IP case law Court of Justice

of 24 Mar 2022, C-245/20 (Autoriteit Persoonsgegevens)

General data protection law > Chapter VI - Independent supervisory authorities > Competence

JUDGMENT OF THE COURT (First Chamber)

24 March 2022 (*)

(Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Competence of the supervisory authority – Article 55(3) – Processing operations of courts acting in their judicial capacity – Concept – Making available to a journalist of documents arising from court proceedings containing personal data)

In Case C-245/20,

REQUEST for a preliminary ruling under Article 267 TFEU from the Rechtbank Midden-Nederland (District Court, Central Netherlands), made by decision of 29 May 2020, received at the Court on the same day, in the proceedings

X,

Z

v

Autoriteit Persoonsgegevens

THE COURT (First Chamber),

composed of K. Lenaerts, President of the Court, acting as President of the First Chamber, L. Bay Larsen, Vice-President of the Court, N. Jääskinen, J.-C. Bonichot (Rapporteur) and M. Safjan, Judges,

Advocate General: M. Bobek,

Registrar: L. Carrasco Marco, Administrator,

having regard to the written procedure and further to the hearing on 14 July 2021,

after considering the observations submitted on behalf of:

–        X and Z, by S.A.J.T. Hoogendoorn, advocaat,

–        the Autoriteit Persoonsgegevens, by G. Dictus and N.N. Bontje, advocaten,

–        the Netherlands Government, by K. Bulterman and C.S. Schillemans, acting as Agents,

–        the Spanish Government, by L. Aguilera Ruiz, acting as Agent,

–        the Polish Government, by B. Majczyna, acting as Agent,

–        the Portuguese Government, by L. Inez Fernandes and by P. Barros da Costa, L. Medeiros and I. Oliveira, acting as Agents,

–        the Finnish Government, by H. Leppo, acting as Agent,

–        the European Commission, by F. Erlbacher, H. Kranenborg and D. Nardi, acting as Agents,

after hearing the Opinion of the Advocate General at the sitting on 6 October 2021,

gives the following

Judgment

1        This request for a preliminary ruling concerns the interpretation of Article 55(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1).

2        The request has been made in proceedings between X and Z and the Autoriteit Persoonsgegevens (Data Protection Authority, Netherlands; ‘the AP’) concerning the access of journalists to personal data concerning them, included in a court file, at the hearing held before the Administrative Jurisdiction Division of the Raad van State (Council of State, Netherlands), in proceedings in which Z was a party and represented by X.

 Legal context

 European Union law

3        Recital 20 of Regulation 2016/679 states:

‘While this Regulation applies, inter alia, to the activities of courts and other judicial authorities, Union or Member State law could specify the processing operations and processing procedures in relation to the processing of personal data by courts and other judicial authorities. The competence of the supervisory authorities should not cover the processing of personal data when courts are acting in their judicial capacity, in order to safeguard the independence of the judiciary in the performance of its judicial tasks, including decision-making. It should be possible to entrust supervision of such data processing operations to specific bodies within the judicial system of the Member State, which should, in particular ensure compliance with the rules of this Regulation, enhance awareness among members of the judiciary of their obligations under this Regulation and handle complaints in relation to such data processing operations.’

4        Under Article 2 of that regulation:

‘1.      This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

2.      This Regulation does not apply to the processing of personal data:

(a)      in the course of an activity which falls outside the scope of Union law;

(b)      by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;

(c)      by a natural person in the course of a purely personal or household activity;

(d)      by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

3.      For the processing of personal data by the Union institutions, bodies, offices and agencies, Regulation (EC) No 45/2001 [of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ 2001 L 8, p. 1)] applies. Regulation [No 45/2001] and other Union legal acts applicable to such processing of personal data shall be adapted to the principles and rules of this Regulation in accordance with Article 98.

…’

5        Article 4(2) of the said regulation defines the concept of ‘processing’ as:

‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction’.

6        Pursuant to Article 51(1) of the same regulation:

‘Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union (“supervisory authority”).’

