Eric Daalder[1]
Member of the Administrative Jurisdiction Division of the Council of State and chairperson of the GDPR committee
Introduction
Article 55, paragraph 3 of the General Data Protection Regulation (GDPR) provides that ‘Supervisory authorities shall not be competent to supervise processing operations of courts acting in their judicial capacity’. Recital 20 of the preamble to the GDPR states that ‘[i]t should be possible to entrust supervision of such data processing operations to specific bodies within the judicial system of the Member State, which should, in particular ensure compliance with the rules of this Regulation, enhance awareness among members of the judiciary of their obligations under this Regulation and handle complaints in relation to such data processing operations’. This gives rise to the question: what does ‘courts acting in their judicial capacity’ mean? The Central Netherlands District Court has made a reference for a preliminary ruling on this point to the Court of Justice of the European Union (case C-245/20). In this paper, I will explore the arrangements as mentioned in recital 20 of the preamble which have been made by the Dutch court. I will concentrate on the committee that has been formed by the three highest administrative law courts and explore the role of this committee and its first advisory opinions.
General arrangements by the Dutch courts
The various different courts in the Netherlands have made their own arrangements in relation to matters mentioned in recital 20 of the preamble. In civil law, criminal law and tax cases – which are heard by the district courts, courts of appeal and, on appeal in cassation, by the Supreme Court – the supervision of data processing operations by the courts is entrusted to the courts’ designated data protection officers (DPOs) and to the Procurator General at the Supreme Court. The Procurator General handles complaints and exercises the other supervisory powers provided for by privacy legislation, in so far as the processing operations relate to the work of the courts.
The GDPR committee of the highest administrative law courts
The three highest administrative law courts – the Administrative Jurisdiction Division of the Council of State (ABRvS), the Central Appeals Court for Public Service and Social Security Matters (CRvB) and the Trade and Industry Appeals Tribunal (CBB) – have adopted the Personal Data Processing by Administrative Courts Regulations (hereinafter: the Regulations) for the purpose of supervising processing operations.[2] The Regulations provide for the establishment of the GDPR committee. In this paper, I explore the role of that committee.
The members of the management boards of the three administrative law courts are the ‘controller’ within the meaning of article 4 (7) of the GDPR. Complaints concerning the actions and decisions of the controller can be submitted using a complaints form published on the website of the relevant court (article 6 of the Regulations). The GDPR committee has been established to consider complaints (article 2 of the Regulations). This committee is comprised of three members and three deputy members from each of the relevant courts (article 4 of the Regulations). The committee members choose their own chairperson. If the complaint concerns a processing operation by the court to which the chairperson belongs, a member from one of the other courts will temporarily assume the chairperson’s role. The role of the GDPR committee is described in article 3 of the Regulations:
‘3. The role of the committee
3.1 The committee advises the president of the ABRvS or the management board of the CRvB or CBB about the disposal of complaints in order to allow a decision or further decision to be taken on the relevant request to exercise the privacy rights specified in the GDPR.
3.2 The committee’s task in this respect is to assess whether the GDPR has been breached by the processing of the complainant’s personal data.
3.3 The committee can investigate whether it is possible to resolve the complaint informally.
3.4 The committee can provide the president of the ABRvS or the management board of the CRvB or the CBB with a general advisory opinion on the way in which personal data is processed and make recommendations on this subject.
3.5 The committee produces an annual report which renders an account on the number of complaints, the nature of those complaints and the committee’s findings.’
Handling requests by the GDPR committee
Article 5 of the Regulations lays down rules on how the GDPR committee handles requests for advisory opinions. These rules reflect the procedural rules for complaints against decisions by public bodies when the whole procedure is handled in a semi-judicial manner. Article 5 provides that the committee’s advisory option can be given by a single member or three members (article 5.1). Complaints that are manifestly inadmissible, manifestly unfounded or manifestly well founded can be disposed of without hearing the complainant (article 5.2). In other cases, the controller can respond to the complaint in writing and that response will be forwarded to the complainant (article 5.3). The complainant may also be heard by the committee at a hearing or by other means, for example by telephone or, as is more common since the Covid 19-crisis, by video conference. In practice, complainants are always heard. The controller or a representative of the controller is also invited to a hearing (article 5.4). Article 5.5 of the Regulations gives the committee the option of obtaining oral or written information from the DPO of the relevant court and/or seeking the DPO’s advice. The committee can also obtain oral or written information jointly from the DPOs for the judiciary, the Supreme Court, the Council of State and the Public Prosecution Service and/or request an advisory opinion from them. Finally, the committee may obtain written information from the controller and from the party or parties that performed the processing operation to which the complaint relates (article 5.6).
The GDPR committee issues its advisory opinion within three months after the date on which it receives the complaint (articles 7.1 and 7.3). If a hearing has been held, the advisory opinion will be accompanied by a report of the hearing (article 7.2). The controller then makes a decision about the complaint. If the controller departs from the committee’s advice, the decision will note the reason for this departure (article 7.4). The decision and the advisory opinion will be sent to the complainant. Advisory opinions and decisions by the controller made subsequent to them are published in anonymised form on the relevant court’s website.
