OPINION OF ADVOCATE GENERAL
SZPUNAR
delivered on 17 December 2020(1)
Case C‑439/19
B
joined parties:
Latvijas Republikas Saeima
(Request for a preliminary ruling from the Satversmes tiesa (Constitutional Court, Latvia))
(Request for a preliminary ruling – Regulation (EU) 2016/679 – Processing of personal data – Information relating to penalty points for road traffic offences – Concept of processing of personal data relating to criminal convictions and offences – National rules providing for the disclosure of such information and allowing its re-use)
I. Introduction
1. In 1946, George Orwell commented on the ‘Keep Death off the Roads’ campaign, which a former Member State of the European Union was running at the time, as follows: ‘If you really want to keep death off the roads, you would have to replan the whole road system in such a way as to make collisions impossible. Think out what this means (it would involve, for example, pulling down and rebuilding the whole of London), and you can see that it is quite beyond the power of any nation at this moment. Short of that you can only take palliative measures, which ultimately boil down to making people more careful’. (2)
2. The case at issue before the Satversmes tiesa (Constitutional Court, Latvia), which has turned to the Court by way of the present request for a preliminary ruling, has, at its core, the ‘palliative measures’ referred to above: in order to foster road safety by making drivers more aware and careful, penalty points are recorded against drivers who commit motoring offences. That information is then communicated and transmitted for re-use. The referring court, which is hearing a constitutional complaint that has been brought before it, is seeking to assess the compatibility of the national law in question with Regulation (EU) 2016/679 (3) (‘the GDPR’).
3. This makes the present case an almost classic data protection case in the sense that it is predominantly set in the offline-world and involves a vertical relationship between a State and an individual, placing it seamlessly within a line of cases which have reached the Court since the seminal Stauder judgment, (4) arguably the first case on data protection au sens large. (5)
4. In assessing how far a Member State can interfere with the personal rights of an individual in order to pursue its aim of fostering road safety, I shall propose to the Court that measures such as the Latvian legislation in question are not proportionate to the aim they intend to achieve.
5. But before we get to that point, the present case raises a whole range of fundamental and intricate questions, which will take us through the GDPR at breakneck speed. Fasten your seatbelts. It may save you the odd penalty point.
II. Legal framework
A. EU law
1. The GDPR
6. Chapter I of the GDPR, entitled ‘General Provisions’, contains Articles 1 to 4, which set out the subject matter and objectives, material and territorial scope as well as definitions.
7. Article 1 of the GDPR, entitled ‘Subject matter and objectives’, reads as follows:
‘1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
2. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
3. The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.’
8. Article 2 of the GDPR, entitled ‘Material scope’, provides:
‘1. This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
2. This Regulation does not apply to the processing of personal data:
(a) in the course of an activity which falls outside the scope of Union law;
(b) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;
(c) by a natural person in the course of a purely personal or household activity;
(d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
...’
9. Chapter II of the GDPR, which contains Articles 5 to 11, sets out the principles of the regulation: principles relating to processing of personal data, lawfulness of processing, conditions for consent, including a child’s consent in relation to information society services, processing of special categories of personal data and of personal data relating to criminal convictions and offences, and processing which does not require identification.
10. Pursuant to Article 5 of the GDPR, headed ‘Principles relating to processing of personal data’:
‘1. Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (“purpose limitation”);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (“storage limitation”);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).
2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (“accountability”).’
11. Article 10 of the GDPR, headed ‘Processing of personal data relating to criminal convictions and offences’, states:
‘Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.’
2. Directive 2003/98/EC
12. Article 1 of Directive 2003/98/EC, (6) headed ‘Subject matter and scope’, reads as follows:
‘1. This Directive establishes a minimum set of rules governing the re-use and the practical means of facilitating re-use of existing documents held by public sector bodies of the Member States.
2. This Directive shall not apply to:
(a) documents the supply of which is an activity falling outside the scope of the public task of the public sector bodies concerned as defined by law or by other binding rules in the Member State, or in the absence of such rules, as defined in line with common administrative practice in the Member State in question, provided that the scope of the public tasks is transparent and subject to review;
(b) documents for which third parties hold intellectual property rights;
(c) documents which are excluded from access by virtue of the access regimes in the Member States, including on the grounds of:
— the protection of national security (i.e. State security), defence, or public security,
— statistical confidentiality,
— commercial confidentiality (e.g. business, professional or company secrets);
(ca) documents access to which is restricted by virtue of the access regimes in the Member States, including cases whereby citizens or companies have to prove a particular interest to obtain access to documents;
(cb) parts of documents containing only logos, crests and insignia;
(cc) documents access to which is excluded or restricted by virtue of the access regimes on the grounds of protection of personal data, and parts of documents accessible by virtue of those regimes which contain personal data the re-use of which has been defined by law as being incompatible with the law concerning the protection of individuals with regard to the processing of personal data;
(d) documents held by public service broadcasters and their subsidiaries, and by other bodies or their subsidiaries for the fulfilment of a public service broadcasting remit;
(e) documents held by educational and research establishments, including organisations established for the transfer of research results, schools and universities, except university libraries and
(f) documents held by cultural establishments other than libraries, museums and archives.
