Opinion of the Advocate-General

Opinion of the Advocate-General

I – Introduction

1. The Raad van State (Council of State of the Netherlands) has referred to the Court of Justice for a preliminary ruling a question on the interpretation of Articles 6 and 12 of Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. (2) The reference is made in a field of knotty problems, namely, the deletion of personal information held by a local authority which has been disclosed to third parties and the resulting right of access to data relating to the processing of that information.

2. As a rule, the destruction of data is a protective act. However, it may lead to different outcomes, since, when files are deleted, all trace of how they have been used disappears with them. Thus, an individual who appears to be protected may also be harmed because he will never know how the holder of his personal data has used them. (3)

3. With that argument as the context, the Court must determine whether the time-limit for erasing data acts as a temporal restriction on the right of access to information about their processing. If so, the Court must establish whether the period of one year is sufficient and proportionate for the purposes of safeguarding the rights set out in Directive 95/46.

II – The facts

4. The order for reference states that Mr Rijkeboer requested from the College van burgemeester en wethouders van Rotterdam (Municipal Council of Rotterdam; ‘the College’) details, taken from the local-authority records, of disclosure, over the preceding two years, to third parties of information concerning him. By decisions of 27 [October] and 29 November 2005, the College dismissed Mr Rijkeboer’s request in part, providing him only with details relating to the previous year. Disagreeing with the decision of the Municipal Council, Mr Rijkeboer lodged an administrative appeal which, on 13 February 2006, was also dismissed.

5. The Rechtbank Rotterdam (District Court, Rotterdam) allowed the action which Mr Rijkeboer brought once he had exhausted all administrative means of redress. By judgment of 17 November 2006, the Rechtbank Rotterdam annulled the administrative decision refusing in part the applicant’s request and ordered the College to adopt a fresh decision.

6. On 28 December 2006, the College appealed to the Chamber for Contentious Administrative Proceedings of the Raad van State, which, by order of 5 December 2007, stayed the main proceedings and referred a question to the Court of Justice for a preliminary ruling.

III – Legislative framework

A – The relevant provisions of Community law

7. Article 6(1) and (2) EU declares that the Union is bound by fundamental freedoms as follows:

‘ Article 6

1. The Union is founded on the principles of liberty, democracy, respect for human rights and fundamental freedoms, and the rule of law, principles which are common to the Member States.

2. The Union shall respect fundamental rights, as guaranteed by the European Convention for the Protection of Human Rights and Fundamental Freedoms signed in Rome on 4 November 1950 and as they result from the constitutional traditions common to the Member States, as general principles of Community law.

…’

8. The fundamental right to privacy, as a general principle of Community law, found legislative expression in Directive 95/46 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. That legislation, the provisions of which were codified in Article 8 of the Charter of fundamental rights of the European Union, defines the concept of ‘data’ and provides that data must be deleted where it has undergone processing for a period of time. Articles 2(a) and 6 of the directive use the following wording in that regard:

‘ Article 2

...

(a) “personal data” shall mean any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

Article 6

1. Member States shall provide that personal data must be:

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.’

9. To ensure transparency in the processing of data, Articles 10 and 11 of Directive 95/46 lay down requirements for the provision of information to the data subject, which vary according to whether or not the data was collected from the data subject. Inter alia other obligations, the controller is responsible for the following tasks:

‘ Article 10

Information in cases of collection of data from the data subject

Member States shall provide that the controller or his representative must provide a data subject from whom data relating to himself are collected with at least the following information, except where he already has it:

(a) the identity of the controller and of his representative, if any;

(b) the purposes of the processing for which the data are intended;

(c) any further information such as:

– the recipients or categories of recipients of the data,

– whether replies to the questions are obligatory or voluntary, as well as the possible consequences of failure to reply,

– the existence of the right of access to and the right to rectify the data concerning him

in so far as such further information is necessary, having regard to the specific circumstances in which the data are collected, to guarantee fair processing in respect of the data subject.

Article 11

Information where the data have not been obtained from the data subject

1. Where the data have not been obtained from the data subject, Member States shall provide that the controller or his representative must at the time of undertaking the recording of personal data or if a disclosure to a third party is envisaged, no later than the time when the data are first disclosed provide the data subject with at least the following information, except where he already has it:

(a) the identity of the controller and of his representative, if any;

(b) the purposes of the processing;

(c) any further information such as:

– the categories of data concerned,

– the recipients or categories of recipients,

– the existence of the right of access to and the right to rectify the data concerning him

in so far as such further information is necessary, having regard to the specific circumstances in which the data are processed, to guarantee fair processing in respect of the data subject.

…’

10. Subjects whose data is processed may ensure that it is used correctly by exercising the so-called ‘right of access’, the general features of which are set out in Article 12 of Directive 95/46. The first subparagraph of that article is relevant for the purposes of the present proceedings:

‘ Article 12

Right of access

Member States shall guarantee every data subject the right to obtain from the controller:

(a) without constraint at reasonable intervals and without excessive delay or expense:

– confirmation as to whether or not data relating to him are being processed and information at least as to the purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed;

– communication to him in an intelligible form of the data undergoing processing and of any available information as to their source;

– knowledge of the logic involved in any automatic processing of data concerning him at least in the case of the automated decisions referred to in Article 15(1).

…’

11. Member States may restrict the obligation to delete data and the right of access in the cases referred to in Article 13 of Directive 95/46:

‘ Article 13

1. Member States may adopt legislative measures to restrict the scope of the obligations and rights provided for in Articles 6(1), 10, 11(1), 12 and 21 when such a restriction constitutes a necessary measures to safeguard:

(a) national security;

(b) defence;

(c) public security;

(d) the prevention, investigation, detection and prosecution of criminal offences, or of breaches of ethics for regulated professions;

(e) an important economic or financial interest of a Member State or of the European Union, including monetary, budgetary and taxation matters;

(f) a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority in cases referred to in (c), (d) and (e);

(g) the protection of the data subject or of the rights and freedoms of others.

