Archive for: Art. 6 PPD

Telecommunications law, case I OSK 1079/10

August 3rd, 2010, Tomasz Rychlicki

This is the continuation of a story described in “Personal data protection, case II SA/Wa 1598/09“. The Supreme Administrative Court in its order of 15 July 2010 case file I OSK 1079/10 decided to stay the execution of the decision issued by the Inspector General for Personal Data Protection (GIODO) and ruled that the Polish Act of 16 July 2000, Telecommunications Law – TLA – (in Polish: Prawo telekomunikacyjne), published in Journal of Laws (Dziennik Ustaw) No 171, item 1800 with later amendments, provides broader protection of personal data because of telecommunications confidentiality, than the provisions of the Act of 29 August 1997 on the Protection of Personal Data – PPD – (in Polish: Ustawa o ochronie danych osobowych), Journal of Laws (Dziennik Ustaw) of 29 October 1997, No. 133, item 883, unified text published in Journal of Laws (Dziennik Ustaw) of 6 July 2002, No. 101, item 926, with later amendments.

The Court held that the disclosure of IP addresses which enable identification of specific individuals, that was ordered during administrative proceedings initiated with regard to disclosure of such data, while such proceedings did not ended with judgment in force, may violate the provisions of Article 160 of the TLA.

Article 160.
1. An entity participating in the performance of telecommunications activities within public networks and entities cooperating with it shall keep the telecommunications confidentiality.
2. Entities referred to in paragraph 1 shall maintain due diligence, within the scope justified by technical or economic reasons, while securing telecommunications equipment, telecommunications networks and data collections from disclosing the telecommunications confidentiality.
3. A person coming into possession of a message not meant to be read by him/her when using radio or terminal equipment shall keep the telecommunications confidentiality. The provisions of Article 159 (3) and (4) shall respectively apply.
4. The recording of a message acquired in a manner described in paragraph 3 by a body executing control of telecommunications activities in order to document a violation of a provision of the Act, shall not be a violation of the telecommunications confidentiality.

While assessing the validity of the request to stay the execution of GIODO’s decision to disclose the requested IP address at this stage of proceedings, the Court agreed with the author of the cassation complaint, that the execution of the questioned decision at this stage makes it impossible to reverse the actions taken after the disclosure of the IP addresses, and such action should be seen as causing the effects that are difficult to reverse according to Article 61(3) of the Act on the Law on proceedings before administrative courts – PBAC – (in Polish: Prawo o postępowaniu przed sądami administracyjnymi) of 30 August 2002, Journal of Laws (Dziennik Ustaw) No 153, item 1270, with later amendments.

§ 1 Filing a complaint does not stay the execution of the act or actions.

(…)

§ 3 After the delivery of a complaint to the court, the court may issue at the request of the applicant, the order to stay the execution, in whole or in part of the act or actions referred to in § 1, if there is a risk of causing significant damage or cause to be difficult to reverse, with the exception of the provisions of local law which entered into force, unless the special Act excludes the stay of their execution. The refusal to stay the execution of the act or actions by the authority, does not deprive the applicant of action to the court. This also applies to acts issued or adopted in all proceedings conducted within the same case.

The SAC held that if the Supreme Administrative Court would agree with the cassation complaint filed against the judgment of the Voivodeship Administrative Court of 3 February 2010 case file II SA/Wa 1598/09, the effects of the execution of the questioned decision could not be reversed, because the IP address identifying a specific person is available to another participant in the proceedings. Accordingly, the court held that the correct solution at this stage of proceedings, is to stay the execution of the questioned decision also with a view to the impact of which its execution might result in, as well as the nature of the protection of personal data resulting from the relevant regulations such as, inter alia, the TLA.

See also “Polish regulations on personal data protection“, “Polish case law on personal data protection“.

Categories: Art. 159 TLA | Art. 160 TLA | Art. 161 TLA | Art. 5 PPD | Art. 6 PPD | Art. 61 § 3 PBAC | ISP liability | Polish Act on Proceedings Before Administrative Courts | Polish Act on Protection of Personal Data | Polish Act on Telecommunications Law | Polish Supreme Administrative Court | case law | computer law | criminal law | defamation | image | legal regulations on computers networks | personal rights.

