OPINION OF ADVOCATE GENERAL
MEDINA
delivered on 15 June 2023(1)
Case C‑333/22
Ligue des droits humains ASBL,
BA
v
Organe de contrôle de l’information policière
(Request for a preliminary ruling from the cour d’appel de Bruxelles (Court of Appeal, Brussels, Belgium))
(Reference for a preliminary ruling – Protection of individuals with regard to the processing of personal data in criminal matters – Exercising the rights of the data subject through the competent supervisory authority – Verification by that authority of the lawfulness of the processing of the data subject’s personal data – Right to an effective judicial remedy against the supervisory authority)
1. Directive (EU) 2016/680, (2) better known as ‘the Law Enforcement Directive’, lays down specific rules on the protection of personal data and the free movement of those data in the fields of judicial cooperation in criminal matters and police cooperation and in essence, reflects the ‘specific nature of those fields’. (3) Directive 2016/680 pursues two policy objectives. On the one hand, the directive is intended to contribute to the accomplishment of an area of freedom, security and justice (AFSJ), (4) allowing for the free flow of personal data between competent authorities for law enforcement purposes. (5) On the other hand, it is intended to ensure a high level of protection of such data. Its legal basis is Article 16(2) TFEU which entrusts the EU legislature to lay down rules relating to the protection of personal data.
2. ‘Reconciling’ those two policy objectives pursued by Directive 2016/680 remains, however, a difficult task. (6) The present case provides the Court with the opportunity to examine a concrete example of the balancing of law enforcement and data protection in the context of the exercise by data subjects of their rights. The directive strengthens the rights of data subjects compared to the previous regime under Council Framework Decision 2008/977/JHA. (7) This strengthening concerns, more particularly, the recognition of a direct right of access by the data subject, which is an essential component of the fundamental right to data protection. As observed in academic literature, the rights of data subjects in the field of law enforcement are ‘an essential tool against informational power asymmetries and unlawful processing operations’. (8) It is therefore essential to ensure that those rights can be exercised effectively.
I. Legal framework
European Union law
Directive 2016/680
3. Article 3 of Directive 2016/680 sets out the following definitions:
‘(8) “controller” means the competent authority which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
…
(15) “supervisory authority” means an independent public authority which is established by a Member State pursuant to Article 41’.
4. Chapter III of Directive 2016/680 is headed ‘Rights of the data subject’. Under that chapter, Article 13, headed ‘Information to be made available or given to the data subject’, provides in paragraphs 3 and 4:
‘3. Member States may adopt legislative measures delaying, restricting or omitting the provision of the information to the data subject pursuant to paragraph 2 to the extent that, and for as long as, such a measure constitutes a necessary and proportionate measure in a democratic society with due regard for the fundamental rights and the legitimate interests of the natural person concerned, in order to:
(a) avoid obstructing official or legal inquiries, investigations or procedures;
(b) avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
(c) protect public security;
(d) protect national security;
(e) protect the rights and freedoms of others.
4. Member States may adopt legislative measures in order to determine categories of processing which may wholly or partly fall under any of the points listed in paragraph 3.’
5. Article 14 of Directive 2016/680, headed ‘Right of access by the data subject’, states:
‘Subject to Article 15, Member States shall provide for the right of the data subject to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
…’
6. Article 15 of Directive 2016/680, headed ‘Limitations to the right of access’, provides:
‘1. Member States may adopt legislative measures restricting, wholly or partly, the data subject’s right of access to the extent that, and for as long as such a partial or complete restriction constitutes a necessary and proportionate measure in a democratic society with due regard for the fundamental rights and legitimate interests of the natural person concerned, in order to:
(a) avoid obstructing official or legal inquiries, investigations or procedures;
(b) avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
(c) protect public security;
(d) protect national security;
(e) protect the rights and freedoms of others.
2. Member States may adopt legislative measures in order to determine categories of processing which may wholly or partly fall under points (a) to (e) of paragraph 1.
3. In the cases referred to in paragraphs 1 and 2, Member States shall provide for the controller to inform the data subject, without undue delay, in writing of any refusal or restriction of access and of the reasons for the refusal or the restriction. Such information may be omitted where the provision thereof would undermine a purpose under paragraph 1. Member States shall provide for the controller to inform the data subject of the possibility of lodging a complaint with a supervisory authority or seeking a judicial remedy.
4. Member States shall provide for the controller to document the factual or legal reasons on which the decision is based. That information shall be made available to the supervisory authorities.’
7. Article 16 of Directive 2016/680, headed ‘Right to rectification or erasure of personal data and restriction of processing’, provides in paragraph 4:
‘Member States shall provide for the controller to inform the data subject in writing of any refusal of rectification or erasure of personal data or restriction of processing and of the reasons for the refusal. Member States may adopt legislative measures restricting, wholly or partly, the obligation to provide such information to the extent that such a restriction constitutes a necessary and proportionate measure in a democratic society with due regard for the fundamental rights and legitimate interests of the natural person concerned in order to:
(a) avoid obstructing official or legal inquiries, investigations or procedures;
(b) avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
(c) protect public security;
(d) protect national security;
(e) protect the rights and freedoms of others.
Member States shall provide for the controller to inform the data subject of the possibility of lodging a complaint with a supervisory authority or seeking a judicial remedy.’
8. Article 17 of Directive 2016/680, headed ‘Exercise of rights by the data subject and verification by the supervisory authority’, states:
‘1. In the cases referred to in Article 13(3), Article 15(3) and Article 16(4) Member States shall adopt measures providing that the rights of the data subject may also be exercised through the competent supervisory authority.
2. Member States shall provide for the controller to inform the data subject of the possibility of exercising his or her rights through the supervisory authority pursuant to paragraph 1.
3. Where the right referred to in paragraph 1 is exercised, the supervisory authority shall inform the data subject at least that all necessary verifications or a review by the supervisory authority have taken place. The supervisory authority shall also inform the data subject of his or her right to seek a judicial remedy.’
Belgian law
9. The loi relative à la protection des personnes physiques à l’égard des traitements de données à caractère personnel (Law on the protection of natural persons with regard to the processing of personal data) of 30 July 2018 (Moniteur belge, 5 September 2018, p. 68616) (‘the LPD’) transposes Directive 2016/680 into Belgian law. Title 2, Chapter III of the LPD lays down the rights of the data subject, which consist, in essence, of the right to information, the right of access to data and the right to rectification.
