22 November 2022 – Online conversation
1. Introduction
2. The role and organisation of the administrative justice in the Czech Republic
- two court instances: Regional Courts and the Supreme Administrative Courts (“SAC”)
- three types of claims: (i) review of administrative decisions (most frequent); (ii) petition against “unlawful interference”; and (ii) petition against the failure (of public authority) to issue a decision or a certificate
- SAC – 30+ judges, 10*three judges’ chambers, and specific chambers (7-9 judges’ grand chamber, jurisdiction conflicts chambers etc.)
- apart from appeals against the decisions of regional courts, SAC covers other agendas (elections, local referenda, disciplinary infractions of judges, prosecutors and bailiffs, jurisdiction conflicts etc.)
- no specialisation and very broad agenda across all fields of public administration (fiscal/ taxation matters, immigration law, administrative sector regulation (environment, energy, water etc.), administrative sanctions and – data protection)
- SAC has very limited “filtering” of the cases (asylum agenda, minor administrative offences)
- “historical” jurisprudence; due to various delays within the court system SAC is adjudicating the cases while applying “historical” law → pre-GDPR legislation still subject to deliberation of SAC
- case law depends on the cases brought for resolution to the SAC → disadvantages of case law: complexity & volume, rigidity, illogical distinctions, unpredictability, dependence on chance, unsystematic progression, lack of [sociological] research, retrospective effect [Catherine Elliot, Frances Quinn: English Legal System]
3. Selected cases:
(a) “Bullies in the school”
On 11 March 2019, the Municipal Court in Prague upheld a relatively low fine (CZK 8,000; approximately EUR 300), imposed by the Czech Office for Data Protection (i.e. the Czech national data regulator – the “Office”) on a municipality Moravský Beroun for inappropriate disclosure of personal data in a document addressed to members of the municipal board (zastupitelstvo).
The document was issued by psychologists and concerned an investigation of the case of bullying in a local grammar school (founded by the municipality). The document contained the names of both the bullies and their victim. The court ruled that the identification of persons was inappropriate and unnecessary. The role of the school “founder” is exercised by the municipal council (městská rada) and not by the municipal board. But above all, the identification of the pupils involved was unnecessary if the purpose of the disclosure was information about the issue to the municipal board members. The decision was approved for publication in the Collection of Decisions of SAC.
http://nssoud.cz/files/EVIDENCNI_LIST/2017/14A_89_2017_21_20190624145532_prevedeno.pdf
(b) Former minister as “data controller”
On 17 August 2018, SAC issued the following decision. The plaintiff was a former member of the Czech government who was later prosecuted for certain actions committed while she was in the office. As a part of her defence strategy, she published on her website the records from examination of 37 witnesses in her criminal proceedings. The Office viewed this as administrative offence and imposed a fine of CZK 16,000 (approximately EUR 650).
SAC expressed its views on legality of sanctions, imposed by the Office. The Office substantiated its decision by a breach of duty of confidentiality of parties, cooperating with the data controller (section 15(1) of the then applicable Data Protection Act). However, SAC disagreed and held that the individual was actually processing personal data (also within the meaning of Article 4(2) of GDPR). So she had a status of the data controller and the corresponding duties; at the same time, she cannot benefit from the exemption for the “personal or household activity”. For these reasons, the court quashed both decisions of the Regional Court and the Office and remanded the case back to the Office for further proceedings.
SAC ruled that – in general terms – when deciding on administrative sanctions where the “old” Czech Data Protection Act is still applicable, the Office should apply GDPR if it is more favourable for the perpetrator. But no such favourable provision was identified by SAC in the case at hand.
(c) Building cooperative in Prague
The plaintiff and complainant was “Stavební bytove družstvo”, a building cooperative (legal entity), which owns and administers several thousands of flats in Prague.
SAC sided with the Office and held that the Office needs not to enumerate all data subjects when sanctioning a breach of the data protection regulation. The Court endorsed the situation where the Office defined the relevant data and data subjects only generically and provided a reasonable estimate of their quantity. The Court also confirmed that the data processing in breach of its purpose (section 45(1)(c) of the then applicable Data Protection Act) amounts to a continuing breach and so the liability for it does not expire by the lapse of prescription period, calculated from the commencement of the processing.
In this case, SAC also reviewed the complainant’s argument that the provisions of GDPR are more favourable for it. The complainant contended that, by GDPR coming into effect and due to delay in adopting the implementing Czech legislation, the administrative sanctions should not apply. SAC dismissed this argument because GDPR came into effect only after the complaint was filed and the application of favourable legislation is possible only in the administrative proceedings and/or before the regional courts (under the ruling of the Grand Chamber of SAC).
(d) Car plate number as personal data
The plaintiff challenged as “unlawful interference” the fact that the public authority disclosed his personal data from its administrative files concerning the prosecution of the plaintiff for a minor infraction (traffic rules violation). SAC dismissed his complaint (against the judgment of the regional court which dismissed his petition.
On one hand, SAC held that the car plate number constitutes personal data, if a natural person (as opposed to legal entity) is registered as the operator (provozovatel) of the car. This is because the operator is indirectly “identifiable” on the basis of the plate number. SAC referred to the objective concept of the personal data and referred to the case law of the Court of Justice of the European Union (Google Spain and Patrick Breyer). However, somewhat surprisingly SAC still ruled that the data disclosure to a third party (who submitted a request under the Czech Freedom of Information Act) in the case at hand was lawful because that particular party would be unable to identify the plaintiff from the personal data thus provided. This judgment has been criticised as not appreciating sufficiently the strictness of the objective test. Once the data are attributable to a specific natural person, they must not be disclosed (except if there are specific statutory reasons), irrespective of the (un)ability of that person to identify the data subject in reality.
4. Q&A session
* * *
[IMPORTANT NOTICE: Reading of the above cannot substitute knowledge of the decisions and their reasoning. The above contains only a summary and personal views of the author and, as such, must not be attributed to the Supreme Administrative Court.]