AG: Belgian Law Must Provide Right to an Effective Judicial Remedy against Supervisory Authority
On 15 June 2023, Advocate General Laila Medina presented her Opinion in case C-333/22 (Ligue des droits humains ASBL, BA v Organe de contrôle de l’information policière). The case concerns the relationship between direct and indirect access to personal data held by law enforcement authorities and refers to the interpretation of Belgian law in accordance with Directive 2016/680, known as the Law Enforcement (Data Protection) Directive (LED).
In the case at issue, an individual was denied a security clearance certificate by the Belgian National Security Authority due to his past participation in demonstrations. He requested that the Belgian Supervisory Body for Police Information (OCIP) identify the controllers responsible for the data processing in order to gain access to the information about him. Without offering any other information, the OCIP simply stated that it had performed all the necessary checks. Unsatisfied with this answer, the individual – assisted by the Ligue des droits humains – filed an action against the OCIP before the Brussels court.
The referring Brussels Court of Appeal expressed doubts as to the compatibility of Belgian law transposing the data protection rules for police and judicial authorities as foreseen in Directive 2016/680 with Union law. It pointed out that, under Belgian law, all requests by data subjects in relation to their rights to access personal data in law enforcement contexts are to be made to the OCIP and that the OCIP need only briefly and simply inform the data subject that "the necessary verifications have been carried out." In addition, Belgian law does not foresee a judicial remedy against the OCIP.
Against this background, the Brussels Court of Appeal asked first whether Arts. 47, 8(3) CFR require provision to be made for a judicial remedy against an independent data protection supervisory authority. Second, the Brussels court questioned the compatibility of Art. 17(3) LED, which lays down the necessary information to be given to the data subject by the supervisory authority, with the fundamental rights of the Charter.
First, AG Medina pointed out that, with regard to the LED, a data subject who exercises his/her rights indirectly through a supervisory authority must have a judicial remedy against that authority in relation to its task of checking the lawfulness of processing. The Belgian regime, in transposing the LED, obviously derogates from the principle of direct exercise of the rights of data subjects with regard to all personal data processed by police services. Such a regime is incompatible with the Directive, as it establishes a blanket exemption to the direct right of access.
Secondly, AG Medina reiterated that Art. 17 LED, which governs the indirect exercise of rights through a supervisory authority, is compatible with the fundamental right of personal data protection and that it offers an effective remedy to the extent that:
- The supervisory authority may, depending on the circumstances, go beyond declaring that all the necessary checks have been carried out;
- The data subject is entitled to judicial review of the measures taken and to the assessment made by the supervisory authority concerning the data subject, which are subject to the obligations of the controller.
In sum, AG Medina stressed that it is essential to ensure that the rights of data subjects in the field of law enforcement can be exercised effectively.