3. This Directive builds on and is without prejudice to access regimes in the Member States.
4. This Directive leaves intact and in no way affects the level of protection of individuals with regard to the processing of personal data under the provisions of Union and national law, and in particular does not alter the obligations and rights set out in Directive 95/46/EC. [(7)]
5. The obligations imposed by this Directive shall apply only insofar as they are compatible with the provisions of international agreements on the protection of intellectual property rights, in particular the Berne Convention [(8)] and the TRIPS Agreement.’ [(9)]
13. Article 2 of Directive 2003/98, headed ‘Definitions’, reads as follows:
‘For the purpose of this Directive the following definitions shall apply:
1. “public sector body” means the State, regional or local authorities, bodies governed by public law and associations formed by one or several such authorities or one or several such bodies governed by public law;
2. “body governed by public law” means any body:
(a) established for the specific purpose of meeting needs in the general interest, not having an industrial or commercial character; and
(b) having legal personality; and
(c) financed, for the most part by the State, or regional or local authorities, or other bodies governed by public law; or subject to management supervision by those bodies; or having an administrative, managerial or supervisory board, more than half of whose members are appointed by the State, regional or local authorities or by other bodies governed by public law;
3. “document” means:
(a) any content whatever its medium (written on paper or stored in electronic form or as a sound, visual or audiovisual recording);
(b) any part of such content;
4. “re-use” means the use by persons or legal entities of documents held by public sector bodies, for commercial or non-commercial purposes other than the initial purpose within the public task for which the documents were produced. Exchange of documents between public sector bodies purely in pursuit of their public tasks does not constitute re-use;
5. “personal data” means data as defined in Article 2(a) of Directive 95/46/EC.
6. “machine-readable format” means a file format structured so that software applications can easily identify, recognize and extract specific data, including individual statements of fact, and their internal structure;
7. “open format” means a file format that is platform-independent and made available to the public without any restriction that impedes the re-use of documents;
8. “formal open standard” means a standard which has been laid down in written form, detailing specifications for the requirements on how to ensure software interoperability;
9. “university” means any public sector body that provides post-secondary-school higher education leading to academic degrees.’
14. Article 3 of Directive 2003/98, headed ‘General principle’, reads as follows:
‘1. Subject to paragraph 2 Member States shall ensure that documents to which this Directive applies in accordance with Article 1 shall be re-usable for commercial or non-commercial purposes in accordance with the conditions set out in Chapters III and IV.
2. For documents in which libraries, including university libraries, museums and archives hold intellectual property rights, Member States shall ensure that, where the re-use of such documents is allowed, these documents shall be re-usable for commercial or non-commercial purposes in accordance with the conditions set out in Chapters III and IV.’
B. Latvian law
15. Article 141 (2) of the Ceļu satiksmes likums (‘the Law on motoring’) (10) is worded as follows:
‘Information relating to a vehicle owned by a legal person, … to a person’s right to drive vehicles, to fines for the commission of motoring offences which have been imposed on a person but not paid within the time limits laid down by law and other information recorded in the national register of vehicles and their drivers [“the national vehicle register”], as well as in the system of information on means of traction and drivers, shall be regarded as information in the public domain.’
III. Facts, procedure and questions referred
16. B, the applicant in the proceedings before the referring court, is a natural person on whom penalty points were imposed under the Law on motoring and a related decree. (11) The Ceļu satiksmes drošības direkcija (the Road Safety Directorate, Latvia, ‘the CSDD’) is a public body which entered those penalty points in the national vehicle register.
17. Since information relating to penalty points can be communicated upon request and was, according to B, transmitted for re-use to several companies, B filed a constitutional complaint with the referring court, challenging the conformity of Article 141 (2) of the Law on motoring with the right to privacy set out in Article 96 of the Latvijas Republikas Satversme (the Latvian Constitution).
18. Since Article 141 (2) of the Law on motoring was adopted by the Latvijas Republikas Saeima (Latvian Parliament, ‘the Saeima’), that institution participated in the proceedings. The CSDD, which processes the data at issue, was also heard. In addition, the Datu valsts inspekcija (Data Protection Authority, Latvia) – which in Latvia is the supervisory authority within the meaning of Article 51 of the GDPR – and several other authorities and persons were invited to give their opinion as amici curiae before the referring court.
19. The Saeima acknowledges that, under the provision at issue, any person may obtain information about another person’s penalty points either by enquiring directly at the CSDD or by using the services provided by commercial re-users.
20. That being the case, the Saeima considers that the provision at issue is lawful because it is justified by the objective of improving road safety, which requires that traffic offenders be openly identified and that drivers be deterred from committing offences.
21. In addition, the right of access to information, provided for in Article 100 of the Latvian Constitution, should be respected. In any event, the processing of information relating to penalty points takes place under the control of the public authority and in compliance with appropriate safeguards for the rights and freedoms of data subjects.
22. The Saeima further explains that, in practice, communication of the information contained in the national vehicle register is subject to the condition that the person requesting the information provide the national identification number of the driver about whom he or she wishes to enquire. This precondition for obtaining information is explained by the fact that, unlike a person’s name, a national identification number is a unique identifier.
23. The CSDD, for its part, explained to the referring court the functioning of the penalty points system and confirmed that the national legislation does not impose any limits on public access to and re-use of data relating to penalty points.
24. The CSDD also provided details of the contracts concluded with commercial re-users. It pointed out that these contracts do not provide for the legal transfer of data and that re-users ensure that the information transmitted to their customers does not exceed that which can be obtained from the CSDD. In addition, one of the contractual terms stipulates that the acquirer of the information must use it in the manner laid down in the regulations in force and in accordance with the purposes indicated in the contract.
25. The Data Protection Authority expressed doubts as to the compliance of the provision at issue with Article 96 of the Latvian Constitution. It did not rule out the possibility that the processing of the data at issue may be inappropriate or disproportionate.
26. That authority also observed that, although the statistics on traffic accidents in Latvia show a decrease in the number of accidents, there is no evidence that the penalty points system and public access to information relating to it have contributed to this favourable development.
27. The Satversmes tiesa (Constitutional Court) notes, first of all, that the proceedings before it do not concern Article 141 (2) of the Law on motoring in its entirety, but only in so far as that provision makes information relating to penalty points entered in the national vehicle register accessible to the public.
28. That court further considers that penalty points are personal data and must therefore be processed in accordance with the right to respect for private life. It emphasises that in assessing the scope of Article 96 of the Latvian Constitution, account must be taken of the GDPR as well as of Article 16 TFEU and Article 8 of the Charter of Fundamental Rights of the European Union (‘the Charter’).
