Out-Law News | 21 Jul 2014 | 2:19 pm | 2 min. read
As a result, the Court found that individuals do not have a right of access to the full legal analysis document under EU data protection laws.
Under the EU's Data Protection Directive, individuals have a general right to access the personal data stored about them by organisations.
The CJEU was asked to provide a ruling on the extent to which this right applies to legal analysis that contains personal data. It ruled on two cases referred to it from the Netherlands where two individuals had been denied access to the full legal analysis that underpinned decisions by the Immigration and Naturalisation Service (INS) in the country to reject their applications for residence.
The individuals had claimed that as the legal analysis contained their personal data that they had a right to access it. The INS had provided the individuals with a summary of the personal data contained in the analysis but had not disclosed the full legal analysis documents.
According to the judgment, the legal analysis documents produced by INS case officers contain information including applicants' "name, date of birth, nationality, gender, ethnicity, religion and language; details of the procedural history; details of the statements made by the applicant and the documents submitted; the legal provisions which are applicable; and, finally, an assessment of the foregoing information in the light of the applicable legal provisions".
Whilst the legal analysis contains personal data, the legal analysis itself is not personal data, the CJEU ruled. It said that providing a summary of the personal data contained in the legal analysis will satisfy organisations' duty to adhere to right of access requests.
"The data relating to an applicant for a residence permit contained in an administrative document … setting out the grounds that the case officer puts forward in support of the draft decision which he is responsible for drawing up in the context of the procedure prior to the adoption of a decision concerning the application for such a permit and, where relevant, the data in the legal analysis contained in that document, are ‘personal data’ within the meaning of that provision, whereas, by contrast, that analysis cannot in itself be so classified," the CJEU said in its judgment.
"An applicant for a residence permit has a right of access to all personal data concerning him which are processed by the national administrative authorities within the meaning of [the Data Protection Directive," it said. "For that right to be complied with, it is sufficient that the applicant be in possession of a full summary of those data in an intelligible form, that is to say a form which allows that applicant to become aware of those data and to check that they are accurate and processed in compliance with that directive, so that he may, where relevant, exercise the rights conferred on him by that directive."
Technology law expert Luke Scanlon of Pinsent Masons, the law firm behind Out-Law.com, said: "It is an interesting decision that places the protection of personal data squarely in the realms of privacy protection instead of also looking at other interests that may be at stake. As important as privacy is, much of the discussion surrounding reforms to laws which protect personal data is also focusing on, not simply the information itself, but what you do with that information. In a data analytics context for instance, a right to access data about you is pretty thin if you cannot also obtain the conclusions that are being drawn on the basis of that data."
"Of course, the current data protection reform proposals are looking to address this specific issue by introducing provisions which protect against using data to profile individuals without their knowledge or consent", he added.