7        Last, Article 55 of Regulation 2016/679 provides as follows:

‘1.      Each supervisory authority shall be competent for the performance of the tasks assigned to and the exercise of the powers conferred on it in accordance with this Regulation on the territory of its own Member State.

2.      Where processing is carried out by public authorities or private bodies acting on the basis of point (c) or (e) of Article 6(1), the supervisory authority of the Member State concerned shall be competent. In such cases Article 56 does not apply.

3.      Supervisory authorities shall not be competent to supervise processing operations of courts acting in their judicial capacity.’

 Netherlands law

8        For the purposes of implementing Regulation 2016/679, the Kingdom of the Netherlands adopted the wet houdende regels ter uitvoering van Verordening (EU) 2016/679 van het Europees Parlement en de Raad van 27 april 2016 betreffende de bescherming van natuurlijke personen in verband met de verwerking van persoonsgegevens en betreffende het vrije verkeer van die gegevens en tot intrekking van Richtlijn 95/46/EG (algemene verordening gegevensbescherming) (PbEU 2016, L 119) (Uitvoeringswet Algemene verordening gegevensbescherming) (Law laying down the rules for the implementation of Regulation 2016/679 (Law implementing the General Data Protection Regulation)) of 16 May 2018 (Stb. 2018, No 144). Article 6 of that law entrusts the AP with the task of supervising compliance with Regulation 2016/679 in the Netherlands. None of the provisions of that law reproduces the exception provided for in Article 55(3) of Regulation 2016/679.

9        On 31 May 2018, the president of the Administrative Jurisdiction Division of the Raad van State (Council of State), the judicial administrations of the Centrale Raad van Beroep (Netherlands) and the College van Beroep voor het bedrijfsleven (Administrative Court of Appeal for Trade and Industry, Netherlands) adopted the regeling verwerking Persoonsgegevens bestuursrechtelijke colleges (Regulation on the processing of personal data in administrative courts). The latter act created the AVG-commissie bestuursrechtelijke colleges (Data Protection Commission for Administrative Law Tribunals, Netherlands; ‘the GDPR Commission’). The latter is responsible for advising the president of the Administrative Jurisdiction Division of the Raad van State (Council of State), the judicial authorities of the Centrale Raad van Beroep (Higher Social Security and Civil Service Court) and the College van Beroep voor het bedrijfsleven (Administrative Court of Appeal for Trade and Industry) on the handling of complaints relating to respect of the rights guaranteed by Regulation 2016/679.

 The dispute in the main proceedings and the question referred for a preliminary ruling

10      At the hearing held on 30 October 2018 before the Administrative Jurisdiction Division of the Raad van State (Council of State) in court proceedings in which Z was a party, represented by X, those two persons were approached by a journalist. During their conversation, X noted that that journalist had at his disposal documents from the case file concerned – including documents that he himself had drafted – showing his name and address in particular as well as Z’s national identification number. That journalist told him that those documents had been made available to him under the right of access to the case file which the Administrative Jurisdiction Division of the Raad van State (Council of State) grants to journalists.

11      By letter of 21 November 2018, the president of the Administrative Jurisdiction Division of the Raad van State (Council of State) confirmed to X that that division was providing the media with a certain number of documents on pending cases. He informed him that, on the day of the hearing, the communication department of the Raad van State (Council of State) made available to the journalists present documents intended to enable them to follow hearings, namely a copy of the notice of appeal, a copy of the response and, where appropriate, a copy of the contested judicial decision, those documents being destroyed at the end of the day.

12      X and Z then requested the AP to adopt with regard to the Raad van State (Council of State) ‘enforcement measures’ in respect of the rules on the protection of personal data. By their requests – which were akin to complaints – they claimed that, by allowing journalists to have access to personal data concerning them, originating from the documents in a court file, the Raad van State (Council of State) had infringed Regulation 2016/679.

13      In response to those requests, the AP stated that, pursuant to Article 55(3) of Regulation 2016/679, it was not competent to supervise processing operations of the personal data concerned, carried out by the Raad van State (Council of State). It subsequently forwarded the requests of X and Z to the GDPR Commission, which in turn forwarded them to the president of the Administrative Jurisdiction Division of the Raad van State (Council of State).