…’

B – The relevant provisions of national law

12. Directive 95/46 was transposed into Netherlands law by a general provision, the Wet bescherming persoonsgegevens (Law on the protection of personal data). That legislation is of secondary importance for the purposes of these preliminary-ruling proceedings for, at municipal level, the field is governed by a special legal provision, the Wet gemeentelijke basisadministratie persoonsgegevens (Law on personal data held by local authorities). Article 103(1) sets out the conditions subject to which an individual may access information about the processing of his data:

‘Article 103

1. On request, the College van burgemeester en wethouders shall notify a data subject in writing, within four weeks, whether data relating to him held in the local-authority data base have, in the year preceding the request, been disclosed to a purchaser or to a third party.

…’

IV – The question referred for a preliminary ruling

13. On 12 December 2007 the Court of Justice entered in the register the order for reference from the Raad van State containing the following question:

‘Is the restriction, provided for in the Netherlands Law on personal data held by local authorities, on the communication of data to one year prior to the relevant request compatible with Article 12(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, whether or not read in conjunction with Article 6(1)(e) of that directive and the principle of proportionality?’

14. Observations were lodged, within the period laid down in Article 23 of the EC Statute of the Court of Justice, by the College, the Netherlands, United Kingdom, Greek, Czech and Spanish Governments, and the Commission.

15. At the hearing on 20 November 2008, oral argument was presented by the legal representatives of the College and Mr Rijkeboer, and by the agents of the Netherlands, Czech, Spanish and United Kingdom Governments, and the Commission.

V – Delimitation of the question in issue

16. This case raises a number of uncertainties the conceptual nature of which is rather complex. Essentially, the referring court asks whether it is possible to have a specific time-limit for deleting information relating to the processing of personal data. When data are deleted in accordance with Directive 95/46, the right of access may no longer be exercised since it is not possible to request information which no longer exists. Accordingly, the dispute concerns the restriction of a right which is also explicitly provided for in Directive 95/46. That tension between deletion and access reveals a conflict within the directive, on which the Court must give a ruling.

17. It is necessary, therefore, to establish whether data relating to processing are subject, or capable of being subject, to the same body of provisions as personal data. It is also necessary to determine whether the time-limit for deletion must, in any event, act as a restriction on the right of access. Those uncertainties have to be resolved in a rather confused factual and legislative framework, since the Raad van State has not stated whether the time-limit laid down for the deletion of data relating to processing is the same as or shorter than that applicable to personal data. Accordingly, both cases must be analysed in order to furnish the referring court with a helpful reply.

VI – A preliminary issue: the weighing up of interests in the light of the fundamental rights of the Union

A – The fundamental right to privacy and its development at Community level

18. In accordance with the provisions of its constitutional charter, (4) the European Union is based on the fundamental rights, the protection of which is overseen by the Court of Justice. (5) After several decades of developments in case-law, beginning with the judgments in Stauder (6) and Internationale Handelsgeselschaft , (7) the Member States gave full force to the structural nature of those rights with the adoption of Article F of the Single European Act, which subsequently became Article 6 EU. That article declares that the Union is to respect fundamental rights, as guaranteed by the European Convention for the Protection of Human Rights (‘ECHR’), (8) and as they result from the constitutional traditions common to the Member States.

19. The right to privacy is part of those traditions. Since the judgment in Stauder many years ago, (9) the Court has treated the protection of privacy as one of the general principles of Community law. Initially, the Court did so when considering the obligation to disclose information, such as a name (10) or medical details, (11) in connection with enforcement of the right under national law (12) and Community law. (13) Shortly afterwards, during the 1990s, the Court held that the right applied to the fields of private life (14) and family life. (15)

20. 1995 saw a turning-point with the adoption of Directive 95/46 on the protection of individuals with regard to the processing of personal data. The Court, whose case-law in that area had, until then, been divergent and delivered on a case-by-case basis, found a more solid foundation on which to base its decisions, since the Directive defines in detail the object, (16) the subject-matter (17) and the remedies available to individuals when their personal data are disclosed. (18) Recital 10 in the preamble to Directive 95/46 expresses the purpose of the directive as an instrument for the protection of the fundamental rights as recognised in the ECHR and the general principles of Community law. (19) In Österreichischer Rundfunk , the Court held that Directive 95/46, while its purpose is to ensure the free movement of personal data, also plays an important role in protecting the fundamental rights. (20)

21. In short, Directive 95/46 develops the fundamental right to privacy in so far as it affects the automatic processing of personal data. (21)

22. As evidence of that codifying aim, suffice it to note that Article 8 of the Charter of fundamental rights of the European Union, (22) which concerns the ‘Protection of personal data’, provides for a right of access and a right to have data processed fairly, and also grants a right of access to data and a right to have them rectified. Although the Charter must be applied with caution, (23) it is difficult to ignore its provisions and to deny that that those elements of the right form part of the constitutional traditions common to the Member States. (24) That view is bolstered by the facts that more than 10 years have passed since the adoption of Directive 95/46 and that effective harmonisation in the field has been achieved. (25)

23. Specifically, Article 8 of the Charter refers to two matters which have a bearing on the case before the Court. Those matters are reflected in Articles 6 and 12 of Directive 95/46 and are, first, the obligation to delete data within a period which does not exceed what is necessary for fulfilling the purposes for which it was collected (Article 6(1)(e)), and, second, the right of access, without constraint, to information about the recipients to whom the data have been disclosed (Article 12(a)). As the Charter refers to those matters and places them at the very heart of the fundamental right to privacy, the question referred for a preliminary ruling by the Raad van State calls for a weighing up of principles and interests in order to arrive at a rational reply which positions those provisions in the applicable constitutional framework. (26)

24. As a preliminary point, when describing the keys to the interpretation of Directive 95/46, it is necessary to examine the teleological element of the provision in order to establish its principal aim.

