Judgment 2800/16

Applicant type Legal Person
Number of applicants 3
Country Netherlands
Application no. 2800/16 
Date 16/05/2023
JudgesPere Pastor Vilanova, President,
Yonko Grozev,
Jolien Schukking,
Darian Pavli,
Peeter Roosma,
Ioannis Ktistakis,
Andreas Zünd
Institution Court
Type Judgement
Outcome Art. 8 No violation
Reason Necessary (economic well-being)
Type of privacy Informational privacy
Keywords Margin of appreciation; quality of law; transfer of data
Facts of the caseAround 2007 suspicions arose that local government officials had been bribed by building contractors desirous of winning government contracts for infrastructure projects. The Public Prosecution Service, assisted by the National Police, began an investigation. An investigating judge authorised the interception of the telephone conversations of some of the applicant companies’ employees. The Netherlands Competition Authority was granted access to data that contained indications of price-fixing. Subsequently, NMA inspectors visited the business premises of one of the applicant companies and requested access to the books and questioned employees. The companies requested a civil court to order the return of their data by the NMA to the Public Prosecutor’s Office under Article 8 ECHR, but that request was denied. When the NMA imposed a sanction on the companies for violating the Competition Act, the companies lodged an appeal with the administrative court, again pointing to a violation of Article 8 ECHR. The lower court agreed with the companies, because criminal data had been shared without appropriate evaluation of the privacy interests concerned. On further appeal, however, the Supreme Administrative Court for Trade and Industry did not follow the Regional Court’s opinion that the transmission of criminal data must be based on a weighing of interests by the public prosecutor that is known and can be assessed by the court. The availability of written reasoning from the public prosecutor at the time of the transmission may simplify the verification of compliance with the law, but neither the law nor legislative history suggests that the unavailability of written reasoning at the time of transmission means that the requirements for transmission have not been met. That is why it found no violation of Article 8 ECHR on this point.
AnalysisThis case should be read in light with two other cases, namely 2799/16 and 3124/16 and 3205/16, all issued on the same day. This case is interesting for a number of reasons:
1.     The ECtHR has traditionally been reluctant to declare applications brought by legal persons admissible under Article 8 ECHR, because it found that the right to privacy, more than most other rights under the Convention, has a personal and private character. Slowly, starting with the Stes Colas Est judgement, it also allowed legal person’s to directly invoke Article 8 ECHR. Since then, the ECtHR has accepted a dozen or so cases in which it declared admissible the privacy complaints of legal persons. By and large, these consisted of either of two types of complaints. First, complaints where the business premises of a legal person was entered by governmental officials, which amounted to an interference of the ‘home’ of the legal person. Second, mass surveillance cases where the Court let go of the victim requirement, and allowed anyone to complain not of their own interests being affected, but of the validity of the legal regime in place. In the case at hand, the Court grants a rather unspecific right to the legal persons, which it links to the secrecy of correspondence, but could also be read as a more general right to data protection, because the main issue of the case is not the interception of private correspondence, but the subsequent transfer of the intercepted data to third parties and the re-use of those data for secondary purposes. Consequently, this case might be the first step in the ECtHR attributing a right to data protection to legal persons, which would be remarkable for two reasons. First, because there is no right to data protection explicitly enshrined in the Convention. While the Council of Europe has adopted Convention 108+ , data protection was traditionally linked to the right to private life and the right to correspondence, as engrained in Article 8 ECHR. This step would be a next step in the recognition of the right to data protection, which is recognised as a separate fundamental right in the EU Charter, and the data protection principles as laid down in the EU General Data Protection Regulation, the transfer of personal data and the purpose limitation principle being fundamental pillars of that regime. Second, this would have the Council of Europe go one step further than the EU, because the right to data protection only applies to data about natural persons, not of legal persons. What makes this second point complex is that the data that were intercepted concern the activities of the legal person, but obviously, it were natural persons (employees) that communicated those data. The Court does not make clear to what extent (1) the companies have an independent right to data protection, which was in play because data concerning their conduct was processed and transferred, (2) the interests of the company and the employees were intrinsically linked so that it was impossible to separate those interests, (3) the companies have an indirect right to data protection, the direct victims being the natural persons whose correspondence was monitored, (4) there are two rights at stake in this case, namely on the one hand the right to the privacy of correspondence of natural persons and on the other hand the right to data protection of the legal persons, the latter bringing a case, or (5) the legal persons’ claim should read in a representative way: they are defending the rights of natural persons, namely their employees. The ‘Court accepts that the transmission to the NMA of data obtained in the “Cleveland” criminal investigation against the applicant companies through tapping of their employees’ telephones constituted an interference with those companies’ rights under Article 8 of the Convention. (§45)’ Finally, it is interesting that the Court points out that the margin of appreciation of Member States is bigger with respect to potential interferences with rights of legal persons than with those of natural persons.
