Having recently received a telling off after being caught on camera whilst channeling Baby Driver on the school run, I read the ECJ's latest data protection judgment with interest (and no little relief).
That’s because the ECJ found that the Latvian law permitting the publication of a public register of traffic offences is incompatible with the GDPR. In Latvia, the Road Traffic Safety Directorate is required to maintain a register containing details of drivers’ penalty points, which can be made available to anyone on request, whether or not for commercial purposes.
According to the ECJ, the disclosure of this information is not (1) covered by the exemption for processing personal data in criminal matters under Article 2(2)(d) of the GDPR, or (2) necessary to achieve the objective pursued — namely, improving road safety. Whilst that objective is in the public interest, and rightly so, the court found that there are less intrusive ways to achieve the objective, particuarly given the serious interference with an individual’s rights that may result from being listed in the database.
This may also give rise to “social disapproval and result in stigmatisation of the data subject” — and whilst anyone who’s experienced my driving knows that only too well, the point is clear and applicable more widely: processing of any kind needs to be proportionate to the aims pursued, especially where those aims could be achieved in a less intrusive or restrictive way.
Authors
Stay Up To Date with Ropes & Gray
Ropes & Gray attorneys provide timely analysis on legal developments, court decisions and changes in legislation and regulations.
Stay in the loop with all things Ropes & Gray, and find out more about our people, culture, initiatives and everything that’s happening.
We regularly notify our clients and contacts of significant legal developments, news, webinars and teleconferences that affect their industries.