29. With regard to the objectives of the Law on motoring, the referring court states that it is with the aim of influencing the conduct of vehicle drivers and thus minimising the risks to life, health and property of persons, that offences committed by drivers, which are classified as administrative offences in Latvia, are entered in the national register of convictions and that penalty points are entered in the national vehicle register.
30. The national register of convictions constitutes a single register of convictions of persons who have committed offences (whether criminal or administrative), with the aim of, inter alia, facilitating the review of the penalties imposed. By contrast, the national vehicle register makes it possible to keep track of road traffic offences and to implement measures depending on the number of such offences committed. The penalty points system aims to improve road safety by distinguishing vehicle drivers who, systematically and in bad faith, disregard road traffic rules from drivers who occasionally commit offences, and by influencing the conduct of road users in a deterrent manner.
31. The referring court observes that Article 141 (2) of the Law on motoring gives any person the right to request and obtain from the CSDD the information in the national vehicle register relating to the penalty points imposed on drivers. In practice, information on penalty points is provided to the person requesting it as soon as the person indicates the national identification number of the driver concerned.
32. The Satversmes tiesa (Constitutional Court) subsequently clarifies that penalty points, by virtue of their classification as publicly available information, fall within the scope of the Law on the disclosure of information and may therefore be re-used for commercial or non-commercial purposes other than the original purpose for which the information was created.
33. In order to interpret and apply Article 96 of the Latvian Constitution in conformity with EU law, the referring court wishes to know, first, whether penalty points such as those imposed under Latvian law, fall within the scope of Article 10 of the GDPR. In particular, the referring court seeks to ascertain whether Article 141 (2) of the Law on motoring infringes the requirements contained in Article 10 of the GDPR that the processing of the data referred to in that provision may be carried out only ‘under the control of official authority’ or under ‘appropriate safeguards for the rights and freedoms of data subjects’.
34. That court observes that Article 8(5) of Directive 95/46, which left it to each Member State to assess whether the special rules on data relating to offences and criminal convictions should be extended to data relating to administrative offences and penalties, was implemented in Latvia by Article 12 of the Fizisko personu datu aizsardzības likums (Law on the protection of data of natural persons), according to which personal data relating to administrative offences could, like data relating to criminal offences and convictions, be processed only by the persons, and in the circumstances, provided for by law.
35. It follows from this that for more than a decade similar requirements have been applied in Latvia for the processing of personal data relating to criminal offences and convictions and of personal data relating to administrative offences.
36. That court also observes that the scope of Article 10 of the GDPR must, in accordance with recital 4 of that regulation, be assessed taking into account the function of fundamental rights in society. It considers, in this respect, that the objective of ensuring that a person’s private and professional life is not unduly adversely affected as a result of a previous conviction could apply both to criminal convictions and to administrative offences.
37. The Satversmes tiesa (Constitutional Court) seeks to ascertain, secondly, the scope of Article 5 of the GDPR. In particular, it wonders whether, in the light of recital 39 of that regulation, the Latvian legislature has complied with the obligation, set out in Article 5(1)(f) of the GDPR, to ensure that personal data are processed with ‘integrity and confidentiality’. It observes that Article 141 (2) of the Law on motoring, which, by allowing access to information on penalty points, makes it possible to determine whether a person has been convicted of a road traffic offence, has not been accompanied by specific measures ensuring the security of such data.
38. The referring court wishes to know, thirdly, whether Directive 2003/98 is relevant to the assessment of whether Article 141 (2) of the Law on motoring is compatible with Article 96 of the Latvian Constitution. It points out that, pursuant to that directive, the re-use of personal data may be permitted only if the right to privacy is respected.
39. Fourthly, in the light of the Court’s case-law according to which the interpretation of EU law provided in preliminary rulings has erga omnes and ex tunc effects, the referring court wonders whether it could nevertheless, if Article 141 (2) of the Law on motoring is found to be incompatible with Article 96 of the Latvian Constitution, read in the light of EU law as interpreted by the Court, rule that the legal effects of Article 141 (2) will be maintained until the date of delivery of its judgment in which it declares that that provision is unconstitutional, on the basis that a large number of legal relationships will be affected by its judgment.
40. In this respect, the referring court explains that, pursuant to Latvian law, an act which is declared unconstitutional is to be considered void from the day of publication of the Satversmes tiesa’s (Constitutional Court) judgment, unless that court decides otherwise. It also explains its practice of seeking to strike a balance between the principle of legal certainty and the fundamental rights of the various parties concerned when determining the date from which the provision declared unconstitutional will no longer be in force.
41. It is against this background that, by order of 4 June 2019, received at the Court on 11 June 2019, the Satversmes tiesa (Constitutional Court) referred the following questions for a preliminary ruling:
‘(1) Must the expression “processing of personal data relating to criminal convictions and offences or related security measures”, used in Article 10 of the GDPR, be interpreted as meaning that it includes the processing of information relating to penalty points recorded against drivers for motoring offences as provided for in the provision at issue?
(2) Irrespective of the answer to the first question, can the provisions of the GDPR, in particular the principle of “integrity and confidentiality” referred to in Article 5(1)(f) thereof, be interpreted as meaning that they prohibit Member States from stipulating that information relating to penalty points recorded against drivers for motoring offences falls within the public domain and from allowing such data to be processed by being communicated?
(3) Must recitals 50 and 154, Article 5(1)(b) and Article 10 of the GDPR and Article 1(2)(cc) of Directive 2003/98 be interpreted as meaning that they preclude the legislation of a Member State which allows information relating to penalty points recorded against drivers for motoring offences to be transmitted for the purposes of re-use?
(4) If any of the foregoing questions is answered in the affirmative, must the principle of the primacy of EU law and the principle of legal certainty be interpreted as meaning that it might be permissible to apply the provision at issue and maintain its legal effects until such time as the decision ultimately adopted by the Satversmes tiesa (Constitutional Court) becomes final?’
42. Written observations were submitted by the Latvian, Dutch, Austrian and Portuguese Governments and by the European Commission.
