
SIMULTANEOUS APPLICATION OF THE TRANSPARENCY AND DATA PROTECTION REGULATIONS

ACCESS TO DOCUMENTS AND PROTECTION OF PERSONAL DATA IN LIGHT OF CASE-LAW

1. COURT OF JUSTICE OF THE EUROPEAN UNION

1.1 EUROPEAN COMMISSION V BAVARIAN LAGER

1.1.2 SIMULTANEOUS APPLICATION OF THE TRANSPARENCY AND DATA PROTECTION REGULATIONS

It has already been noted that AG Sharpston suggested that provisions of the two Regulations might not actually be in conflict.583 As mentioned in Chapter I, Zucca emphasizes that genuine constitutional conflicts need to be distinguished from spurious ones,584 also noting that conflicts resolved by rational argument must also be distinguished from the genuine conflicts.585 If AG Sharpston’s Opinion had been adopted, the dilemma would have been resolved very much in line with Zucca’s thesis; the conflict between these two Regulations being recognized as spurious.

Thus, genuine conflict between rights would not exist and the dilemma could be resolved by recognizing the conflict for what it actually is.

However, both the General Court and the Court of Justice did identify a tension between rights even if they took different approaches to solving it. In relation to the more specific provisions, the main disagreement in the Bavarian Lager case seems to relate to the conflict between Article 6(1) of the Transparency Regulation and Articles 8(a) and 18(a) of the Data Protection Regulation. In addition to this conflict, this case provides an example of the tension between the two Regulations at the level of principles in the Dworkinian sense.586 In this case, the conflict of rules is only a surface-level consequence of a tension in the underlying principles. As such, the solution must be deduced from the underlying levels of law.587

The General Court concluded that the full minutes, including the names, did not fall under the exception provided in Article 4(1)(b), which concerns the protection of one’s personal data. As this exception was not applicable, the provisions of the protection of personal data Regulation were not applicable either.588, 589 Thus, under the judgment of the General Court, it seems that the application of these two Regulations in situations such as that of Bavarian Lager, consists of two steps: first, whether the exception laid down in Article 4(1)(b) is applicable must be evaluated, and second, if it is, the disclosure of personal data must be evaluated under the provisions of this Regulation.590

583 Opinion of AG Sharpston in Case C-28/08, Bavarian Lager, ECLI:EU:C:2009:624, delivered 15 October 2009, para 104.

584 L. Zucca, Conflicts of Fundamental Rights as Constitutional Dilemmas, in Brems (ed.) Conflicts between Fundamental Rights, (Intersentia, 2008), 24–26.

585 L. Zucca, Conflicts of Fundamental Rights as Constitutional Dilemmas, in Brems (ed.) Conflicts between Fundamental Rights, (Intersentia, 2008), 24–28.

586 R. Dworkin, Taking Rights Seriously, (London, 2009) 14–81.

587 For more on the various levels of law, see K. Tuori, Kriittinen oikeuspositivismi, (Helsinki, 2000).

588 Case T-194/04, Bavarian Lager v Commission, ECLI:EU:T:2007:334, paras 133–136, 139.

589 See also H. Kranenborg, “Access to documents and data protection in the European Union: On the public nature of personal data” in Common Market Law Review 45 (2008), 1094–1096.

AG Sharpston adopted the General Court’s approach in part. However, unlike the General Court, the AG attempted to provide a more comprehensive approach to solving the dilemma.591 Given this bold attempt, this Opinion is worth examining, even if the Court of Justice did reject it. The essence of her Opinion seems to lie in the definition of the scope of the Data Protection Regulation and its relation to the Transparency Regulation. Her approach is closely related to the interpretation of Article 3(2) of the Data Protection Regulation. Sharpston notes, for example, that

“the clear implication of Lindqvist is that, as soon as processing of personal data is automatic or partly automatic, it falls within the scope of the data-protection legislation (be that Directive 95/46 or Regulation No. 45/2001). However, a request for disclosure of documents made under Regulation No 1049/2001 is not – as I understand it – treated that way. Rather it is examined individually and manually”.592 It is not entirely clear how this should be interpreted. It seems as if the AG is assessing how to define the requests for disclosure of documents, i.e. whether the requests for access are to be considered as processing of personal data that falls within the scope of the Data Protection Regulation.

It should first be noted that the definition of processing of personal data as laid down in Article 2(b) of the Data Protection Regulation clearly covers the functions described above.593 According to Article 2(b), disclosure by transmission, dissemination or otherwise making personal data available are to be considered as processing of personal data, among other things. This would clearly cover the requests for the disclosure of documents as well. The AG’s approach would mean that the disclosure of documents should be considered processing of personal data, which partly falls outside of the scope of the Data Protection Regulation. To decide what documents would fall outside its scope, AG Sharpston created two different categories of requests for documents that include personal data.594 In essence, she distinguished “real requests” from “disguised requests” based mostly on the amount of personal data that the documents cover.595 However, the Court of Justice stated quite clearly in the Satakunnan Markkinapörssi case that all exceptions to the protection of personal data must be carried out as narrowly as strictly necessary.596 Excluding some processing of personal data entirely from the scope of the Regulation seems to create even more limitations on the protection of personal data than the broad interpretation of exceptions. It seems to follow that the scope of the Regulation should be interpreted broadly rather than narrowly as suggested in the AG’s Opinion. Furthermore, it is not obvious which functions other than requests for access to documents should be excluded if the AG’s approach were to be adopted. It appears that there must be other functions containing processing of personal data individually and manually. Such questions could potentially arise at national level. Just consider a bank assessing an application for a loan; it would seem quite risky to state that this processing of personal data falls outside of the scope of the Data Protection Directive as its Article 3(1) is similar to Article 3(2) of the Data Protection Regulation.597

590 The European Data Protection Supervisor also supported this approach; see, for example, Pleading of the EDPS in Public Hearing in Case C-28/08P (16 June 2009), available on the internet <http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Court/2009/09-06-16_pleading_C-28-08P_EN.pdf> [last visited 29.9.2011] as well as European Data Protection Supervisor, Public access to documents containing personal data after the Bavarian Lager ruling.

