By Jacqueline Clover
The Court of Justice of the European Union (‘CJEU’) has ruled that an analysis produced by an administrative agency to inform and support the agency’s formal decisions (‘legal analysis’) is not of itself “personal data” as defined under Directive 95/46/EC (the ‘EU Data Protection Directive’). This is the case even where the legal analysis contains information that is clearly “personal data”, such as an individual’s name, date of birth, nationality and gender. The ruling of 17 July 2014 in Joined Cases C-141/12 and C-372/12 YS v. Minister voor Immigratie, Integratie en Asiel, and Minister voor Immigratie, Integratie en Asiel v. M, S, is available here.
It is an important decision for two reasons. First, it clarifies the boundaries of what constitutes “personal data” under EU law. And, second, it clarifies that a data subject’s right of access under the EU Data Protection Directive does not necessarily require access to the actual records containing personal data. In some cases, a full summary of the personal data in an intelligible form suffices.
The CJEU handed down its ruling in the context of two Dutch cases that involved applications from third country nationals for residency permits in the Netherlands. As part of its decision-making and review process, the Dutch immigration ministry produced a legal analysis of each application, which contained the ministry’s reasons and justifications for its decision on the applicant’s case. The legal analysis was a supporting document, it was not appended to the decision and it was intended only for internal use. In both cases, the ministry rejected each applicant’s request to access the legal analysis. National-level litigation followed and eventually resulted in a referral to the CJEU. In the referral, the Dutch government asked the CJEU:
1) whether the legal analysis was “personal data” as defined in the EU Data Protection Directive, and therefore subject to its data subject access request regime; and
2) if an applicant does have a right to access the legal analysis itself, or personal data contained in the legal analysis, then how should the Dutch immigration ministry respond to the request?
On the first question, the applicants had contended that because, and in so far as, the legal analysis referred to a specific natural person and was based on the person’s situation and individual characteristics, the legal analysis itself was information relating to the applicant and therefore was “personal data”. The CJEU rejected this argument. The CJEU found instead that the legal analysis was, at most, information about the Dutch immigration ministry’s assessment and application of immigration laws to the applicant’s situation, albeit the applicant’s situation was established partly by using personal data. The Dutch government had also asked the CJEU to confirm that some of the data contained in the legal analysis was personal data. The answer to this question was straightforward: yes. The legal analysis contained typical examples of personal data, such as name, date of birth, nationality and gender.
On the second question, the applicants had asserted their access rights as data subjects under the EU Data Protection Directive in an attempt to access the legal analyses. Because of its answer to the first question, the CJEU found that an applicant did not have a right to access the legal analysis itself. But for content contained in the legal analysis that was “personal data”, the Dutch immigration ministry could have responded to an applicant’s access request by providing a full summary of the personal data in “an intelligible form”. In other words, a summary that allows the applicant to become aware of the data, to check that they are accurate and to check that the data have been processed in compliance with the EU Data Protection Directive.