Data relating to penalty points imposed on drivers due to road traffic offences should not be divulged to the public, the Court of Justice of the European Union (CJEU) has recently affirmed. This would be in breach of the EU’s General Data Protection Regulation (GDPR), which regulates the processing of personal data relating to individuals.
The processing of personal data belonging to EU citizens is regulated by the GDPR, which is directly applicable in all member states. Personal data refers to any information that relates to an identified or identifiable living individual. Processing covers a wide range of operations performed on personal data, both by manual and automated means. It includes, among others, the collection, recording, organisation, storage, adaptation or alteration, use and disclosure of personal data.
Personal data can only be lawfully processed if one of the grounds provided for in the GDPR subsists, such as, where there is the consent of the individual concerned, or where processing is necessary for the performance of a task carried out in the public interest under EU or national legislation.
The GDPR provides for enhanced protection in so far as processing of personal data relating to criminal convictions and offences is concerned. Such processing can only be carried out only under the control of official authority or when the processing is authorised by law while providing for appropriate safeguards for the rights and freedoms of data subjects.
The GDPR itself makes provision for some instances where this regulation is not applicable, such as where there is processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding public security.
The facts of this case were briefly as follows:
Penalty points were imposed on an individual due to some road traffic offences. The Latvian Road Safety Directorate (CSDD) entered these penalty points in the national register of vehicles and their drivers. Latvian law provides that information relating to penalty points imposed on drivers of vehicles entered in this register is accessible to the public and disclosed to any person who so requests it, without that person having to establish a specific interest in obtaining such information.
The individual concerned filed a court case before the national courts, requesting the latter to assess whether the Latvian legislative measure complied with the constitutional right to respect for private life. The Latvian government raised the argument that the objective of the Latvian law was that of improving road safety. The national court seized of the case filed a preliminary reference before the CJEU, requesting its guidance on the applicability or otherwise of the GDPR to the case at hand.
The CJEU affirmed that information relating to penalty points is personal data and that its disclosure by the authorities to third parties constitutes processing which falls within the material scope of the GDPR.
The court went on to confirm that such processing is not covered by the exceptions which would render the GDPR inapplicable. It explained that the designated exceptions exclude from the scope of the GDPR, the processing of personal data carried out by state authorities during an activity which is intended to safeguard national security, or a similar activity intended to protect essential state functions and the fundamental interests of society.
The CJEU maintained that actions relating to road safety do not pursue such an objective and consequently cannot be classified in the same category as activities intended to safeguard national security. Neither can the disclosure of penalty points be considered as falling outside the purview of the GDPR, due to its classification as “processing of personal data by competent authorities in criminal matters”. The CSDD cannot be categorised as being such a “competent authority”, the court opined.
A serious interference with rights to respect for private life and protection of personal data
The CJEU then went on to examine whether access to data relating to penalty points amounts to processing of personal data relating to ‘offences’, which would benefit from enhanced protection in terms of the GDPR.
The court affirmed that reference was made to criminal offences. It alluded to the three relevant criteria to be taken into consideration when assessing whether an offence is criminal in nature, namely the legal classification of the offence under national law, the nature of the offence and the degree of severity of the penalty incurred. The CJEU then proceeded to apply these criteria to the facts at hand.
The court affirmed that, even if offences are not classified as ‘criminal’ by national law, the nature of the offence and, in particular, the punitive purpose pursued by the penalty that the offence may give rise to, may still result in an offence being considered to be criminal in nature. It went on to conclude that penalty points for road traffic offences are intended to have such a punitive purpose.
The court observed that only road traffic offences of a certain seriousness entail the giving of penalty points, and such points are often awarded in addition to the actual punishment. The accumulation of such points themselves has legal consequences which may even extend to a driving ban. Hence, the CJEU concluded that the data at issue did classify as data relating to an ‘offence’ within the meaning of the GDPR, and hence benefitted from enhanced protection.
The CJEU overruled the improvement of the road safety objective raised by the Latvian government. It maintained that while road safety may be classified as a ‘task carried out in the public interest’ in terms of the GDPR, which could in turn serve as a legal ground on which to process data, it could not be concluded that the Latvian scheme of disclosing personal data relating to penalty points was necessary to achieve the objective pursued. There were other methods entrenched in Latvian legislation which would have enabled it to achieve such an objective by means which are less restrictive of the fundamental rights of the persons concerned.
The court acknowledged that the public disclosure of penalty points is liable to constitute a serious interference with the rights to respect for private life and to the protection of personal data, since it may give rise to social disapproval and result in stigmatisation of the data subject.
The promulgation of the GDPR did much to enhance the protection of personal data of EU citizens. Both competent authorities and private entities must ensure that any processing of data belonging to individuals is carried out in full compliance with the rules entrenched in the said regulation. Any illegal processing of such data may indeed give rise to the imposition of hefty fines by the relevant data protection authorities.
Mariosa Vella Cardona, freelance legal consultant
Independent journalism costs money. Support Times of Malta for the price of a coffee.