CURIA - Documents

Home > Search form > List of results > Documents

Start printing

Language of document : ECLI:EU:C:2021:822

OPINION OF ADVOCATE GENERAL

BOBEK

delivered on 6 October 2021(1)

Case C‑245/20

Autoriteit Persoonsgegevens

(Request for a preliminary ruling from the Rechtbank Midden-Nederland (District Court, Central Netherlands, Netherlands))

(Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Competence of the supervisory authority – Processing operations carried out by courts in the exercise of their judicial capacity – Disclosure of procedural documents to a journalist)

I. Introduction

1. ‘Publicity is the very soul of justice. It is the keenest spur to exertion, and the surest of all guards against impropriety. … It is through publicity alone that justice becomes the mother of security. By publicity, the temple of justice is converted into a school of the first order, where the most important branches of morality are enforced …’ (2)

2. Although written at the dawn of the 19th century, (3) the words of Jeremy Bentham have lost none of their traction. Certainly, the context back then was very different. Open justice and its publicity needed to be vindicated not only with regard to certain enlightened monarchs (more often the case, to not very enlightened absolutist monarchs), but also, or rather in particular, vis-à-vis a number of peculiar, yet still lingering, medieval visions of the nature of the law and the judicial process. (4)

3. There is no explicit information on temples of justice being converted into schools in the main proceedings. It nonetheless still appears that, in the Netherlands, the principle of open justice has resulted in the ability of the press to access, at the date of a hearing, certain procedural documents in the cases scheduled before the court for that day. The purpose of that access is to assist journalists in better reporting on a case being heard. (5)

4. The applicants in the present case are natural persons that take issue with that policy. They maintain that they did not consent to the disclosure to a journalist of selected procedural documents relating to their case, heard before the Raad van State (Council of State, Netherlands). The applicants claimed that there had been a breach of various rights and obligations under Regulation (EU) 2016/679 (‘the GDPR’) (6) before the national supervision authority. Nevertheless, the defendant supervisory authority did not deem itself competent to assess that complaint. In its view, the processing at issue was carried out in the national courts’ ‘judicial capacity’, pursuant to Article 55(3) of the GDPR.

5. It is within this context that the Rechtbank Midden-Nederland (District Court, Central Netherlands, Netherlands) seeks guidance primarily on the issue of whether the disclosure to the press of certain procedural documents for the purposes of better media reporting on a case being heard in open court constitutes an activity of the ‘courts acting in their judicial capacity’, within the meaning of Article 55(3) of the GDPR.

II. Legal framework

A. EU law

6. Recital 20 of the GDPR states:

‘While this Regulation applies, inter alia, to the activities of courts and other judicial authorities, Union or Member State law could specify the processing operations and processing procedures in relation to the processing of personal data by courts and other judicial authorities. The competence of the supervisory authorities should not cover the processing of personal data when courts are acting in their judicial capacity, in order to safeguard the independence of the judiciary in the performance of its judicial tasks, including decision-making. It should be possible to entrust supervision of such data processing operations to specific bodies within the judicial system of the Member State, which should, in particular ensure compliance with the rules of this Regulation, enhance awareness among members of the judiciary of their obligations under this Regulation and handle complaints in relation to such data processing operations.’

7. Pursuant to Article 2(1) of the same regulation:

‘This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.’

8. The concept of ‘processing’ is defined in Article 4(2) of the GDPR as:

‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction’.

9. Article 6 of the same regulation, entitled ‘Lawfulness of processing’, reads, in relevant part, as follows:

‘1. Processing shall be lawful only if and to the extent that at least one of the following applies:

…

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

2. Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX.

3. The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by:

(a) Union law; or

(b) Member State law to which the controller is subject.’

10. By virtue of Article 51(1) of the GDPR:

‘Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union (“supervisory authority”).’

11. However, pursuant to Article 55(3) thereof, ‘supervisory authorities shall not be competent to supervise processing operations of courts acting in their judicial capacity’.

B. National law

12. The Uitvoeringswet AVG of 16 May 2016 (‘the UAVG’) implements the GPDR into Netherlands law. Article 6 thereof entrusts the defendant with the obligation to monitor compliance with the GDPR in the Netherlands. The UAVG does not reproduce the exception provided for in Article 55(3) of the GDPR.

13. On 31 May 2018, the president of the Afdeling bestuursrechtspraak van de Raad van State (Administrative Jurisdiction Division of the Council of State, Netherlands), the judicial administrations of the Centrale Raad van Beroep (Higher Social Security and Civil Service Court, Netherlands), and the College van Beroep voor het bedrijfsleven (Administrative Court of Appeal for Trade and Industry, Netherlands) adopted a regulation on the processing of personal data in administrative courts. That regulation established the AVG-commissie bestuursrechtelijke colleges (the GDPR Commission for Administrative Law Tribunals) (‘the GDPR Commission’). That commission is responsible for advising the Raad van State (Council of State), the judicial administrations of the Centrale Raad van Beroep (Higher Social Security and Civil Service Court), and the College van Beroep voor het bedrijfsleven (Administrative Court of Appeal for Trade and Industry) on the handling of complaints relating to the respect of rights guaranteed by the GDPR.

III. Facts, national proceedings and the questions referred

14. On 30 October 2018, the Raad van State (Council of State) heard an administrative law dispute between Z (‘Citizen Z’) and the Mayor of Utrecht (Netherlands) (‘Mayor M’). For the purposes of that dispute, X (‘Lawyer X’) acted as Citizen Z’s representative (collectively, ‘the applicants’). (7)

15. After that hearing, and in the presence of Lawyer X, Citizen Z was approached by a person who introduced himself as a journalist (‘Journalist J’). That journalist had at his disposal several procedural documents from the case file. When asked about those documents, Journalist J stated that he had been given access to those documents by virtue of the right of access to the case file given to journalists by the Raad van State (Council of State).

16. On the same day, Lawyer X wrote to the President of the Afdeling bestuursrechtspraak van de Raad van State (Administrative Jurisdiction Division of the Council of State) (‘President P’) to confirm whether access had been given to the case file – if so, by whom – and whether copies had been made with the knowledge or approval of staff of the Raad van State (Council of State).

17. By letter of 21 November 2018, President P replied that, at times, the Raad van State (Council of State) provides journalists with information relating to hearings. It does so, inter alia, by making that information available for inspection to journalists who are in the building on that day to report on a particular hearing. That information includes a copy of the notice of appeal (or higher appeal), the response, and, in the case of a higher appeal, the decision of the rechtbank (District Court, Netherlands). Those copies are only available for inspection on the day of the hearing itself, meaning that the information is not sent to, nor shared with, the media in advance. The relevant documents cannot leave the premises of the respective court, nor can they be taken home. At the end of the hearing day, employees of the communication department of the Raad van State (Council of State) destroy the copies.

18. Citizen Z and Lawyer X sent enforcement requests to the Autoriteit Persoonsgegevens (Data Protection Authority, Netherlands). The authority found itself not competent and forwarded those requests to the GDPR Commission.

19. The referring court explains that the access policy for journalists adopted by the Raad van State (Council of State) means that third persons, who are not party to the proceedings, have access to certain personal data of parties to court proceedings as well as their authorised representative(s), if any. Those procedural documents may contain personal data deriving, for instance, from the letterhead of an authorised representative which can lead to identification. They may also contain one or more forms of (specific) personal data of the appellant and/or others, such as information relating to criminal records, commercial information or medical information.