B – The fundamental right to privacy and its internal tensions

25. This dispute does not concern two fundamental rights but rather two sides of the same coin. Unlike the situation in cases where there is a conflict between, for example, the right to honour and freedom of information or the right to privacy and the right to property, the present dispute concerns two obligations incumbent on the public authorities, namely, the obligation to provide for time-limits for the deletion of files containing personal data and the obligation to guarantee the right of access of the individuals to whom such data relate. That special feature sets Mr Rijkeboer’s circumstances apart from others on which the Court has ruled in the past, such as in Lindqvist (27) and Promusicae , (28) where the right to privacy came into conflict with the right to freedom of religion and the right to property respectively. (29) By contrast, the present case concerns a single right with an internal conflict, which is split between two personalities so that it becomes a form of Dr Jekyll and Mr Hyde, because, as I will demonstrate below, goodness and cold, calculated cruelty live side by side in its heart.

26. The holding of personal data by controllers is a responsibility with a time-limit, since Directive 95/46 provides that such data may be kept for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. That requirement is set out in those stringent terms in Article 6, while it is left to the Member States to set the applicable time-limits by reference to the sectors and objectives which are the basis for the creation and subsequent deletion of the files. Notwithstanding the flexibility which the article allows each national system, Article 13 of Directive 95/46 permits the adoption of exceptions and provides that data may be kept for a longer period than usual when required by public interests, such as national security, the fight against crime, and scientific research.

27. The preamble to Directive 95/46 does not refer to that fact and does not attribute greater significance to the periods for keeping data. Therefore, only Articles 6 and 12 refer to that obligation and, in accordance with the wide discretion which Directive 95/46 confers on the Member States, I conclude that the matter was not the focus of the Community legislature’s attention, as demonstrated by a comparison of the provisions governing the matter with those governing the right of access. (30)

28. The right of a data subject to manipulate his personal data, and to request their rectification, erasure and blocking, is one of the essential aspects of Directive 95/46. Recitals 38 and 40 in the preamble to the directive illustrate that view, not only because they confirm the importance of the right of access but also because of the link that right constitutes between the information which the data subject has and the processing of that information. Indeed, for the rights conferred in Article 12 to be practicable, it is necessary to rely on a number of fundamental principles since, otherwise, the safeguards referred to in the article would be rendered ineffective. Recital 41 in the preamble to the directive expresses it with great clarity, stating that ‘any person must be able to exercise the right of access to data relating to him which are being processed, in order to verify in particular the accuracy of the data and the lawfulness of the processing’. The so-called ‘principles relating to data quality’, referred to in Chapter II, Section I of Directive 95/46, which also include the obligation to keep data ‘for no longer than is necessary for the purposes for which the data were collected’, are relevant in that regard. (31) The duty to destroy data is an integral part of the duty to process data ‘fairly and lawfully’ and of the duty to guarantee the quality of data so that it is adequate, relevant, not excessive and accurate. (32)

C – Article 6 is secondary to Article 12 of Directive 95/46

29. I am aware of the difficulty involved in identifying which of Articles 6 and 12 of Directive 95/46 takes precedence. There are powerful reasons for arguing that deletion is the key to the system laid down by Directive 95/46, under which a right of access is conferred which enables individuals to ensure that deletion is effected. In the same way, the right to protection is laid down in Article 12, since access is the true subjective dimension of the directive which, in short, enables individuals to react in defence of their interests.

30. That puts me in mind of the old debate about the chicken and the egg. Which of the two came first? Is it possible to ask that question for eternity and admit that there will never be a solution because, as Aristotle wrote, the two concepts are eternal realities? (33)

31. Courts do not enjoy the same freedom of thought as the philosopher and must strive to provide a solution, even if it is not always the soundest. Accordingly, in the same way as some scientists have adopted a position in the never-ending battle between chickens and eggs, (34) I find I must propose a way out of the conflict between Articles 6 and 12 of Directive 95/46.

32. From the considerations set out in points 29 to 35 of this Opinion, I conclude that, in Directive 95/46, the obligation to delete data is secondary to the right of access. The articles concerned confer a right which is born when the file is created and dies when it is deleted. Accordingly, the erasure of personal data is merely a moment in the life of the right of access , a feature which is determined and justified by Article 12.

33. Taking that view further, I am convinced that the aim of the right of access is to ensure that a data subject is aware of the information that is held about him. That view may be taken even further if regard is had to the purpose of his request. In many cases, the holder of the right seeks to ascertain whether the processing of his data is lawful. Directive 95/46 imposes on controllers certain principles in carrying out their activity, while also focusing its efforts on protective measures, including the right of access as a means for a data subject to oversee and enforce observance of the law.

34. Thus, as the crux of the system of guarantees laid down in Directive 95/46, Article 12 would be devoid of logic if those who hold other people’s personal data were not subject to any rules. As the Commission rightly pointed out at the hearing, it is precisely because there are principles relating to processing (Article 6) that the right of access, which is a basic pillar of the directive, exists, (35) as evidenced by Article 12 which uses the qualification ‘without constraint’. (36) In line with the protective purpose of Directive 95/46, which focuses all its efforts on the protection of data subjects, it is clear that the obligation relating to the keeping of data is secondary to the right of access. Its solid subjective dimension and aim of safeguarding fundamental rights (on this occasion, the right to privacy) support that view and situate the underlying interests of Article 6 at a lower legislative level.

35. That reasoning is borne out by the scheme of Article 8 of the Charter of fundamental rights of the European Union, the interpretative value of which is beyond doubt, (37) and which refers to the right of access in its first paragraph. Paragraph 2 goes on to list the principles applicable to data processing, but that hierarchical order, where the right of data subjects takes precedence over the responsibilities of those who use personal data, is clear there too.

36. In the light of those circumstances, and drawing the attention of the Court to the subjective dimension of Directive 95/46, Article 12 of which takes special precedence over Article 6, I will now go on to analyse the question referred by the Council of State of the Netherlands.

VII – Personal data and data relating to processing

37. As I explain in points 16 and 17 of this Opinion, it is appropriate to carry out a separate examination of two hypotheses, whose application depends on the circumstances of each case, analysing the lawfulness of the time-limit, on the one hand, where that limit is less than that fixed for the main data and, on the other, where the time-limit for accessing data relating to processing is the same as that for obtaining the main data. In the first hypothesis, it has to be established whether those separate rules of access are compatible with the Directive, on the basis of the type of data requested. In the second hypothesis, the difficulty arises of determining whether access is possible after deletion.

