Preliminary questions on notion of “personal data” and scope of right of access to data

The District Court of Middelburg has determined that the right of access to personal data pertaining to privacy law is being interpreted differently by two of the highest courts of justice in the Netherlands. That is why the District Court has referred questions to (requested an interpretation by) the European Court of Justice for a preliminary ruling on the purport and scope of both the notion of personal data and right of access to personal data pertaining to privacy law. The issue is of importance to privacy law.

Asylum application rejected

The judgment of the District Court of Middelburg of 15 March 2012 concerns an asylum seeker who submitted an application for a residence permit on 13 January 2009. The application was rejected by the Dutch Immigration and Naturalisation Service (IND) on 9 June 2009. 

Invocation of right of inspection pertaining to privacy law

Subsequently, the asylum seeker asked for permission to inspect the original of the instrument (the legal analysis) on which rejection was based. To that end, the asylum seeker invoked the right of access under the Data Protection Act (Wet bescherming persoonsgegevens or “Wbp”)

Pursuant to Section 35 of the Data Protection Act, everyone has the right “to apply to the controller, requesting that it informs him/her whether the personal data relating to him/her are being processed”. Pursuant to Dutch law, such a request shall in principle be answered with a “complete overview” of the processed personal data, giving “a description of the purpose(s) of the processing of the personal data, the categories of data to which the processing relates, and the recipients or categories thereof, as well as the available information on the origin of the data”. 

Request for permission rejected; appeal currently before the Court

The request to access personal data was rejected by the Dutch Immigration and Naturalisation Service. The IND argued that the original of the instrument did not contain any personal data, but only a legal analysis. The legal analysis itself apparently did not consist of personal data; the analysis apparently only acted in support of a specific decision (that in and of itself does contain personal data, specifically the name of the asylum seeker, etc.). The asylum seeker appealed the refusal of the IND to issue a copy of the original of the instrument. 

District Court: different rulings on right of inspection by highest courts of justice

As proceedings have already been instituted on a regular basis against the invocation of the right of access to personal data within the context of asylum procedures, the District Court first, set out the relevant legal principles in its ruling. I will refrain in this contribution from dealing with all of them.

Nevertheless, it is interesting that the Court has determined that two of the highest courts of justice in the Netherlands ostensibly differ in their rulings on the precise purport of the right of access to personal data. 

Supreme Court: broad right of access to personal data

The Dutch Supreme Court, the court of last resort in civil proceedings, stated specifically in the well-known Dexia rulings that the right of inspection has a broad purport and that the provision of copies of a file can be necessary for the requirements of the right of access to personal data to be met:

3.6 (…) follows that the person concerned has the right to access the data that form the object of a processing and relate to himself, so that he can satisfy himself of the accuracy and the lawfulness of the information concerning him that has been saved. It ensues therefrom that the responsible authorities (within the meaning of the Wbp) should furnish the person concerned with specific information, making it possible for him to properly take note of his data and the manner in which they have been processed. (…) [the person concerned] may expect that the information to be subsequently supplied shall be transparent and complete. Further, in the fulfilment of the obligation imposed on it under Section 35(2) of the Personal Data Protection Act to furnish the person concerned with a complete overview of the personal data processed, it shall be insufficient for the responsible authority to issue general information, but rather it must issue all relevant information on the person concerned, which, depending on the circumstances, shall often – and if necessary on the instructions of the Court, shall have to – take place by issuing copies or extracts. (…) The notion of a “complete overview”, as used in Section 35, must be considered more as a broad indication of the obligation to furnish the data and not as a restriction.

The ruling of the Court of Appeal in the proceedings preceding these, that the person concerned had the right, among others, to a copy of the complete tape recordings of telephone conversations held with the bank, consequently stood up to scrutiny. 

Council of State: restricted right of inspection

By contrast, the Council of State, the court of last resort in many proceedings under administrative law, stated in a ruling of 2 February 2011 that as a basic principle copies of documents need not always be furnished:

As follows from the ruling of the Council of 24 January 2007 in case no. 200600780/1, the Wbp does not provide for a right to inspect documents containing personal data. (…) Communicating personal data, to the extent these documents contain such personal data, suffices. The State Secretary was not obliged pursuant to the Personal Data Protection Act to furnish copies of all requested documents and was for that reason already within his rights to decline furnishing the documents. The fact that the originals of instruments had previously been issued on demand to the persons concerned was irrelevant. The argument was successful to this extent.

In the ruling of 19 October 2011, the Council of State even stated that the invocation of the right of access to personal data was not available if the documents can also be obtained in another manner.

As the Council also previously found (ruling of 24 January 2007 in case no. 200600780/1), the Wbp does not provide for an unrestricted claim to the right to inspect all documents containing personal data. That right of inspection is only called for if notification of those data cannot be adequately provided for in another manner, or notification of the origin thereof, except for application of the grounds for refusal contained in Section 43 of the Personal Data Protection Act.

And in the ruling of 2 November 2011, the Council of State argued that the original of the instrument does not contain any personal data within the meaning of the Wbp:

2.3.1. (…) data that reflect a decision taken regarding a specific person shall be deemed as personal data relating to this person. The reasons expressed in the original of the instrument as to why a basic residence permit for a limited period of time is granted to [the applicant], with the aim of ‘carrying on family life in compliance with Article 8 of the ECHR’, are not personal data within the meaning of the Data Protection Act. The relevant data do not reflect the decision taken on the [applicant] concerning her residence permit. Important in this case is that whereas these data are involved in the formation of the decision eventually taken, they are not part thereof.

District Court doubts correctness of interpretation by Council of State

The asylum procedure concerns proceedings under administrative law. That is to say that if the asylum seeker and/or the Dutch Immigration and Naturalisation Service appeal the ruling of the court, the case shall eventually end up before the Council of State. Given the interpretation quoted above that this court of justice gives to the Wbp, it seems logical that the Court follows the strict doctrine and rejects the request of the asylum seeker. It would seem illogical, after all, for a lower court to interpret a law (in this case the Data Protection Act) more broadly than the superior court had previously done a few times beforehand. Indeed, such a judgment should very likely be quashed on appeal.

The District Court openly doubts, however, the accuracy of the ruling of the Council of State. The reason for this seems primarily to be that the “Article 29 Working Party”, in its Opinion 4/2007 on the notion of personal data, gives a (very) broad interpretation to the notion of “personal data”.

That is why the Court opted to refer questions to the European Court of Justice, the court of last resort in Europe, for a preliminary ruling. That is to say that several questions shall be posed to the ECJ regarding the meaning of the notion of “personal data” and the precise purport and scope of the right of access to personal data. That is (very) interesting, as this way it shall become clear for the first time and in the last instance which authority adheres to the correct interpretation of the privacy directive: the Supreme Court and/or the Council of State and/or the Article 29 Working Party (read: the privacy authorities).

For that matter, it could be up to two years before the European Court of Justice in fact gets round to answering the questions. Until such time, it is a waiting game. We will keep you informed.

Mark Jansen