Last Updated on August 30, 2022 by LawEuro
Information Note on the Court’s case-law 265
August-September 2022
Judgment 30.8.2022 [Section III]
Article 8
Positive obligations
Article 8-1
Respect for private life
Authorities’ failure to adequately protect confidentiality of applicant’s health data and to investigate its disclosure through a database being sold in a market: violation
Facts – The applicant, who is HIV-positive and suffers from hepatitis, purchased a database from a Moscow market containing personal data in respect of more than 400,000 people registered as living in that city and its region, as well as information on people with HIV, AIDS and hepatitis. It also contained a compilation of the applicant’s personal data, including his health data. The applicant complained to the Investigative Committee of the Russian Federation (“Investigative Committee”) which refused to carry out a pre-investigation inquiry. His judicial complaint against that decision was dismissed.
Law – Article 8: As the database purchased by the applicant had contained a compilation of his personal data, including his health data, the circumstances of the present case fell within the scope of the applicant’s private life protected under Article 8 § 1. Further, the mere storing of data relating to the private life of an individual amounted to an interference within the meaning of Article 8.
It was uncontested that only the authorities had access to most of the data on the database, such as criminal records and preventive measures that had been applied, and that, in the past, in the context of criminal proceedings against the applicant, the investigator in charge had sought information about the applicant’s health condition from the Hospital for Infectious Diseases. Although it was in dispute whether the Ministry of the Interior had compiled the database, in the context of the case, there was no explanation other than that the State authorities, who had access to the data in question, had failed to prevent a breach of confidentiality. As a result, that data had become publicly available, thus engaging the responsibility of the respondent State. The circumstances of this major privacy breach had never been elucidated. The Court had repeatedly stressed the importance of appropriate safeguards to prevent the communication and disclosure of health data. The authorities had therefore failed to protect the confidentiality of the applicant’s health data, also in breach of the relevant domestic provisions.
Furthermore, whilst in cases concerning alleged privacy violations, a criminal-law remedy was not always required, and civil-law remedies could be seen as sufficient, no civil remedy had been available to the applicant prior to lodging his application with the Court. In addition, the applicant’s allegations had concerned the disclosure of his health data, as a part of the compilation of a vast amount of data and had been supported by prima facie evidence. In the face of such a major privacy breach, in practical terms, the applicant acting on his own, without the benefit of the State’s assistance in the form of an official inquiry, had no effective means of establishing the perpetrators of these acts, proving their involvement and bringing proceedings against them in the domestic courts. Accordingly, the complaint to the Investigative Committee could not be considered an inappropriate avenue of protection of his rights.
The authorities had never investigated the matter despite the evidence at hand, the existence of a legal framework for prosecuting intrusion into one’s private life and the absence of any reasons precluding an investigation.
Consequently, the authorities had failed to comply with their positive obligation to ensure adequate protection of the applicant’s right to respect for his private life.
Conclusion: violation (unanimously)
Article 41: EUR 7,500 in respect of non-pecuniary damage.
Leave a Reply