43. Against the background of the spread of the SARS-CoV-2 virus, the Court decided to vacate the hearing of this matter which had been listed for 11 May 2020. By way of measures of organisation of procedure and as an exceptional step, the Court decided to replace that hearing with questions to be answered in writing. The Latvian and Swedish Governments and the Commission answered the questions put to them by the Court.
IV. Assessment
44. This request for a preliminary ruling raises a number of fundamental questions about the GDPR. All of these questions, however, presuppose the applicability of the GDPR to the case at issue. (12) I raise this point given the fact that the European Union has not legislated in the area of penalty points for driving offences.
A. On the material scope of the GDPR – Article 2(2)(a)
45. Pursuant to Article 2(2)(a) of the GDPR, that regulation does not apply to the processing of personal data in the course of an activity which falls outside the scope of EU law. It is apparent that while Article 2(1) of the GDPR positively formulates what falls under that regulation, (13) Article 2(2) excludes four types of activity from its scope. As an exception to the general rule, Article 2(2) of the GDPR must be interpreted strictly. (14)
46. The EU legislature has chosen to use a regulation as the form of legal instrument in order to increase the degree of uniformity of EU data protection law, in particular in order to create a level playing field among (economic) operators within the internal market, regardless of where those operators are based. (15)
47. Article 16 TFEU not only contains the legal basis for the adoption of texts such as the GDPR, but also constitutes, more generally, forming part of Part One, Title II, of the FEU Treaty, (16) a horizontal provision of a constitutional character which must be taken into account in the exercise of any EU competence.
48. Just as its predecessor, Directive 95/46, did, the GDPR seeks to ensure a high level of protection of the fundamental rights and freedoms of natural persons, in particular the right to privacy, with respect to the processing of personal data. (17)
49. The wording of Article 2(2)(a) of the GDPR essentially mirrors that of Article 16(2) TFEU, (18) which constitutes the legal basis of that regulation under primary law. According to Article 16(2) TFEU, the EU legislature is to lay down the rules relating to the protection of individuals with regard to the processing of personal data by the Member States ‘when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data’. (19) That provision is, therefore, declaratory in nature. Accordingly, the analysis which follows applies to Article 2(2)(a) of the GDPR and Article 16(2) TFEU in equal measure.
50. The first thing to note is that the wording of Article 2(2)(a) of the GDPR (‘an activity which falls outside the scope of Union law’) differs from that of Article 51(1) of the Charter, (20) according to which ‘the provisions of the Charter are addressed to … the Member States only when they are implementing Union law’. (21)
51. If one were to see this as an indication that the wording of Article 2(2)(a) of the GDPR is wider than that of Article 51(1) of the Charter, (22) given that the Court has interpreted Article 51(1) of the Charter to mean that the Charter applies ‘where national legislation falls within the scope of European Union law’, (23) there is no substantial difference between the wording of these two provisions as interpreted by the Court. (24)
52. That said, I do not think that analogies with the Court’s case-law on the field of application of the Charter should be drawn. (25) That would be too restrictive and would be counter to the objective pursued by Article 16 TFEU and by the GDPR. Indeed, the logic of the Charter is wholly different from that of the GDPR: the Charter seeks to domesticate the exercise of power by the EU institutions and Member States when they operate within the scope of EU law and, conversely, provide a shield for individuals to assert their respective rights. By contrast, the protection of personal data is more than a fundamental right. As is demonstrated by Article 16 TFEU, (26) data protection constitutes an EU policy field in its own right. The very purpose of the GDPR is that it is to apply to any form of processing of personal data, regardless of the subject matter involved – and this, incidentally, whether carried out by Member States or individuals. Interpreting the terms of Article 2(2)(a) of the GDPR restrictively would completely frustrate that objective. The GDPR, which was intended to be a tiger for data protection, would turn out to be a domestic kitten.
53. The mere existence of a provision such as Article 10 of the GDPR, which will be interpreted in detail below in my analysis of the referring court’s first question, is a case in point in this respect. If the GDPR deals with ‘processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1)’ of the GDPR, (27) at a time when criminal convictions and offences are almost exclusively determined under national and not EU law, short of Article 10 of the GDPR being invalid, that regulation cannot have the accessory function which is proper to the Charter.
54. The same applies to the existence of Article 87 of the GDPR, which allows Member States to further determine the specific conditions for the processing of a national identification number. (28)
55. Moreover, account should be taken of recital 16 of the GDPR which, in the non-prescriptive but nevertheless instructive part of that regulation, mirrors Article 2 of the GDPR. Here, national security is mentioned as an example of an area falling outside the scope of EU law. The same goes for the equally non-binding declaration on Article 16 of the FEU Treaty (29) where it is declared that ‘whenever rules on protection of personal data to be adopted on the basis of Article 16 [TFEU] could have direct implications for national security, due account will have to be taken of the specific characteristics of the matter’ and where it is recalled that ‘in particular Directive 95/46 … includes specific derogations in this regard’. (30)
56. This explicit focus on national security is a clear indication of what both the FEU Treaty authors (Article 16 TFEU) and the EU legislature (Article 2(2)(a) of the GDPR) had in mind when they drafted the respective passages.
57. The EU legislature has specified elsewhere, still in the context of data protection, that national security is in this context to be understood as ‘State security’. (31)
58. In this connection, Article 2(2)(a) of the GDPR should be seen against the background of Article 4(2) TEU, which provides that the European Union is to respect Member States’ essential State functions (32) and in this respect specifies, by way of example, that ‘national security remains the sole responsibility of each Member State’. Article 2(2)(a) of the GDPR does nothing more than reiterate this constitutional requirement of what must be guaranteed for a State to function. (33)
59. On the basis of the preceding analysis, I have no grounds to believe that Article 2(2)(a) of the GDPR introduces a test with a high threshold to be met in order to trigger the applicability of the GDPR, nor that this would have been the intention of the EU legislature.
