master_admin

Aikaterini Psihogiou

Preliminary ruling of the Court of Justice of the European Union answered the question, if candidates’ written answers in the context of exams and the related corrections of the examiner constitute personal data, as well as whether the candidate has the rights to access and correction of his writing subsequently to the completion of the examination.

The facts of the case

The application for a preliminary ruling was submitted in the context of legal proceedings between Peter Nowak and the Data Protection Commissioner of Ireland, concerning the denial of the Commissioner to allow to P. Nowak to access his corrected test in an examination that he had participated in, on the ground that the information included on it was not personal data. Having doubts whether a written test is personal data, the Supreme Court of Ireland submitted to the CJEU a request for a preliminary ruling on the interpretation of directive 95/46/EC on the protection of individuals with regards to the processing of personal data and the free movement of such data.

Court’s response

To begin with, Directive 95/46/EC defines as personal data “any information related to an identified or identifiable natural person”. An identifiable person is one who “can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”

The use of the expression “any information” lets on, according to the Court, the legislator’s objective to add a broader definition on this term, covering any information either objective or subjective, in the form of opinion or assessment, providing that information relates to the person concerned; in other words, because of its content, its purpose or its result, the information is connected to the specific person.

According to the Court’s reasoning on the said case, the content of the candidate’s written replies in the context of an exam is an indication of the level of knowledge and the candidate’s skills in a given sector, as well as the way of thinking, his/her reasoning and his/her critical eye.

Furthermore, in the event of handwritten exams, the answers provide information relating to candidate’s handwriting.

Moreover, the purpose of collecting these answers is to estimate the candidate’s professional skills and his/her ability to exercise a specific profession.

Lastly, the use of this information is liable to have an impact on the candidate’s rights and interests, as it can determine or affect, for example, the possibilities of access on the profession or his/her desired working position.

As regards the related with candidate’s answers examiner’s corrections, the Court found that they constitute information, which concern the candidate, as the content of these corrections is the examiner’s assessment of the examinee’s capabilities. These corrections are also able to bring him/her consequences.

The Court decided, therefore, that under circumstances such as those in the said case, the candidate’s written answers on exams and the possible relevant corrections of the examiner constitute personal data of the candidate. Accordingly, the candidate has in principle rights of access and correction (Article 9 of the Directive and Article 15,16 of the Regulation 2016/679), both on his written answers and examiner’s rectifications.

The Court, however, clarifies that the right of rectification does not allow the candidate to “correct”, a posteriori, the “wrong” answers, (as the potential mistakes do not constitute an inaccuracy that needs to be corrected, but rather constitute evidence indicating the candidate’s level of knowledge). Finally, the rights of access and correction do not extend to the questions of the exams, which do not constitute candidate’s personal data.

Practically, in Greece, how can a candidate exercise the right of access on his answers and the related examiner’s corrections?

Practically, a candidate can request written or orally from the examining authority to have access to his/her answers and examiner’s corrections. The right of access is exercised free of charge in principle. The candidate could be asked to pay a reasonable charge, if only the request is manifestly ill-founded or excessive (e.g. when it is repeated) or the number of copies that the examining authority is being asked to give is large. The examining authority has no more than one month to satisfy the request -from its submission- and exceptionally this time limit may be extended by up to a further two months.

*Aikaterini Psihogiou, LL.M., CIPP/E, is a Lawyer in Athens, graduate of the Law School of Athens and holder of Master’s degree (Cum Laude) in Law and Technology in Tilburg University. She is CIPP/E certified. She is working as consultant on personal data protection.

Source:http://curia.europa.eu/juris/document/document.jsf?text=&docid=198059&pageIndex=0&doclang=el&mode=lst&dir=&occ=first&part=1&cid=455309

Homo Digitalis supports the important work carried out by the Data Protection Authority. We are optimistic that our action and through continued cooperation we will contribute to its mission.

Homo Digitalis has the honor to host the interview of Nikos Theodorakis, a Greek who excels at both academic and professional level in Europe and America. Mr. Theodorakis is an associate professor at the University of Oxford and a partner at Stanford University, while at the same time practicing law at an American law firm and has served as a consultant to international organizations.

As perceived, he is best suited to talking about the importance of personal data on our business activities, business and everyday life, and we thank him warmly for the interview he gave us.

– You’ve started your academic career in Trade Law, but for some years now you’ve turned to Personal Data and Privacy Protection Law. Is there any relation between trade and personal data?

