Case C‑439/19
B
(Request for a preliminary ruling from the Latvijas Republikas Satversmes tiesa)
Judgment of the Court (Grand Chamber), 22 June 2021
(Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Articles 5, 6 and 10 – National legislation providing for public access to personal data relating to penalty points imposed for road traffic offences – Lawfulness – Concept of ‘personal data relating to criminal convictions and offences’ – Disclosure for the purpose of improving road safety – Right of public access to official documents – Freedom of information – Reconciliation with the fundamental rights to respect for private life and to the protection of personal data – Re-use of data – Article 267 TFEU – Temporal effect of a preliminary ruling – Ability of a constitutional court of a Member State to maintain the legal effects of national legislation incompatible with EU law – Principles of primacy of EU law and of legal certainty)
Protection of individuals with regard to the processing of personal data – Regulation 2016/679 – Scope – Exceptions – Processing of data in the course of an activity which falls outside the scope of EU law – Activity which is intended to safeguard national security or which falls into that category – Concept – Activity intended to improve road safety – Not included
(European Parliament and Council Regulation 2016/679, Recital 16 and Art. 2(2)(a))
(see paragraphs 61-68)
Protection of individuals with regard to the processing of personal data – Regulation 2016/679 – Scope – Exceptions – Processing of data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties – Concept of competent authority – Need to have a link with the protection of personal data in the fields of judicial cooperation in criminal matters and police cooperation – National public authority disclosing to the public personal data relating to penalty points imposed for road traffic offences – Precluded
(European Parliament and Council Regulation 2016/679, recital 19 and Art. 2(2)(d); European Parliament and Council Directive 2016/680, recitals 10, 11 and Art. 3(7))
(see paragraphs 69-72)
Protection of individuals with regard to the processing of personal data – Regulation 2016/679 –Processing of personal relating to criminal convictions and offences – Concept of data relating to offences – Data relating to penalty points – Included – Concept of offences – Whether criminal in nature – Assessment criteria – Road traffic offences giving rise to the imposition of penalty points – Included
(European Parliament and Council Regulation 2016/679, Art. 10; European Parliament and Council Directive 2016/680, recital 13)
(see paragraphs 77-93, operative part 1)
Protection of individuals with regard to the processing of personal data – Regulation 2016/679 – Rules governing lawfulness of processing of personal data – Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority – National legislation obliging to give access to the public to personal data relating to penalty points and authorising the disclosure of that data to economic operators for re-use – Objective of general interest to improve road safety – Processing of personal data not necessary – Unlawful – Right of public access to official documents and right to freedom of information – Irrelevant – Primacy of the fundamental rights to respect for private life and to the protection of personal data
(European Parliament and Council Regulation 2016/679, recitals 39, 154 and Arts 5(1), 6(1)(e),10, 85 and 86)
(see paragraphs 99, 106, 108-113, 120-122, 126, 129, operative parts 2 and 3)
Questions referred for a preliminary ruling – Interpretation – Temporal effects of judgments by way of interpretation – Retroactive effect – Limitation by the Court – Principles of primacy of EU law and of legal certainty – Ability of a constitutional court of a Member State to maintain the legal effects of national legislation incompatible with EU law until the date of delivery of the final judgment – None
(Art. 267 TFEU)
(see paragraphs 132-137, operative part 4)
Résumé
EU data protection law precludes Latvian legislation which obliges the road safety authority to make the data relating to the penalty points imposed on drivers for road traffic offences accessible to the public
It has not been established that that system is necessary in order to achieve the objective pursued, namely improving road safety
B is a natural person upon whom penalty points were imposed on account of one or more road traffic offences. The Ceļu satiksmes drošības direkcija (Road Safety Directorate, Latvia) (‘the CSDD’) entered those penalty points in the national register of vehicles and their drivers.
Under the Latvian Law on road traffic, ( 1 ) information relating to the penalty points imposed on drivers of vehicles entered in that register is accessible to the public and disclosed by the CSDD to any person who so requests, without that person having to establish a specific interest in obtaining that information, including to economic operators for re-use. Uncertain as to the lawfulness of that legislation, B brought a constitutional appeal before the Latvijas Republikas Satversmes tiesa (Constitutional Court, Latvia), requesting the court to examine whether the legislation complied with the right to respect for private life.
The Constitutional Court held that, in its assessment of that constitutional law, it must take account of the General Data Protection Regulation (‘the GDPR’). ( 2 ) Thus, it asked the Court to clarify the scope of several provisions of the GDPR with the aim of determining whether the Latvian Law on road traffic is compatible with that regulation.
By its judgment, delivered in the Grand Chamber, the Court holds that the GDPR precludes the Latvian legislation. It notes that it has not been established that disclosure of personal data relating to the penalty points imposed for road traffic offences is necessary, particularly with regard to the objective of improving road safety invoked by the Latvian Government. Furthermore, according to the Court, neither the right of public access to official documents nor the right to freedom of information justify such legislation.
Findings of the Court
In the first place, the Court holds that the processing of personal data relating to penalty points constitutes ‘processing of personal data relating to criminal convictions and offences’, ( 3 ) in respect of which the GDPR provides for enhanced protection because of the particular sensitivity of the data at issue.