60. Finally, a quick glance at the remaining three exceptions to the material scope of the GDPR, contained in Article 2(2)(b) to (d), confirms this analysis. The GDPR thus does not apply to the processing of personal data by the Member States when carrying out activities within the scope of the EU’s common foreign and security policy, (34) by a natural person in the course of a purely personal or household activity, (35) and by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. (36)
61. The exclusion of the common foreign and security policy, which remains predominantly intergovernmental, is only logical. (37) Purely personal and household activities of natural persons are in any event, in principle, outside the scope of EU law since they are not governed by primary or secondary law. The same applies, in principle, to the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. Nevertheless, the reason for this last exception is that the Union has adopted a specialised directive, (38) incidentally on the same date on which the GDPR was adopted. In addition, it is apparent from Article 23(1)(d) of the GDPR that the processing of personal data carried out by individuals for the same purposes falls within the scope of the GDPR. (39)
62. Accordingly, if they are to have any normative legal significance, the last two exceptions cannot be held to fall outside the scope of EU law within the meaning of Article 2(2)(a) of the GDPR.
63. Finally, it should be pointed out that there is no discernible evidence that the Court would, as a matter of principle, apply a strict test as to the scope of the GDPR or Directive 95/46 under Article 2 of the GDPR and Article 3 of Directive 95/46, respectively. (40) On the contrary, the Court tends to stress that ‘the applicability of Directive 95/46 cannot depend on whether the specific situations at issue in the main proceedings have a sufficient link with the exercise of the fundamental freedoms guaranteed by the Treaty’. (41)
64. To conclude this preliminary part of the analysis, on a proper construction of Article 2(2)(a) of the GDPR, that regulation applies to the processing of personal data in or by a Member State, unless that processing is carried out in an area where the European Union does not have competence.
65. As a consequence, the GDPR is applicable to the case at issue and must be taken into account by the referring court in examining the validity of the national law.
B. On Article 86 of the GDPR
66. For the sake of completeness, I would like briefly to address the provision of Article 86 of the GDPR in the case at issue.
67. Pursuant to that article, personal data in official documents held by a public authority or a public body or a private body for the performance of a task carried out in the public interest may be disclosed by the authority or body in accordance with EU or Member State law to which the public authority or body is subject in order to reconcile public access to official documents with the right to the protection of personal data pursuant to the GDPR.
68. All that provision does is acknowledge the importance of public access to official documents. Moreover, as the Commission has rightly pointed out, no further guidance is given in that provision on how public access to official documents should be reconciled with data protection rules. (42) The provision is rather declaratory in nature, which is more akin to a recital than a prescriptive provision of a legal text. (43) As a consequence, I would submit that the ‘narrative norm’ of Article 86 of the GDPR does not have any bearing on the analysis that follows.
C. First Question: Penalty points under Article 10 of the GDPR
69. By its first question, the referring court seeks to ascertain whether Article 10 of the GDPR is to be interpreted as meaning that it covers situations of processing of information relating to penalty points recorded against drivers for motoring offences as provided for by national law.
70. Pursuant to that provision, processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) of the GDPR (44) is to be carried out only under the control of official authority. (45) Any comprehensive register of criminal convictions is to be kept only under the control of official authority.
71. In view of the fact that the CSDD appears to be an official – in the sense of ‘public’ – authority, one may question the pertinence of the first question and wonder whether it is hypothetical in the sense of the Court’s case-law on admissibility. Nevertheless, I would dispel such doubts by pointing out that the present case concerns both the communication of penalty points (by the CSDD) and the re-use of that data by other bodies. To the extent that the first question refers to those other bodies, it is, in my view, admissible.
1. Personal data
72. Article 4(1) of the GDPR stipulates that ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
73. There is no reason to doubt that information relating to penalty points recorded against drivers for motoring offences constitutes personal data within the meaning of Article 4(1) of the GDPR.
2. … relating to criminal convictions and offences or related security measures
74. As regards the ‘offences’ mentioned in Article 10 of the GDPR, it should be noted that it is not entirely clear in all language versions of that provision whether it refers to criminal offences only or whether it also covers administrative offences. The most natural and intuitive interpretation of the English language version is that the term ‘criminal’ has been placed, so to speak, before the bracket and refers to both ‘convictions’ and ‘offences’. In this connection, some language versions (46) do not leave any room for doubt: ‘offences’ within the meaning of Article 10 of the GDPR are to be construed as ‘criminal’. Other language versions (47) are ambiguous in that they are open to more than one interpretation. The Latvian language version (saistītiem drošības pasākumiem), which, it is to be presumed, is the language version the referring court is most familiar with, is also ambiguous. Here, not only is it not specified whether ‘offences’ (pārkāpumi) are to be criminal in nature, but it is also left open whether ‘convictions’ (sodāmība) are to be criminal in nature. (48)
75. Even if the different language versions may appear variegated, some conclusions can nevertheless be drawn at this point.
76. All the official languages of the European Union are the authentic languages of the acts in which they are drafted and, therefore, all the language versions of an act of the European Union must, as a matter of principle, be recognised as having the same value. (49) An interpretation of a provision of EU law thus involves a comparison of the different language versions. (50) Moreover, the various language versions of a text of EU law must be given a uniform interpretation. (51)
77. In those circumstances, it is the meaning of the more ‘precise’ language versions which must be taken to be correct, in particular since this more precise meaning is also one of the possible interpretations under the less precise language versions, where one possibility is that ‘offences’ are interpreted as only ‘criminal’ in nature. I can therefore provisionally conclude at this stage that, on the basis of a comparative reading of the different language versions of Article 10 of the GDPR, the term ‘criminal’ refers both to ‘convictions’ and ‘offences’. (52)
78. Moreover, that proposed interpretation of Article 10 of the GDPR retains the distinction made in its precursor, Article 8(5) of Directive 95/46. Under that previous provision, the control of official authority was required for the processing of data relating to criminal convictions and offences, (53) whereas for administrative sanctions there was the possibility of making the processing of data subject to the control of official authority. (54) If under Article 8(5) of Directive 95/46 the term ‘offences’ had been understood to encompass ‘administrative offences’, then the second limb of that provision would have been redundant.