Undoubtedly! Personal data, which are frequently called the “oil” of the 21st century, is an integral part of every commercial activity. Either as the very centre of online services, or assisting at the contractual supply of goods, personal data is the driving force behind every commercial activity. In the past, trade was a relatively decentralised procedure, however, nowadays, data is used in every commercial activity. Therefore, to me, the transition, in fact the conjugation, from trade law to personal data protection law was a rational and probably necessary choice, taking into consideration the every-increasing importance of data.

– You are working both as a professor and researcher in some of the most important universities internationally and as a lawyer in a large law firm. How is it possible to combine an academic career with practising law?

I have to admit that is a very demanding combination, among other things because it entails frequent travelling between Oxford, Brussels, Athens and New York for academic and professional contributions. However, this “balancing act” really satisfies me as every sector offers you something different: academy is a forum for the exchange of ideas, where you constantly learn, horizontally from your colleagues and vertically from your students, while dealing with legal issues, which need further examination and resolution from the scientific community. Practicing law is more intense, active and pressing as you are requested to solve your client’s problem as soon as possible, in a practical way, while the legal strategy you create is dynamic. The combination of these two contrary occupations makes me evolve, so for now the weariness is certainly worth trying out!

– You are cooperating with very important universities in the US. What is their stance towards GDPR? Should we feel lucky that it exists in Europe or does it simply cause more problems?

The truth is that the Regulation has been largely discussed in the academic community and the legal community in the US, due to the large number of American firms that operate in Europe, through their physical or web presence, and due to the extraterritorial application of the regulation, under conditions. I can say that the dialogue during the last years on the other end of the Atlantic was really productive; actually in recent discussions I had with my colleagues at the law schools of Stanford and Columbia universities, I observe an increasing interest and knowledge on the subject. In fact the Regulation led to an intensive debate of respective initiatives of federalist nature in USA. The first indications have already appeared at the new consumer protection legislation of California and the Cloud Act.

– What do you think is the level of compliance with the GDPR for Greek companies and organisations? Where do we stand comparatively with other countries?

This is a complicated question because we have to distinguish between companies, which have fully complied and those which have taken the basic measures required, probably superficially, leading to a “compliance theatre”. One of the Regulation’s negative effects is that the market has been flooded with professionals who were not experts and were promising that they could help a company to comply fully with the Regulation at a very low cost. However, this is a process that takes time, total structural adjustment regarding the use of data and creation of a substantial way of thinking in support of the data protection. I would say that the minority of companies has substantially complied, a large majority has superficially complied –which leaves for possible risks- and finally a big percentage of companies hasn’t complied at all yet – which is very dangerous.

– Which is the role of the citizens in achieving companies’ and organisation’s compliance with the GDPR?

The role of civil society is to be aware and show interest in their rights -as the right to be forgotten and to portability- and exercise them in good faith if they have any doubt or question about how companies process their data. Citizens are the best guardians of this new legislation, as they have to use their strength for improvement and transparency in the use of data. They could also be organised in a coordinated manner, through an organisation like Homo Digitalis, and condemn possible infringed behaviour to the competent body of our country, the Greek Data Protection Authority.

– Can the conferred by the GDPR rights help Greek citizens in practice?

Certainly, as citizens can exercise a series of rights, which give them more and substantial control of their data. The user’s increased control on his data was one of the main reasons, which led to the Regulation, in view of the fact that companies collect and process a wealth of data for us from various sources; accordingly the user must control who is processing his/her data, why and where it is transferring this data. Overall, the rights that the Regulation offers result in augmented transparency and accountability for using Greeks -and European- citizens’ data.

– Both as a professor and a researcher, so as a lawyer you come up against new challenges. Which of them do you think that we will face in Greece and what would you like to be the action of an organisation like Homo Digitalis according to them?

I believe that in the foreseeable future we will face challenges such as data leakage and networks confidentiality breach, massive hacking in conjunction with ransom demands extortion in cryptocurrency, lack of companies’ ability to cope efficiently with users’ requests for exercising their rights, spot checks from prosecution authorities and complexity on how blockchain and artificial intelligence interact, or conflict with the Regulation. An organisation like Homo Digitalis can adopt working documents and organise workshops for the examinations of these challenges.

– How do you expect the relation of technology and human in the future?

It is a fact that the relation between technology and human will continue to be made increasingly complex through the evolution of artificial intelligence and the Internet of Things. Therefore, developments that a few decades ago were figments of scientific imagination are now much closer than we may think.

By Lefteris Chelioudakis

On 4 November 2018, the European Court of Human Rights (ECHR) adjudged unanimously in its decision in the case Magyar Jeti Zrt v. Hungary that the prohibition to use hyperlinks leading to libelous content may violate the right of freedom of expression.