38. In order to reply comprehensively to the question referred by the Raad van Staat, it is essential to ascertain first of all whether the periods fixed for deletion must be applied collectively to all data , including data relating to processing, or whether a differentiation may be made according to the type of personal data concerned. There is a fundamental difference deriving from the aims pursued by each type of information.

39. The Greek Government and, at the hearing, the Czech Government have pointed out that each type of data relates to a different purpose. It is important to explain below the advantages and disadvantages of that reasoning, together with its consequences for the case before the Court.

40. The destruction of personal data is designed to protect the data subject, since the erasure of information removes any risk of unlawful processing. There is a certain logic to the fact that Article 6 of Directive 95/46 does not set a time-limit, because each file serves its own purpose and, in accordance with the principle of subsidiarity, the national legislature is better placed to decide the period of time available to controllers before data must be destroyed. However, the erasure of information relating to processing fulfils different objectives; it does not protect the data subject, since that individual loses the information trail and is unable to exercise the right of access because the data in question are no longer held by the controller, while third parties who have obtained the data benefit from deletion, in that their identities and intentions have been erased.

41. That approach highlights the conceptual difficulties underlying this case. It is indeed possible to differentiate between the deletion of personal data and the deletion of data relating to processing . (38) The legal rights affected are different as are the autonomous functions, in respect of which Directive 95/46 lays down separate rules. However, when taken to extremes, that interpretation leads to undesirable consequences. First, the difference is not covered by the wording of Directive 95/46, since Article 6 concerns deletion of personal data in their entirety, while Article 12, although referring to a number of different types of information, does so in order to give substance to the right of access, rather than to provide a detailed list. (39) Second, the right of access is designed to be exercised ‘without constraint’, so having a broad meaning. As I shall explain below, the degree of protection afforded to that right may be delimited according to the circumstances, but the wording of Article 12 precludes the existence of first- and second-class access. Third, as the Commission, the Kingdom of Spain and the United Kingdom pointed out at the hearing, both types of data form a technological unit, are usually dealt with in the same files, and their joint manipulation does not present a particularly onerous task for controllers.

42. Accordingly, I do not believe that data relating to processing exist separately and are governed by their own body of legal rules. Such information concerns personal data undergoing processing, in that it explains the manner and the conditions in which personal data have been manipulated, which leads me to conclude that it is an essential part of the Community definition of ‘personal data’ for the purposes of Article 2(a) of Directive 95/46. In order to provide the referring court with a helpful reply, that assertion must be qualified in the light of the two hypotheses I describe in points 16 and 17 of this Opinion.

VIII – First hypothesis: a shorter period for the deletion of data relating to processing

43. The question referred by the Raad van State appears to refer to this case: Netherlands law provides that personal data may be kept for a long time but lays down a shorter period of one year for the deletion of data relating to processing. However, the order for reference does not provide details of the data in dispute in the main proceedings, and therefore I venture to propose this initial reply by turning to the case mentioned above.

44. For the reasons explained in paragraphs 37 and 42 of this Opinion, I take the view that Directive 95/46 does not distinguish personal data from data relating to processing. Conscious of the difficulties of storage which such an approach would entail, I believe that the time-limit for deletion laid down in Article 6 of Directive 95/46 is the same for both types of data. Even though the purpose of deletion varies according to the data concerned, I find it difficult to envisage different sets of provisions based on such an artificial separation, particularly where a fundamental right is affected.

45. As I argue in points 29 to 35 of this Opinion, the legislation gives priority to the right of access, to which the obligations relating to deletion are secondary. To fulfil that objective, both personal data and data relating to processing are better protected if they are kept for the same period.

46. There are times when it is necessary to store personal data for long periods but such periods must be justified in the general interest, which applies equally to the extended storage of data relating to processing. Where storage lasts for an unjustifiably long time, because the files are for historical, statistical or scientific use, Directive 95/46 requires Member States to adopt specific measures which provide for the use of such files in accordance with the criteria which justify their lengthy storage. (40) Accordingly, it is necessary to lay down other measures which ensure that data subjects are protected but which take specific account of the historical and cultural uses referred to in Article 6[(1)](e) of Directive 95/46.

47. Further, as the College states in its written observations and confirmed at the hearing, there are other restrictions on that obligation to store data relating to processing for the same periods as those applicable to personal data. To my mind, the example given by the College is conclusive as concerns the protection of information relating to third parties, which, in turn, must also be protected under Directive 95/46, although that does not mean that the original subject whose data were disclosed must be left without any protection at all. That condition implies, with regard exclusively to the recipient’s personal data, that the original data subject is bound by the same restrictions as any other recipient for the purposes of Directive 95/46.

48. Accordingly, if personal data and data relating to processing are subject to the same time-limit for deletion, there is no need to assess whether the period of one year laid down in the Netherlands legislation is proportionate. If the period for keeping personal data is longer than the period laid down for data relating to processing, the reply to the question referred for a preliminary ruling would conclude here.

49. If the legal framework applicable to the case were different, the reply to the question referred would also be different, provided that the time-limits were the same and the data subject requested access to information which had already been destroyed.

IX – Second hypothesis: a common time-limit for the deletion of both types of data

A – The wording of Article 12 of Directive 95/46

50. The Kingdom of Spain, the Czech Republic and the Netherlands maintain that Article 12 creates a link between the right of access and the deletion required by Article 6, in the light of the wording of the second subparagraph of Article 12(a). That provision calls on Member States to guarantee the right to obtain from the controller communication in an intelligible form of the data undergoing processing and of any available information as to their source. The Governments concerned conclude from that wording that Directive 95/46 restricts the right of access to information which is being processed, thereby excluding that right where a request is made once processing has finished, in other words, after deletion of the data. In their view, that interpretation is bolstered by a comparison of the different linguistic versions of the provision, which vary in the rigour with which they refer to the temporary and fixed nature of the right.