20. In the present case, the disclosure of the procedural documents at issue meant that Journalist J was given access to the appeal application, the defence, and the decision of the lower court. Thereby, he had access to some personal data of the applicants in the main proceedings, in particular the name and address of Lawyer X and the ‘citizen service number’ of Citizen Z.

21. The referring court deems such access to procedural documents and the (temporary) provision of copies of those documents to constitute ‘processing’ of personal data within the meaning of Article 4(2) of the GDPR. It notes that such processing took place without the consent of the applicants. However, in order to determine whether the Autoriteit Persoonsgegevens (Data Protection Authority) was in fact able to conclude that it was not competent to review the decision of the Raad van State (Council of State) to provide access to the procedural documents at issue, the referring court must interpret the concept of ‘courts acting in their judicial capacity’, as laid down in Article 55(3) of the GDPR.

22. Harbouring doubts as to whether the Raad van State (Council of State) acted within its ‘judicial capacity’, within the meaning of Article 55(3) of the GDPR, when disclosing documents from the case file of the dispute between Citizen Z and Mayor M to Journalist J for the purpose of the latter better reporting on the hearing in that case, the Rechtbank Midden-Nederland (District Court, Central Netherlands) decided to stay the proceedings and to refer the following questions to the Court for a preliminary ruling:

‘(1) Is Article 55(3) of the [GDPR] to be interpreted as meaning that “processing operations of courts acting in their judicial capacity” can be understood to mean the provision by a judicial authority of access to procedural documents containing personal data, where such access is granted by making copies of those procedural documents available to a journalist, as described in the present order for reference?

(1a) In answering that question, is it relevant whether the national supervisory authority’s supervision of that form of data processing affects independent judicial decisions in specific cases?

(1b) In answering that question, is it relevant that, according to the judicial authority, the nature and purpose of the data processing is to inform a journalist in order to enable the journalist to better report on a public hearing in court proceedings, thereby serving the interests of openness and transparency in the administration of justice?

(1c) In answering that question, is it relevant whether there is any express legal basis for such data processing under national law?’

23. Written observations have been submitted by Citizen Z, the Autoriteit Persoonsgegevens (Data Protection Authority), the Spanish, Netherlands, Polish and Finnish Governments, as well as the European Commission. The Autoriteit Persoonsgegevens (Data Protection Authority), the Spanish and Netherlands Governments, as well as the Commission also presented oral argument at the hearing that took place on 14 July 2021.

IV. Analysis

24. This Opinion is structured as follows. I shall start with a few brief remarks on admissibility (A). Then I shall turn to Article 55(3) of the GDPR and discuss the substantive and institutional elements of that provision (B). Thereafter, I shall apply my considerations to the present case (C). I conclude with several remarks on the central issue, which this case is, and at the same time is not, about: the application of the GDPR to national courts (D).

A. Admissibility

25. Citizen Z submits that the questions referred are of a hypothetical nature and thus inadmissible. He requested an enforcement measure not only by reason of the allegedly GDPR-incompatible access policy, but also due to the failure to notify a data leakage (that is, the disclosure of personal data to a journalist without consent) in due time. Moreover, there are factual flaws in the referring court’s order for reference since the disclosure of the procedural documents at issue was not done by the Raad van State (Council of State) but instead by employees of its communication department. As a result, since the order for reference did not originate from a court within the meaning of Article 55(3) of the GDPR, the Autoriteit Persoonsgegevens (Data Protection Authority) would have been competent to supervise the processing of that department.

26. I suggest that those claims be dismissed.

27. Questions on the interpretation of EU law referred by a national court generally enjoy a presumption of relevance. (8) The Court may refuse to rule on a question referred for a preliminary ruling by a national court only where it is quite obvious that the interpretation of EU law that is sought bears no relation to the actual facts of the main proceedings or its purpose, where the problem is truly hypothetical, or where the Court does not have before it the factual or legal material necessary to give a useful answer to the questions submitted to it. (9) Consequently, where the questions submitted concern the interpretation of EU law, the Court is, in principle, bound to give a ruling. (10)

28. The latter is clearly the case for the dispute in the main proceedings. The referring court is required to apply the GDPR, and in particular Article 55(3) thereof, to determine the extent to which the Autoriteit Persoonsgegevens (Data Protection Authority) indeed had the competence to supervise the processing (if any) of personal data by the Raad van State (Council of State). In so far as it requires guidance on the interpretation of that provision, it is entitled to refer a question for a preliminary ruling to the Court.

29. Moreover, the referring court alone is responsible for defining the factual context pursuant to which it seeks guidance from the Court. (11) Thus, even if a request for a preliminary ruling were to suffer from certain factual shortcomings, it is not for the Court to question the completeness of the referring court’s order, nor for the former to take a position on a certain reading of national law or practice.

30. In any event, the issue of who disclosed what and under whose instructions is, in fact, a point of substance that may be relevant when the GDPR and the guidance issued by this Court are to be applied by the referring court. That issue does not, however, concern the admissibility of the case.

31. Accordingly, the present case is clearly admissible.

B. Article 55(3) of the GDPR

32. It is clear that the GDPR is meant to apply to the courts of the Member States. Indeed, that regulation applies to any operation or set of operations that are performed on personal data. There is no institutional exception made for the courts, or any other specific bodies of the State. (12) The GDPR is, by its design, institution-blind. (13) Any and all activity involving the processing of personal data is caught, irrespective of its nature. Finally, recital 20 of the GDPR confirms that legislative design by expressly stating that it ‘applies, inter alia, to the activities of courts and other judicial authorities’.

33. Separate from the issue of substantive applicability of the rules provided for in the GDPR, but still in a way inextricably linked, is the issue of supervision of compliance with those rules. It is true that, ‘who is to supervise’ can be to some extent detached from the issue of ‘what is to be supervised’. Yet, there is still a necessary link. To begin with, if certain rules were not even substantively applicable, or there were broad exceptions from them, then there would be little need to discuss any issues of supervision. Indeed, there would be nothing to supervise.

34. The issue of supervisory competence is addressed in Article 55 of the GDPR. That provision opens Section 2 (‘Competence, tasks and powers’) of Chapter VI (‘Independent supervisory authorities’) of the GDPR. Within that context, Article 55 thereof attributes three types of competence.

35. First, Article 55(1) of the GDPR requires the Member States to appoint supervisory authorities to ensure compliance with the GDPR and to uphold the obligations for the various actors involved. (14) Each of the national supervisory authorities shall have the powers conferred on it by the GDPR on the territory of its own Member State.

36. Second, Article 55(2) of the same regulation provides for the competence of the supervisory authority of the Member State concerned for processing carried out by public authorities or private bodies acting on the basis of points (c) or (e) of Article 6(1). As such, that provision provides for an exception from Article 56(1), which in turn assigns the competence to a lead supervisory authority in instances of cross-border processing.

37. Third, it is within that context that Article 55(3) of the GDPR singles out another specific type of processing operation, namely processing carried out by courts acting in their judicial capacity. For those activities, the ‘ordinary’ supervisory authorities under Article 55(1) of the GDPR are not competent. Instead, recital 20 of the GDPR explains that ‘it should be possible to entrust supervision of such data processing operations to specific bodies within the judicial system of the Member State’.