2.     The Court refers to its established jurisprudence on the Quality of Law, meaning that the law must be sufficiently clear on when, how and by whom competences can be used, to avoid arbitrary use of power. This doctrine has been used and developed at least since the early 90ties of the previous century, but in recent years has been expanded by the Court in particular in relation to intelligence agencies and special police units whose operation remain wholly or partially secret. The ECtHR has developed an elaborate framework ensuring these operations adhere to the minimum standards of the rule of law. The Court points out in this case that it has not yet provided specific guidance for sharing data between organisations, except in the special context of sharing intelligence material by a European organisation to a foreign state or international organisations. Different from other cases also, the Court points out, this cases revolves primarily around the transfer of data, not so much around their collection, the collection of the data by the law enforcement authorities not being the main dispute, but their subsequent transfer to the NMA. In a difficult to follow reasoning, the Court points out that the ‘transmission of data was derivative of an interference which already provided for safeguards against arbitrariness and which the Court assumes was in accordance with Article 8. For this reason already, the power to transmit the data obtained by that interference was not “unfettered”. (§54)’ It finds that the legal framework provided for adequate safeguards against the abuse of power, which is why it found that the interference was prescribed for by law. What makes this reasoning remarkable is that normally, both the gathering and the subsequent transfer of data are considered the processing of data, which need to have an adequate legal basis and adhere to all standards provided under privacy and data protection law. Here, it seems as though the ECtHR finds that because the initial collection of data was adequately regulated, the subsequent transfer was also adequately regulated, while the opposite seems true. There may be very strict guidelines for when and how an agency can collect data, but no or very few guidelines for subsequent transfer.
3.     Under the question of whether the interference was necessary in a democratic society, the ECtHR pays particular attention to the fact that there was extensive ex post facto judicial oversight in place. This is remarkable at least for two reasons. First and foremost, this seems to be part of the prescribed by law criterion and the related sub-criteria laid down by the Court under its Quality of Law doctrine. Second, the quality of law criteria are primarily geared at preventing arbitrary use of power, not remedying them, although adequate ex-post facto oversight and complaints procedures have always been important pillars in the approach of the Court. The Courts point out that in this case, the oversight was adequate and that this matter differed from the Sanoma case, also involving the Netherlands, which concerned the vital importance to press freedom of the protection of journalistic sources and of information that could lead to their identification, and did not concern transmission of lawfully obtained data between law enforcement authorities. ‘Given the nature and extent of the interference in the present case, in combination with the safeguards that were in place under the domestic legal framework, including the precautions taken when communicating the data obtained through interception of communications to another public authority, the Court is satisfied that the system was adequately capable of avoiding abuse of power and finds that Article 8 did not require ex ante authorisation by a court in the context at issue. (§70)’ Finally, the Court found the sharing of data proportionate because it only concerned 2% of the intercepted telephone conversations.
4.     In their joint Dissenting Opinion, judges Grozev, Pavli and Ktistakis find that although Member States are allowed a ‘somewhat’ larger margin of appreciation with respect to interfering with the rights of legal persons than with those of natural persons, this should be a pragmatic point rather than a paradigmatic difference. They also point to the fact that the judgement of today is almost exclusively based on references to earlier jurisprudence of the Court on secret surveillance, while mostly ignoring data protection principles as set out, inter alia, in the General Data Protection Regulation. In particular, they point out that judicial authorisation was granted to law enforcement agencies for the collection of data in light of criminal investigations, not for by-catch data that could be used for establishing a violation of competition law. They bring to the fore a point that the Court usually makes with respect to the transfer of data between various agencies, but not in this case, and that is the risk of law circumvention. The idea is simple and often practiced. Suppose agency A and agency B are subject to different legal regimes. Agency A has broader powers to collect data. If agency A, on its own initiative or on a direct or indirect request or suggestion of agency B, collects data that are relevant for agency B, it may be legally authorised, and sometimes even required, to forward those data to agency B. Agency B may have thus obtained data that it would itself had not had the authority to collect. The judges suggest that the ECtHR’s jurisprudence on this point is underdeveloped and feel that as a minimum, national law should set a certain minimum level of gravity of potential breaches of the law the investigation of which can justify the further transfer of criminal investigation data, especially if such non-criminal infringements are not capable of triggering the use of secret surveillance measures on their own. Furthermore, they suggest that there should be ex ante judicial control, not mere ex post judicial oversight, and stress that a properly reasoned decision for sharing data should be a minimum condition under Article 8 ECHR. The fact that there was no reasoned decision that could be reviewed by an independent institution meant that ex ante control was difficult to impossible. The national regime provided no explicit guidance on the execution of the proportionality assessment and the appreciation of the various data protection standards. Finally, they were not persuaded that the ex post facto judicial review conducted by the Supreme Administrative Court for Trade and Industry was in line with Article 8 standards, pointing out that the court missed out on a number of important considerations, inter alia the fact that the Competition Authority has no legal powers to request secret surveillance measures suggests that it is normally considered to be capable of fulfilling its competition law enforcement functions without resorting to surveillance, and that exceptional circumstances would be needed to justify such use.
Other Article violation? No violation 13+8
Damage awarded
Documents Judgment