79. This finding still leaves open the question of what exactly is to be understood by the term ‘criminal offences’.
80. The first issue here is whether that term constitutes an autonomous term of EU law or whether the interpretation of the term is left to the Member States.
81. According to settled case-law of the Court, the need for a uniform application of EU law and the principle of equality require that the wording of a provision of EU law which makes no express reference to the law of the Member States for the purpose of determining its meaning and scope must normally be given an autonomous and uniform interpretation throughout the European Union. (55) That interpretation must take into account the wording, objectives and legislative context of the provision in question as well as the provisions of EU law as a whole. The origins of a provision of EU law may also provide information relevant to its interpretation. (56)
82. Here, it is clear that, in principle, criminal legislation and rules of criminal procedure are matters for which the Member States are responsible. (57) As a consequence, Member States will be in a position to determine what constitutes an offence. (58)
83. However, once the EU legislature has chosen the legal form of a regulation, as opposed to a directive, I would submit that a uniform interpretation throughout the European Union of the terms of that regulation should be the norm, so as to ensure its general application and direct applicability in all Member States, in line with Article 288(2) TFEU.
84. In a similar vein, there are indications that the Union legislature did not wish to refer to national law(s) as regards the interpretation of the term ‘offences’. Thus, recital 13 of Directive 2016/680 (59) states that a criminal offence within the meaning of that directive should be an autonomous concept of EU law as interpreted by the Court of Justice of the European Union. In a spirit of a maiore ad minus, I would submit that such a statement also applies to the GDPR which, as stated above, constitutes, as a regulation, a legal act which automatically possesses a higher degree of integration and centralisation.
85. The second issue, which consists in establishing whether the personal data in question relates to criminal convictions and offences or related security measures within the meaning of Article 10 of the GDPR, is more difficult.
86. The Court has previously had occasion to rule on the definition of a ‘criminal offence’ in the context of the ne bis in idem principle (60) under Article 50 of the Charter. (61)
87. Here, the Court draws on case-law of the European Court of Human Rights, (62) according to which three criteria are relevant in defining the term ‘criminal proceedings’: the legal classification of the offence under national law, the very nature of the offence, and the nature and degree of severity of the penalty that the person concerned is liable to incur. (63)
88. Penalty points such as those imposed under the national law in question do not, in my view, qualify as a criminal offence under that case-law as they do not fulfil those criteria. In particular, they are not very severe in nature. (64)
89. Finally, I should like to point out that, as a result of this analysis, there is no need to examine the delimitation between Article 10 of the GDPR and the provisions of Directive 2016/680, since that directive is not applicable to the case at issue.
3. Proposed reply
90. I therefore propose to answer the first question to the effect that Article 10 of the GDPR is to be interpreted as meaning that it does not cover situations of processing of information relating to penalty points recorded against drivers for motoring offences as provided for by a national law such as Article 141 (2) of the Law on motoring.
D. Second Question: Communicating penalty points
91. By its second question, the referring court seeks to ascertain, in essence, whether the provisions of the GDPR preclude a Member State from processing and communicating information relating to penalty points recorded against drivers for motoring offences.
92. Although the referring court points, by way of example, to the principle of integrity and confidentiality contained in Article 5(1)(f) of the GDPR, (65) the question is worded in broad terms, since it refers to the provisions of that regulation as a whole. (66) The analysis below will therefore extend to provisions of the GDPR other than that mentioned by the referring court in its question.
93. All processing of personal data must comply, first, with the principles relating to data quality set out in Article 5 of the GDPR and, second, with one of the criteria governing the legitimacy of data processing listed in Article 6 of that regulation. (67) We can infer from the wording of those two provisions that the former are cumulative (68) and the latter alternative in nature. (69)
94. The second question relates to the data quality principles. The referring court appears – quite rightly – to assume that the CSDD processes data and it does not question the recording of the penalty points as such, but the communication of the points on request.
95. The CSDD is undeniably a ‘controller’ within the meaning of Article 4, point 7, of the GDPR, which processes personal data within the meaning of Article 4, point 2, of that regulation by recording the penalty points in the national vehicle register.
96. Suffice it to point out that the Court has held, with respect to a publicly held ‘companies register’, that by transcribing and keeping information in that register and communicating it, where appropriate, on request to third parties, the authority responsible for maintaining that register carries out ‘processing of personal data’ for which it is the ‘controller’, within the meaning of those definitions set out in Directive 95/46, (70) which constitute the precursors to the definitions set out in Article 4, points 2 and 7, of the GDPR. (71)
1. On Article 5(1)(f) of the GDPR: Integrity and confidentiality
97. This raises the question whether the principles of integrity and confidentiality set out in Article 5(1)(f) of the GDPR – a provision to which the referring court itself refers in its question – have been respected.
98. Pursuant to Article 5(1)(f) of the GDPR, personal data is to be processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
99. As is clear from its wording, this provision concerns security, technical and organisational measures used in connection with the processing of personal data. (72) We are dealing here with general formal requirements regarding security of data. (73)
100. By contrast, the referring court is seeking guidance which is more fundamental and which relates to the legal possibility of such processing. Put differently and in more figurative terms, it seeks guidance on the if of the processing of personal data, whereas Article 5(1)(f) of the GDPR deals with the how of such processing. As a consequence, Article 5(1)(f) of the GDPR is not of relevance for the case at issue.
2. On Article 5(1)(a) of the GDPR: Lawfulness, fairness and transparency
101. Pursuant to Article 5(1)(a) of the GDPR, personal data is to be processed lawfully, fairly and in a transparent manner in relation to the data subject.
102. It should be noted that the term ‘lawfulness’ appears both in Article 5(1)(a) and in Article 6 of the GDPR. Reading the detailed requirements of Article 6 into Article 5 of that regulation would make little sense from the perspective of legislative drafting if Article 5 were also to contain the criteria of Article 6 of the GDPR.
