Having recently received a telling off after being caught on camera whilst channeling Baby Driver on the school run, I read the ECJ's latest data protection judgment with interest (and no little relief).
That’s because the ECJ found that the Latvian law permitting the publication of a public register of traffic offences is incompatible with the GDPR. In Latvia, the Road Traffic Safety Directorate is required to maintain a register containing details of drivers’ penalty points, which can be made available to anyone on request, whether or not for commercial purposes.
According to the ECJ, the disclosure of this information is not (1) covered by the exemption for processing personal data in criminal matters under Article 2(2)(d) of the GDPR, or (2) necessary to achieve the objective pursued — namely, improving road safety. Whilst that objective is in the public interest, and rightly so, the court found that there are less intrusive ways to achieve the objective, particuarly given the serious interference with an individual’s rights that may result from being listed in the database.
This may also give rise to “social disapproval and result in stigmatisation of the data subject” — and whilst anyone who’s experienced my driving knows that only too well, the point is clear and applicable more widely: processing of any kind needs to be proportionate to the aims pursued, especially where those aims could be achieved in a less intrusive or restrictive way.
The Court holds that the GDPR precludes the Latvian legislation. It notes that it has not been established that disclosure of personal data relating to the penalty points imposed for road traffic offences is necessary, particularly with regard to the objective of improving road safety invoked by the Latvian Government