According to the facts of the case the applicant company (444.hu), which maintains a news website has been found guilty of disposal of libelous material by the national courts of Hungary. The main cause was that they had published an article that was hosting a hyperlink to an interview on Youtube, which was later found to contain libelous content.

Specifically, the bus that was transferring a group of hooligans, on its way to attend a football match, had parked in front of a school. The school had mostly Roma students, and the hooligans started shouting racist chants against them, throwing beer bottles, while one of the hooligans peed in front of the school. The children’s teacher called the police and the hooligans left only when the police arrived in point.

On the same day, the Head of the local Roma community gave an interview for the incident stating that the hooligans were members of the extremely right-wing Hungarian political party “Jobbik”.

The said interview has been made accessible on YouTube. The day after, 444.hu published an article on its website on the incident, attaching a hyperlink to the relevant interview.

In its decision, the ECHR underlined the importance of hyperlinks for the proper functioning of the Internet and made a distinction of hyperlinks from traditional publications, as the ones guide the users to available material and the others provide material.

The Court also found that the Hungarian law on strict liability for libelous material dissemination had excluded the possibility of any substantial assessment of the applicant company’s right on freedom of expression. Therefore, national courts should have examined the case more closely, as the relevant provisions could undermine the flow of information on the internet, preventing the use of hyperlinks by creators and issuers.

Moreover, the ECHR recalled that, for journalists, the protection of the right on freedom of expression of article 10 depends on the principle of good faith and the accuracy of factual elements, so that “reliable and precise” information are provided, according to journalistic ethics. Consequently, the protection provided from the specified right does not cover the possibility of spreading false news.

Lastly, the ECHR stressed that when third-party rights are at stake, it is necessary to achieve a fair balance between freedom of expression, as protected by Article 10 and the right to privacy as protected under Article 8 of the European Convention of Human Rights.

More information on the case can be found on the website The IPKat.

By Anastasia Karagianni

The murder of the 21-year old Eleni at Rhodes urged the Greek society to finally face the real “scale” that rape can reach. Rape is not only the sexual contact without the consent of the other person. It is the force to sexual intercourse, the physical violence or a serious and imminent threat, that are undertaken to commit this inadvertent sexual intercourse. Rape can result in death, as we have seen.

Nevertheless, sexual harassment exists also in the digital world. How? In recent times it takes place due to personal data breach. Specifically, studies show that 4% of the adolescents aged 12-17 admit that they have sent sexual messages, which depicted them naked or half-naked, to other users, and 15% of the adolescents confess that they have received such material. This is called “sexting”, namely, the exchange of photographs and messages with mainly sexual content using applications installed in smartphones or other electronic devices. However, sometimes the exchange of these messages is carried out without the consent of the depicted person. In this case, the right to privacy of the person depicted is violated.

What are these personal data? Personal data are information related to a person. They might contain “sensitive” or “non-sensitive” information. This information is becoming personal when connected, directly or indirectly, with the specific person. It therefore concerns different information, which, if gathered together, can lead to identification of an individual. This information, therefore, characterize the biological, physical and mental existence of the person as well as its social, political, financial and cultural existence. In this connection, because of the sexual content of the message, the naked/half-naked picture of the person is considered personal data, as it concerns the user’s sex life.

But how can the infringement of personal data lead to sexual exploitation? Since a picture appears in the internet, it is difficult to control its circulation. In most cases, these photographs are sent within the framework of a confidential relation between the sender and the recipient. So far, this does not create any problem. Problems arise when this relationship is harmed or based on false information. The circulation of this material in a secondary level without the consent of the person depicted, and several times without him/her knowing, to other users, constitutes an infringement of his/her priveacy and violation of his/her sexual integrity, when it takes place in view of leacher acts, and the trafficking of pornographic material.

About two years ago, Lina, 22-years old, committed suicide, falling from the ninth floor of her Student Residence in Thessaloniki. A prosecutor’s investigation has been ordered in order to make an online investigation for traces of possible criminal behaviour for observation, retention and processing of personal data, threats via the Internet for action or tolerance and committing felony association, as it seems that the girl regularly received threats that her personal pictures would be published on the Internet.

The New Regulation for the Protection of Personal Data of the European Union safeguards the right to be forgotten , the right to information and access to data, the right to correction and to objection against their processing.

The Greek legislation and the case-law provides a high level of protection. It only remains to be understood from us.

*If you face problems on the Internet and you are under 18 years old, call 2106007686. Trust the helpline of the National Centre for Safe Internet.