38. I draw two consequences from that legislative design.

39. First, Articles 55 and 56 of the GDPR are primarily concerned with the attribution of competence. Within that context, it could perhaps be argued that Article 55(1) of the GDPR is to be seen as a ‘rule’, while all other provisions, including Article 55(3) of the GDPR, could be seen as ‘exceptions’. However, the Court recently refused to embrace that logic. (15) In my view, for a good reason: Articles 55 and 56 of the GDPR concern the attribution of competence based on territorial, type-based, as well as actor-based, dimensions. It would certainly do no justice to that design if the somewhat blunt logic of ‘all exceptions to be interpreted narrowly’, borrowed from the context of Article 2(2) of the GDPR, were applied to the rather delicate web that is the attribution of competence.

40. Second, the applicability of Article 55(3) of the GDPR is subject to two conditions. There must be a ‘processing operation’ within the meaning of the GDPR (1). Next, it must be carried out by a ‘court acting in their judicial capacity’ (2). Only then can it be established which institution is in charge of supervising compliance of that activity with the GDPR. It is these two conditions to which I now turn.

1. Substantive element: ‘a processing operation’?

(a) The law as it stands

41. The scope of the GDPR is defined broadly. By virtue of Article 2(1) of the GDPR, that regulation applies to ‘processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system’.

42. Article 4(2) adds that ‘processing’ covers ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means’, and mentions, by way of example, ‘disclosure by transmission, dissemination or otherwise making available’. That concept has been interpreted as having regard to the entire chain of transactions involving personal data. (16)

43. Article 4(6) of the GDPR defines a ‘filing system’ as ‘any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis’. Given that broad wording, the Court has held that there are no requirements as to the means or structure of a ‘filing system’, so long as personal data are structured in a way that allows them to be easily retrieved. (17)

44. All those elements taken together mean that processing of personal data within the meaning of the GDPR will take place when there are (i) personal data that (ii) are being processed (iii) by automated means or if part of a filing system. In this light, what then was the processing operation at issue in the present case?

45. It appears from the case file that Citizen Z takes issue with the act of physically showing the three procedural documents to Journalist J so that he would be able to report better on the hearing between Citizen Z and Mayor M. In this manner, personal data contained in (at least some of) those documents were disclosed by the Raad van State (Council of State), acting as controller, without the consent of the data subject, thus amounting to a (presumably unlawful) processing operation within the meaning of Article 4(2) of the GDPR.

46. There appears to be no disagreement on the fact that the procedural documents at issue contained some personal data, within the meaning of Article 4(1) of the GDPR. Information such as the name and address of Lawyer X and the ‘citizen service number’ of Citizen Z obviously ‘relat[e] to an identified or identifiable person’. (18)

47. The parties also do not seem to dispute the presence of a ‘processing operation’, within the meaning of Article 4(2) of the GDPR. This is, nevertheless, where some doubt might emerge. What exactly was the specific processing operation (19) that triggered the application of the GDPR?

48. The most obvious choice in that regard is the ‘disclosure by transmission’, (20) to a third party by employees of the Raad van State (Council of State) of the documents at issue. The case-law supports that proposition, given that the Court has deemed the communication (21) or general disclosure (22) of personal data as constituting ‘processing’ within the meaning of Article 4(2) of the GDPR.

49. However, pursuant to Article 2(1) of the GDPR, that activity must, at least partly, have occurred through the use of automated means. The case file is silent on whether such automated means were involved in that activity. Certainly, in today’s society, there will be, at some point in time, at least some use of automated means. Moreover, given that regard must be had to the entirety of the chain of processing operations, (23) so long as someone, at some point prior to the disclosure of the procedural documents at issue, either scanned, copied, printed, emailed or otherwise extracted those documents from a database, such processing occurred at least partly by use of automated means, within the meaning of Article 2(1) of the GDPR.

50. Alternatively, and in any case, the personal data were apparently extracted from the case file itself for the purpose of their disclosure to Journalist J. That entails, logically, that the Raad van State (Council of State) will have set up such a file through some kind of identifying information (case reference number, date of the dispute, or the names of the parties involved). Such a case file constitutes, one might even say by definition, a ‘filing system’, within the meaning of Article 4(6) of the GDPR, since it establishes a structured set of (personal) data that is accessible according to specific criteria. (24)

51. Thus, even if one were to leave aside the ‘by automated means’ part of the definition of Article 2(1) of the GDPR, it is still rather clear that three documents taken out and copied from a case file before a national court form part of a filing system, in other words the case file itself.

52. Finally, none of the exceptions laid down in Article 2(2) of the GDPR, which must be interpreted narrowly, (25) are applicable in the present case. The disclosure of the documents at issue does not fall ‘outside the scope of EU law’, at least not in the way that turn of phrase has been interpreted by this Court in this specific context. Indeed, it could be considered that the disclosure of procedural documents in proceedings before national courts does not fall within the scope of EU law, certainly not in the conventional sense of being regulated by any act of EU law. However, in the Court’s recent judgment in Latvijas Republikas Saeima (Penalty points), the exception of Article 2(2)(a) of the GDPR was interpreted to apply solely to Member States’ essential State functions in so far as those functions can be classified within the same category as national security. (26) Indeed, if ensuring road safety has not been considered to satisfy recital 16 of the GDPR, (27) it is unlikely that open justice will.

53. Moreover, there is no indication that the disclosure in the present case related to an investigation into criminal offences or the execution of criminal penalties (even if, for whatever distant reason, there was the need to do so in those circumstances). (28) Therefore, the applicability of Article 2(2)(d) of the GDPR is also excluded.

54. In conclusion, under the broad wording and interpretation of Articles 2(1), 4(2) and 4(6) of the GDPR, and the extremely narrow scope of the exceptions under Article 2(2) of the GDPR, it appears that the disclosure of procedural documents in the present case falls within the material scope of the GDPR, either as an operation involving the processing of personal data wholly or partly by automated means or the processing of such data that form part of a filing system.

(b) Does the law stand correctly?

55. Providing a journalist with three procedural documents so that he may better understand the oral proceedings on which he is to report is processing of personal data under the GDPR. That conclusion is as much an answer as it is an articulation of a problem. Humans are social creatures. Most of our interactions involve the sharing of some sort of information, often at times with other humans. Should any and virtually every exchange of such information be subject to the GDPR?

56. If I go to a pub one evening, and I share with four of my friends around the table in a public place (thus unlikely to satisfy the private or household activity exception of Article 2(2)(c) of the GDPR (29)) a rather unflattering remark about my neighbour that contains his personal data, which I just received by email (thus by automated means and/or is part of my filing system), do I become the controller of those data, and do all the (rather heavy) obligations of the GDPR suddenly become applicable to me? Since my neighbour never provided consent to that processing (disclosure by transmission), and since gossip is unlikely ever to feature amongst the legitimate grounds listed in Article 6 of the GDPR, (30) I am bound to breach a number of provisions of the GDPR by that disclosure, including most rights of the data subject contained in Chapter III.

57. At the hearing, faced with such indeed bizarre questions from the Advocate General, the Commission insisted that there are limits to the scope of application of the GDPR. However, it was not able to explain where those limits lie exactly. In fact, it accepted that even incidental ‘processing’ of personal data appears to trigger the application of that regulation, and thus the rights and obligations flowing from it. (31)

58. That is precisely the question that the present case, yet again, brings to the fore: should no substantive limit be placed on the scope of the GDPR? Is every form of human interaction, in which information about other humans is being disclosed, regardless of the way it is being disclosed, supposed to be subject to its rather onerous rules?