10. Article 42 of the LPD provides:
‘Any request to exercise the rights set out in this chapter with respect to the police services … or to the Inspection générale de la police fédérale et de la police locale [(General Inspectorate of the Federal and Local Police, Belgium)] shall be made to the supervisory authority referred to in Article 71.
In the cases referred to in Articles 37(2), 38(2), 39(4) and 62(1), the supervisory authority referred to in Article 71 shall inform the data subject only that the necessary verifications have been carried out.
Notwithstanding paragraph 2, the supervisory authority referred to in Article 71 may communicate certain contextual information to the person concerned.
The King shall determine, following opinion from the supervisory authority referred to in Article 71, the category of contextual information that may be communicated to the person concerned by this authority.’
11. The referring court states that the ‘contextual information’ that the Supervisory Body for Police Information can disclose to the data subject has not yet been specified in a royal decree provided for by the fourth sentence of Article 42 of the LPD.
12. Article 71 of the LPD provides:
‘1. An independent supervisory authority for police information is hereby created at the Chamber of Representatives, under the name Organe de contrôle de l’information policière [(Supervisory Body for Police Information, Belgium)].
…
[It shall be] responsible for: 1. supervising the application of this Title …’
13. Under Title 5 of the LPD, Chapter I is headed ‘Action for an injunction’. Article 209, which is contained in that chapter, reads as follows:
‘Without prejudice to any other judicial, administrative or extra-judicial remedy, the president of the court of first instance, sitting as if hearing interim proceedings, may determine that processing has been carried out which constitutes a breach of the statutory or regulatory provisions on the protection of natural persons with regard to the processing of their personal data, and grant an injunction prohibiting such processing.
The president of the court of first instance, sitting as if hearing interim proceedings, shall hear any application relating to the right granted by or by virtue of the law to obtain access to personal data, as well as any application seeking rectification, erasure or prevention of the use of any personal data which are inaccurate or, having regard to the purpose of the processing, incomplete or irrelevant, or of which the recording, disclosure or storage is prohibited, to the processing of which the data subject has objected or which have been retained for longer than is permitted.’
14. Article 240 of the LPD provides that the Supervisory Body for Police Information:
‘4. shall deal with complaints, investigate the subject matter of the complaint so far as necessary, and inform the complainant of the progress and the outcome of the investigation within a reasonable time, particularly where further investigation or cooperation with another supervisory authority is necessary. …’
II. Facts, procedure and the questions referred for a preliminary ruling
15. In 2016, BA wished to participate in the assembly and disassembly of the installations for the tenth ‘European Development Days’ event in Brussels (Belgium). In order to do so, he had to obtain a ‘security clearance certificate’.
16. By letter of 22 June 2016, the Autorité nationale de sécurité (National Security Authority, Belgium) refused to issue the necessary security clearance certificate. It stated that it was apparent from the information made available to that authority that the person concerned was known for participation in 10 demonstrations between 2007 and 2016, which prevented a security clearance certificate being issued. BA did not challenge that decision by the National Security Authority.
17. The LPD, which creates the Supervisory Body for Police Information, entered into force on 5 September 2018.
18. On 4 February 2020, BA’s legal adviser asked the Supervisory Body for Police Information to identify the controllers responsible for the processing at issue and to order them to provide BA with access to all the information concerning him.
19. By email of 6 February 2020, the Supervisory Body for Police Information replied, indicating that BA had only an indirect right of access, while also stating that it intended to verify the personal data relating to BA with a view to ensuring the lawfulness of any processing of the data in the Banque de données nationale générale (BNG – general national data bank). The Supervisory Body for Police Information stated that it had the power to order the police to erase or amend data, if necessary, and that once the checks had been completed, BA would be informed that ‘the necessary verifications have been carried out’.
20. On 22 June 2020, the Supervisory Body for Police Information wrote:
‘… I inform you, in accordance with Article 42 of [the LPD], that the Supervisory Body has carried out the necessary verifications.
This means that your client’s personal data have been checked against the police data banks with a view to ensuring the lawfulness of any processing.
If necessary, the personal data have been amended or erased.
As I informed you in my email of 2 June, Article 42 of the LPD does not permit the Supervisory Body to provide any further information.’
21. On 2 September 2020, the applicants in the main proceedings, namely BA and the Ligue des droits humains brought an action against the Supervisory Body for Police Information before the President of the tribunal de première instance francophone de Bruxelles (Brussels Court of First Instance (French-speaking), Belgium) on the basis of the second sentence of Article 209 of the LPD. They requested that their action against the supervisory authority be declared admissible. In the alternative, they asked that court whether Article 42 of the LPD is contrary to Article 47(4) and Article 17(3) of Directive 2016/680. In that regard, BA and the Ligue des droits humains submitted that Article 42 of the LPD does not provide for a judicial remedy against decisions taken by the independent supervisory authority nor does it oblige that authority to inform the data subject of his or her right to seek a judicial remedy.
22. With regard to the substance of their action, the applicants requested access to all the personal data concerning BA and requested that the Supervisory Body for Police Information be ordered to identify the controllers and any persons who might have received such data. In the alternative, they asked the referral to the Court of Justice, in essence, of the question whether Article 42(2) of the LPD is compatible with Articles 14, 15 and 17 of Directive 2016/680, read in the light of Articles 8 and 47 and Article 52(1) of the Charter of Fundamental Rights of the European Union (‘the Charter’). In that regard, they complained that Article 42(2) of the LPD provides for a general and systematic derogation from the right of access to personal data.
23. By order of 17 May 2021, the tribunal de première instance francophone de Bruxelles (Brussels Court of First Instance (French-speaking)) declared that it had no jurisdiction with regard to the action of the applicants.
24. By application of 15 June 2021, the main proceedings were brought before the cour d’appel de Bruxelles (Court of Appeal, Brussels, Belgium). The appellants, in essence, reiterated the criticisms they had made against Article 42(2) of the LPD and the requests they had made in the first-instance proceedings.
