A recent judgement of the European Court of Justice of 7 May 2009 (Case C-553/07) has important consequences for the question of how long access logs need to be archived when an application provides access to personal data.
Article 12 of the European Data Protection Directive 95/46/EC dealing with the 'right of access' states that every data subject has the right to obtain from the controller "without constraint, at reasonable intervals and without excessive delay or expense, confirmation as to whether or not data relating to him are being processed and information at least as to the purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed". In Belgium this provision has, almost literally, been transposed in Art. 10 of the Law of 8 December 1992.
One of the practical consequences of the data subject's access right is the duty, for controllers, to keep log files in order to be able to provide the list of recipients to whom the data have been disclosed. How essential this obligation is considered to be in the context of privacy protection was demonstrated last year in the judgement of the European Court of Human Rights in the "I v. Finland" case.
An important question is how far back in time a data subject can request information as to the recipients or categories of recipients to whom the personal data have been disclosed.
Mr Rijkeboer requested the local administration of the city of Rotterdam to notify him of all instances in which data relating to him from the local-authority personal records had, in the two years preceding the request, been disclosed to third parties. He wished to know the identity of those persons and the content of the data disclosed to them. Mr Rijkeboer, who had moved to another municipality, wanted to know in particular to whom his former address had been disclosed.
Unfortunately for Mr Rijkeboer, the Dutch law on personal data held by local authorities (Wet gemeentelijke basisadministratie persoonsgegevens) provides that the local authority is to retain details of any communication of data for one year following that communication. According to this provision, the data requested by Mr Rijkeboer dating from more than one year prior to his request were automatically erased.
Mr Rijkeboer lodged a complaint with the local authority against the refusal to give him the requested information relating to the recipients over the two years preceding his request. That complaint having been rejected, the case finally came before the Raad van State, which decided to stay the proceedings and to refer a question to the European Court of Justice for a preliminary ruling.
In its judgement of 7 May 2009 the ECJ emphasizes first that a data subject should be able to verify that his personal data are processed in a correct and lawful manner, that is to say, in particular, that the basic data regarding him are accurate and that they are disclosed to authorised recipients.
With regard to the right to obtain information on the recipients or categories of recipient of personal data and on the content of the data disclosed, the Directive does not make it clear whether that right concerns the past and, if so, what period in the past.
First, the ECJ confirms that this right must of necessity relate to the past. If that were not the case, the data subject would not be in a position effectively to exercise his right to have data presumed unlawful or incorrect rectified, erased or blocked or to bring legal proceedings and obtain compensation for the damage suffered.
As to the scope of that right in the past, the Court states, in the second place, that the setting of a time-limit with regard to the right of access to information on the recipients or categories of recipient of personal data and on the content of the data disclosed must allow the data subject to exercise the different rights laid down in the Directive. The length of time the basic data are to be stored may constitute a useful parameter without, however, being decisive. Where the length of time for which basic data are to be stored is very long, the data subject's interest in exercising the rights to object and to remedies may diminish in certain cases. If, for example, the relevant recipients are numerous or there is a high frequency of disclosure to a more restricted number of recipients, the obligation to keep the information on the recipients or categories of recipient of personal data and on the content of the data disclosed for such a long period could represent an excessive burden on the controller.
Following the judgement of the ECJ, a number of parameters may accordingly be taken into account, in particular the applicable legal provisions on time-limits for bringing an action, the more or less sensitive nature of the basic data, the length of time for which those data are to be stored and the number of recipients.
In the particular case of Mr Rijkeboer, the ECJ considers that rules limiting the storage of information on the recipients or categories of recipient of personal data and on the content of the data disclosed to a period of one year and correspondingly limiting access to that information, while basic data are stored for a much longer period, do not constitute a fair balance of the interest and obligation at issue, unless it can be shown that longer storage of that information would constitute an excessive burden on the controller.
In Belgium the law doesn't fix a time-limit for storage of information on the recipients or categories of recipient of personal data. Consequently, the controller himself needs to strike a balance between, on the one hand, the interest of the data subject in protecting his privacy and, on the other, the burden which the obligation to store that information represents for the controller.