59. In this new age, where one finds an endless drive towards increased automation, it seems that almost any aspect of any activity may, sooner or later, be connected to a machine which, increasingly, has its own data processing capabilities. Most of the time, the use of such data will be ancillary or ‘de minimis’, so that in many cases no ‘real’ processing activity takes place. However, and still, it would appear that neither the nature of the operation (mere transmission versus effective work on and with the data), the method of the potential disclosure (in writing, manually or electronically, versus orally), nor the amount of the personal data (no de minimis rule, no difference in the disclosure of individualised data relating to a specific person versus work with or on data sets) appear to matter for the applicability of the GDPR.

60. I am certainly not the first to be puzzled about the breadth of what apparently constitutes a ‘processing operation’ for the purposes of the GDPR, or previously Directive 95/46/EC. (32) In her Opinion in Commission v Bavarian Lager, Advocate General Sharpston attempted to suggest that some sort of minimum threshold as a triggering event for the presence of a processing operation should be introduced. (33)

61. A more cautious approach to the concepts of ‘personal data’ and ‘processing’ had also previously been suggested by the Article 29 Data Protection Working Party. (34) It noted that ‘the mere fact that a certain situation may be considered as involving “the processing of personal data” in the sense of the definition does not alone determine that this situation is to be subject to the rules of the [Directive 95/46], in particular pursuant to Article 3 thereof’. (35) It also emphasised that ‘the scope of the data protection rules should not be overstretched’. It even rather wisely foresaw that ‘a mechanistic application of every single provision of the Directive’ could lead to ‘excessively burdensome or perhaps even absurd consequences’. (36)

62. What should then perhaps be required, at a minimum, is a change, alteration, manipulation, or any other processing in the sense of ‘added value’ to, or ‘fair use’ of, the personal data at issue. Alternatively, or in connection, a finer emphasis should be placed on the concept of automated means that would exclude all other forms of mere disclosure by non-automated means, whether that be orally or by a mere inspection of a written document. The addition of such, or any other similar, threshold test could thus help refocus the data protection rules on activities that were supposed to be caught in the first place, (37) while leaving aside those accidental, incidental, or minimal uses of personal data that would otherwise incur the full wrath and force of the GDPR’s rights and obligations.

63. Be that as it may, I am not blind to the fact that the Court, sitting as the Grand Chamber, already rejected not that long ago the adoption of any such test in Commission v Bavarian Lager. (38) In a similar vein, the Court has continued on a rather expansionist course in the interpretation of the scope of Directive 95/46, and that of the GDPR, ever since. (39)

64. For that reason, I am therefore bound to conclude that, also in the present case, processing of personal data within the meaning of Article 2(1) of the GDPR, and thus within the meaning of Article 55(3) of that regulation, has taken place.

65. However, in my view, I suspect that either the Court, or for that matter the EU legislature, might be obliged to revisit the scope of the GDPR one day. The current approach is gradually transforming the GDPR into one of the most de facto disregarded legislative frameworks under EU law. That state of affairs is not necessarily intentional. It is rather the natural by-product of the GDPR’s application overreach, which in turn leads to a number of individuals being simply in blissful ignorance of the fact that their activities are also subject to the GDPR. While it might certainly be possible that such protection of personal data is still able to ‘serve mankind’, (40) I am quite confident that being ignored as a result of being unreasonable does not in fact serve well or even contribute to the authority or legitimacy of any law, including the GDPR.

2. Institutional element: ‘courts acting in their judicial capacity’?

66. Having accepted that there is a ‘processing operation’ within the meaning of Article 55(3) of the GDPR, the second, rather institutional element contained in that provision needs to be explored. How is the concept of ‘courts acting in their judicial capacity’ to be interpreted?

67. That provision seeks to draw a distinction between the activities that ought to be deemed to have been performed in a ‘judicial capacity’ and the activities that fall outside that category, such as, presumably, administrative tasks. A similar distinction can be found in various other legislative contexts, most notably in relation to access to documents and the principle of transparency laid down in the fourth indent of Article 15(3) TFEU. (41) However, upon closer inspection, Article 55(3) of the GDPR appears to be a specific provision in its own right.

68. The Commission argues that the concept of ‘acting in their judicial capacity’ should follow a purely functional approach and be interpreted restrictively. It submits that special regard should be had to recital 20 of the GDPR and the objective of safeguarding the independence of the judiciary. From that perspective, only those activities that have or could have a direct link with judicial ‘decision-making’ should be included within the concept of ‘judicial capacity’, so that only those activities would fall outside the competence of the competent supervisory authorities.

69. All other parties to the present proceedings take the opposite position. In essence, they assert that the use of the word ‘including’, in recital 20 of the GDPR, indicates that the EU legislature did not wish to attach a restrictive reading to the concept of ‘acting in a judicial capacity’ and that the objective of safeguarding the independence of the judiciary must be interpreted broadly.

70. I largely agree with the latter position.

71. Article 55(3) of the GDPR defines the supervisory competence of the competent supervisory authority. It does not, as the Commission correctly pointed out at the hearing, act as an exception to the overall requirement for supervision. Indeed, once a processing operation falls within the material scope of the GDPR, it thus also becomes subject to the requirement of being supervised by an independent authority under Article 8(3) of the Charter of Fundamental Rights of the European Union (‘the Charter’), and Article 16(2) TFEU more generally. That supervision shall occur by a body other than the supervisory authority appointed pursuant to Article 51(1) of the GDPR.

72. In order for the supervision competence to be assigned to a body other than the general supervisory authority under Article 55(1) of the GDPR, Article 55(3) thereof requires, aside from there being a processing operation, first, the involvement of a type of institution (‘courts’) and, second, a specific activity being carried out by those courts (‘acting in a judicial capacity’). This entails the need for a test that takes into account both characteristics.

73. With regard to the former, it is clear that, outside the necessarily autonomous realm of Article 267 TFEU, the concept of ‘court’ implies a body that forms part of the judicial structure of the Member States and is recognised as such. (42) As I have put forward previously, and as the Netherlands Government noted at the hearing, for those types of entities, the ‘judicial’ nature of their activity is the rule, while the performance of any ‘administrative’ activities is to be considered as the exception, given that such activities are ancillary or transitive to their main activity, which is judicial. (43) In other words, if the body concerned is designated a ‘court’ in the judicial system of the Member States, then it will be assumed, by default, that it acts in a ‘judicial capacity’ unless it is proven otherwise in an individual case. (44)

74. With regard to the latter, the functional corrective to that institutional determination then occurs by way of assessment of the type or nature of the given activity. (45) The Autoriteit Persoonsgegevens (Data Protection Authority), and the Spanish and Netherlands Governments, correctly point to recital 20 of the GDPR to emphasise that, in the specific case of Article 55(3) of the GDPR, that corrective must be interpreted broadly.

75. As a preliminary point, I would nonetheless like to stress that the definition under Article 55(3) of the GDPR correctly contains two elements of the definition: the institutional element and the functional corrective (or adjustment). That is so for the reason that it logically wishes to catch certain functions (judicial) within certain institutions (courts). That definition is not and cannot be purely functional. If it were, and if ‘acting in their judicial capacity’ were to prevail over the concept of ‘courts’, then other bodies and authorities in the Member States that do exercise in individual cases some judicial function may seek to be seen as bodies outside of the purview of the supervisory authorities of Article 55(1). However, Article 55(3) of the GDPR is limited to courts acting in their judicial capacity. It is not open to bodies acting in their judicial capacity.

76. Why should, in the second step, the concept of ‘acting in their judicial capacity’ be interpreted broadly, thus more likely including rather than excluding borderline cases?