51. That argument is unconvincing, since, although the English-language version refers to data ‘undergoing processing’, (41) the Spanish version is more ambiguous in tone. I acknowledge that a strict interpretation of the provision would be more consistent with the obligation to delete data laid down in Article 6. However, I do not believe that a comparison provides any conclusive guidance, especially since there are reasons, which I shall set out below, for disregarding the grammatical construction of Article 12. (42)

52. Nor do I agree with the contention of the Kingdom of Spain to the effect that another exception must be applied to Article 12, in addition to the ones laid down in Article 13 of Directive 95/46. (43) After acknowledging that access is restricted to data undergoing processing, the Spanish Government goes on to argue that, in addition to the restrictions referred to in Article 13, there is another restriction which is tacit in nature, the tenor of which is derived from the obligation in Article 6 of Directive 95/46. I am not persuaded by that argument, which gives significant support to the view which it seeks to counter: if Article 13 lays down a set of exceptions to a broad right of access, those exceptions must be interpreted strictly. Since it is not appropriate to permit a wide [interpretation] of those restrictions, then the creation of new categories would be even more unacceptable.

53. In summary, the wording of the articles leads me to reject a reductionist appraisal of the right of access. Those arguments do not support the view that there is a single time-limit, since, according to the internal hierarchy of Directive 95/46, the right of access takes precedence over the obligation to delete data. Thus, the erasure of a file constitutes a restriction of access which is lawful only when certain guarantees are fulfilled. In other words, it is appropriate to make the exercise of the right subject to certain conditions (for example, by the adoption of a time-limit), provided that the data subject has not been protected by other means. If that were not the case, there would be time-limits for deletion which are unlawful on the grounds that they restrict the right of access, but that does not mean that it is necessary to differentiate between the types of information and require controllers to keep data relating to processing forever. On the contrary, it means that the time-limit for deletion must be extended so that access may be guaranteed.

54. Accordingly, it is my view that the time-limit for deletion also constitutes a restriction of the right laid down in Article 12 of Directive 95/46. However, that time-limit is liable to infringe the directive where it renders the aims pursued by the article excessively difficult.

B – An exception to the rule: information provided to the data subject

55. For the reasons set out, I maintain that the time-limit for deletion acts to restrict the exercise of the right of access, although there are circumstances where an imbalance is created between the time-limit for deletion and the time-limit for access. By using the word imbalance, I refer to the possibility of the time-limit being proportionate for deletion but disproportionate for access or vice-versa. I am aware of the practical difficulties of that approach, but a similar outcome may arise in a very specific situation, namely, where a data subject has not been sufficiently informed of his rights.

56. That outcome is reached when, in line with the argument put forward by the Hellenic Republic and the Commission, there is evidence of a lack of information, to the detriment of the data subject. To illustrate that point, it must be recalled that Articles 10 and 11 of Directive 95/46 lay down the obligation to communicate to and require from the person concerned a number of pieces of information and/or authorisations, including details of any disclosure of data to third parties. That obligation is couched in vague terms and each Member State is afforded considerable latitude. The reply in a case such as the one before the Court depends on the manner in which each national legislature has implemented those obligations. There is nothing to prevent an individual who has not been informed, prior to disclosure, of the identity of the recipient, or of the time-limits for exercising the right of access, from being afforded a higher level of protection. (44) That corollary is compatible with the primacy which Directive 95/46 attaches to the subjective right of the individual to whom the data relate, the restriction of which must arise in such a way that, even where deletion has occurred, the exercise of the right is guaranteed.

57. In some cases, through the application of that doctrine, proceedings may lead to a judgment which it is impossible to execute. If the College has destroyed on its own initiative all data relating to Mr Rijkeboer which are more than one year old, the applicant’s claim is liable to be fruitless. It is clear that the Municipal Council of Rotterdam is not in a position to give what it no longer has. It is likely that the same difficulty affects other national systems, albeit only for the period until the amendment of legislation which is incompatible with Community law. However, in the meantime, the applicant still has one remedy at his disposal, which is to bring an action for financial liability against the State for an infringement of the Community provisions. In the absence of enforcement to the full satisfaction of the individual concerned, those provisions at least provide for financial reparation which the national courts are involved in upholding. (45)

58. In short, the present proceedings must be resolved, to use the United States term, by a ‘hard look’ review of proportionality, (46) if the Raad van State finds a lack of information in the main proceedings. In such cases, it is essential that the time-limit for deletion does not operate automatically as a barrier to the right of access. The review of proportionality must be performed at its highest protective level, and it would be unlikely to endorse a time-limit as short as one year.

59. In those circumstances, I agree with those who argue that deletion and access are elements of a single reality and must therefore be treated as one for the purpose of setting the time-limits applicable to them. Deletion under Article 6 of Directive 95/46 covers all aspects of information, including information about disclosure to third parties. As a result, the time-limit for deletion also acts, indirectly, as a time-limit restricting the duration of the right of access. Distinguishing one type of data from the other for the purposes of access is tantamount to imposing a distinction which is not found in Directive 95/46, and which, moreover, does not have any obvious effect. (47)

60. There are exceptions to that position when there is a lack of transparency at the time an individual is notified of his rights. In those circumstances, the time-limit for deletion must be extended in order to preserve the right of access.

C – The time-limit of one year and the principle of proportionality

61. The Netherlands legislation lays down special rules for the processing of personal data by local authorities, of which, for the purposes of the present case, attention must be drawn to the general time-limit of one year for deletion. I have already explained the reasons why it is appropriate to consider that period in accordance with both Article 6 and Article 12 of Directive 95/46. At this juncture, it is necessary to establish whether that time-limit is compatible with the principle of proportionality, the applicability of which is a requirement of Articles 6 and 12, since both give substance to a fundamental right.

62. The United Kingdom, Spanish and Czech Governments have made every endeavour to in explain the difficulties of guaranteeing the right of access when data have been deleted. On that premiss, those Governments have paid little attention to the time-limit under discussion. However, in their observations, the Greek Government and the College examine the implications of the Netherlands time-limit in the light of Directive 95/46 and the principle of proportionality. In the opinion of the Greek Government and the Commission, that period is excessively short and, therefore, incompatible with Community law. The College claims that the time-limit is lawful, invoking the special features of the Netherlands system which compensates for the shortness of the period by means of other safeguards designed to protect data subjects.

