The storage of personal private information is a complex issue that requires some balance between the data subject's and the controller"s rights. Regarding the data subject’s rights, for instance, what are the data subject’s rights regarding transfer of his/her data to third parties and how long can he/she access the stored data; regarding the controller’s rights, how long can the controller keep personal private information, how it can transfer this data to third parties, and what are the storage rules. The answer to these questions may be easily found in any country’s data protection laws. In the European Union, however, the answers to these questions may vary despite the guidelines of data protection directives. This article presents the European Court of Justice’s decision regarding the right to access and time limit for the storage of personal information; a decision that tried to balance the rights of the data subject and the data controller.
Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281) is the community law that establishes data protection guidelines (hereafter 'the Directive'). Article 12 of the Directive is entitled "right of access,” and it orders member states to guarantee every data subject the right to obtain information from the controller. Information may be obtained without constraint, at reasonable intervals and without excessive delay or expense. The data subject also has the right to know whether data related to him/her is being processed, the category of data concerned, and the recipients or category of recipients to whom the data is disclosed. This article provides the data subject with the right to know about any rectification, erasure, or blocking of data that does not comply with the provisions of the Directive. Controllers have to notify the data subject about notifications controllers have made to third parties to whom they have disclosed information or sent notifications about rectifications, erasure or blocking of the data. The controller must implement technical and organizational measures to ensure a level of security appropriate to the risk represented by the processing and the nature of the data. Article 17(1). Article 22 and 23(1) of the Directive require member states to provide data subjects with the right to judicial remedy for any breach of the rights guaranteed by national law and this Directive.
Thus, regarding access and time limit for the storage of personal information, the Directive sets the basic rights for the data subject and the controller’s obligations; but gives member states the duty to implement these rights and obligations through national legislation.
The European Court of Justice (ECJ) interpreted Article 12(a) -Right to Access- in a 2009 decision, 2009 ECJ EUR-Lex LEXIS 313. In this case, the data subject was a college student and the controller was a public college in the Netherlands. The student requested the college information on the disclosure of his personal data to third parties during the last two years proceedings his request. National law established that controllers had to keep information on data disclosed to third parties or any communication involving people’s personal data for 1 year. Consequently, national law required the controllers to notify the data subject, within four weeks, “whether data relating to him from the local authority personal records have, in the year preceding the request, been disclosed to a purchaser or to a third party.” The student had moved to a new location, and wanted to know to whom the school had provided his previous address. The college provided the student with the pertinent information for the year preceding his request. The student wanted the information for two preceding years. Thus, he filed a complaint, which ultimately was referred to the ECJ for a preliminary ruling on the following question, “'Is the restriction, provided for in the [Netherlands] Law [on local authority personal records], on the communication of data to one year prior to the relevant request compatible with Article 12(a) of [the] Directive --, whether or not read in conjunction with Article 6(1)(e) of that directive and the principle of proportionality?'
The ECJ held that “[A]rticle 12(a) of the Directive requires Member States to ensure a right of access to information on the recipients or categories of recipient of personal data and on the content of the data disclosed not only in respect of the present but also in respect of the past. It is for Member States to fix a time-limit for storage of that information and to provide for access to that information which constitutes a fair balance between, on the one hand, the interest of the data subject in protecting his privacy, in particular by way of his rights to object and to bring legal proceedings and, on the other, the burden which the obligation to store that information represents for the controller.” Thus, the ECJ is clearly given member states the authority to set a time limit for the storage of private data so that it balances the data subject’s and the controller’s rights.
Also, the ECJ held that “[R]ules limiting the storage of information on the recipients or categories of recipient of personal data and on the content of the data disclosed to a period of one year and correspondingly limiting access to that information, while basic data is stored for a much longer period, do not constitute a fair balance of the interest and obligation at issue, unless it can be shown that longer storage of that information would constitute an excessive burden on the controller. It is, however, for national courts to make the determinations necessary.” This means, the ECJ considers that the one-year term to access information by the data subject does not constitute a fair balance between the data subject’s and the controller’s rights, unless keeping data longer becomes an excessive burden on the controller.
In this decision, the ECJ balanced the data subject’s right to know to whom his/her data is transferred or sold and the controller’s rights. A one-year term to access information by the data subject is definitely a short term, which could easily be extended without much expense or burden on the controller.
http://www.ibls.com/internet_law_news_portal_view.aspx?s=latestnews&id=2344