Personal data protection, case I OSK 667/09

February 13th, 2010, Tomasz Rychlicki

On 15 January 2008, Tomasz W. filed with the General Inspector for Personal Data Protection (GIODO) a complaint concerning an unauthorized processing of personal data carried out by the Polish company Nasza Klasa Sp. z o.o. from Wroclaw, the owner of nasza-klasa.pl website. He informed the GIODO, that this very popular Polish website on classmates, hosts a photo featuring his image together with a list of names of other photographed people attached to it. Tomasz W. has repeatedly appealed to the website administrators with the request to remove his name from the list. However, he received no response from Nasza Klasa company.

As a result of the investigation, the GIODO found that on 31 December 2007, a registered user of nasza-klasa.pl posted classmates’ photo featuring students of a primary school. On the same day, another registered user, placed the names of people who were portrayed at the photograph – including the name and surname of Tomasz W. On 2, 9 and 14 January 2008, Tomasz W. requested Nasza Klasa Sp. z o.o. the removal of his personal data.

In a decision of 27 May 2008, case file DOLiS/DEC-314/08/13239, the GIODO, relying on the provisions of the Polish Act of 29 August 1997 on the Protection of Personal Data – PPD – (in Polish: Ustawa o ochronie danych osobowych), Journal of Laws (Dziennik Ustaw) of 29 October 1997, No. 133, item 883, unified text published in Journal of Laws (Dziennik Ustaw) of 6 July 2002, No. 101, item 926, with later amendments, ruled that information on the applicant’s full name, school and class to which he attended, together with his image, are personal data and the data collector is Nasza Klasa Sp. z o.o.

However, the GIODO also ruled that it should be borne in mind that according to the provision of the Polish Act of 18 July 2002 on Providing Services by Electronic Means – PSEM – (in Polish: ustwa o świadczeniu usłóg droga elektroniczną), Journal of Laws (Dziennik Ustaw) No. 144, item. 1204, as amended, Nasza Klasa sp. z o.o. provides electronic services for registered users of the portal website, consisting of the storage of data of these users in the computer system. This activity is the condition to legalize the processing of personal data in accordance with article 23(1) pt. 5 of the PPD. In addition, the GIODO found that in this case the applicant’s rights have not been violated, because the access to its data was limited to a group of people registered on nasza-klasa.pl website.

Tomasz W. asked the GIODO for the retrial. He pointed out that the reasons for the decision have many contradictions, inconsistencies and is ambiguous. He accused the GIODO of laconic and cursory treatment of his case. He again emphasized that his personal data have been published on the nasza-klasa.pl website without his knowledge or consent, in violation of his civil rights and liberties.

After the rehearing of the case, the GIODO annulled the contested decision, and discontinued the proceedings. GIODO claimed that the re-examination of the case leads to the conclusion that the disputed information about Tomasy W. did not fall within the definition of personal data. The name and surname have been given under his old image from many years ago. Hence, the combination of photos from the past, with a name and surname of a person and a primary school, which such person attended did not allow for the identification of a person without excessive costs and time. The findings that the disputed information is not personal data within the meaning of the PPD caused the proceedings in the matter to be groundless and on the basis of article 105 § 1 of the APC, it had to be discontinued.

Tomasz W. lodged a complaint with the Viovodeship Administrative Court (VAC) in Warsaw. The complainant asked for annulment of the decision of first and second instance. Tomasz W. claimed the violation of the substantive law, i.e. article 6(1) of the PPD, through its improper interpretation, of article 32(1) pt 7 and 8 of that Act, by recognizing that Tomasz W. is not entitled to request cessation of the processing of his data and the right to object, and a breach of article 7 of the APC by not explaining all the relvant facts. Tomasz W. disagreed with the statement of the GIODO that questioned information about his person is not personal data within the meaning of the PPD. He stated that any information about an identified or identifiable individual is personal data. Furthermore, he argued that the claim of the GIODO that the data are available only for specific people – registered users of the portal is not acceptable, because nasza-klasa.pl has no mechanisms for verification of users identity, which makes the questioned data easily accessible for everyone. Moreover, Tomasz W. also argued that a registered user who does not know him would have some difficulty in identifying his person but such obstacles would not happen to a person who knows about Tomasy W., and is looking for additional information.