14      The president of the Administrative Jurisdiction Division of the Raad van State (Council of State) assessed the requests of X and Z as complaints relating to his letter of 21 November 2018 and, after having consulted the GDPR Commission, formulated a new policy on access to documents from court files, which was published on the website of the Raad van State (Council of State).

15      X and Z challenged, before the referring court, the Rechtbank Midden-Nederland (District Court, Central Netherlands), the decision by which the AP had found itself not competent to hear their requests.

16      According to that court, giving a journalist access to the documents in a court file containing personal data and making them temporarily available to him or her constitutes ‘processing’ of personal data within the meaning of Article 4(2) of Regulation 2016/679, to which, in this case, X and Z had not consented. With a view to determining whether the AP was indeed not competent to rule on the requests of X and Z, the referring court questions, however, the interpretation that should be given to Article 55(3) of that regulation, which provides that the supervisory authority is not competent to supervise processing operations of courts ‘acting in their judicial capacity’.

17      It is against this background that the Rechtbank Midden-Nederland (District Court, Central Netherlands) decided to stay the proceedings and to refer the following question to the Court of Justice for a preliminary ruling:

‘Is Article 55(3) of [Regulation 2016/679] to be interpreted as meaning that “processing operations of courts acting in their judicial capacity” can be understood to mean the provision by a judicial authority of access to procedural documents containing personal data, where such access is granted by making copies of those procedural documents available to a journalist, as described in the order for reference?

–        In answering that question, is it relevant whether the national supervisory authority’s supervision of that form of data processing affects independent judicial decisions in specific cases?

–        In answering that question, is it relevant that, according to the judicial authority, the nature and purpose of the data processing is to inform a journalist in order to enable the journalist to better report on a public hearing in court proceedings, thereby serving the interests of openness and transparency in the administration of justice?

–        In answering that question, is it relevant whether there is any express legal basis for such data processing under national law?’

 Consideration of the question referred

18      By its question, the referring court asks, in essence, whether Article 55(3) of Regulation 2016/679 must be interpreted as meaning that the fact that a court makes temporarily available to journalists documents from court proceedings containing personal data falls within the exercise, by that court, of its ‘judicial capacity’, within the meaning of that provision. In that context, it asks whether, in order to answer that question, it is necessary to take into account the interference which the supervisory authority’s exercise of its powers might have with the independence of the judges in the judgment of specific cases. It also asks whether it is necessary to take into consideration the nature and purpose of that making available of procedural documents – to enable journalists better to report on the course of court proceedings – or indeed whether that making available has an explicit legal basis in domestic law.

19      As a preliminary point, Z submits, first, that the question referred is hypothetical and that it is, as such, inadmissible. In his view, contrary to what the request for a preliminary ruling indicates, the processing of the data concerned is a matter not for the Administrative Jurisdiction Division of the Raad van State (Council of State), but for the latter’s communication department, which is not a court or tribunal. The request is also vitiated by several other errors or inaccuracies, in particular as regards the status of the person who approached X and Z at the end of the hearing and the exact content of the requests forwarded by the AP to the president of the Administrative Jurisdiction Division of the Raad van State (Council of State).

20      In that regard, it should be recalled that, according to settled case-law, questions relating to EU law enjoy a presumption of relevance. The Court may refuse to rule on a question referred by a national court for a preliminary ruling only where it is quite obvious that the interpretation of EU law that is sought bears no relation to the actual facts of the main action or its purpose, where the Court does not have before it the legal or factual material necessary to give a useful answer to the questions submitted to it or where the problem is hypothetical (see judgment of 24 November 2020, Openbaar Ministerie (Forgery of documents), C-510/19, EU:C:2020:953, paragraph 26 and the case-law cited).

21      What is more, in proceedings under Article 267 TFEU, which are based on a clear separation of functions between the national courts and the Court, the national court alone has jurisdiction to find and assess the facts in the case before it (see judgment of 26 April 2017, Farkas, C-564/15, EU:C:2017:302, paragraph 37 and the case-law cited).

