According to clause 35 of the Dutch Data Protection Act (Wet bescherming persoonsgegevens; “DDPA”) a person (“data subject”) has the right to access the personal data that a party processes about him. This right is an elaboration of the principle of transparency and enables a person to check whether the processing complies with the DDPA. It is not necessary for a data subject to explain why he wants access to his personal data nor does he need to prove any particular interest therein.
In practice, an appeal based on the right to access often has little to do with privacy protection. Usually it is used in a dispute to obtain certain documents from the other party. Since the DDPA came into effect in 2001 several legal cases have been conducted on the right to access. The following categories highlight some of the common issues likely to arise such as: (i) which documents fall within the scope of the right to access, and in particular whether the data therein qualify as personal data (data that is directly or indirectly traceable to an individual); and (ii) questions with regard to the actual exercise of the right to access, particularly whether or not copies of documents containing personal data should be provided.
With regard to this last question, the Dutch courts differed sharply. The highest civil court, the Supreme Court, held that the right to access should be interpreted broadly: in principle, copies of documentation should be provided to anyone who requests access. On the other hand, the highest administrative court, the Administrative Jurisdiction Division of the Council of State, as a starting point, stated that the right to access must be interpreted narrowly and that copies do not always have to be provided. It suffices to provide an overview of the personal data processed.
To clarify which line should be followed in the Netherlands, both the Middelburg District Court and the Administrative Jurisdiction Division have independently asked preliminary questions to the Court of Justice of the EU in Luxembourg. This has been possible since the right to access in the DDPA is an implementation of the European Privacy Directive 95/46/EC.
Both cases dealt with refused residency permits. The applicants requested access to the minutes containing the grounds for refusal. The Minister for Immigration, Integration and Asylum refused to provide a copy of the minutes because a legal analysis would not qualify as personal data. A data subject requesting access receives an overview of his personal data, its origins and the bodies with which the information is shared. In short, the main questions submitted to the Court were as follows:
- Is the legal analysis recorded in the minutes to be regarded as personal data?
- Must a copy of the minutes be provided to fulfil the obligations under the right to access?
The Court consolidated both cases and ruled on 17 July.
According to the Court it is possible that a legal analysis recorded in the minutes may contain personal data, but the minutes as such do not qualify as personal data. The legal analysis is not to be regarded as information on the applicant because it relates to the interpretation and application of the law on the merits of the case. According to the Court, this is in line with the origin of the right to access, which stems from the notion that a person whose personal data are processed, must be able to verify that this is done in a correct and lawful manner. In a legal analysis, the data subject cannot verify this nor can the analysis be corrected by relying on the right of correction since this right exists to verify whether your personal data are processed correctly and not to review a legal analysis. The purpose of the Privacy Directive is to ensure the privacy of the data subject and is not a means of providing a right of access to administrative documents. It is remarkable that so far, both the Supreme Court and the Administrative Jurisdiction Division were of the opinion that if a person appealed using the right to access, the purpose behind the application was irrelevant. The Court qualifies this position slightly: the intention of the European legislator when drafting the Privacy Directive must be taken into account: the purpose of the data subject must match this intention.
With regard to dealing with a request to access, the Member States are free to determine in what manner access must be provided, as long as the information is provided in an understandable form. This means that the data subject must be able to inspect the information and must be able to check whether the information is processed in accordance with the Privacy Directive. Applying this approach means he can exercise his right to correct inaccurate information. The restrictive interpretation of the right to access, as advocated by the Administrative Jurisdiction Division, thus appears to be the accepted route. If a copy is provided, then all information which does not qualify as personal data can be removed.
In practice, it will still be a challenge to determine which information in a document should be regarded as personal data. It will therefore be interesting to see how future case law will deal with this issue.
The joint cases C-141/12 and C-372/12 can be found on http://www.curia.eu