25. The Supervisory Body for Police Information submitted that the appeal ought to be dismissed.
26. The referring court states that under Belgian law the data processed by the police services are subject to a specific body of rules. Under Article 42 of the LPD, all requests based on rights relating to those personal data are to be made to the Supervisory Body for Police Information. That body simply informs the data subject that ‘the necessary verifications have been carried out’.
27. The referring court states that Article 17(3) of Directive 2016/680 has not been transposed properly into domestic law. First, Article 42 of the LPD does not provide that the supervisory authority is to inform the data subject of his or her right to seek a judicial remedy. Second, the LPD does not allow for the exercise of a judicial remedy against the Supervisory Body for Police Information.
28. In that regard, the referring court states, in the first place, that the remedy laid down in Article 240 of the LPD, which allows the data subject to lodge a complaint with the supervisory authority, must be exercised against the controller.
29. In the second place, the action for an injunction laid down in Article 209 et seq. of the LPD does not provide BA with an effective remedy against the Supervisory Body for Police Information. In that regard, the referring court states that it follows from those provisions, first, that the action must be brought against the controller. It cannot therefore be brought by BA against the Supervisory Body for Police Information. Second, Article 42 of the LPD does not enable BA to bring such an action against the controller, because the exercise of his rights is entrusted to the Supervisory Body for Police Information. Third, the very succinct information provided by the Supervisory Body for Police Information, pursuant to Article 42 of the LPD, does not enable either BA or a court, in an a posteriori review, to determine whether the Supervisory Body for Police Information has exercised BA’s rights correctly.
30. Finally, although the action for an injunction is laid down in the LPD ‘without prejudice to any other judicial, administrative or extra-judicial remedy’ and without limiting ‘the jurisdiction of the court of first instance and of the president of the court of first instance hearing interim proceedings’ (Articles 209 and 219 of the LPD), any other remedy which BA might seek to exercise would, in the view of the referring court, encounter the same obstacles.
31. In those circumstances, the cour d’appel de Bruxelles (Court of Appeal, Brussels) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:
‘(1) Do Articles 47 and 8(3) of [the Charter] require provision to be made for a judicial remedy against an independent supervisory authority such as the Supervisory Body for Police Information where it exercises the rights of the data subject vis-à-vis the controller?
(2) Does Article 17 of Directive 2016/680 comply with Articles 47 and 8(3) of [the Charter], as interpreted by the Court of Justice, in that it obliges the supervisory authority – which exercises the rights of the data subject vis-à-vis the controller – only to inform the data subject “that all necessary verifications or a review by the supervisory authority have taken place” and “of his or her right to seek a judicial remedy”, when such information does not enable any a posteriori review to be conducted as regards the action taken and assessment made by the supervisory authority in the light of the data subject and the obligations of the controller?’
32. Written observations have been submitted by the applicants in the main proceedings, the Belgian Government, the Czech Republic, the European Commission as well as the European Parliament. The Court put a number of written questions to the Belgian Government to be answered in writing. That Government replied on 13 March 2023. The applicants and the defendant in the main proceedings, the French Government as well as the European Commission and the European Parliament participated in the oral hearing that took place on 29 March 2023.
III. Assessment
Preliminary observations
33. The questions submitted for a preliminary ruling concern, in essence, judicial review of the action of a supervisory authority and its scope and effectiveness in the situation where that authority exercises the rights of the data subject on behalf of that data subject, that is to say where the rights are exercised indirectly. The referring court did not question, as such, the structure of the Belgian regime of indirect access by data subjects. However, the right to an effective remedy is necessarily affected by a system in which access by data subjects is practically impossible or excessively difficult. It is therefore important, as a preliminary issue, to describe briefly the structure of data subject rights under Directive 2016/680, before examining how the Belgian indirect access regime fits into that structure.
(a) The rights of data subjects under Directive 2016/680 and limitations to those rights
34. The right of access to data collected and the right to have the data rectified is an essential component of the right to the protection of personal data enshrined in Article 8(2) of the Charter. Generally, the right of access serves two main purposes, namely to ‘enhance transparency and facilitate control’. (9) Indeed, as pointed out in academic literature, it enhances transparency because it provides ‘a second, deeper and more detailed layer of information that the data subject can obtain’. (10) The right of access facilitates control as it constitutes a prerequisite for the exercise of other rights, namely the right to rectification or erasure of personal data or to seek a judicial remedy. (11)
35. It follows from recital 7 of Directive 2016/680 that that directive seeks to achieve the effective protection of personal data throughout the European Union, which requires the strengthening of the rights of data subjects and of the obligations of those who process personal data, as well as equivalent powers for monitoring and ensuring compliance with the rules for the protection of personal data in the Member States. This is an important step forward compared to the former regime under Framework Decision 2008/977. The scope of that framework decision was limited to cross-border data processing. Moreover, it reflected the ‘specificities of the pre-Lisbon “pillar” structure of the EU’ (12) and left a ‘large room for manoeuvre to Member States’. (13) Compared to that earlier regime, Chapter III of Directive 2016/680 provides for a ‘new architecture of the rights of data subjects, the principle being that they have a right to information, access, rectification, erasure or restriction of processing, unless these rights are restricted’. (14)
36. More particularly, Article 13 of Directive 2016/680 provides that controllers are to provide certain information to data subjects (‘the right to information’). Article 14 establishes that the data subject has the right to obtain from the controller confirmation as to whether or not data concerning him or her are being processed and, where that is the case, to access the personal data and particular information (‘the right of access’). Article 16 provides that the data subject has the right to obtain from the controller the rectification of inaccurate personal data relating to him or her as well as the right to erasure of personal data, or, where applicable, restriction of processing (‘the right to rectification, erasure or restriction of processing’). The data subject can, in principle, exercise his or her rights directly.
37. Directive 2016/680 allows Member States to adopt legislative measures restricting, wholly or partially, the rights of data subjects under the conditions laid down in Article 13(3), Article 15 and Article 16(4) of Directive 2016/680. In essence, such measures are permitted ‘to the extent that, and for as long as’ they constitute ‘a necessary and proportionate measure in a democratic society with due regard for the fundamental rights and legitimate interests of the natural person concerned’ in order to preserve a specified purpose of public interest, namely, to avoid obstructing official or legal enquiries, investigations or procedures, to avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties, to protect public security, national security or to protect the rights and freedoms of others. Member States may, pursuant to Article 13(4) and Article 15(2) of Directive 2016/680, adopt legislative measures in order to determine categories of processing which may wholly or partly fall under any of those purposes.