77. First, unlike the Commission, I do not subscribe to the idea that the relationship between Article 55(1) and (3) of the GDPR should be reduced to the simplistic logic of ‘rule-exception’. As already explained above, (46) Articles 55 and 56 of the GDPR introduce a nuanced system of attributing supervision vis-à-vis certain territories, certain types of processing, and certain actors.

78. Second, it might be recalled that the second sentence of recital 20 of the GDPR states that ‘the competence of the supervisory authorities should not cover the processing of personal data when courts are acting in their judicial capacity, in order to safeguard the independence of the judiciary in the performance of its judicial tasks, including decision-making’. (47)

79. In that context, the references to ‘in order to’ and ‘including’ indicate the broad interpretation that must be given to the concept of ‘acting in their judicial capacity’.

80. On the one hand, ‘in order to’ in this sentence is an explanation of purpose and not one of limitation. It lays down, through an abstract statement, that the aim of the competence assignment contained in Article 55(3) of the GDPR is the protection of the independence of the judiciary. Indeed, and contrary to what the Commission suggested at the hearing, the reference to ‘in order to’ does not entail that each processing operation must assist the safeguarding of judicial independence. Put simply, recital 20 does not state that, in order to be excluded from the supervision of the supervisory authority under Article 55(1), each processing carried out by the court must individually and concretely safeguard judicial independence. It merely states that, at the systemic level, the specific supervision system was introduced in order to safeguard judicial independence. These are, in my view, very different types of ‘in order to’.

81. On the other hand, the need for a broad interpretation of the term ‘judicial capacity’ is also confirmed by the addition of the word ‘including’ before ‘decision-making’ in the second sentence of recital 20 of the GDPR. Indeed, the link thereby created also indicates that the concept of ‘judicial capacity’ must be interpreted more broadly than mere individual decisions relating to a specific case. Hence, there is again no need to ensure that each individual processing activity must visibly and clearly ensure the task of safeguarding judicial independence. Rather, a court may indeed be considered to be acting in a ‘judicial capacity’ even when it is performing activities that relate to the general functioning of the judiciary or the overall running and administration of the judicial process, be it, for illustration, the assembly and storage of files; the allocation of cases to judges; the joinder of cases; the extension of deadlines; the conduct and organisation at hearings; the publication and diffusion of its judgments for the benefit of the general public (certainly in the case of higher courts); or even the training of new judges.

82. Third, the same conclusion can also be drawn from the stated objective of safeguarding the ‘independence of the judiciary in the performance of its judicial tasks’. Throughout its case-law, in particular its more recent cases, the Court has interpreted the concept of ‘judicial independence’ broadly so as to cover the judges’ ability to exercise their office free from any form of (direct or indirect, actual or potential) pressure. (48)

83. I see no reason why the same interpretation should not be taken as the baseline for understanding the concept of ‘independence of the judiciary’ also for the purposes of the GDPR. In this regard, however, unless one wishes to task the competent supervisory authority to assess, on an individual basis, whether its oversight in a particular case could interfere with that independence, then a restrictive reading of recital 20 and Article 55(3) of the GDPR is certainly not warranted.

84. It is in this context that I find it difficult to embrace the Commission’s arguments and understanding of the concept of judicial independence. At the hearing, the Commission kept insisting that, for Article 55(3) of the GDPR to be triggered, there has to be a direct link between the processing of personal data at issue and an actual ongoing judicial procedure. If that were the case, then I find myself puzzled as to what exactly the concept of judicial independence, clearly invoked by the EU legislature, could bring into that equation for defining the scope of judicial activity.

85. If the concept of judicial independence is to have any meaning in this context, then it is above all in the safeguarding of the judicial function against the indirect hints, pressures, or influences. If the more recent case-law of this Court is evidence of anything, then it is that the indirect threats to judicial independence occur in practice more frequently than the direct ones. A notable recent example under this category might include the system of disciplinary proceedings against judges. (49) Strictly speaking, such proceedings (or the possible resort thereto) are not directly linked to individual decision-making by the courts. However, few would contest their relevance as regards the environment in which such decisions are handed down, and are clearly covered by the concept of judicial independence.

86. For all those reasons, I cannot embrace the Commission’s approach to the construction of acting in a judicial capacity under Article 55(3) of the GDPR. It would, in essence, amount to allowing administrative supervision under Article 55(1) of the GDPR for all cases, unless there is a direct link, presumably even some discernible impact, on judicial decision-making. In my view, that approach overlooks what the aim of safeguarding judicial independence ought properly to be. Judicial independence is not (only) about ex post finding out that something has already happened. It is above all about putting in place sufficient safeguards ex ante, so that certain things cannot happen.

87. The same is true for the argument that, naturally, one cannot presume that, even if allowed to review any judicial activities, Article 55(1) supervisory authorities are likely to have any ex ante desire to influence the judicial process. Here, I wish only to agree. However, that is again beside the point if the aim to be achieved is that of safeguarding judicial independence. The interpretation and institution-building in such cases cannot proceed from a factual logic (has it already happened?) but must proceed on a preventative logic (make sure that such things cannot happen, irrespective of the specific behaviour of the actors concerned). (50)

88. Fourth and finally, that legislatively stated purpose of Article 55(3) of the GDPR also provides, in my view, an answer as to how to approach the borderline scenarios, or the grey zone in between clearly judicial, and clearly something else, presumably administrative.

89. In practice, there are naturally a number of borderline activities performed by courts that may not relate directly to a judicial decision in a given case, but which may have a direct or indirect influence on the judicial process. One may take the assignment of cases by a president of a court as an example, provided naturally that a legal system allows a president any discretion in that regard. If one were to adopt a narrow reading of what is deemed to be in a ‘judicial capacity’, then it is unlikely that that activity would be covered by Article 55(3) of the GDPR. A supervisory authority would thus be competent to supervise personal data processing carried out within that activity. Yet, such a decision is not entirely of an administrative nature either. In fact, few would disagree that assigning a case to a reporting judge is an inherently judicial task, the interference with which can have a significant impact on judicial independence.

90. Other activities falling within the same category are, for instance, the layout, the seating order, or the management of court rooms when the court is in session; the use of security measures for visitors, parties and their representatives; video recording or potentially even the video streaming of hearings; dedicated access to hearings by the press; or even the information available on a court’s website about hearings and judgments. None of those (purely illustrative) activities are either purely judicial in the sense of being directly connected to the outcome of an individual case, or just administrative. In a number of such cases, they may, under certain circumstances, have an impact on the judicial independence of a court. Would it be appropriate, therefore, if they were controlled, for potential compliance with the GDPR obligations, by the same authority that may also stand as the defendant before those courts in cases lodged against decisions taken by that authority?

91. At the other end of the spectrum are, on the face of them, purely administrative tasks, such as the maintenance of the court’s buildings, contracting for catering services, or the normal management of supplies and maintenance of an institution and a workplace. It is true that, also within that category, borderline cases might emerge. The payment of salaries of judges or court employees may be an example in point. (51) If those tasks merely involve the mechanical processing of fixed payslips, then they are quintessentially administrative in nature. Supervision of those activities could thus fall within the competence of the supervisory authority appointed pursuant to Article 51(1) of the GDPR. However, as soon as a discretionary element is added to that task, such as deciding the type of holiday pay, Christmas bonus, or installation allowance that a certain judge may receive, then such activity might quickly lose its innocent, merely administrative status. (52)

92. Indeed, it would be incompatible with the logic of recital 20 of the GDPR if those activities were, by mere reason of their general categorisation, reviewed by the Article 51(1) supervisory authority and not the ‘internal’ authority designated specifically for activities with a potential impact on judicial independence. The issue here becomes one of consistency: one cannot decouple the particular policy decision taken in a judicial capacity from its implementation, if a review of the resulting implementing decision, by general administrative staff, would lead to the same problem of undermining the independence of the judiciary. As such, even the implementation of a policy decision taken in a judicial capacity must fall outside the scope of supervision of the competent (administrative) supervisory authority.