The Voivodeship Administrative Court in a judgment of 3 March 2009, case file II SA/Wa 1495/08, ruled that the GIODO erred in its decisions, because information about the name and surname of Tomasz W., combined with information about the name and address of the primary school and the determination of the class to which he attended in 1978/79, even if it was thirty years ago, are personal data. According to the Court provisions of article 1 of the PPD introduced the principle of autonomy of human information, meaning the protection of information about human being. This provision is a kind of emanation of the general right guaranteed by the Polish Constitution in article 47, according to which “Everyone shall have the right to legal protection of his private and family life, of his honour and good reputation and to make decisions about his personal life”. This means that the protection of personal data is related to the protection of privacy rights. This follows from the wording of article 6 of the PPD, indicating that the personal data concern identified or identifiable natural or legal person and that the identifiable is a person is one whose identity can be determined. From wording of that provisions the VAC concluded that personal data are data that identify a person’s identity.

VAC also relied on the content of recital 12 of the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, which emphasized the protection of all data relating to a person, and therefore also information about someones past.

(12) Whereas the protection principles must apply to all processing of personal data by any person whose activities are governed by Community law; whereas there should be excluded the processing of data carried out by a natural person in the exercise of activities which are exclusively personal or domestic, such as correspondence and the holding of records of addresses

However, in recital 26 of the abovementioned Directive states that data protection rules must apply to any information concerning an identified or identifiable person. In order to determine whether a person is identifiable, all the means which can be used by the controller or any other person to identify a person, should be taken into the account. The rules of data protection do not apply to data rendered anonymously in such a way that a subject of the data can not be identified. The identification of a given person concerns also past information about a specific human being, by which information one can learn about such person’s identity. Accordingly, the VAC held that European law means the protection of personal data as the protection of all the facts concerning the past of a particular person, which corresponds with the content of article 6(2) of the PDP. So this means that such data would also be protected.

Referring to the foregoing facts of Tomasz W. case, the VAC ruled that that nasza-klasa.pl website published his image and name. In the opinion of the court these are the personal data which are protected by the PPD, because on their basis one is able to identify given person.

Nasza Klasa sp. z o.o. filed a cassation complaint with the Supreme Administrative Court (SAC) challenging in entirety the judgment of the VAC. The Supreme Administrative Court in a judgment of 18 November 2009, case file I OSK 667/09, rejected the complaint.

The SAC held that the primary issue arising in this case was whether a classmates’ picture that was taken thirty years ago, at which Tomasz W. is potrayed, in the circumstances of the case, can be analyzed to determine his identity without necessarily involving excessive resources or time, and therefore, whether the data disclosed in the photo in question, constitutes personal data within the meaning of article 6 of the PPD, and whether it should be protected.

The concept of “personal data” on the Polish law includes any information concerning an individual if it is possible to define its identity and its identification. Personal data is a set of messages about a particular person such integrated that it allows for its individualization. It includes at least information necessary for identification (name, surname, place of residence), but this is not restricted, because it also include further information, strengthening the degree of identification. Such information will also include pictures of the individual, even if they were taken in the past, allowing to identify a person. In a situation where such a photograph is presented with a name and surname of the person portrayed, in a place accessible to an unlimited number of entities, it must be considered that it constitutes personal data subject to protection under the PPD. Mainly, the objective evaluation criteria decides for the qualification of given information as personal data, but it also should comprise of all information, including extralinguistic (context), to which third party may have or has an access. A different approach to the presented issues would maginalize the importance of the laws and it would not relate to its designated function.

Thus it should be considered that the image of Tomasz W. portrayed at the photograph that was taken 30 years ago, affixed with the class, his name and surname, and then published at nasz-klasa.pl website constitutes personal data within the meaning of article 6(2) of the PPD, and the cassation complaint was not justified. The SAC also noted that the consent for the processing of personal data cannot be in any way implied.

The SAC also stressed the fact the Internet as a source of information is increasing on a unknown scale and importance. It provides an access to specific information to a vast number of persons and allows for any of its processing within the meaning of the PPD. At the same time there are not yet developed appropriate mechanisms for the protection of individual rights when those rights have been violated as a result of the disclosure of information on the Internet. Then, it is a great role of law enforcement bodies, including the Inspector General for Personal Data Protection in creating practice to comply with applicable laws also on the Internet. It is an unacceptablr situation in which the entity seeks to remove its image from a particular website, and the administration fails to take action to ensure the protection of civil rights. The image is one of the very personal property rights and lack of consent to its publication, if it is not a public person, is a sufficient reason to believe that regulations of the PPD apply, if the conditions set in the article 6(2) of the PPD have been met.

