The Court of Justice of the European Communities gave judgment this morning in Case C‑553/07, College van burgemeester en wethouders van Rotterdam v M.E.E. Rijkeboer, a reference for a preliminary ruling from the Raad van State (Netherlands).
Back in October 2005 Mr Rijkeboer asked the College of the Board of Aldermen of Rotterdam to notify him of all instances in which data relating to him from the local authority personal records had, in the two years preceding the request, been disclosed to third parties. He wanted to know the identity of those persons and the content of the data disclosed to them. Having moved to another municipality, he also wanted to know in particular to whom his former address had been disclosed. The College complied with his request in part — notifying him only of the data relating to the period of one year preceding his request, in compliance with the 1994Law on personal data held by local authorities. It was apparent from the reference that the data requested and which dated from more than one year prior to his request was automatically erased.
Mr Rijkeboer’s initial complaint was rejected, but the Rechtbank Rotterdam upheld his action, taking the view that the restriction on the right to information on provision of data to the year before the request was contrary to Article 12 of Directive 95/46 (‘Right of access’) and that the exceptions referred to in Article 13 were not applicable.
The College appealed against that decision to the Raad van State, which noted that Article 12 did not specify any time period within which it must be possible for those rights to be exercised. In its view, that article did not necessarily, however, preclude Member States from imposing a time restriction in their national legislation on the data subject’s right to information concerning the recipients to whom personal data have been provided. Having doubts in that regard, the court stayed the proceedings and referred the following question to the Court for a preliminary ruling:
‘Is the restriction, provided for in the [Netherlands] Law [on local-authority personal records], on the communication of data to one year prior to the relevant request compatible with Article 12(a) of [the] Directive …, whether or not read in conjunction with Article 6(1)(e) of that directive and the principle of proportionality?’
Today the Court ruled as follows:
“Article 12(a) … requires Member States to ensure a right of access to information on the recipients or categories of recipient of personal data and on the content of the data disclosed not only in respect of the present but also in respect of the past. It is for Member States to fix a time-limit for storage of that information and to provide for access to that information which constitutes a fair balance between, on the one hand, the interest of the data subject in protecting his privacy, in particular by way of his rights to object and to bring legal proceedings and, on the other, the burden which the obligation to store that information represents for the controller.
Rules limiting the storage of information on the recipients or categories of recipient of personal data and on the content of the data disclosed to a period of one year and correspondingly limiting access to that information, while basic data is stored for a much longer period, do not constitute a fair balance of the interest and obligation at issue, unless it can be shown that longer storage of that information would constitute an excessive burden on the controller. It is, however, for national courts to make the determinations necessary”.
This appears to be a typical European Court of Justice “balance” ruling, which throws back to the national courts the responsibility — having established the facts — for giving them their proper weight in all the circumstances. In this sort of exercise, relative terms like “excessive burden” make it difficult to predict with confidence how the balance should be established even where case law offers comparators. Burdens may be imposed by constraints of money, time, availability of hardware and software and ability to charge — and “excessive” can be measured in relation to the benefit to the data subject, the objectives which the data controller seeks to achieve and the legal duties which he seeks to discharge.