Don’t be a data protection fundamentalist

So, data protection fans, what do you think of this?

“… data protection laws reach into and are employed in rather surprising circumstances. It generates, not just for the uninformed bystander, a certain intellectual unease as to the reasonable use and function of data protection rules.”

That observation was made in an Opinion given yesterday by Advocate General Bobek in Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA ‘Rīgas satiksme’.

I think I need a shorthand for that case title, so I will go with Rigas satiksme if that’s okay. Thanks.

AG Bobek’s Opinion is – by the standards of data protection jurisprudence – a remarkable piece of prose.

He begins by explaining the case itself:

“A taxi driver stopped his vehicle at the side of the road in Riga. When a trolleybus belonging to Rīgas satiksme (‘the Respondent’) was passing by, a passenger in the taxi suddenly opened the door. A collision ensued, damaging the trolleybus. Rīgas satiksme asked the police (‘the Appellant’) to disclose the identity of the passenger. It wished to sue him for the damage caused to the trolleybus before the civil courts. The police gave Rīgas satiksme only the passenger’s name. They refused to provide the ID number and address.”

He then addresses the questions referred to the CJEU.

The first was this: does Directive 95/46/EC oblige the data controller to provide the requested personal data in such circumstances, i.e. where the requester seeks it in order to sue the data subject?

Don’t be silly, says AG Bobek: self-evidently it does not. Just read the language of the Directive. Article 7 (implemented in the UK in Schedule 2 to the DPA) sets out conditions under which it is permissible to process personal data, but it imposes no duty to disclose personal data.

The second question was this: if there is no duty to disclose the requested personal data in this case, is it nonetheless permissible to do so?

Yes, of course, says AG Bobek. The requester has a perfectly good legitimate interest in receiving that personal data so that it can sue the data subject. No data protection problem here.

He explains his view through a detailed analysis of Article 7, i.e. the Schedule 2 DPA conditions: what they are for, what they mean, how they work. He focuses in particular on the much-loved catch-all that is, in the UK, condition 6(1) from Schedule 2.

But he bolsters that with a striking “data protection epilogue” based on a common-sense approach to data protection. He starts with the remark I cite at the start of this post. He accepts the importance of data protection: “protection of personal data is of primordial importance in the digital age” [94]. But it is important not to become a data protection fundamentalist. You must keep “the original and primary (certainly, by no means unique, simply primary) purpose of the legislation in mind: to regulate operations on a large scale carried out by mechanical, automated means, and the use and transfer of information obtained from it. By contrast, a much lighter touch is, in my humble opinion, called for in situations when a person is asking for an individual piece of information relating to a specific person in a concretised relationship, when there is a clear and entirely legitimate purpose resulting from normal operation of the law” [98].

His opinion concludes thus, at [99]:

“In sum, common sense is not a source of law. But it certainly ought to guide interpretation of it. It would be most unfortunate if protection of personal data were to disintegrate into obstruction by personal data.”

So there: if you like data protection, use it sensibly. Don’t wreck it by using it is a spurious barrier to common-sense actions. Okay?

We’ll see what the CJEU makes of this Opinion when it gives judgment in Rigas satiksme in due course.

But if you are a data protection lover – or even better, a data protection hater – do read AG Bobek’s Opinion, and his epilogue in particular. You won’t regret it.

Robin Hopkins @hopkinsrobin