38. In case of limitation to the right of access, the controller must inform the data subject, pursuant to Article 15(3) of Directive 2016/680, without undue delay, in writing of any refusal or restriction of access and of the reasons for the refusal or the restriction. Such information may be omitted where its provision would undermine a public interest purpose referred to in Article 15(1) of the directive. The controller must inform the data subject of the possibility of lodging a complaint with a supervisory authority or seeking a judicial remedy. Additionally, under Article 15(4) of Directive 2016/680, where the right of access is restricted or refused, the controller must document the factual or legal reasons on which the decision is based and make that information available to the supervisory authorities.
39. It follows from the structure of the rights of the data subject laid down in Chapter III of Directive 2016/680 that the general rule is that, in the area of law enforcement, data subjects have rights concerning the protection of their data and they may exercise those rights directly. Any limitation to those rights is an exception. In accordance with settled case-law, an exception to a general rule must be the subject of a strict interpretation. (15) Moreover, there are limitations to the restrictions pertaining to the obligation to state reasons for the restrictions imposed and on informing the data subject accordingly. It is only by way of exception that such information may be omitted.
40. The same interrelation between rule and exception applies also with regard to the possibility given to Member States of determining ‘categories of processing’ which may wholly or partially qualify as public interest purposes, thus allowing the limitation to the exercise of the rights of data subjects under Article 13(3) or Article 15(1) of Directive 2016/680. As essentially pointed out by the Article 29 Working Party (16) in its Opinion on Directive 2016/680, the possibility given to Member States of determining such categories of processing does not allow for ‘blanket restrictions’ on data subjects’ rights to information and access. (17) Such blanket restrictions would give the exception precedence over the rule, rendering largely meaningless the provisions enshrining the rights of the data subject. (18)
(b) Indirect exercise of the rights of the data subject
41. The right of the data subject to contact the controller directly in order to exercise his or her rights is an important feature of Directive 2016/680. That directive guarantees the direct exercise of the rights by data subjects ‘as a matter of principle’. (19) Data subjects have the right of direct access unless a restriction applies. Where a restriction applies and the right of direct access is therefore no longer available, the data subject may exercise his or her rights indirectly through the competent supervisory authority, pursuant to Article 17(1) of Directive 2016/680.
42. As the French Government as well as the Commission pointed out, and as is also underlined by the Article 29 Working Party in its Opinion on Directive 2016/680, the indirect exercise of rights through the competent authority is an additional guarantee offered to data subjects in the circumstances where limitations apply. (20) The framing of indirect exercise of rights as an additional guarantee represents an important step forward in comparison with the previous situation under Framework Decision 2008/977. (21) Indeed, under that framework decision, indirect access was on an equal footing with direct access. (22) It would be contrary to the entire purpose of the harmonisation pursued by Directive 2016/680 if Member States, despite the directive’s developments relating to the structure of data subject rights, were to make the provision of indirect access not an additional avenue available for data subjects but rather the sole avenue available for data subjects.
(c) The indirect exercise regime laid down in Article 42 of the LPD
43. Article 17 of Directive 2016/680 is transposed in Belgian law by Article 42 of the LPD. The first sentence of Article 42 of the LPD provides that data subjects must address all requests to exercise their rights in relation to police services to the Supervisory Body for Police Information. The second sentence of Article 42 of the LPD provides that where the controller restricts or refuses access, that supervisory authority is to inform the data subject only that all necessary verifications have been carried out.
44. It appears to me that Article 42 of the LPD establishes a regime which derogates from the principle of direct exercise of the rights of data subjects with regard to all data processed by police services. Indeed, in view of the extremely broad scope of the data to which the regime of derogation applies, that regime establishes a blanket exemption to the direct right of access. As explained in the preliminary observations above, such a broad and blanket exemption to the right of direct access may not be considered compatible with Directive 2016/680. (23) As the Conseil d’État (Council of State, Belgium) has essentially stated in its opinion with regard to the draft of the LPD, to move from the person concerned having the option to exercise indirectly his or her rights to instead allowing the legislature to require such rights to be exercised indirectly is contrary to Article 17 of Directive 2016/680. (24)
45. Substituting direct access for indirect access under Article 42 of the LPD is even more problematic when viewed in the light of the limited powers of the Supervisory Body for Police Information. When questioned on this point at the hearing, counsel for that authority confirmed that in the context of indirect exercise of rights of the data subject, the Supervisory Body for Police Information may only inform the data subject that all necessary verifications have been carried out. However, it must be recalled that the regime of indirect access is the exception, which presupposes that the rights of data subjects are limited in accordance with the conditions set out in Directive 2016/680. By contrast, under the Belgian system, the data subject is obliged to request the supervisory authority to exercise his or her rights with regard to data processed by police services. He or she may not access the data concerning him or her and may not obtain more than a confirmation that all necessary verifications have been carried out. The national legislature appears to have established an underlying assumption, departing from Directive 2016/680, that – with regard to all data processed by police – the rights of data subjects are always limited and direct access is not possible.
46. In light of the above considerations, I take the view that Article 42 of the LPD establishes a regime of indirect exercise of rights which is incompatible with the manner in which the rights of data subjects are exercised as set out in Directive 2016/680. The questions for preliminary ruling will be examined in light of that consideration.
First Question
47. First of all, it should be recalled that, in accordance with settled case-law, under the procedure laid down by Article 267 TFEU, which provides for cooperation between national courts and the Court of Justice, it is for the latter to provide the national court with an answer which will be of use to it and enable it to determine the case before it. Thus, if necessary, the Court may have to reformulate the questions referred to it. To that end, the Court may extract from all the information provided by the national court, in particular from the reasons in the order for reference, the points of EU law which require interpretation in view of the subject matter of the dispute in the main proceedings. (25)
48. In the present case, it is clear from the order for reference that by its first question, the referring court seeks an interpretation of Article 17 of Directive 2016/680. It asks, in essence, whether that provision, read in the light of Article 47 and Article 8(3) of the Charter, must be interpreted as requiring that the data subject must have available to it a judicial remedy against an independent supervisory authority where he or she exercises his or her rights through the supervisory authority.