The advisory opinions of the GDPR committee till thus far
To date, the GDPR committee has issued two advisory opinions, in both cases at the request of the president of the Administrative Jurisdiction Division. The first case concerned the policy of the communication department of the Administrative Jurisdiction Division, adopted in consultation with the president, of offering journalists in the building conditional access to certain documents of the case file in eligible cases being heard on that day. These documents are the application for review by the appellant, the statement of defence and, in appeal cases, the district court’s judgment. The aim is to give journalists the opportunity to obtain background information on cases that may be of interest to them, and it also makes it easier for the journalist to follow the hearings of the cases on the same day. The journalists are not permitted to make copies of the documents and must return them when they leave the court building. The complainant in the first case complained that this practice resulted in the communication department providing a journalist with information about an application for review in a case in which the complainant had acted as the applicant’s authorised representative in a case of a former policeman against the police authorities. That information included the VAT number of the representative, which was printed on the letterhead of the application for review. At the time, it was possible to deduce from the VAT number his citizen service number (BSN), which is classed as personal data within the meaning of the GDPR. The complainant was also of the opinion that his name, as authorised representative, should not have been disclosed, because this might harm him in other cases where he represented (former) members of the police force. The committee first examined whether a ‘judicial activity’ was involved in this case and answered that question in the affirmative. It found that the importance of hearings being public, for which the court is responsible, entails that the judiciary’s duties in a case include making a limited number of documents from the case file available for inspection by the media.
The aforementioned judgment of the Central Netherlands District Court concerned this same legal issue. The data subject asked the Dutch Data Protection Authority, the supervisory authority in relation to personal data processing operations, to take enforcement action against offering journalists access to the documents. The Data Protection Authority ruled on the basis of article 55, paragraph 3 of the GDPR that it did not have the competence to do so. This ruling is now under consideration in the case before the Central Netherlands District Court. The district court saw cause to make the aforementioned reference for a preliminary ruling.
In the GDPR committee’s opinion, offering access to the application for review constitutes a lawful personal data processing operation and disclosure of the application for review to the press was lawful. The committee therefore advised that the complaint should be declared unfounded. It found that sharing the application for review was necessary for the performance of a task carried out in the public interest within the meaning of article 6, paragraph 1 (e) of the GDPR and that the principles of the administration of justice being conducted publicly and independently make it essential for journalists to have a certain degree of access to the details of a case, so that they can provide the public with accurate information. The committee did not believe that the fact that the application for review contained the authorised representative’s citizen service number warranted not making the application available for inspection. In reaching this view, the committee took into account that a citizen service number does not constitute sensitive personal data and that the data subject was providing legal assistance in a professional capacity and by his own choice. The committee did make two recommendations. First, it advised stating explicitly on the Council of State’s website that it is possible for media organisations to obtain information about pending cases and that case documents are available to the media for inspection, as well as specifying which documents are available. Second, the committee recommended that the Administrative Jurisdiction Division’s rules on media access to documents, and journalists’ acceptance of those rules, should be recorded in writing. The president of the Administrative Jurisdiction Division agreed with the advisory opinion, declared the complaint unfounded and adopted the committee’s recommendations. Anonymised versions of the decision by the Administrative Jurisdiction Division’s president and the committee’s advisory opinion have been published on the Council of State’s website.[3]
The second case in which the GDPR committee issued an advisory opinion concerned the publication of an Administrative Jurisdiction Division judgment on the (paid) website of a legal publishing company. Contrary to normal practice, the judgment had not been anonymised and it included the appellant’s name. An investigation revealed that a staff member at the Administrative Jurisdiction Division had provided the publisher with an anonymised summary of the judgment for publication. The publishing company subsequently requested a copy of the judgment itself. A staff member of the Division then wrongly supplied a copy of the judgment that had not been anonymised. In breach of its own policy, the publishing company published the judgment on its judgments website without anonymising it. When this was discovered, the publisher removed the judgment from the website at the request of the Administrative Jurisdiction Division’s president. The complainant, to whom the judgment had been unfavourable, alleged that publication entailed unlawful processing of his personal data. The president of the Administrative Jurisdiction Division acknowledged that this was the case. The GDPR committee was also of the opinion that the complainant’s personal data included in the judgment had been processed in breach of the GDPR. The judgment should have been provided to the publisher in anonymised form. The committee therefore advised that the complaint be declared well founded. The complainant also requested compensation, citing an amount of €9,000 in this connection. The complainant argued that the damage incurred consisted of a violation of his personal integrity resulting from loss of control of his personal data. The complainant also alleged that the damage included the psychological suffering he had experienced. In addition, he mentioned that he had been at an advanced stage of a job application procedure but was suddenly rejected, which he believed had happened because the employer had found out about the judgment. In the committee’s opinion there was insufficient objective information in the file to establish the alleged damage resulting from the lost job opportunity or the psychological suffering. The GDPR committee however said that it could be concluded that the complainant had suffered a violation of his personal integrity as a consequence of the unlawful processing of personal data, since the judgment would not have been published on the website in non-anonymised form had it not been shared with the publisher in that form. The GDPR committee found that a compensation award of €500 would be fair because the complainant’s personal data had been available for some time to the large group of users with access to the website, and it recommended to the Administrative Jurisdiction Division’s president that the complainant be paid that amount. The president adopted this recommendation and ordered that the complainant receive €500.
Conclusion
This brief summary demonstrates that, on account of its composition and the quasi-judicial procedure that precedes its advisory opinions, the GDPR committee makes a contribution to supervising and verifying the personal data processing operations of the administrative law courts, which established the committee.
____________________________
[1] Eric Daalder is a member of the Administrative Jurisdiction Division of the Council of State and chairperson of the GDPR committee discussed in this paper.
[2] Regeling verwerking persoonsgegevens bestuursrechtelijke colleges (https://www.raadvanstate.nl/privacyverklaring/).
[3] Advisory opinion 9 April 2019, https://www.raadvanstate.nl/actueel/nieuws/@115379/gegevensverwerking/#highlight=avg-commissie.