The convergence of public health imperatives and individual data protection rights has come under scrutiny in a recent landmark case delivered on the 5 October 2023 by the European Court of Justice (ECJ),following a request for preliminary ruling made by RK and the Ministerstvo zdravotnictví (Ministry of Health, Czech Republic). The court, in case C-659/22, delved into the complexities surrounding ‘processing’ of personal data under the General Data Protection Regulation.
Legal Context
The General Data Protection Regulation (GDPR) stands as a cornerstone in safeguarding the fundamental rights of individuals concerning the processing of personal data. Personal data under the GDPR refers to any information relating to an identified or identifiable natural person and includes information such as names, identification numbers, location data, online identifiers, or factors specific to an individual’s physical, physiological, genetic, mental, economic, cultural, or social identity.
Data protection law governs situations where personal data is ‘processed’ either manually or by automated means. The processing of personal data involves a wide range of activities performed on a person’s data. It encompasses activities such as collecting, recording, organizing, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, transmitting, disseminating, making available or destroying personal data.
Recital 1 of the GDPR underlines the fundamental nature of protecting individuals where their personal data is concerned. Additionally, Article 8(1) of the Charter of Fundamental Rights of the European Union and Article 16(1) of the Treaty on the Functioning of the European Union emphasizes the right of every person to have their personal data protected.
Case Background
In an effort to mitigate the spread of the COVID-19 virus, the ‘EU Digital COVID Certificate Regulation’ (EUDCC) (EU) 2021/953 (now no longer in force) was implemented. The regulation established a legal ground for processing personal data necessary to issue certificates and to verify and confirm the authenticity of such certificates in compliance with the GDPR. In an effort to facilitate free movement during the pandemic, the Regulation specifically required Member states to issue COVID-19 certificates containing a barcode with information relating to the identity of its holder. The processing of personal data in the certificates under Regulation 2021/953 was however limited to the verification and confirmation of the holder’s vaccination, test result, or recovery. Therefore, in line with the data minimisation principle under the GDPR, personal data had to be limited to the purpose that was strictly necessary and could not be retained by authorities.
The case in request for preliminary ruling emanated from a measure adopted by the Czech Ministry of Health. The measure sought to regulate access to certain indoor and outdoor premises, as well as participation in mass-organised events. Such measure was carried out in an effort to mitigate the spread of the virus. It required operators to conduct COVID-19 certificate checks using the Czech Ministry’s mobile application ‘čTečka’. Such application guaranteed reliable verification of the authenticity and validity of the certificate presented containing a QR code. If an individual failed to show compliance with such checks, the operator was prohibited from allowing the person access to the premises or events.
Challenging the measure, an individual identified as RK initiated legal proceedings, prompting the Supreme Administrative Court of the Czech Republic to seek a preliminary ruling from the European Court of Justice. The central question revolved around whether the validation of EU Digital COVID Certificates using the ‘čTečka’ application constituted automated processing of personal data under Article 4(2) of the GDPR since some of the information contained in the certificate would be considered to be personal data within the meaning of article 4(1) of the GDPR.
The referring court explained that the ‘čTečka’ serves as a tool for verifying the authenticity of EU Digital COVID Certificates, as outlined in Regulation 2021/953. This application facilitated the validation process by scanning the QR code on the certificate through a mobile phone’s camera. Upon scanning, the application provided a preview of essential identification details, including the certificate holder’s surname, first name, and date of birth, along with the certificate’s status (valid or invalid). The referring court explained that by clicking on a specific button of the application, the person conducting the check is able to access the complete set of the information shown in the certificate, such as vaccination, type of vaccine, vaccine manufacturer, number of doses received, date of vaccination, date of first positive result and certificate issuer. The ‘čTečka’ application temporarily displayed such data on the mobile screen of the person conducting the check.
Decision
The question that arose was whether the concept of ‘processing’ of personal data must be interpreted as including the verification, using a national mobile application, of the validity of the COVID-19 vaccination, test and recovery certificate, issued pursuant to Regulation 2021/953. The court, in its ruling, affirmed that certain information accessed during the validation of an EU Digital COVID Certificate qualifies as ‘personal data’ under Article 4(1) of the GDPR and given the broad meaning attributed to the concept of ‘processing’, the Court concluded that the validation process conducted through the ‘čTečka’ application for the EU Digital COVID Certificates does qualify as ‘processing’ under Article 4(2) of the GDPR.
Implications
While COVID-19 may no longer dominate current discussions, this landmark ruling establishes that the process of scanning a certificate by a device—allowing the person conducting the check to consult personal data at the end of the automated process (scanning) and the consequent use of such data to assess whether the situation of the data subject complies with the applicable national health requirements—does constitute ‘processing’ within the meaning of the GDPR. The court further ruled the outcome of the assessment to also be automated. A green check mark is displayed on the device of the person conducting the check when the health requirements are complied with, while a red check mark is displayed if they are not. The court held that this process, involving automated means, is considered ‘processing’ under the GDPR and, therefore, falls within the purview of data protection laws.
The court’s decision resolves a prolonged argument by affirming that generating information on a screen can be considered data processing, even if the data is not stored or shared elsewhere.
Author: Eliza Azzopardi
Disclaimer: Ganado Advocates is responsible for contributing this law report but was not in any way involved as legal advisor for the parties in the judgement being covered in this law report. This article was first published on The Malta Independent on 27/12/2023.