CJEU Ruled on Scope and Concepts of Law Enforcement Data Protection Directive
On 8 December 2022, the CJEU delivered one of the first comprehensive judgments on the interpretation of Directive 2016/680 which protects personal data in law enforcement activities (“LED”). It also gave important hints on the delineation between the LED and the General Data Protection Regulation (GDPR – Regulation 2016/679).
The judgment is based on a reference for preliminary ruling by a Bulgarian court, which has to decide on a legal action brought by VS. VS complained about the processing of his personal data by the public prosecutor (Case C-180/21, VS v Inspektor v Inspektorata kam Visshia sadeben savet).
The first question related to the interpretation of the purpose limitation principle in the LED. In essence, the Bulgarian court wanted to know whether there is a “processing for any of the purposes set out in Art. 1(1) LED other than that for which the personal data are collected” (Art. 4(2) LED) if the public prosecutor initially collected data on the data subject (here: VS) for the purposes of the detection and investigation of a criminal offence where the data subject was considered to be a victim but later used the data for the purpose of prosecuting that person.
According to the judges in Luxembourg, it can already be inferred from the wording of Art. 1(1) LED, read in conjunction with Article 4(2) LED, that, where personal data have been collected for the purposes of the ”detection” and “investigation” of a criminal offence and have subsequently been processed for the purposes of “prosecution”, that collection and that processing serve different purposes. Context and objectives pursued by the LED’s rules confirm this conclusion. As a result, the conditions of Art. 4(2) LED for the processing of “other purposes“ must be fulfilled. It is up to the referring court to assess these conditions, i.e., first, the controller must be authorised to process such personal data for such a purpose in accordance with EU or Member State law; second, processing must be necessary and proportionate to that other purpose.
The second set of questions related to the scope of the GDPR and LED. The Bulgarian court wanted to know whether the GDPR (and not the LED) is applicable if the public prosecutor used the investigation file (with the collected personal data in relation to VS) in civil proceedings, in which the prosecutor defended himself against claims of damages (put forward by VS) resulting from the excessive duration of pre-trial proceedings against him. In the affirmative, the next question was on the lawfulness of the processing, i.e. whether one of the exemptions of Art. 6 GDPR applied, which excludes the data subject’s consent to the processing of his personal data.
Regarding the delineation of scope between the GDPR and the LED, the CJEU referred to Art. 9 LED and concludes that the GDPR is applicable in the situation at issue. The CJEU argued that “even where the bringing of an action for damages against the State arises from alleged misconduct on the part of the public prosecutor’s office in the course of criminal proceedings, such as, as in the present case, alleged infringements of the right to be tried within a reasonable time, the aim of the State’s defence in such an action is not to perform, as such, that public prosecutor office’s tasks for the purposes set out in Article 1(1) of Directive 2016/680.”
In addition, the CJEU stated that the processing of personal data by means of defending the legal and financial interest of the State in civil proceedings can be regarded as lawful if it is necessary for the performance of a task carried out in the public interest, within the meaning of Art.6(1)(e) GDPR. It must be ensured, however, that this processing of personal data complies with all the applicable requirements provided for by that regulation.