In that context, it notes, as a preliminary point, that the information relating to penalty points is personal data and that its disclosure by the CSDD to third parties constitutes processing which falls within the material scope of the GDPR. That scope is very broad, and that processing is not covered by the exceptions to the applicability of that regulation.
Thus, first, that processing is not covered by the exception relating to the non-applicability of the GDPR to processing carried out in the course of an activity which falls outside the scope of EU law. ( 4 ) That exception must be regarded as being designed solely to exclude from the scope of that regulation the processing of personal data carried out by State authorities in the course of an activity which is intended to safeguard national security or of an activity which can be classified in the same category. These activities encompass, in particular, those that are intended to protect essential State functions and the fundamental interests of society. Activities relating to road safety do not pursue that objective and consequently cannot be classified in the category of activities having the aim of safeguarding national security.
Second, the disclosure of personal data relating to penalty points is not processing covered by the exception providing for the non-applicability of the GDPR to processing of personal data carried out by the competent authorities in criminal matters either. ( 5 ) The Court finds, in fact, that in carrying out that disclosure, the CSDD cannot be regarded as such a ‘competent authority’. ( 6 )
In order to determine whether access to personal data relating to road traffic offences, such as penalty points, amounts to processing of personal data relating to ‘offences’, ( 7 ) which enjoy enhanced protection, the Court finds, relying in particular on the history of the GDPR, that that concept refers only to criminal offences. However, the fact that, in the Latvian legal system, road traffic offences are classified as administrative offences is not decisive when determining whether those offences fall within the concept of ‘criminal offence’, since it is an autonomous concept of EU law which requires an autonomous and uniform interpretation throughout the European Union. Thus, after recalling the three criteria relevant for assessing whether an offence is criminal in nature, namely the legal classification of the offence under national law, the nature of the offence and the degree of severity of the penalty incurred, the Court finds that the road traffic offences at issue are covered by the term ‘offence’ within the meaning of the GDPR. As regards the first two criteria, the Court finds that, even if offences are not classified as ‘criminal’ by national law, the nature of the offence, and in particular the punitive purpose pursued by the penalty that the offence may give rise to, may result in its being criminal in nature. In the present case, the giving of penalty points for road traffic offences, like other penalties to which the commission of those offences may give rise, are intended, inter alia, to have such a punitive purpose. As regards the third criterion, the Court observes that only road traffic offences of a certain seriousness entail the giving of penalty points and that they are therefore liable to give rise to penalties of a certain severity. Moreover, the imposition of such points is generally additional to the penalty imposed, and the accumulation of those points has legal consequences which may even extend to a driving ban.
In the second place, the Court holds that the GDPR precludes Latvian legislation which obliges the CSDD to make the data relating to the penalty points imposed on drivers of vehicles for road traffic offences accessible to the public, without the person requesting access having to establish a specific interest in obtaining the data.
In that regard, the Court points out that the improvement of road safety, referred to in the Latvian legislation, is an objective of general interest recognised by the European Union and that Member States are therefore justified in classifying road safety as a ‘task carried out in the public interest’. ( 8 ) However, it is not established that the Latvian scheme of disclosing personal data relating to penalty points is necessary to achieve the objective pursued. First, the Latvian legislature has a large number of methods which would have enabled it to achieve that objective by other means less restrictive of the fundamental rights of the persons concerned. Second, account must be taken of the sensitivity of the data relating to penalty points and of the fact that their public disclosure is liable to constitute a serious interference with the rights to respect for private life and to the protection of personal data, since it may give rise to social disapproval and result in stigmatisation of the data subject.
Furthermore, the Court takes the view that, in the light of the sensitivity of those data and of the seriousness of that interference with those two fundamental rights, those rights prevail over both the public’s interest in having access to official documents, such as the national register of vehicles and their drivers, and the right to freedom of information.
In the third place, for the same reasons, the Court holds that the GDPR also precludes Latvian legislation in so far as it authorises the CSDD to disclose the data on penalty points imposed on drivers of vehicles for road traffic offences to economic operators in order for the data to be re-used and disclosed to the public by them.
In the fourth and last place, the Court states that the principle of the primacy of EU law precludes the referring court, before which the action has been brought challenging the Latvian legislation, classified by the Court as incompatible with EU law, from deciding that the legal effects of that legislation be maintained until the date of delivery of its final judgment.
( 1 ) Article 141(2) of the Ceļu satiksmes likums (Law on road traffic) of 1 October 1997 (Latvijas Vēstnesis 1997, No 274/276).
( 2 ) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (OJ 2016 L 119, p. 1).
( 3 ) Article 10 of the GDPR.
( 4 ) Article 2(2)(a) of the GDPR.
( 5 ) Article 2(2)(d) of the GDPR.
( 6 ) Article 3(7) of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ 2016 L 119, p. 89).
( 7 ) Article 10 of the GDPR.
( 8 ) Under Article 6(1)(e) of the GDPR, the processing of personal data is lawful where it is ‘necessary for the performance of a task carried out in the public interest …’.