93. In conclusion, therefore, and in the light of the legislative intent expressed in recital 20 of the GDPR, the approach to the categorisation of the activities that are carried out in a ‘judicial capacity’ cannot be one that is individual and case-specific, focusing on the potential encroachment on what is ‘judicial’ in the circumstance of an individual case. Such an approach would be by definition factual and circumstantial, sometimes broader and sometimes narrower. The approach taken for the interpretation of that concept must therefore be structural (that is to say, proceeding based on the type of activity) and, by its very nature, preventative. That is why, for the borderline cases of activities carried out by the courts, in view of the principle of judicial independence, if there are doubts surrounding the nature of a type of activity, or if there is the mere potential that supervision of such an activity could have an impact on judicial independence, it ought to be (structurally) outside the competence of the purview of the Article 55(1) supervisory authority.

94. Having provided that answer to the definition of courts acting in a judicial capacity, I would finish by reacting, for the sake of completeness, to three further arguments raised by the various interested parties in the course of these proceedings.

95. First, I find limited practical use in placing any emphasis on the genesis of recital 20 of the GDPR. The referring court explains that the preparatory documents to the GDPR show that the initial version of recital 20 of the GDPR was drafted in a similar way to recital 80 of Directive (EU) 2016/680. (53) The latter limits the concept of ‘acting in their judicial capacity’ to ‘judicial activities in court cases and [does] not apply to other activities where judges might be involved in accordance with Member State law’. However, no such restriction of competence was ultimately retained in the final version of recital 20 of the GDPR. If any lesson can be learnt from that fact, it is rather one of contrast, and not one of analogy. After all, the EU legislature clearly departed from that previous wording, presumably discarding a restrictive reading that distinguishes between different types of ‘judicial activities’.

96. Second, for the purposes of the present case, one cannot simply reproduce the logic underlining the distinctions made in the framework of legislation and case-law on access to documents. The purpose underlining the divide in the fourth indent of Article 15(3) TFEU (protection of the integrity of judicial process and ongoing judicial proceedings) is different from the supposed same divide in Article 55(3) of the GDPR (protecting judicial independence of courts).

97. More specifically, as regards Sweden and Others v API and Commission (54) and Breyer v Commission, (55) on which the Commission sought to rely for the purposes of the present case, those judgments relate to the protection of ‘court proceedings’, which is one of the exceptions falling within Article 4 of Regulation (EC) No 1049/2001. (56) As I have explained in my Opinion in Friends of the Irish Environment, that exception places emphasis on the finite length of an individual dispute rather than the permanent activities of the judiciary. (57) It therefore views the activities under Article 4(2) of Regulation No 1049/2001 primarily through the prism of temporality. However, that temporal exception to disclosure logic is entirely alien to Article 55(3) of the GDPR, which concerns permanent attribution of competence in terms of supervision. Thus, equally in this context, as Advocate General Sharpston aptly noted in Flachglas Torgau, such true judicial activity ‘has no beginning or end in time’. (58)

98. Third and finally, I wish to address why the balancing exercise, proposed by the Spanish Government, between the right to the protection of data and certain other fundamental rights (as is necessary under Article 85 of the GDPR), does not fall within the scope of the assessment under Article 55(3) of that regulation. That is because the objective assessment, for assigning supervisory competence, of whether an activity is carried out in a ‘judicial capacity’, is not contingent on the balancing of fundamental rights. Instead, under Article 55(3) of the GDPR, one must engage in a ‘type assessment’ that is linked, as I have explained in the preceding passages, to the general functioning of the judiciary and policy decisions relating thereto.

99. I am in no way implying that a balancing exercise is not necessary to assess whether a disclosure of documents complies with the right to the protection of personal data. It certainly is, but only later, when assessing whether the disclosure at issue (carried out in a ‘judicial capacity’) was proportional to the aim that it sought to achieve, and thus compliant with the substantive provisions of the GDPR. (59)

100. In summary, I propose that the concept of ‘acting in their judicial capacity’, within the meaning of Article 55(3) of the GDPR be approached from an institutional perspective (‘is it a court?’) that is then potentially corrected by a functional assessment of the type of activity at issue (‘what specific type of activity is the court carrying out?’). In the light of the objective laid down in recital 20 of the GDPR, the latter activity assessment should employ a broad interpretation of the concept of ‘judicial capacity’ that goes beyond mere judicial decision-making in an individual case. It must also cover all activities that may indirectly impact upon the judicial independence of the courts. As such, courts should, by default, be considered to be acting in a ‘judicial capacity’ unless it is established, as regards a specific type of activity, that it is of administrative nature only.

C. The present case

101. Having proposed a general test that flows, in my view, from Article 55(3) of the GDPR, I now turn to the questions raised by the referring court.

102. To recall, Question 1 essentially enquires whether national courts act ‘in their judicial capacity’ within the meaning of Article 55(3) of the GDPR when disclosing certain procedural documents to a journalist so that that person is in a position to report better on a particular case. The remaining questions build upon the answer that this Court is to give to that initial question by requesting guidance on whether the assessment under Question 1 is affected by, first, the possible interference by the national supervisory authority with judicial independence in an individual case (Question 1a); second, the nature and purpose of the data processing, that is to say the informing of a journalist in order to enable that person to report better on a public hearing in court proceedings (Question 1b); or third, whether there is or is not a legal basis for such disclosure of documents (Question 1c).

103. Turning first to Question 1, as I explained in the preceding section of this Opinion, the concept of ‘courts acting in their judicial capacity’, within the meaning of Article 55(3) of the GDPR, should be given an institutional reading that is then readjusted, if need be, by a broad ‘activity-type corrective’.

104. In the present case, the institutional designation is clear. Indeed, the Raad van State (Council of State) serves as a higher court in administrative matters in the Netherlands. Similarly, on the question of whether the activity at issue falls within the category of processing carried out in a ‘judicial capacity’, there is general agreement amongst the interested parties that the disclosure of procedural documents to a journalist so that he or she may better report on a hearing does fall within the type of judicial activity that is covered by Article 55(3) of the GDPR.

105. I agree. A policy, such as that in the present case, of disclosing selected procedural documents to the press in order to make the work of the courts more transparent and comprehensible goes to the heart of the right to a fair trial, (60) and clearly relates to acting in a ‘judicial capacity’. That disclosure forms part of the larger task of the modern judiciary to keep the public informed as to how justice was achieved in their name. (61)

106. Contrary to what Citizen Z alleges, under that line of reasoning, it does not matter that it was the communication department of the Raad van State (Council of State), which I understand is composed of court staff other than judges, that released the documents at issue. Apart from the fact that, by reason of the institutional independence of the courts, that institution itself decides on the internal distribution of tasks, the referring court explains, as was confirmed at the hearing by the Netherlands Government, that the disclosure at issue occurred under the supervision of President P.