103. Instead, lawfulness within the meaning of Article 5(1)(a) of the GDPR should be read in the light of recital 40 of that regulation, (74) which requires processing to be based on either consent or another legal basis, laid down by law. (75)
104. That being so (there is a legal basis under national law), I see no reason to question the lawfulness of the processing in the case at issue. (76)
105. I therefore agree with the submissions of the Austrian Government (77) that this principle is not relevant to the facts of the case at issue.
3. On Article 5(1)(b) of the GDPR: Purpose limitation
106. Article 5(1)(b) of the GDPR lays down the principle of ‘purpose limitation’ by stating that personal data is to be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. (78)
107. The referring court explains that the provision at issue, Article 141 (2) of the Law on motoring, pursues the aim of road safety by exposing drivers who are in contravention of the rules. As such, communication of the penalty points appears to be a specified, explicit and legitimate purpose. Moreover, the processing of personal data does not appear incompatible with that purpose.
4. On Article 5(1)(c) of the GDPR: Data minimisation
108. Pursuant to Article 5(1)(c) of the GDPR, the principle of data minimisation requires personal data to be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Correspondingly, recital 39 of the GDPR states that personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means.
109. As with the other principles enshrined in Article 5(1) of the GDPR, I understand this principle to reflect the principle of proportionality, (79) which is why I consider it appropriate to examine at this stage whether the national law in question is proportionate to the objective it seeks to achieve.
110. It is settled case-law that the principle of proportionality, as a general principle of EU law, requires that measures implemented by acts of the European Union are appropriate for attaining the objective pursued and do not go beyond what is necessary to achieve it. (80)
111. Indeed, Article 141 (2) of the Law on motoring must be appropriate and necessary in order to pursue its purported aim, namely to enhance road safety.
(a) Appropriateness
112. The first purported objective of the national law at issue is to identify vehicle drivers who systematically disregard the rules of the road traffic system. It is clear that the identification of road traffic rule offenders does not depend in any way on the public nature (generally available) of the penalty points imposed on the perpetrator of an offence. It is the sole responsibility of a public authority accurately to identify such offenders and to keep records of the penalty points imposed on them so that the appropriate legal consequences follow and relevant sanctions can be applied.
113. The second objective of the national law provision authorising the disclosure of the personal data in question, invoked by the Saeima, is to influence the conduct of road users in order to discourage possible offenders from committing further offences. Here, it could be accepted that giving any person the opportunity to know who is breaking traffic rules is likely to have some deterrent effect: many drivers would object to such information about them being disclosed to the general public, so as not to be labelled as lawbreakers.
114. That aim is also clearly stated in Article 431 of the Law on motoring as the objective pursued by the introduction of the penalty points system. It is quite obvious that making penalty points public may, to a certain extent, constitute an additional deterrent factor. The provision at issue would thus, in principle, be in line with the general interest pursued, namely to promote road safety and avoid traffic accidents.
115. That said, if the personal data in question are made available only on request and if the applicant provides the personal identification number of the person concerned, this raises the question of how difficult it is to obtain that number. Indeed, the more difficult it is to obtain such data, the less dissuasive the disclosure regime will be, since whether that data are publicly available will depend on other factors that are difficult to predict.
116. It is for that reason that I have grave doubts as to the appropriateness of the national law in question.
117. It is for the referring court to decide, in the light of all the circumstances of the case, whether Article 141 (2) of the Law on motoring is genuinely appropriate for achieving the legitimate objective of improving road safety.
(b) Necessity
118. As regards the question of necessity, that is to say, the requirement that the measure in question must not go beyond what is necessary to achieve the objective pursued, the situation appears more clear-cut.
119. Again, it is for the referring court to decide, in the light of all the circumstances of the case, whether the provision at issue is genuinely necessary. However, on the basis of the information available, I do not see how that provision could on any view be regarded as necessary.
120. Although the objective of promoting road safety is important, it is necessary to strike a fair balance between the different interests involved and, consequently, it is for the national legislature to decide whether the disclosure of the personal data in question goes beyond what is necessary to achieve the legitimate objectives pursued, having regard in particular to the infringement of fundamental rights generated by such disclosure.
121. The order for reference does not indicate whether the Saeima, prior to the adoption of the provision at issue, considered other means of achieving the objective of promoting road safety which would have led to less interference with the right of individuals to data protection. Furthermore, the legislature must be able to demonstrate that the derogations and limitations to data protection would be in strict compliance with the limits imposed. A careful assessment of the impact on data protection should be carried out before publishing a data set (or before adopting a law requiring its publication), including an assessment of the possibilities for re-use and the potential impact of re-use.
122. The existence and accuracy of such information is essential for deciding whether the objectives of fostering road safety and reducing traffic accidents can be achieved by measures which would be less detrimental to the rights of the persons concerned and thus avoid or at least mitigate a breach of the protection afforded by Article 8 of the Charter.
123. The invasion of privacy caused by the publication of data on offences and penalties imposed is, in itself, particularly serious: it discloses to the general public information about offences committed by an individual. Moreover, it cannot be excluded that such data processing inherent in the publication of the data in question may lead to the stigmatisation of the offender and other negative consequences. Therefore, such ‘blacklists’ must be strictly regulated.
124. Finally, as stated by the Data Protection Authority, the preventive nature of the provision at issue and the statistics indicating favourable trends, namely a reduction in the number of traffic accidents, do not show that that reduction is linked to the introduction of the penalty points system per se or to the fact that information relating to the penalty points recorded is publicly accessible.
5. Proposed reply
125. My proposal to the Court as to the reply to the second question is, accordingly, that a national law such as Article 141 (2) of the Law on motoring which allows for the processing and communicating of information relating to penalty points recorded against drivers for motoring offences is precluded by Article 5(1)(c) of the GDPR.