49. As a preliminary issue, it must be pointed out that the referring court asks that question since it considers that Belgian law does not provide for a right to seek judicial review against a supervisory authority when the latter exercises indirectly the rights of the data subject. In that regard, it states, first, that that provision has not been correctly transposed into national law, since Article 42 of the LPD does not provide for an obligation on the part of the supervisory authority to inform the data subject of his or her right to seek a judicial remedy. Second, the referring court is of the view that no other provision of the LPD, particularly Articles 209 et seq. and 240 thereof, allows the data subject to introduce an action against the supervisory authority in case of indirect exercise of his or her rights. (26)
50. The Belgian Government, in its written submissions, asserted that, irrespective of the interpretation of the second sentence of Article 209 of the LPD, the Belgian legal system provides for effective judicial review in the circumstances of the main proceedings. In that regard, it submits that the specific remedies in the LPD are without prejudice to the general jurisdiction of the civil courts. That being said, the Belgian Government is correct in pointing out that, in accordance with settled case-law, the Court is empowered only to give rulings on the interpretation or the validity of an EU provision on the basis of the facts which the national court or tribunal puts before it. By contrast, it falls exclusively to the referring court to interpret national legislation. (27)
(a) The remedies available to the data subject
51. In order to determine whether a data subject has the right to seek a judicial remedy against the supervisory authority in case of indirect exercise of his or her rights, it must be recalled that Directive 2016/680 sets out, in Chapter VIII, a number of remedies available to data subjects. Data subjects have the right to lodge a complaint with a supervisory authority pursuant to Article 52 of Directive 2016/680. Article 53(1) of Directive 2016/680 provides that data subjects are to have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them. Article 53(2) provides that each data subject is to have the right to an effective judicial remedy where the supervisory authority does not handle a complaint or does not inform the data subject within three months of the progress or outcome of the complaint. In addition, data subjects have the right to an effective judicial remedy against a controller or processor where they consider that their rights have been infringed as a result of unlawful processing of their personal data. All those provisions state that each of those remedies is available ‘without prejudice to any other administrative or non-judicial remedy’.
52. As regards the right to an effective judicial remedy against the supervisory authority, recital 86 of Directive 2016/680 states that that right can be exercised against a ‘decision of a supervisory authority which produces legal effects concerning that person’. The same recital states that such a decision concerns, in particular, the exercise of investigative, corrective and authorisation powers by the supervisory authority or the dismissal or rejection of complaints, but that the right to an effective judicial remedy does not encompass ‘other measures of supervisory authorities which are not legally binding, such as opinions issued or advice provided by the supervisory authority’.
53. It follows from Article 53(1) of Directive 2016/680, read in the light of recital 86 thereof, that the data subject has the right to challenge a decision or a measure by a supervisory authority which produces binding legal effects.
54. In that regard, it must be recalled that the right to an effective judicial remedy, enshrined in Article 47 of the Charter, must be accorded to any person relying on rights or freedoms guaranteed by EU law against a decision adversely affecting him or her which is such as to undermine those rights or freedoms. (28)
55. Next, it must be pointed out that acts adversely affecting a person are ‘acts or measures which produce binding legal effects capable of directly and immediately affecting the appellant’s interests by bringing about a distinct change in his or her legal position’. (29) In that regard, it is necessary to examine the substance of that act and to assess those effects on the basis of objective criteria, such as the content of that act, taking into account, as appropriate, the context in which it was adopted and the powers of the institution which adopted the act. (30)
(b) The powers of the supervisory authority in the context of the indirect exercise of rights
56. In the light of the elements determining an act adversely affecting a person, in order to determine whether a supervisory authority adopts a legally binding decision, when it exercises indirectly the rights of the data subject, in accordance with Article 17 of Directive 2016/680, it is necessary to examine the content or the substance of the act of a supervisory authority, taking into account the context of the act and the powers of that authority.
57. As regards, in the first place, the substance of the act of the supervisory authority, it must be clarified at the outset that the ability of an act to affect directly the legal position of a natural or legal person cannot be assessed solely by reference to the fact that that act takes the form of an email (as was the case in the main proceedings), since that would amount to giving precedence to the form of the act which is the subject of the action over the actual substance of that act. (31)
58. Article 17(1) of Directive 2016/680 provides that the rights of the data subject may be exercised ‘through’ the competent supervisory authority. Recital 48 of that directive states that the supervisory authority acts ‘on behalf’ of the data subject. According to Article 17(3) of that directive, the supervisory authority is to ‘inform’ the data subject at least that all necessary verifications or a review by the supervisory authority have taken place.
59. The Supervisory Body for Police Information argues that it follows from the wording of those provisions, that a supervisory authority does nothing more than exercise a mandate on behalf of the data subject and act as a ‘messenger’ who simply provides information to the data subject. Therefore, the act which that authority adopts may not be regarded as producing binding legal effects on the data subject. The Czech Government puts forward a similar argument.
60. I would not disagree that the wording used in relation to the exercise of rights of the data subject ‘through’ the supervisory authority or the supervisory authority acting ‘on behalf of’ the data subject, taken alone, could be understood as suggesting that the supervisory authority has a mandate simply to provide information.
61. However, I consider that an examination of the context of the act and the powers of the supervisory authority do not support the thesis of a simple mandate. In the context of the indirect exercise of the rights of the data subject, the supervisory authority’s role goes beyond acting in a way similar to an ‘agent’ of a data subject, as a ‘messenger’ or an intermediary. As I will demonstrate, the EU legislature has, by contrast, granted the supervisory authority a leading and active role in the verification of the lawfulness of data processing which can be carried out solely by a public authority.
62. More specifically, as the Commission and the Belgian Government have argued, Article 17 of Directive 2016/680 must be read together with the provisions of Section 2 of Chapter VI of that directive, which sets out the rules on the competence, the tasks and the powers of the independent supervisory authorities. Article 46(1)(g) of that directive provides that the supervisory authority is to ‘check the lawfulness of processing pursuant to Article 17, and inform the data subject within a reasonable period of the outcome of the check pursuant to paragraph 3 of that Article or of the reasons why the check has not been carried out’.
63. The Belgian Government has correctly pointed out in its response to a written question put by the Court that the specific task of checking the lawfulness of the processing demonstrates that the role of a supervisory authority is not confined to acting as a simple ‘messenger’ between the data subject and the controller. Instead, that authority carries out a proper legal assessment of the lawfulness of the processing.
