Personal data in criminal matters, according to advocate general, individual must have remedies against independent supervisory authority

In her opinion delivered on Thursday, 15 June, Advocate General Laila Medina at the Court of Justice of the EU believes that an individual must be able to have a judicial remedy against an independent supervisory authority when he or she is refused access to his or her personal data (Case C-333/22). She also considers that a blanket exemption to the right of direct access to personal data in criminal matters is not compatible with EU law. 

In fact, after the Belgian National Security Authority refused to issue him a security clearance certificate, an individual asked the Supervisory Body for Police Information (Organe de contrôle de l’information policière or OCIP) to identify those responsible for processing the data and to order them to grant him access to the information concerning him. The [supervisory] body simply assured him that it had “carried out the necessary verifications”. In the absence of a subsequent response, the individual and the Ligue des droits humains brought an action against the OCIP.

The Belgian Court of Appeal then wondered whether the directive on data protection in the area of law enforcement allows judicial remedies to be exercised against an intermediary such as the OCIP.

In the advocate general’s view, an individual must be able to bring an action against a supervisory authority so as to make sure that his or her data are processed lawfully. In this case, the authority is required to ensure that it has carried out the necessary verifications, but it may also, depending on the circumstances, provide more information. 

Moreover, Ms Medina thinks that the court with jurisdiction to evaluate the supervisory authority’s decision must be able to examine all the grounds that led to limiting access to the data.

Furthermore, the advocate general reiterates that the directive provides that individuals can contact the supervisory authorities directly and, in special cases, use intermediaries. However, Belgian law stipulates that all requests concerning rights relating to personal data processed by police services are to be addressed to the OCIP. In Ms Medina’s view, this regime is incompatible with the directive, since it introduces a blanket exemption to the right of direct access.

Opinion: https://aeur.eu/f/7i7 (Original version in French by Hélène Seynaeve)