63. It is appropriate to offer some preliminary guidance in connection with the review of the proportionality of the national time-limit, since the Court has examined similar time-limits on other occasions. It is clear from case-law that the approach should vary according to the context of each case, and that the level of thoroughness of the review depends on the circumstances. (48) Where there is a possibility that fundamental rights are affected, there must be a scrupulous examination of the time-limit for the exercise of those rights. (49) Nevertheless, that examination depends on a number of factors.

64. As I argue in paragraphs 55 to 60 of this Opinion, it is necessary to assess the amount of information received by the data subject while his data are processed, and, in that regard, the following criteria may be set out.

65. In accordance with Articles 10 and 11 of the directive, the data subject is entitled to be notified of a number of facts, including in particular, the identity of ‘the recipients or categories of recipients of the data ... in so far as such further information is necessary, having regard to the specific circumstances in which the data are collected, to guarantee fair processing’. The two articles differentiate between information collected from the data subject and information collected from another source, although information about disclosure of data to third parties must be furnished in both cases.

66. National legislatures have considerable latitude when it comes to implementing the obligation imposed in Articles 10 and 11, but the aim pursued by those articles is to inform an individual that his data have been disclosed and to provide him with the opportunity, should he so wish, to access data relating to processing and to ensure that processing is carried out in observance of the principles of Article 6 of Directive 95/46. However, the information varies according to the circumstances and it is for the referring court to establish whether Netherlands law, and the corresponding practices of the Municipal Council, observe the requirements of Articles 10 and 11. It would be useful to know whether Mr Rijkeboer was notified of any disclosure of his data and informed of the one-year period granted to him for exercising the right of access. The Member States are not required to communicate the time-limit, since Articles 10 and 11 do not call upon them to do so. (50) However, when assessing the length of the time-limit, it is extremely important to ascertain whether that information was communicated to the individual concerned. Otherwise, in the absence of further information from the controller, it would be difficult to find a period as short as one year to be compatible with the principle of proportionality and, accordingly, with Directive 95/46.

67. Also of particular importance is the type of information disclosed, since, as the directive provides, the information to be notified includes the identities of the recipients and also the ‘categories of recipients’. That second alternative means that the details provided do not always reveal who has had access to the files and leaves the data subject in a disadvantageous position when exercising the right of access. It falls to the national court to determine the extent to which Mr Rijkeboer was informed of the recipients of the data and the parameters within which that took place. When that analysis is carried out, there must be a more stringent review of the time-limit in cases where the identities of third parties were not provided, since the individual to whom the data relate may be concerned that the data have not been processed in accordance with the principles of Article 6.

68. Finally, it is necessary to set out a number of rules relating to the burden of proof. As the holder of a fundamental right, Mr Rijkeboer has had to bring legal proceedings in order to ascertain how his personal data have been processed. (51) Compatibility with Directive 95/46 depends on a number of factors which vary according to the circumstances and which are inherent in national law and in the practices of the municipal authority. Mr Rijkeboer has brought the proceedings in order to assert his fundamental right but he ought not to be obliged to prove the shortcomings of the law of his own Member State in that connection, for the wording of Directive 95/46 indicates, in line with the considerations set out in paragraphs 29 to 35 of this Opinion, that the right of access is paramount and any exceptions to it must be assessed with extreme caution. Therefore, since the subjective dimension of Community provisions on data protection takes precedence, it is for the controller to prove that the legal context of, and practices prevailing in, the processing of data provide guarantees which justify a time-limit as short as one year for the exercise of the right laid down in Article 12 of Directive 95/46.

69. The College has adduced some evidence in that regard in the observations submitted in these preliminary-ruling proceedings. The national legislation establishes a system of checks and balances (as graphically stated by the College) which harmonises the right of access with certain safeguards, such as restrictions on recipients, the linking of certain cases to specific purposes, prior authorisation by the data subject, and a monitoring system entrusted to an independent authority. Further, the College contends that the data subject is informed of the one-year time-limit both individually and collectively (on the internet and in leaflets made available to residents). (52)

70. I am aware of the repercussions this case may have for controllers of data governed by the directive. However, the overriding importance of protecting individuals leads me to conclude that the effective manipulation of data must be compatible with the principle of protection of rights. Accordingly, Articles 6 and 12 of Directive 95/46 must be interpreted as meaning that the time-limit of one year for exercising the right of access to data relating to processing is unlawful, if:

– the data subject was not notified of the disclosure of his data, or

– the data subject was notified but was not informed of the length of the period fixed, or

– the data subject was notified but was not given sufficient details about the identities of the recipients.

71. A fundamental right being at stake, the College must prove that the national provisions and administrative practices provide for an adequate level of information to be supplied to the data subject, so that he is able to exercise his right of access without constraint.

72. It is for the Raad van State to apply Articles 6 and 12 of Directive 95/46 in the light of the criteria put forward and the legal and factual evidence adduced in both the preliminary-ruling proceedings and the main proceedings, as explained in paragraphs 70 and 71 of this Opinion.

X – Conclusion

73. In the light of all of the foregoing considerations, I propose that the Court of Justice should reply to the questions referred for a preliminary ruling by the Raad van State, declaring that:

Data relating to processing, including data concerning disclosure to third parties, are personal data for the purposes of Article 2(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. In order to ensure the effectiveness of Directive 95/46, the time-limit for deletion applicable to data relating to processing is the same as that laid down for personal data, without prejudice to the rights and obligations which the directive confers on third parties to whom the data is disclosed.

The time-limit of one year for exercising the right of access to data relating to processing is incompatible with Articles 6 and 12 of Directive 95/46 if:

– the data subject was not notified of the disclosure of his data, or

– the data subject was notified but was not informed of the length of the period fixed, or

– the data subject was notified but was not given sufficient details about the identities of the recipients.

It is for the controller to prove that the national provisions and administrative practices provide for an adequate level of information to be supplied to the data subject, so that he is able to exercise his right of access without constraint.

(1) .

(2)  – Directive of the European Parliament and of the Council of 24 October 1995 (OJ 1995 L 281, p. 31).