64. Moreover, in order to carry out its role of making an independent check of the lawfulness of processing, each supervisory authority has certain enforcement powers in accordance with Article 47 of Directive 2016/680. Those powers are ‘effective investigative powers’, which include at least the ‘power to obtain from the controller and processor access to all personal data that are being processed’ and also ‘corrective’ powers including the power to order the rectification or erasure of personal data or restriction of processing. Moreover, according to Article 47(5), the supervisory authorities have the power to engage in legal proceedings in order to enforce the data protection rules adopted pursuant to Directive 2016/680. I agree with the Commission, which pointed out, in that regard, that the supervisory authority may exercise those powers only on its own account as a public authority and not as a simple agent or in the name of the data subject.
65. When the supervisory authority informs the data subject of the outcome of the check it has carried out pursuant to Article 17(3) and Article 46(1)(g) of Directive 2016/680, it has necessarily reached the end of a decision-making process with regard to the lawfulness of the processing. The legal position of the data subject is therefore affected by (i) whether the supervisory authority has correctly carried out the task incumbent upon it of ‘check[ing] the lawfulness of processing pursuant to Article 17’ and (ii) the conclusion made by that authority following that process.
66. Recognising the supervisory authority as having an autonomous role under Article 17 of Directive 2016/680, as opposed to the role of a simple intermediary, is corroborated by an interpretation of the directive in the light of the Charter. Article 8(3) of the Charter entrusts to an independent authority the review of compliance with the rules on data protection and more specifically with the right of access to data. The role of data protection authorities is vested with constitutional significance by virtue of being referred to in the Charter. The role of monitoring and enforcing the application of Directive 2016/680 lies with the supervisory authority. An interpretation under which that authority acts separately from the person concerned when it exercises indirectly the rights of the data subject promotes the constitutional role of the supervisory authority.
67. In addition, if it were accepted that the supervisory authority acts in a way similar to an ‘agent’ of a data subject, then that authority would be required to report to the data subject as its principal. However, the Supervisory Body for Police Information argues that it does not have the power to provide further information to the data subject. That approach leads to a peculiar situation where an agent would be more knowledgeable than its principal.
68. At the hearing, the French Government argued, in essence, that, contrary to the situation in which a supervisory authority deals with complaints, under Article 46(1)(f) of Directive 2016/680, that authority has no powers against the controller, under Article 46(1)(g). In the view of the French Government, since the data subject does not have powers against the controller when he or she exercises his or her rights directly, he or she cannot have those powers when he or she exercises those rights indirectly via the supervisory authority. The French Government maintained that Article 47 of Directive 2016/680 concerns only the powers exercised by the supervisory authority on its own account but not the competences exercised on behalf of the data subject.
69. The view of the French Government relies, in essence, on the thesis that the supervisory authority acts simply as an intermediary of the data subject. For the reasons explained above, I do not share such a reductive interpretation of the role of the supervisory authority. The indirect exercise of the rights of a data subject must have an added value, constituting an additional guarantee and a safeguard for the data subject. If the authority were simply to confirm, in all circumstances, that the necessary verifications have been carried out without being able to exercise its powers, its role in verifying the lawfulness of processing would have limited added value.
70. In that regard, Article 17 of Directive 2016/680 provides that the supervisory authority is to inform the data subject ‘at least’ that all necessary verifications have taken place. That means that there can be circumstances in which the supervisory authority can or must go beyond such minimum information. That interpretation is supported by Article 46(1)(g) of Directive 2016/680 which tasks the supervisory authority with checking the lawfulness of processing pursuant to Article 17 of Directive 2016/680 and informing the data subject of the outcome of the check pursuant to paragraph 3 of that article. The ‘outcome of the check’ includes but is not always restricted to providing the minimum information.
71. As the Commission has pointed out, Article 17 of Directive 2016/680 confers a discretion on the supervisory authority. It does not confer a discretion on the Member States to reduce the role of the authority to that of a messenger or to remove entirely the margin of discretion of such authority by providing that it is to provide only the minimum information. Indeed, if a Member State were able to deviate from Directive 2016/680 and confer fewer powers on supervisory authorities, that would seriously undermine the objective of strengthening of the rights of data subjects and of harmonising the powers for monitoring and ensuring compliance with the data protection rules in Member States. It would also undermine the aim of enhancing transparency and control pursued by that directive.
72. At the hearing, the Supervisory Body for Police Information expressed concern regarding the recognition of a role going beyond that of simply exercising a mandate on behalf of the data subject. It argued that in the framework of Article 17 of Directive 2016/680, the supervisory authority may not decide whether an act by the controller is expedient and it may not balance the interests involved in communicating the relevant information. That authority argued that if that were not the case, it would be obliged to take the place of the controller, which would run contrary to its independence.
73. In that regard, the discretion of the supervisory authority under Article 17 of Directive 2016/680 should not be understood as a power to take the place of the controller and give automatic access to the information which the controller refused to disclose. By virtue of its independence, the supervisory authority engages in a confidential dialogue with the controller in order to verify the lawfulness of processing. As the Commission has essentially argued, that dialogue can be inferred from the obligation of the controller laid down in Article 15(4) of Directive 2016/680 to make available to the supervisory authority the factual or legal reasons on which the decision to limit the right to access is based.
74. In the context of that dialogue, if the supervisory authority takes the view that the limitations to the rights of the data subject are not justified, it must give the controller the opportunity to redress that situation. Following that dialogue, Article 17(3) affords the supervisory authority a margin of discretion as to the extent of the information it may disclose to the data subject concerning the outcome of its verification. The determination of the extent of the information it may disclose must be assessed on a case-by-case basis in accordance with the principle of proportionality. Moreover, the supervisory authority must be able to ensure compliance with the rules of Directive 2016/680 and exercise the powers set out under Article 47 thereof. That provision lays down no limitation regarding the exercise of those powers in the context of Article 17 of that directive. On the contrary, the effective powers of the supervisory authority are a necessary and strong counterweight to the limitation to the data subject’s right to access.
