Exercising the right of access to data by the data subject

Introduction

In a 21 March judgment, the Estonian Supreme Court referred a case to the European Court of Justice (ECJ) for a preliminary ruling on the intersection of a law enforcement directive and the EU legislation on personal data. Initially, a data subject requested information concerning him from the Money Laundering Reporting Bureau (the Bureau) but was denied on the ground that the Bureau could not disclose such information because it was received while performing its duties. The Bureau based its reason on Section 60 of the Money Laundering and Terrorism Financing Prevention Act and the Public Information Act, which provides that “only an official of the Financial Intelligence Unit has access to and the right to process the information in the Financial Intelligence Unit database”. Apparently, the data subject was not an official.

This denial prompted the data subject to appeal to the Supreme Court against the restriction. With the case pending before the Supreme Court and now referred to the EU Court of Justice for determination of this intersection of laws, there are a few lessons to be drawn from the case.

1. Observing the right of access of data subjects under the law

Generally, the right of access of a data subject to personal data is guaranteed by the EU legislation on personal data, in this case, the GDPR. This should be observed by controllers or processors of personal data. Consequently, as enshrined in Article 15(1) of the GDPR, data subjects can request access to their personal data to ascertain whether their personal data is being processed by a controller. Another reason a data subject requires access may be to confirm or amend the authenticity of information relating to them. It suffices to say that the EU Parliament envisaged such an intention by data subjects, as seen in the referenced case. In that case, the data subject applied to the Bureau to confirm whether any information about him was given to any Estonian or foreign credit institutions or authorities in respect of any suspicions of money laundering. This was denied on the basis that the law does not allow the Bureau to disclose such information.

Similarly, section 24 of the Estonian Personal Data Protection Act gives data subjects the right to obtain a confirmation of information and personal data concerning them from law enforcement authorities.

Regardless of whether the processor or controller of personal data is in the private or public sector, the law confers on the data subject the right of access. The GDPR allows personal data in official documents held by a public authority or body to be disclosed by the authority in accordance with EU or member state law.

It also does not matter whether the data was processed with the consent of the data subject; the data subject still has access to it. The Administrative Chamber of the Supreme Court, in a case on a data subject’s right to familiarize him/herself with data, stated that the law allows administrative authorities to process personal data without the consent of the data subject and without notifying them, while complying with statutory obligations in fulfilment of a public duty. However, the court emphasized that this does not mean that the data subject does not have the right to access information and personal data and to request its amendment.

A controller or processor of personal data in a company or public office would need to adhere to this unless expressly prohibited by law from disclosing.

2. Where right of access may be denied

It is known that every right has a limitation; there is no absolute right. Data subjects must be aware that their right of access may be restricted in certain circumstances. While the law may give a free hand to citizens, it also ensures full protection of personal data. The law seeks to achieve a balance between the right to privacy and the right to access public information. The Estonian Data Protection Inspectorate (DPA), in the case of Estonian Civil Engineers Association NGO vs. Law Firm Tehver & Partners, held:

When responding to requests for access to information, professional entities must carry out a thorough balancing exercise to assess whether the personal data they hold is of public interest or is covered by the inviolability of private life, justifying any restriction to the access to information.

For information held by a professional organization, the court further held that although information provided to professional organizations should be regarded as public, it is not applicable to all kinds of data.

The GDPR grants the EU or member states the right to make laws restricting the rights of the data subjects for appropriate reasons. Such reasons include national security, public security, protection of judicial proceedings and independence, prevention, investigation and prosecution of criminal offences, etc. Additionally, such a request to access data should not damage the rights and freedoms of other persons.

Controllers of information may act based on the specific laws governing them; however, such laws are not to conflict with the GDPR or EU law. On the contrary, for scopes not covered by the GDPR, certain provisions may restrict the right. An instance is the processing of data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. This may be a defense for the Bureau’s refusal to disclose information to the data subject.

Upon refusal, the controller is to inform the data subject of the refusal and the reasons for it. In the event of a refusal of access, the data subject can appeal to the Estonian Data Protection Inspectorate (DPA) or a court against the decision of the controller.

A data subject can exercise his right of access in any organization, public or private, as provided under the law. This right can be denied for certain reasons. Whatever the reason, the data subject has the right to lodge a complaint with the appropriate body, as the law provides, where any of his rights is violated. The court will determine the legality of such a refusal and the extent of the legal rights. In other words, data subjects can appeal to the appropriate body to seek redress.

