which is excluded or restricted by virtue of the access regimes on the grounds of protection of personal data, and parts of documents accessible by virtue of those regimes which contain personal data the re-use of which has been defined by law as being incompatible with the law concerning the protection of individuals with regard to the processing of personal data;

(d) documents held by public service broadcasters and their subsidiaries, and by other bodies or their subsidiaries for the fulfilment of a public service broadcasting remit;

(e) documents held by educational and research establishments, including organisations established for the transfer of research results, schools and universities, except university libraries and

(f) documents held by cultural establishments other than libraries, museums and archives.

3. This Directive builds on and is without...