(c) Hierarchy of judicial remedies
75. Lastly, the Supervisory Body for Police Information and the Czech Government have put forward an argument concerning the hierarchy of judicial remedies. They maintain, in essence, that in the context of indirect exercise of rights through the supervisory authority, the right to seek a judicial remedy must be exercised against the controller, in accordance with Article 54 of Directive 2016/680 rather than against the supervisory authority, unless the latter fails to act.
76. In that regard, it must be observed, that it does not follow from any of the provisions of Directive 2016/680 that the remedies provided for in that directive are mutually exclusive. Instead, it follows from the wording of Articles 52, 53 and 54 of Directive 2016/680 referred to above (32) that those provisions offer different remedies to persons claiming that that regulation has been infringed, it being understood that each of those remedies must be capable of being exercised ‘without prejudice’ to the others. (33) It must be recalled that with regard to the relationship of the remedies provided for under Regulation (EU) 2016/679, (34) the Court has ruled in the judgment in Nemzeti that that regulation ‘does not provide for any priority or exclusive competence or jurisdiction or for any rule of precedence in respect of the assessment carried out by the authority or by the courts referred to therein as to whether there is an infringement of the rights conferred by that regulation’. (35)
77. Contrary to the position of the French Government and the Supervisory Body for Police Information, I take the view that the reasoning in the judgment in Nemzeti applies by analogy with regard to the remedies provided for under Directive 2016/680. First, the remedies available to the data subject against the supervisory authority and the controller under Regulation 2016/679 and Directive 2016/680 are similar. Second, recital 7 of Directive 2016/680 states that effective protection of personal data throughout the Union requires the strengthening of the rights of data subjects. (36) Making a number of remedies available strengthens the objective also set out in recital 85 of Directive 2016/680 of guaranteeing the right to an effective judicial remedy in accordance with Article 47 of the Charter in respect of every data subject who considers that his or her rights under the provisions adopted pursuant to that directive have been infringed.
78. It must also be pointed out that the remedy against the supervisory authority and the remedy against the controller have different purposes. On the one hand, as the Commission correctly observed, the purpose of an action against the decision of the controller to limit the rights of the data subject is to obtain judicial review of whether Article 13(3), Article 15(3) and Article 16(4) of Directive 2016/680 were applied correctly. On the other hand, the purpose of an action against the supervisory authority is to obtain judicial review of whether Article 17 and Article 46(1)(g) of Directive 2016/680 were applied correctly, which involves considering whether that supervisory authority carried out correctly its task of verifying the lawfulness of processing.
79. It must also be observed that the system of judicial protection would be incoherent and incomplete if the data subject were able to challenge only the supervisory authority’s inaction whereas its actions and the manner in which the authority discharged its obligations were excluded from judicial review.
80. In any event, in the main proceedings, it appears to be impossible to bring an action against the controller. It follows from the order for reference that data subjects are not able to bring an action against the controller since the exercise of all their rights is entrusted to the Supervisory Body for Police Information. The Ligue des droits humains submitted, moreover, that under the Belgian system of police databases, it is very difficult for the data subject even to identify the controller. In such circumstances, the data subject risks being deprived completely of effective judicial protection as he or she does not know who the controller is and even if this was known, he or she has no right to address the controller directly. In addition, he or she cannot challenge the action of the Supervisory Body for Police Information. It appears to me that the data subject is faced with a system in which ‘all doors are closed’ to him or her, which runs contrary Directive 2016/680.
81. In view of the above considerations, I consider that Article 17 of Directive 2016/680, read in combination with Article 46(1)(g) of that directive and in the light of Article 47 and Article 8(3) of the Charter, must be interpreted as requiring the data subject to have available to him or her a judicial remedy against an independent supervisory authority where that data subject exercises his or her rights through that authority in so far as that remedy concerns that supervisory authority’s task of checking the lawfulness of processing.
Second question
82. By its second question, the referring court asks, in essence, whether Article 17 of Directive 2016/680 is compatible with Article 8(3) and Article 47 of the Charter in so far as it obliges the supervisory authority to inform the data subject only (i) ‘that all necessary verifications or a review by the supervisory authority have taken place’ and (ii) of ‘his or her right to seek a judicial remedy’, whereas such information does not allow any review a posteriori of the action taken and the assessment made by the supervisory authority concerning that data subject in the light of the obligations of the controller.
83. It should be noted, as a preliminary point that, in accordance with a general principle of interpretation, an EU act must be interpreted, as far as possible, in such a way as not to affect its validity and in conformity with primary law as a whole and, in particular, with the provisions of the Charter. Thus, if the wording of secondary EU legislation is open to more than one interpretation, preference should be given to the interpretation which renders the provision consistent with primary law rather than to the interpretation which leads to its being incompatible with primary law. (37)
84. As was explained in the context of the preliminary observations and in the analysis of the first question, Article 17 of Directive 2016/680 provides that indirect exercise of the rights of the data subject is possible through the competent supervisory authority where the rights of the data subject are limited pursuant to Article 13(3), Article 15(3) and Article 16(4) of Directive 2016/680. The limitations to the data subject’s rights are permitted only if they constitute a necessary and proportionate measure in a democratic society with due regard for the fundamental rights and legitimate interests of the natural person concerned in order to safeguard a specific public interest purpose set out in those provisions.
85. The question raised is to what extent the content of information provided by the supervisory authority exercising indirectly the rights of the data subject permits the data subject to exercise his or her right to an effective judicial remedy under the first paragraph of Article 47 of the Charter.
86. In that regard, it has already been recalled in the analysis of the first question that the right to an effective judicial remedy, enshrined in Article 47 of the Charter must be accorded to any person relying on rights or freedoms guaranteed by EU law against a decision adversely affecting him or her which is such as to undermine those rights or freedoms. (38)
87. However, it must be borne in mind that the right to effective judicial protection is not an absolute right and that, in accordance with Article 52(1) of the Charter, limitations may be placed upon it, on condition that (i) those limitations are provided for by law, (ii) they respect the essence of the rights and freedoms at issue, and (iii) in compliance with the principle of proportionality, they are necessary and genuinely meet objectives of general interest recognised by the European Union or the need to protect the rights and freedoms of others. (39)
88. In the context of the indirect exercise of rights through the supervisory authority, it must be pointed out that the possibility of indirect exercise is triggered by the limitation to the rights of the data subject. The supervisory authority is tasked with acting in the situation where, as an exception, a right is limited, including where, depending on the circumstances, information regarding the reasons for that limitation is omitted by the controller. (40) As demonstrated at length in the analysis of the first question, in carrying out that task, the role of the supervisory authority is not to act as a simple ‘messenger’ but rather to ensure the lawfulness of processing.
