Latvian regulation does not comply with the provisions of General Data Protection Regulation

On June 22, 221 CJEU adopted a judgment in case No.C 439/19 referring to a request for a preliminary ruling from the Constitutional court of Latvia. In substance, the Constitutional court of Latvia asked CJEU for clarification of meaning of Article 10 of the GDPR in connection with Article 5 (1) (f) of the GDPR. 

According to case materials the Road Safety Directorate of Latvia entered penalty points in the national register of vehicles and their drivers on specific individual, which were imposed as a part of an administrative sanction on account of one or more road traffic offences. Under the Latvian Law on road traffic information relating to the penalty points imposed on drivers of vehicles entered in that register is accessible to the public and disclosed by the Road Safety Directorate of Latvia to any person who so requests, without that person having to establish a specific interest in obtaining that information, including to private operators, e.g. data bases) for re-use. 

Being uncertain about the lawfulness of such data processing, respective individual brought a constitutional claim before the Constitutional Court of Latvia, requesting the court to examine whether the legislation complied with the right to respect for private life. In turn, the Constitutional Court held that, in its assessment of that constitutional law, it must take account of the GDPR, and therefore ask the CJEU to clarify the scope of several provisions of the GDPR with the aim of determining whether the Latvian Law on road traffic is compatible with that regulation which obliges the road safety authority to make the data relating to the penalty points imposed on drivers for road traffic offences accessible to the public.

By its judgment, CJEU explained that the GDPR precludes the Latvian legislation, meaning that it has not been established that disclosure of personal data relating to the penalty points imposed for road traffic offences is necessary, particularly with regard to the objective of improving road safety invoked by the Latvian Government. Furthermore, according to the CJEU, neither the right of public access to official documents nor the right to freedom of information justify such legislation, thus – disclosure of information on data subject’s public offences.

In that regard to the above, the CJEU emphasized that the improvement of road safety, referred to in the Latvian legislation, is an objective of general interest recognized by the EU and that Member States are therefore justified in classifying road safety as a ‘task carried out in the public interest’. However, it is not established that the Latvian scheme of disclosing personal data relating to penalty points is necessary to achieve the objective pursued. Firstly, the Latvian  legislature has a large number of methods which would have enabled it to achieve that objective by other means less restrictive of the fundamental rights of the persons concerned. Secondly, account must be taken of the sensitivity of the data relating to penalty points and of the fact that their public disclosure is liable to constitute a serious interference with the rights to respect for private life and to the protection of personal data, since it may give rise to social disapproval and result in stigmatization of the data subject. 

Furthermore, the CJEU took the view that, in the light of the sensitivity of those data and of the seriousness of that interference with those two fundamental rights, those rights prevail over both the public’s interest in having access to official documents, such as the national register of vehicles and their drivers, and the right to freedom of information. Also, the GDPR precludes Latvian legislation in so far as it authorizes the Road Safety Directorate of Latvia to disclose the data on penalty points imposed on drivers of vehicles for road traffic offences to private operators (i.e., data bases) in order for the data to be reused and disclosed to the public by them.

Taking aforementioned into account, the Constitutional Court of Latvia, most likely, will follow to this CJEU judgment and resolve that existing Latvian regulation must be amended in order to comply with the provisions of the GDPR ensuring privacy of individuals.