107. However, even if the disclosure decision at issue were not taken by a department within the national court, but rather by an external body generally under the control of the national court, the result would be the same. For one, that is because if the type of activity is covered, then the designation as to who performs that activity under national law does not matter. For another, diversity in structures at national level cannot lead to a different outcome in a situation where a particular activity serves as merely the corrective to a simple institutional designation. (62) Otherwise, a supervisory authority such as the Autoriteit Persoonsgegevens (Data Protection Authority) would gain control over the press policy of the Raad van State (Council of State), which, indirectly, would allow it to review a substantive decision taken by that court as regards the publicity of justice in an individual case.

108. That brings me to Question 1a. Here, the referring court wonders whether it must determine in each specific case whether supervision affects judicial independence.

109. The answer is ‘no’. As I have explained above, (63) the reference to ‘judicial capacity’ in recital 20 of the GDPR should not be understood as requiring an examination into whether in each individual case there is a threat to the independence of the judiciary. Rather, it represents the overall statement of purpose behind the provision of Article 55(3) of the GDPR, which is of an institutional nature. That statement of purpose leads to a rather preventative inclusion of all types of court activities, the supervision of which, as to their compliance with the GDPR, may even have an indirect impact on judicial independence under the scope of Article 55(3) of the GDPR.

110. On the more practical side, it might be added that, apart from arguments of a structural, constitutional nature, such a solution is also the only reasonable and practical one. Indeed, would anybody seriously suggest that a national supervisory authority under Article 55(1) of the GDPR must carry out, in relation to deciding on its competence to deal with a matter at all, a full-scale individualised assessment of each type of processing operation? Should such authorities really embark on the unenviable task of determining, on a case-by-case basis, for which processing operations the exercise of supervision could affect the independence of the national court in question, and for which not, and immediately filter what they are allowed to look at accordingly?

111. This relates to the answer to be given to Question 1b. Indeed, the exact nature and purpose of a particular processing operation is not conclusive for answering the structural issue of when the court is acting in a ‘judicial capacity’. Certainly, open justice and its administration are particularly important to the tasks of the modern judiciary in a democratic society. However, those considerations do not play a role for the assessment under Article 55(3) of the GDPR, so long as the processing operation at issue is inherent in the broader concept of ‘judicial capacity’. Indeed, any other conclusion would surreptitiously re-establish the type of restrictive reading proposed by the Commission of Article 55(3) of the GDPR.

112. Incidentally, that very point highlights precisely why safeguarding the independence of the judiciary can only relate to the overall, structural aim fuelling the introduction of Article 55(3) of the GDPR, and not a condition to be established in each individual case. (64) Were it to be otherwise, then it would be rather clear that ‘interests of openness and transparency in the administration of justice’, stated as the relevant purpose for the given data processing in the present case by the referring court, are different from ‘safeguarding judicial independence’.

113. Only two argumentative avenues would then be open. First, one would have to conclude that the openness of justice is a different aim to the independence of the judiciary. Then, disclosure to journalists would fall outside the scope of Article 55(3) of the GDPR, an outcome that all the interested parties, including the Commission for that matter, say simply cannot be the case. Second, one would then have to overinflate the (already not very narrow) concept of ‘judicial independence’, so as to include also judicial openness and transparency, and possibly any other value, turning everything and anything occurring in the judicial forum into an interest or value which is inherent in judicial independence. Yet, that would, in turn, amount to flipping the entire structure on its head. Judicial independence is not a goal in itself. It is not an intrinsic value. It is itself a transitive value, a means to an end that is to be achieved by having independent judges: fair and impartial dispute settlement.

114. This is not to say that an enquiry into the nature and purpose of a processing activity could never be of use. Of course it is. However, not at the stage of deciding on the scope of Article 55(3) of the GDPR, but instead at the stage of deciding on the lawfulness of processing under Article 6(1) of the GDPR, or any other substantive provisions of that regulation. It might, in fact, be quite relevant to assess why a particular processing activity occurred when determining whether that activity was, say, ‘necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’ within the meaning of Article 6(1)(e) of the GDPR. Similarly, the nature and purpose of a processing operation will naturally fall into an assessment of compliance with the principles laid down in Article 5 of the GDPR.

115. Here is where Question 1c attaches to and continues in the same type of discussion. The enquiry of whether there is a need for a legal basis in national law, and the type of legal basis needed, again goes to the very merits and the issue of the lawfulness of the processing. That is an issue to be assessed under Article 6 of the GDPR. However, while the case file generally mentions that the UAVG ‘implements’ the GDPR, it is silent on any discussion of how Article 6 of the GDPR has been taken into account in the processing at issue in the present case. In addition, the lawfulness of the processing is not a question directly raised by the referring court.

116. In general, I cannot but refer to the observations recently made on this issue in my Opinion in Valsts ieņēmumu dienests. (65) Indeed, any national legal basis set up pursuant to Article 6 of the GDPR need only cover what is, as to its substance, a general and ongoing practice of disclosing documents to the press. Where such a general legal basis is available, I fail to see either the purpose or the proportionality behind an individual decision being required for each and every processing operation. (66)

D. A coda: the GDPR and the judicial function

117. This case is like an onion. It has many layers. If one remains at the outer layer of the questions raised by the referring court, taking and answering them indeed literally, then one, including the Court, can indeed stop at this stage. The answer to the central issue faced by the referring court, contained in its first question, relating to Article 55(3) of the GDPR, would have been provided.

118. I believe that it would be possible, and in the context of the present case entirely justified, to remain at that outer layer. No peeling of onions unless expressly asked for.

119. However, at the same time, there is no disguising the fact that, as regards the genuine content of the questions raised, the referring court gradually slides from the issue of competence under Article 55(3) of the GDPR to the substantive assessment of the case possibly under Article 6 of the GDPR, in particular by its Questions 1b and 1c. Certainly, all that sliding and crossing over might be attributed to the novel question raised by the referring court and the unclear contours of interpretation of Article 55(3) of the GDPR. Once that interpretation is provided, all the issues become clear and those considerations redundant.

120. Nevertheless, all this may in fact also be taken as an indication of something else: namely, that it is rather difficult to separate neatly the issue of competence under Article 55(3) of the GDPR from considerations of substance and the scope of application of the entire instrument in the first place. Indeed, if the GDPR were not applicable to certain types of activities at all, then what would be the point in deliberating over who is to supervise that? (67) The same goes for a situation in which a Member State were lawfully to exclude the courts from the obligations under the GDPR: no substantive obligations imposed would mean that there is nothing to be supervised in the first place.

121. At the same time, concerning to a greater extent the institutional and procedural layer of the case, in his written observations, Citizen Z raised doubts as regards the compatibility of Article 55(3) of the GDPR with Articles 8(3) and 47 of the Charter. He considers Article 55(3) of the GDPR invalid to the extent that that provision excludes the competences of the (generally competent) Article 55(1) supervisory authority without, simultaneously, imposing on the Member States the requirement to establish another independent authority in line with the wording of Article 8(3) of the Charter and Article 16(2) TFEU. That legislative lacuna is also bound to create breaches of Article 47 of the Charter and potentially even Article 19(1) TEU. It is said to deprive Citizen Z of any effective remedy before an independent tribunal.

122. However, due account being taken of all those points, in view of the fact that none of those issues have in fact been expressly raised by the referring court, but also in view of the scope, the context, and the arguments discussed in the course of the present proceedings, I believe it is best to leave those issues for another case, should that need indeed arise.

123. I shall therefore simply conclude with several remarks on the legislative design of the GDPR with regard to the judicial function of courts. I have endeavoured to understand the legislative thinking behind the arrangement of substance, exceptions, supervision of compliance with the GDPR. I, nonetheless, remain perplexed as to what exactly was supposed to be achieved by submitting the judicial activity of courts to the obligations arising out of the GDPR. That is in relation to the inherent nature of that activity (1), but also with respect to who should be tasked with monitoring the judicial compliance with the GDPR (2).

