The European Court of Justice (ECJ) has today announced that to come into alignment with new data protection regulations it will begin replacing the names of natural persons with initials in publications concerning requests for preliminary rulings.
As we reported earlier this month, EU institutions aren’t subject to the General Data Protection Regulation (GDPR) but rather a new regulation that’s set to come into force later this year.
Under the new regulation, the European Data Protection Supervisor (EDPS) can, as “a last resort”, fine EU institutions 50,000 EUR per infringement and up to a maximum of 500,000 EUR.
Under the GDPR, private organizations can be fined up to 20 million EUR or 4 percent of revenue, whichever is higher.
Another of our recent reports also discovered the EU is serving third-party content and spreadsheets containing the names and email addresses of hundreds of individuals who have previously attended its events or conferences.
The decision from the ECJ will only apply to natural persons (e.g. individuals), not legal persons (e.g. private or public organizations), and will apply to all requests for preliminary rulings as of 1st July, 2018.
In its announcement (PDF) it also states, “any additional element likely to permit identification of the persons concerned will [also] be removed” and that the Court “may derogate in the event of an express request from a party or if the particular circumstances of the case so justify.”
The initials that will feature on court documents won’t be an individual’s initials but two random letters combined with a “distinctive element in brackets.”
It refers to a case from 26th June 2017, Case C-451/16, MB (Change of gender and retirement pension), as an example of this measure in action.
It also states that new measures “will not affect the way in which cases are handled by the Court or the usual progress of the proceedings.”
In 2017, the EDPS published a paper on the proposal that will govern how EU institutions process data that stated “it is essential that the [new regulation] become fully applicable at the same time as the GDPR i.e. on 25 May 2018.”