(3)  – The recovery of memory, like the protection of lawfully and unlawfully processed data, is a delicate task. The removal of traces of the past must be approached with caution, as Proust asserted when he defended the evocative power of memory, since ‘[t]he places we have known do not belong only to the world of space on which we map them for our own convenience. They were only a thin slice, held between the contiguous impressions that composed our life at that time; the memory of a particular image is but regret for a particular moment; and houses, roads, avenues are as fugitive, alas, as the years.’ Proust, M., In Search of Lost Time. Volume I. Swann’s Way, translated by Scott Moncrieff, C.K. and Kilmartin, T., Vintage, London, 2002, p. 513.

(4)  – Case 294/83 Les Verts v Parliament [1986] ECR 1339, paragraph 23, and Case C‑402/05 P Kadi v Council and Commission [2008] ECR I‑00000, paragraph 281.

(5)  – Case 29/69 Stauder [1969] ECR 419, paragraph 7.

(6)  – Cited in the previous footnote.

(7)  – Case 11/70 Internationale Handelsgesellschaft [1970] ECR 1125.

(8)  – Case 4/73 Nold v Commission [1974] ECR 491, and Case 222/84 Johnston [1986] ECR 1651, paragraph 18.

(9)  – Cited in footnote 5.

(10)  – Case 145/83 Adams v Commission [1984] ECR 3539, paragraph 34.

(11)  – Case 140/86 Strack v Commission [1987] ECR 3939, paragraphs 9 to 11.

(12)  – Case C‑62/90 Commission v Germany [1992] ECR I‑2575, paragraph 23.

(13)  – Case C‑404/92 P X v Commission [1994] ECR I‑4737, paragraphs 17 and 18.

(14)  – Joined Cases 46/87 and 227/88 Hoechst v Commission [1989] ECR 2859, and Case C‑94/00 Roquette Frères [2002] ECR I‑9011.

(15)  – Case C‑60/00 Carpenter [2002] ECR I‑6279, paragraph 38, and Case C‑459/99 MRAX [2002] ECR I‑6591, paragraph 53.

(16)  – Articles 1 to 3 of Directive 95/46.

(17)  – Article 2 of Directive 95/46.

(18)  – Articles 10 to 24 of Directive 95/46.

(19)  – ‘Whereas the object of the national laws on the processing of personal data is to protect fundamental rights and freedoms, notably the right to privacy, which is recognised both in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms and in the general principles of Community law; whereas, for that reason, the approximation of those laws must not result in any lessening of the protection they afford but must, on the contrary, seek to ensure a high level of protection in the Community.’

(20)  – Judgment in Joined Cases C‑465/00, C‑138/01 and C‑139/01 Österreichischer Rundfunk and others [2003] ECR I‑4989, paragraph 70. In that connection, Advocate General Tizzano argued in his Opinion that the principal aim of Directive 95/46 is the free movement of personal data and not the protection of fundamental rights. The Court did not agree with that argument and took a protective approach vis-à-vis the data subject. That view was later upheld in the judgment in Case C‑101/01 Lindqvist [2003] ECR I‑12971, paragraph 96 of which stated that Directive 95/46 is intended to ensure free movement of personal data while guaranteeing a high level of protection for the rights and interests of the individuals to whom such data relate.

(21)  – Guichot, E., Datos personales y Administración Pública, Civitas, Madrid, 2005, pp. 43 to 47.

(22)  – Instrument solemnly proclaimed on 7 December 2000 by the European Parliament, the Council and the Commission (OJ 2000 C 364, p. 1 et seq.).

(23)  – A document which, although it does not form part of the current Community legal order, undoubtedly displays its effects as a provision of soft law . On the Charter and its legal consequences, I refer to my Opinion in Case C‑303/05 Advocaten voor de Wereld [2007] ECR I‑3633, paragraphs 78 and 79.

(24)  – Alonso García, R., The General Provisions of the Charter of Fundamental Rights of the European Union, Harvard Jean Monnet Working Paper no 4/02, pp. 22 and 23.

(25)  – The Communication from the Commission to the European Parliament and the Council on the follow-up of the Work Programme for better implementation of the Data Protection Directive, adopted by the Commission on 7 March 2007 (COM, 2007 87 final, p. 5), confirms that all the Member States have transposed Directive 95/46.

(26)  – The practice of balancing principles and interests is used often by the Court when resolving cases concerning fundamental rights. In the sphere of data protection, the judgments in Lindqvist , paragraph 82, and Case C‑275/06 Promusicae [2008] ECR I‑271, paragraph 66, are illustrative. Groussot, X., ‘Comentario a la sentencia Promusicae’, Common Market Law Review , number 6, vol. 45, 2008, analyses that balancing exercise.

(27)  – Cited in footnote 20.

(28)  – Cited in footnote 27.

(29)  – In addition to the judgments in Lindqvist and Promusicae , I refer to the Opinion of Advocate General Kokott delivered on 8 May 2008 in Case C‑73/07 Tietosuojavaltuutettu, pending judgment, where she explains, in paragraphs 99 to 105, the manner in which the Court undertakes the balancing exercise in the field with which I am concerned in the present Opinion.

(30)  – In line with Article 6, Article 12 of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (OJ 2002 L 201, p. 37) also refers to the deletion of data, albeit in less stringent terms and making it conditional on a request from the data subject.

(31)  – Emphasis added.

(32)  – Adjectives used in Article 6(1) of Directive 95/46.

(33)  – The New Enyclopedia Britannica , vol. 12, Chicago, London, Toronto, Geneva, Sydney, Tokyo, Manila, Seoul, 1973, p. 24.

(34)  – Hawking, S., A Brief History of Time, Bantam, New York, 1988, p. 193, argues in favour of the egg. That decision entails obvious teleological consequences which, naturally, it is not appropriate to discuss here.

(35)  – That point is made by Herrán Ortiz, A.I., El derecho a la intimidad en la nueva Ley Orgánica de protección de datos personales, Dykinson, Madrid, 2002, p. 153, and Arenas Ramiro, M., El derecho fundamental a la protección de datos personales en Europa, Tirant lo Blanch, Valencia, 2006, p. 305.