22      It is apparent from the request for a preliminary ruling that the referring court is bound to take a position on the application of Article 55(3) of Regulation 2016/679 to the making available of procedural documents containing personal data at issue in the dispute in the main proceedings to determine whether or not the review of the lawfulness of the latter fell within the AP’s competence. It follows moreover from the case-law cited in the preceding paragraph of the present judgment that Z cannot rebut the presumption enjoyed by the question asked by the referring court merely by disputing the facts it mentions in its request, on which it is not for the Court to take a position. It follows that the plea of inadmissibility raised by Z must be rejected.

23      Second, Z submits that Article 55(3) of Regulation 2016/679 should be declared invalid by the Court on the ground that the lack of competence of the supervisory authority concerned as regards processing operations carried out by courts ‘acting in their judicial capacity’, provided for by that provision, is not coupled with the obligation for the Member States to lay down specific supervisory arrangements in respect of those processing operations, which he argues is contrary to the requirements arising from the right to an effective remedy.

24      However, such a line of argument cannot succeed since, as is apparent from recital 20 of Regulation 2016/679, the EU legislature, in enacting Article 55(3) of that regulation, did not intend to shield from all supervision processing operations carried out by courts ‘acting in their judicial capacity’, but merely ruled out the entrusting of the supervision of those operations to an external authority.

25      In order to answer the question asked by the national court, summarised in paragraph 18 above, it must first of all be noted that Article 2(1) of Regulation 2016/679 provides that that regulation applies to any ‘processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system’, without any distinction being made according to the identity of the person who carried out the processing concerned. It follows that, subject to the cases mentioned in Article 2(2) and (3) thereof, Regulation 2016/679 applies to processing operations carried out both by private persons and by public authorities, including, as recital 20 thereof indicates, judicial authorities, such as courts.

26      That reading is supported by the fact that several of the provisions of Regulation 2016/679 are subject to adjustments to take account of the specificities of the processing operations carried out by courts. That is particularly the case with Article 55(3) of that regulation, which excludes any competence of the supervisory authority in respect of processing operations carried out by courts ‘acting in their judicial capacity’.

27      Regulation 2016/679 can be distinguished in that regard from Directive 2003/4/EC of the European Parliament and of the Council of 28 January 2003 on public access to environmental information and repealing Council Directive 90/313/EEC (OJ 2003 L 41, p. 26), which does not apply to courts and tribunals (judgment of 15 April 2021, Friends of the Irish Environment, C-470/19, EU:C:2021:271, paragraphs 34 to 40).

28      In order to determine the scope of the concept of processing operations carried out by courts acting in their judicial capacity, within the meaning of Article 55(3) of Regulation 2016/679, it must be recalled that the interpretation of a provision of EU law must consider not only its wording, but also the context in which it occurs and the objectives pursued by the legislation of which it is part (see, to that effect, inter alia, judgment of 6 October 2020, Jobcenter Krefeld, C-181/19, EU:C:2020:794, paragraph 61 and the case-law cited).

29      In that regard, it is apparent from Article 55 of Regulation 2016/679 that the purpose of that article is to define competence in matters of supervision of the processing of personal data and, in particular, to delimit the competence vested in the national supervisory authority.

30      Article 55(3) of Regulation 2016/679 thus provides that processing operations carried out by courts ‘acting in their judicial capacity’ fall outside the competence of that supervisory authority.

31      Recital 20 of Regulation 2016/679, in the light of which that Article 55(3) must be read, states that it should be possible to entrust supervision of processing operations carried out by the courts ‘acting in their judicial capacity’ to specific bodies within the judicial system of the Member State concerned rather than to the supervisory authority under the authority of that Member State, in order to ‘safeguard the independence of the judiciary in the performance of its judicial tasks, including decision-making’.