See also my posts entitled “Polish regulations on personal data protection” and “Polish case law on personal data protection“.

Categories: Art. 1 PPD | Art. 105 § 1 APC | Art. 14 PSEM | Art. 23 PPD | Art. 29 PPD | Art. 47 Constitution | Art. 6 PPD | Art. 7 PPD | Directive 95/46/EC | ISP liability | Inspector General for Personal Data Protection | Polish Act on Protection of Personal Data | Polish Act on Providing Services by Electronic Means | Polish Administrative Proceedings Code | Polish Supreme Administrative Court | Voivodeship Administrative Court | computer law | image | legal regulations on computers networks | personal data | personal rights.

Personal data protection, case II SA/Wa 1085/04

February 11th, 2010, Tomasz Rychlicki

In July 2003, the Inspector General for Personal Data Protection (GIODO) received a complaint in which a natural person, known as W.K. (personal data of the parties are removed from Polish courts’ judgments), requested the GIODO to issue an order to the Polish Internet company to reveal personal data of persons, against which the applicant wanted to initiate legal proceedings. The complaint showed that the online forum operated by the Internet company hosted defamatory content posted by persons using only nicknames.

W.K. proved that he had requested the Company to disclose full IP addresses of computers from which persons using only nicknames have sent messages to the online forum. The applicant also pointed out that the Regional Prosecutor’s Office refused to determine the perpetrators of the alleged defamation. The refusal was also upheld by the District Prosecutor’s Office.

W.K. pointed out that he brought a private accusation based on article 212 § 1 of the Criminal Code – CRC – (in Polish: Kodeks Karny) of 6 June 1997, Journal of Laws (Dziennik Ustaw) No 88, item 553, with later amendments, to the Regional Court in K., against the persons who used given nicknames. The Court has issued an order in which it considered the private accusation legally ineffective because it included error in the form – i.e., no indication of names of defendants and their addresses, and W.K. did not clear these errors.

The GIODO has found that the purpose for which W.K. has applied for, i.e. the access to personal data, to assert his rights before the court, is legally justified. The use of these data by the applicant in the proceedings could not be considered as a violation of the rights and freedoms of persons whos personal data was collected because after the initiation of criminal or civil proceedings, personal data would be in a disposition the court.

The Company filed a complaint to the Voivodeship Administrative Court (VAC) in Warsaw. The Court in a judgment of 9 February 2005, case file II SA/Wa 1085/04, annulled the contested decision. The VAC held that the complaint was based on article 23(1) pt. 5 of the Polish Act of 29 August 1997 on the Protection of Personal Data – PPD – (in Polish: Ustawa o ochronie danych osobowych), Journal of Laws (Dziennik Ustaw) of 29 October 1997, No. 133, item 883, unified text published in Journal of Laws (Dziennik Ustaw) of 6 July 2002, No. 101, item 926, with later amendments.

1. The processing of data is permitted only if:
5) processing is necessary for the purpose of the legitimate interests pursued by the controllers or data recipients, provided that the processing does not violate the rights and freedoms of the data subject.

The court did not accept that the wording of this provision can be interpreted as a rule requiring a data controller to reveal personal data at the request of the person whose requested data does not concern. The basis for such claims available for third parties for purposes other than inclusion in the data collection, was provided in the article 29(1) and (2) of the PPD. This provision being in force until 1 May 2004, did not give rise to demand release of the data, if the controller/administrator of the data were private sector.

The Court also held that the imposition of the duty of the data controller can only be done when the information being available to the controller falls into the category of personal data as defined in article 6(1) of the PPD.

personal data shall mean any information relating to an identified or identifiable natural person.

The requested information related to IP addresses of computers from which the messages were posted by certain people using certain nicknames. The Company argued that it does not require users of its forum to identify themselves in order to post information, what causes that, the IT administration system of the portal website hosting different forums, registers only IP address of computers of persons using the system, and it does not produce other data for identifying the user of a forum. Only a request to the operator of the telecommunication network could lead to the identification of the computer which was connected to the server hosting the portal and its forums. The Court cited English and Polish comentators and found that information, that without extraordinary and disproportionate effort can be “linked” with a specific person, especially by using readily and widely available sources, also deserve credit for their category of personal data. The identifiable person is defined in article 6(2) of the Polish Act of August 29, 1997 on the Protection of Personal Data – PPD – (in Polish: Ustawa o ochronie danych osobowych), Journal of Laws (Dziennik Ustaw) of October 29, 1997, No. 133, item 883, unified text published in Journal of Laws (Dziennik Ustaw) of July 6, 2002, No. 101, item 926, with later amendments.