89. The level of information which the supervisory authority can disclose to the data subject necessarily depends on the reasons which triggered the limitation to the right of access. The more serious the reasons for limitation and, possibly for omission of information, the less information the supervisory authority will be able to provide. Contrary to the presumption underlying the wording of the question for preliminary ruling, it does not follow from Article 17(3) of Directive 2016/680 that the supervisory authority can ‘only’ confirm, in all circumstances, that all necessary verifications have been carried out. Instead, under that provision the supervisory authority states ‘at least’ that all necessary verifications or a review by the supervisory authority have taken place.
90. It follows that the information to be provided by the supervisory authority cannot be pre-determined. In other words, the minimum content set out in Article 17(3) is not the only possible content. As the Commission pointed out, the level of information must be determined on a case-by-case basis and may vary depending on the circumstances and on the balancing of interests at stake in light of the principle of proportionality. To provide an illustration, as correctly observed in the academic literature, (41) it would appear unproblematic for the supervisory authority to indicate to the data subject that a spelling mistake caused the name of that data subject to be found in a police data base.
91. It must be observed that the Commission Proposal for a Directive on Law Enforcement provided that the supervisory authorities, in addition to the minimum information, were required to inform the data subject ‘of the result as regards the lawfulness of the processing in question’. (42) That last item of information – namely the result as regards the lawfulness of the processing – was not included in Article 17 of Directive 2016/680. However, that does not mean that potential infringements of data protection rules can be tolerated. In my analysis of the first question, I pointed out that the supervisory authority engages in a confidential dialogue with the controller. If the supervisory authority considers that the processing is unlawful, it provides the controller with the opportunity to redress the situation. However, if the situation is not redressed, the supervisory authority has enforcement powers under Article 47 of Directive 2016/680 which must be exercised. In such a situation, it is not sufficient, in my view, that the supervisory authority reports to the national parliament, as the Supervisory Body for Police Information suggested at the hearing. It must exercise its power to bring infringements of data protection rules to the attention of the judicial authorities and where appropriate, to commence or otherwise engage in legal proceedings in accordance with Article 47(5) of Directive 2016/680.
92. The interpretation under which the supervisory authority has a margin of discretion when it exercises indirectly the rights of the data subject is also corroborated by the constitutional importance of the role of independent supervisory authorities enshrined in Article 8(3) of the Charter.
93. That being said, there can be circumstances in which the supervisory authority considers that it may not go beyond disclosing the minimum information, namely that all necessary verifications have been carried out. In such circumstances, the exercise of judicial review would be impossible unless the court entrusted with the review of the decision of the supervisory authority is able to examine all the grounds on which that decision is based, as well as the decision by the controller to limit access.
94. In that regard, it must be pointed out, first, that Article 15(4) of Directive 2016/680 provides that the controller must document the factual or legal reasons on which the decision regarding limitation to the right of access is based and must make that information available to the supervisory authorities. As the European Parliament has pointed out, it must be accepted that if that information is available to the supervisory authority, it should also be made available to the judicial authority where the data subject exercises his or her right to seek review of the decision of the controller and/or the decision of the supervisory authority.
95. Second, in the exceptional cases in which the controller does not provide information regarding the reasons for refusal or for limitation to the rights of the data subject and the supervisory authority provides only the minimum information, namely that all necessary verifications have been carried out, the court with jurisdiction in the Member State concerned must have at its disposal and apply techniques and rules of procedural law which accommodate, on the one hand, legitimate public security or public interest considerations regarding the nature and sources of the information taken into account in the adoption of such a decision and, on the other hand, the need to ensure compliance with the person’s procedural rights, such as the right to be heard and the adversarial principle. (43)
96. To that end, in accordance with the reasoning in the case-law following from the judgment of 4 June 2013, ZZ (C‑300/11, EU:C:2013:363), the Member States are required, first, to provide for effective judicial review both of the existence and validity of the reasons invoked by the national authority and, second, to prescribe techniques and rules relating to that review, as referred to in the preceding point of the present Opinion. (44)
97. At the hearing, the French Government argued that the background to the judgment in ZZ was different from the background in the main proceedings, since the judgment in ZZ concerned the judicial review of a decision refusing a citizen of the European Union admission to a Member State on public security grounds. In that regard, it must be pointed out that the reasoning of the Court in the case-law following from the judgment in ZZ, which relies on the judgment in Kadi (45), is based on the requirement to strike an appropriate balance between the requirements flowing from State security and the requirements of the right to effective judicial protection. When questioned at the hearing, counsel for the French Government accepted that it follows essentially from that case-law that there is no secrecy before the judge. I consider, therefore, that that case-law should also apply, by analogy, in the context of Directive 2016/680 when the competent authorities take the view that reasons of national security or any other public interest ground capable of justifying a limitation to the rights of data subjects impede precise and full disclosure of the grounds of such a decision to apply a limitation.
98. It follows from the above that Article 17 of Directive 2016/680 is compatible with Article 8(3) and Article 47 of the Charter in so far as (i) the supervisory authority may, depending on the circumstances, go beyond stating that all necessary verifications have been carried out and (ii) there is available to the data subject a judicial review of the action taken and the assessment made by the supervisory authority concerning that data subject in the light of the obligations of the controller.
99. In view of the above, the validity of Article 17 of Directive 2016/680 is not called into question.
III. Conclusion
100. In the light of the foregoing, I suggest that the Court reply to the cour d’appel de Bruxelles (Court of Appeal, Brussels, Belgium) as follows:
(1) Article 17 of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, read in combination with Article 46(1)(g) of that directive and in the light of Article 47 and Article 8(3) of the Charter of Fundamental Rights of the European Union,
must be interpreted as requiring the data subject to have available to him or her a judicial remedy against an independent supervisory authority where that data subject exercises his or her rights through that authority in so far as that remedy concerns that supervisory authority’s task of checking the lawfulness of processing.
(2) The validity of Article 17 of Directive 2016/680 is not called into question.