32      As the Advocate General observed in points 80 and 81 of his Opinion, it is apparent from the very wording of recital 20 of Regulation 2016/679, and in particular from the use of the expression ‘including’, that the scope of the objective pursued by Article 55(3) of that regulation, consisting in safeguarding the independence of the judiciary in the performance of its judicial tasks, cannot be confined solely to guaranteeing the independence of the judges in the adoption of a given judicial decision.

33      After all, safeguarding the independence of the judiciary presupposes, in general, that judicial functions are exercised wholly autonomously, without the courts being subject to any hierarchical constraint or subordinate relationship and without taking orders or instructions from any source whatsoever, thus being protected from any external intervention or pressure liable to jeopardise the independent judgment of their members and to influence their decisions. Observance of the guarantees of independence and impartiality necessary under EU law requires rules in order to dispel any reasonable doubt in the minds of individuals as to the imperviousness of the body in question to external factors and its neutrality with respect to the interests concerned (see, to that effect, inter alia, judgments of 27 February 2018, Associação Sindical dos Juízes Portugueses, C-64/16, EU:C:2018:117, paragraph 44; of 25 July 2018, Minister for Justice and Equality (Deficiencies in the system of justice), C-216/18 PPU, EU:C:2018:586, paragraph 63; of 24 June 2019, Commission v Poland (Independence of the Supreme Court), C-619/18, EU:C:2019:531, paragraph 72; and of 21 December 2021, Euro Box Promotion and Others, C-357/19, C-379/19, C-547/19, C-811/19, C-840/19, EU:C:2021:1034, paragraph 225).

34      Accordingly, the reference in Article 55(3) of Regulation 2016/679 to processing operations carried out by courts ‘acting in their judicial capacity’ must be understood, in the context of that regulation, as not being limited to the processing of personal data carried out by courts in specific cases, but as referring, more broadly, to all processing operations carried out by courts in the course of their judicial activity, such that those processing operations whose supervision by the supervisory authority would be likely, whether directly or indirectly, to have an influence on the independence of their members or to weigh on their decisions are excluded from that authority’s competence.

35      In that regard, while the nature and purpose of the processing carried out by a court relate principally to the examination of the lawfulness of that processing, they may constitute indicia that that processing falls within the exercise, by that court, of its ‘judicial capacity’.

36      On the other hand, the question whether the processing has an explicit legal basis in domestic law or whether the personal data contained therein may lawfully be disclosed to third parties relates exclusively to the examination of the lawfulness of the processing, those elements being irrelevant to determining whether the supervisory authority is competent to ensure the supervision of that processing operation on the basis of Article 55 of Regulation 2016/679.

37      As regards processing such as that at issue in the main proceedings, it must be held that, without prejudice to compliance with the substantive obligations laid down by Regulation 2016/679, the processing of personal data carried out by courts in the context of their communication policy on cases before them, such as those consisting in the temporary making available to journalists of documents from a court case file in order to enable them to cover it in the media, inter alia, falls outside the competence of the supervisory authority, pursuant to Article 55(3) of that regulation.

38      The determination, having regard to the subject matter and context of a given case, of the information from a court case file that may be provided to journalists in order to enable them to report on the course of court proceedings or to shed light on one or other aspect of a decision delivered is clearly linked to the exercise, by such courts, of their ‘judicial capacity’, the supervision of which by an external authority would be liable to undermine, in general, the independence of the judiciary.

39      In the light of all the foregoing considerations, the answer to the question referred is that Article 55(3) of Regulation 2016/679 must be interpreted as meaning that the fact that a court makes temporarily available to journalists documents from court proceedings containing personal data in order to enable them better to report on the course of those proceedings falls within the exercise, by that court, of its ‘judicial capacity’, within the meaning of that provision.

 Costs

40      Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the national court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.

On those grounds, the Court (First Chamber) hereby rules:

Article 55(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) must be interpreted as meaning that the fact that a court makes temporarily available to journalists documents from court proceedings containing personal data in order to enable them better to report on the course of those proceedings falls within the exercise, by that court, of its ‘judicial capacity’, within the meaning of that provision.

[Signatures]

*      Language of the case: Dutch.


Disclaimer