2. An identifiable person is the one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity.
3. A piece of information shall not be regarded as identifying where the identification requires an unreasonable amount of time, cost and manpower.

See also my posts entitled “Polish regulations on personal data protection” and “Polish case law on personal data protection“.

Categories: Art. 212 CRC | Art. 23 PPD | Art. 29 PPD | Art. 6 PPD | Inspector General for Personal Data Protection | Polish Act on Protection of Personal Data | Polish Administrative Proceedings Code | Polish Criminal Code | Polish courts | Polish law | Voivodeship Administrative Court | defamation.

Personal data protection, case II SA/Wa 1598/09

February 5th, 2010, Tomasz Rychlicki

According to lawyers representing the singer Maryla Rodowicz, on the forum of one of the Polish portal websites appeared entries with the content which allegedly violated her personal rights (interests). The lawyers requested the owner to reveal IP addresses of users who posted these entries. The administrator of the portal website deleted the disputed entries but did not reveal any of the IP addresses. Lawyers filed a request to the Inspector General for Personal Data Protection (GIODO), who ordered the portal to disclose IPs on the grounds that these numbers are personal data. The owner of the portal again refused. The case went to the Voivodeship Administrative Court (VAC) in Warsaw, which in a judgment of 3 February 2010, case file II SA/Wa 1598/09 upheld the decision of the GIODO. The company who owns the portal may file a cassation to the Supreme Administrative Court (SAC). The VAC judgment provides the interpretation that IP address is a personal data, in accordance with the statutory definition included in article 6 of the Polish Act of 29 August 1997 on the Protection of Personal Data – PPD – (in Polish: Ustawa o ochronie danych osobowych), Journal of Laws (Dziennik Ustaw) of October 29, 1997, No. 133, item 883, unified text published in Journal of Laws (Dziennik Ustaw) of July 6, 2002, No. 101, item 926, with later amendments.

Article 6
1. Within the meaning of the Act personal data shall mean any information relating to an identified or identifiable natural person.
2. An identifiable person is the one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity.
3. A piece of information shall not be regarded as identifying where the identification requires an unreasonable amount of time, cost and manpower.

The VAC also noted that the IP address is personal data if it is permanently assigned to the specified device and that is used or operated by a specified entity. This dependence makes certain in given situations that there is the possibility of identifying such entity. The Court said that it is true that the same IP address is not sufficient to identify a person who use it, but together with other information a person can be identified.

This judgment is not yet final. A cassation complaint may be filed to the Supreme Administrative Court. There was another court’s decision with regard to the aforementioned case and the disclosure of IP addresses. See “Telecommunications law, case I OSK 1079/10“.

The U.S. courts and judges have quite different views on this issue. Read for example Johnson v. Microsoft Corp., 2009 WL 1794400 (W.D. Wash. June 23, 2009).

See also “Polish regulations on personal data protection” and “Polish case law on personal data protection“.

Categories: Art. 6 PPD | ISP liability | Inspector General for Personal Data Protection | Polish Act on Protection of Personal Data | Polish courts | Polish law | Voivodeship Administrative Court | computer law | defamation | digital economy | e-law issues | legal regulations on computers networks | personal data | personal rights.

My history, my personal data

March 30th, 2009, Tomasz Rychlicki

There is a really fresh judgment of the Voivodeship Administrative Court in Warsaw of 3 March 2009, case file II SA/Wa 1495/08 regarding the protection of personal data and providing and operating online services such as websites about users’ classmates.

It is therefore assumed that in accordance with article 6(2) of the Polish Act of 29 August 1997 on the Protection of Personal Data (in Polish: Ustawa o ochronie danych osobowych) not only information on the current situation of an individual decide whether we are dealing with personal data, but also information relating to what one did and who one was in the past. It means that such data are protected under the Act on Protection of Personal Data.

See also my posts entitled “Polish regulations on personal data protection” and “Polish case law on personal data protection“.

Categories: Art. 6 PPD | EU law | Inspector General for Personal Data Protection | Polish Act on Protection of Personal Data | Polish courts | Polish law | Voivodeship Administrative Court | legal regulations on computers networks | personal data | personal rights | telecommunication law.