E. Third Question: Re-use of personal data
1. On Directive 2003/98
126. As set out in Article 1(1) of Directive 2003/98, that directive establishes a minimum set of rules governing the re-use and the practical means of facilitating re-use of existing documents held by public sector bodies of the Member States.
127. We can assume, for present purposes, that penalty points in Latvia are recorded in documents held by the CSDD as a public sector body within the meaning of that provision.
128. However, we are not within the scope of Directive 2003/98, given that Article 1(2)(cc) thereof states that that directive is not to apply to documents access to which is excluded or restricted by virtue of the access regimes on the grounds of protection of personal data. (81) Moreover, by virtue of Article 1(4) of Directive 2003/98, that directive leaves intact and in no way affects the level of protection of individuals with regard to the processing of personal data under the provisions of EU and national law, and in particular does not alter the obligations and rights set out in the GDPR. (82)
129. It follows from those provisions that the processing of the personal data in question must be assessed in the light of EU rules on data protection, namely the GDPR, and not Directive 2003/98. (83)
2. On re-use
130. As the referring court rightly notes, if information relating to penalty points recorded against drivers for motoring offences can be communicated to anyone, including re-use operators, it will not be possible to identify the purposes of the further processing of the data or to evaluate whether personal data are being processed in a manner that is incompatible with those purposes.
131. Against that background, my analysis of the second question referred fully applies not only mutatis mutandis but also a fortiori: private companies might be tempted to exploit personal data for commercial purposes, that is to say, for purposes that are incompatible with the purpose of the processing, which is to increase road safety.
132. Moreover, the possibility of third parties being able to process the personal data clearly goes beyond the purpose limitation established by Article 5(1)(b) of the GDPR.
3. Proposed reply
133. Accordingly, I propose to reply to the third question to the effect that a national law such as Article 141 (2) of the Law on motoring, which allows for the processing and communicating, including for the purposes of re-use, of information relating to penalty points recorded against drivers for motoring offences, is not governed by the provisions of Directive 2003/98. It is, moreover, precluded by Article 5(1)(c) of the GDPR.
F. Fourth Question
134. By its fourth question, the referring court seeks to ascertain whether – if it is established that the national law in question is contrary to EU law – it would be possible to apply the provision at issue and maintain its legal effects until such time as the decision ultimately adopted by the Satversmes tiesa (Constitutional Court) becomes final.
135. The referring court therefore requests that the legal effects of the provision at issue be maintained until it has given a final ruling.
136. According to settled case-law, the interpretation which, in the exercise of the jurisdiction conferred on it by Article 267 TFEU, the Court gives to a rule of EU law clarifies and defines the meaning and scope of that rule as it must be or ought to have been understood and applied from the date of its entry into force. (84) It follows that the rule as thus interpreted may, and must, be applied by the courts to legal relationships which arose and were established before the judgment ruling on the request for interpretation, provided that in other respects the conditions for bringing a dispute relating to the application of that rule before the courts having jurisdiction are satisfied. (85) It is only quite exceptionally that the Court itself may, in application of the general principle of legal certainty inherent in the EU legal order, be moved to restrict for any person concerned the opportunity of relying on a provision which it has interpreted with a view to calling into question legal relationships established in good faith. (86)
137. In any event, it is solely the Court which could determine the conditions of a possible suspension (87) and this for a good reason: otherwise, a national court could defer the effects of that decision, thereby affecting its erga omnes character, the primary objective of which is to ensure the uniform application of EU law and legal certainty in all Member States and create a level playing-field for Member States, citizens and economic operators. In this connection, rules of national law, even of a constitutional order, cannot be allowed to undermine the unity and effectiveness of EU law. (88)
138. Two essential criteria must be fulfilled before such a limitation can be imposed, namely that those concerned should have acted in good faith and that there should be a risk of serious difficulties. (89)
139. It should be added that it is only exceptionally (90) that the Court has chosen such a solution and this only in quite specific circumstances: where there was a risk of serious economic repercussions owing in particular to the large number of legal relationships entered into in good faith on the basis of rules considered to be validly in force and where it appeared that individuals and national authorities had been led to adopt practices which did not comply with EU law by reason of objective, significant uncertainty regarding the implications of EU provisions, to which the conduct of other Member States or the Union may even have contributed. (91)
140. In the present case, the information referred to in the order for reference does not make it possible to conclude that a large number of bona fide legal relationships based on the contested provision would have been affected and, consequently, that it would be particularly difficult to ensure ex tunc compliance with the preliminary ruling of the Court declaring that provision incompatible with EU law.
141. Accordingly, there is no need to limit the temporal effects of the Court’s judgment in the present case.
142. I therefore propose to reply to the fourth question that it is not possible to apply the provision at issue and maintain its legal effects until such time as the decision ultimately adopted by the Satversmes tiesa (Constitutional Court) becomes final.
V. Conclusion
143. In the light of the foregoing, I propose that the Court answer the questions referred by the Satversmes tiesa (Constitutional Court, Latvia) as follows:
(1) Article 10 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), is to be interpreted as meaning that it does not cover situations of processing of personal data relating to penalty points recorded against drivers for motoring offences as provided for by a national law such as Article 141 (2) of the Ceļu satiksmes likums (the Law on motoring).
(2) Article 5(1)(c) of Regulation 2016/679 precludes a Member State from processing and communicating personal data relating to penalty points recorded against drivers for motoring offences.
(3) Article 5(1)(b) and (c) of Regulation 2016/679 precludes a Member State from processing and communicating personal data relating to penalty points recorded against drivers for motoring offences when that communication is for the purposes of re-use.
(4) Directive 2003/98/EC of the European Parliament and of the Council of 17 November 2003 on the re-use of public sector information does not govern the processing and communicating, including for the purposes of re-use, of personal data relating to penalty points recorded against drivers for motoring offences.
(5) It is not possible to apply the provision at issue and maintain its legal effects until such time as the decision ultimately adopted by the Satversmes tiesa (Constitutional Court) becomes final.