591 It ought to be mentioned that the Opinion was found quite exceptional among the various stakeholders, which the requests of the Commission and the European Data Protection Supervisor to re-open the case after the Opinion was delivered clearly indicate. See case C-28/08P, Bavarian Lager, ECLI:EU:C:2010:378, paras 35–39.

592 Opinion of AG Sharpston in Case C-28/08, Bavarian Lager, ECLI:EU:C:2009:624, delivered 15 October 2009, para 125. See also Case C-101, Lindqvist, ECLI:EU:C:2003:596.

593 This did not change with the entry into force of the EU Institutions’ Data Protection Regulation.

594 Opinion of AG Sharpston in Case C-28/08, Bavarian Lager, ECLI:EU:C:2009:624, delivered 15 October 2009, paras 158–166.

AG Sharpston argued in favour of the narrow interpretation that a broad interpretation would unnecessarily restrict the application of the Transparency Regulation.598 While this concern is justified, the correct balance between the two Regulations can be achieved by other means. For instance, one of the founding principles of the Transparency Regulation is that all exceptions are laid down in the Regulation itself. In accordance with well-established case-law, since all these exceptions are to be interpreted narrowly,599 the provisions of the Data Protection Regulation should be interpreted in light of the founding principles of the Transparency Regulation when a case is examined under its provisions. Thus, simultaneous application of both Regulations should not be read as setting aside the provisions or principles of the Transparency Regulation as such. Furthermore, the distinction between “real” and “disguised” requests for documents does not seem to solve the problem but rather create a new one, since it would be rather difficult to separate the so-called disguised access to document requests from the real ones.

While AG Sharpston’s Opinion offers an interesting alternative for solving the dilemma of this thesis, the Court of Justice chose the approach of setting the full application of both Regulations as a founding principle.600 Despite the merits of the two-step approach adopted by the General Court, the Court of Justice did not accept this approach either, providing its own interpretation of the relationship between the two Regulations. In essence, the focal point in both the General Court and the Court of Justice judgments, and the point of disagreement between the two courts, was the relationship between the Transparency and the Data Protection Regulations.

595 Ibid.

596 Case C-73/07, Satakunnan Markkinapörssi and Satamedia, ECLI:EU:C:2008:727, para 56.

597 The same applies regarding the GDPR and new EU institutions’ Data Protection Regulation.

598 Opinion of AG Sharpston in Case C-28/08, Bavarian Lager, ECLI:EU:C:2009:624, delivered 15 October 2009, para 149.

599 See, to that effect, Case T-20/99, Denkavit Nederland v Commission, ECLI:EU:T:2000:209, para 45; Case C-64/05 P, Sweden v Commission and Others, ECLI:EU:C:2007:802, para 66; Joined cases C-39/05 P and C-52/05 P Sweden and Turco/ Council, ECLI:EU:C:2008:374, para 36.

The Court of Justice found that the General Court had limited the application of Article 4(1)(b) of the Transparency Regulation to only those cases where the privacy or the integrity of the persons concerned were at stake, and in doing so had not taken the EU legislation regarding the protection of personal data properly into account.

The Court of Justice went further, stating that “in acting that way, the General Court disregards the wording of Article 4(1)(a) of Regulation No 1049/2001, which is an indivisible provision and requires that any undermining of privacy and the integrity of the individual must always be examined and assessed in conformity with the legislation of the Union concerning the protection of personal data, and in particular with Regulation No 45/2001”. Before coming to this conclusion, the Court of Justice had also noted that the two Regulations had been adopted around the same time and neither included any provision that would justify displacing the other Regulation.601 If this had been the case, the legislator would have resolved the tension between two different principles in favour of one, and drafted the provisions accordingly. Thus, no collision of rules would exist, simply an exception to the main rule.602

Thereafter, the Court of Justice concluded that in applying the Transparency Regulation in situations where the documents to which the applicant is seeking access include personal data, the Data Protection Regulation becomes applicable as well. The Court of Justice underlined that all of its provisions will apply in these cases in their entirety, including Articles 8 and 18. The Court of Justice concluded that the General Court had dismissed the application of these articles in its judgment.603 Thus the Court of Justice decided to set aside the General Court’s decision as far as it annulled the Commission’s decision and adopted an entirely different approach to solving the dilemma.

600 Case C-28/08P, Bavarian Lager, ECLI:EU:C:2010:378, para 56.

601 Case C-28/08P, Bavarian Lager, ECLI:EU:C:2010:378, paras 56, 58–59.

602 As earlier noted, exceptions do not lead to conflict in the Dworkinian sense.

603 Case C-28/08P, Bavarian Lager, ECLI:EU:C:2010:378, paras 63, 64.

1.1.3 THE DATA SUBJECT’S RIGHT TO OBJECT TO THE PROCESSING OF DATA