(36)  – Directive 95/46 aims to go further than Council of Europe Convention No 108 of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data. Recital 11 in the preamble to the Directive confirms that by stating: ‘the principles of the protection of the rights and freedoms of individuals, notably the right to privacy, which are contained in this Directive, give substance to and amplify those contained in the Council of Europe Convention of 28 January 1981 ...’ (emphasis added). Sound evidence of that is the subject-matter of the Community legislation which is broader in a number of respects than Convention No 108, including, particularly significantly, with regard to the definition of the right of access. Directive 95/46 provides that the right must be exercised ‘without constraint’ whereas Article 8 of Convention No 108 merely provides that access must be enabled ‘at reasonable intervals’. The Community legislation seeks to extend the right and therefore enshrines it in substantially broader terms than those used in the Council of Europe instrument, emphasising that the intention of Directive 95/46 is to protect individuals.

(37)  – Case C‑540/03 Parliament v Council [2006] ECR I‑5769, paragraph 38; Case C‑432/05 Unibet [2007] ECR I‑2271, paragraph 37; Advocaten voor de Wereld , cited in footnote 23, paragraph 46; and Kadi v Council and Commission , paragraph 335.

(38)  – The Commission maintains that such a differentiation may be made in its observations (paragraphs 31 and 32).

(39)  – Although Article 12 of Directive 95/46 refers to matters relating to access, it concerns other matters connected to processing rather than personal data. That assertion helps to lead to the conclusion that, with regard to personal data, the right of access is unrestricted. However, processing is a different matter and that demonstrates that Directive 95/46 has taken account of the difficulties inherent in an all-inclusive interpretation of Article 12.

(40)  – Article 6(1)(e) qualifies the obligation to delete data, as follows: ‘Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.’ Although it is not explicitly framed as an exception to the obligation to delete, the Directive provides that those who carry out the activities in the general interest referred to are exempt from the obligations laid down but it does not provide that the Community provisions are inapplicable because those activities must satisfy the special features of historical, statistical or scientific research.

(41)  – The French- (‘sont traitées’ and ‘sont communiquées’) and German- (‘an die Daten übermittelt werden’) language versions are equivalent to the English-language version.

(42)  – Unlike the College in its submissions, I do not take the view that Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ 2001 L 8, p. 1), which lays down an obligation to set a time-limit for keeping data, provides guidance as to the correct interpretation of Articles 6 and 12. The regulation is the statutory translation of Directive 95/46 in its application to the Community institutions. It is logical that its subject-matter should be more detailed than that of an instrument of harmonisation addressed to the Member States. The reference to the time-limit, set out in Articles 11 and 12 of the regulation, is not an indication that Directive 95/46 seeks an adverse effect or that it imposes that effect on the Member States. Taken in the round, the silence of the Directive is merely evidence of the organisational discretion prevailing in each national legal system, which does not amount to an acceptance of any time-limit or of its capacity to restrict the right of access.

(43)  – Observations of the Kingdom of Spain (paragraph 25).

(44)  – That interpretation of Articles 10 and 11 is favoured by Bainbridge, D., EC Data Protection Directive, Butterworths, London-Dublin-Edinburgh, 1996, p. 139.

(45)  – It is appropriate to recall that Article 23 of Directive 95/46, which concerns liability for infringement of the provisions of the Directive, provides, in paragraph (1): ‘Member States shall provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered.’

(46)  – According to that doctrine, a court carries out a more intensive review of decisions of the public authorities where there appears to be no solid foundation justifying those decisions. The doctrine originated in the judgment of the United States Supreme Court in SEC v. Chenery Corp., (318 U.S. 80 (1943)), and was subsequently developed in Citizens to Preserve Overton Park v. Volpe (401 U.S. 402 (1971)). See also Breyer, S.G., Stewart, R.B., Sunstein, C.R. and Vermeule, A., Administrative Law and Regulatory Policy, Aspen, New York, 2006, pp. 349 to 368. On the ‘hard look’ review at Community level, in the sphere of both Community and national law, see Craig, P., EU Administrative Law, Oxford University Press, 2006, pp. 477 to 481.

(47)  – Notwithstanding those technical complexities, the United Kingdom pointed out at the hearing that its national law explicitly provides for measures which guarantee the right of access to data relating to processing, even after the deletion of personal data . However, the agent of the United Kingdom Government did not elaborate on that point but did assert that the practice is exceptional in nature, and I am therefore minded to be cautious. Furthermore, it is my view that if Directive 95/46 had provided for that situation, it would have done so explicitly.

(48)  – Case 286/85 McDermott and Cotter [1987] ECR 1453, paragraph 15; Case C‑208/90 Emmott [1991] ECR I‑4269, paragraph 18; Case C‑338/91 Steenhorst-Neerings [1993] ECR I‑5475, paragraph 19; Case C‑410/92 Johnson [1994] ECR I‑5483, paragraph 26; Case C‑260/96 Spac [1998] ECR I‑4997, paragraph 32; Joined Cases C‑279/96, C‑280/96 and C‑281/96 Ansaldo Energia and others [1998] ECR I‑5025, paragraphs 19 to 21; and Case C‑255/00 Grundig Italiana [2002] ECR I‑8003, paragraph 37.

(49)  – In the following judgments, the Court ruled on the review of national rules in the light of fundamental Community rights: Case 5/88 Wachauf [1989] ECR 2609, paragraphs 17 to 22; Joined Cases C‑20/00 and C‑64/00 Booker Aquaculture [2003] ECR I‑7411, paragraphs 88 to 93; and Case C‑144/04 Mangold [2005] ECR I‑9981, paragraph 75.

(50)  – Unlike Regulation (EC) No 45/2001, Articles 11(1)(f)(ii) and 12(1)(f)(ii) of which provide that the institutions must notify the data subject of the time-limits for storing the data.

(51)  – Although Directive 95/46 is silent in that regard, in contrast with the situation in other provisions of secondary legislation (such as Council Directive 2000/78/EC of 27 November 2000 establishing a general framework for equal treatment in employment and occupation (OJ 2000 L 303, p. 16)), I believe that, when fundamental rights are in issue, any qualification of the obligations relating to evidence must comply with general principles of Community law.

(52)  – Observations of the College (paragraphs 65 to 70).