1. The substance: all is legal

124. What does the GDPR, once applied to courts, change in the way the judicial function is to be carried out? Given the apparently borderless scope of the GDPR, it may seem surprising that the resulting obligations on that function appear to be surprisingly light. The substantive provisions of the GDPR either already foresee that any normal processing for judicial purposes is lawful; refer to complementary (and possibly limiting) provisions of the Member States; or, at the very least, allow for a generous balancing against certain fundamental rights and principles of a democratic society that will yet again allow for just about any derogation as regards the judicial function.

125. Article 6(1)(e) of the GDPR provides an example in this regard. That provision considers any processing operations ‘necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in’ a national court as ‘ex lege’ lawful. A similar (although more express) derogation arises from Article 9(2)(f) of the same regulation for the processing of special categories of personal data. Where either of those provisions applies, no consent by the data subject is necessary, with the Member States to specify more precisely how processing should take place in such a situation. (68) In other words, and subject to the principles of data processing laid down in Article 5 thereof, (69) the GDPR itself provides a legal basis to consider lawful any processing of personal data carried out by the national courts that is necessary for the performance of their official tasks.

126. In addition, by virtue of Article 23(1)(f) of the GDPR, Member States are also allowed to restrict the scope of the rights and obligations provided for in Articles 12 to 22 and 34 of the GDPR, as well as, in some instances, Article 5 thereof, in order to protect ‘judicial independence and judicial proceedings’. At the hearing, the Commission explained that Article 23(1)(f) of the GDPR must be understood as functioning similarly to Article 52(1) of the Charter, and should not be viewed as yet another provision limiting the competence of the supervisory authority.

127. I agree with the Commission on this point: Article 23(1)(f) of the GDPR does not have direct connection to Article 55(3) of the GDPR. (70) It nonetheless allows for a wholesale derogation, by the Member States, from all rights of the data subjects under Chapter III of the GDPR for what appears also to be some type of judicial activity (‘judicial independence and judicial proceedings’).

128. Finally, all that is possible without (yet) even having entered into a type of balancing exercise with fundamental rights or interests other than data protection, which would pertain to the assessment of lawfulness of individual processing operations (and the minimisation-proportionality requirement embedded therein). Given the imperatives of judicial transparency and open justice, those are likely to cover any normal uses of personal data for the purposes of judging.

129. The result appears self-defeatist: EU law superimposes an all-encompassing data protection framework on the judicial function, which must be complied with, while at the same time allowing for so many substantive exits. Add to that the ‘competence capture’ introduced by Article 55(3) of the GDPR and the law in effect comes full circle to retaining the ‘modus operandi’ of national courts prior to the introduction of those rules. That begs the question: why then was there the need for such a patchwork of rules if, in reality, those rules have changed very little at national level?

130. This is not to say that such an outcome is not to be welcomed. In my view, I entirely agree that it cannot be otherwise. That is not only in order to accommodate the various judicial and constitutional traditions of the Member States as regards the publicity of justice. (71) It is above all inherent in the judicial function itself. Judging means individualised detail brought to the public forum. I would very much like to stress both elements of that proposition.

131. On the one hand, the basis for judicial legitimacy in an individual case are its facts and details. The judge settles an individual case. His or her job is not to draft abstract, general, and anonymous rules detached from individual facts and situations. That is the job of a legislature. The more a judicial decision departs from or hides the factual background to a public court case, or if it is later reported with significant limitations, the more often it becomes incomprehensible, and the less legitimate it becomes as a judicial decision. (72)

132. On the other hand, ever since the Roman age, but presumably already earlier, if a claimant asked for the help of the community or later the State to have his claim upheld and enforced by the State, he was obliged to step into the public forum and let his case be heard there. In classical Roman times, the applicant was even entitled to use violence against the respondent who refused to appear in the public (the North Eastern part of the Roman Forum called comitium), before the magistrate (seated on a rolling chair on a tribune higher than the general public – hence indeed tribunal), when called before a court (in ius vocatione). (73)

133. It is true that, later on, there were other visions of the proper administration of justice and its publicity. They are perhaps best captured by a quote from a judge in the Parlement de Paris writing in 1336 instructions to his junior colleagues, and explaining why they should never disclose either the facts found or the grounds for their decision: ‘For it is not good that anyone be able to judge concerning the contents of a decree or say “it is similar or not”; but garrulous strangers should be left in the dark and their mouths closed, so that prejudice should not be caused to others. … For no one should know the secrets of the highest court, which has no superior except God …’ (74)

134. In the modern age, returning to the opening quote of Jeremy Bentham, it is again believed that even garrulous strangers should be allowed to see and understand justice. Certainly, with the arrival of modern technologies, a number of issues must continuously be re-evaluated so that garrulous strangers cannot cause prejudice to others.

135. However, any such change, in particular those touching upon the openness and transparency of the administration of justice, must be limited to the strictly necessary, without knocking over the foundations of the entire structure. (75) Judging is and remains individualised decision-making that requires a degree of personal detail and data, which must take place, certainly in terms of its outcome, in the public forum.

136. Closing in this regard with a specific example already alluded to in this Opinion, (76) in my view, the GDPR does not contain any right to an ‘anonymous trial’. In view of all that has been outlined above, it appears bizarre and dangerous to think that claimants stepping into the public agora for the resolution of their conflict, where judges speak on behalf of the community and act under the watchful eyes of their fellow citizens, should have a right for their identity to be kept secret and their case anonymised by default, including from the court deciding the case itself, without there being any specific and weighty reason for such anonymity. (77)

137. Naturally, the publicity of justice is not absolute. There are well-grounded and necessary exceptions. (78) The simple point to keep in mind here is: what is the rule and what is the exception. Publicity and openness must remain the rule, to which naturally exceptions are possible and sometimes necessary. However, unless the GDPR were to be understood as imposing a revival of the best practices of the Parlement de Paris of the 14th century, or other elements of the Ancien Régime or the Star Chamber(s) for that matter, (79) it is rather difficult to explain why, in the name of the protection of personal data, that relationship must now be reversed: secrecy and anonymity were to become the rule, to which openness could perhaps occasionally become the welcome exception.

138. In conclusion and in general, one cannot but wonder again, as far as the overall legislative design of the GDPR application vis-à-vis judicial activities of courts is concerned, why the system would be designed (at first) to include everything and then (later on) effectively to exclude the effects of that broad coverage under the individual substantive provisions, or potentially wholly under Article 23(1)(f) of the GDPR. Should then national courts, in the course of ‘acting in their judicial capacity’, not have been simply excluded from the scope of the GDPR altogether?

2. The institutions and procedures: quis custodiet ipsos custodes?

139. To the substantive layer connects the institutional one. That issue adds to the already rather heavy substantive ‘why’ the question of ‘how’. How, in practical terms, are courts acting in their judicial capacity to be supervised in terms of their compliance with the GDPR and by whom exactly? Indeed, if the national courts are to apply the GDPR, and yet the competent supervisory authorities are not to take charge of supervising activities ‘in their judicial capacity’ as per Article 55(3) of the GDPR, who is there to uphold the fundamental right to the protection of a person’s personal data, guaranteed by Article 8(1) and (3) of the Charter?

140. This is where, in my view, the link between Article 55(3) and recital 20 of the GDPR causes some problems.

141. All parties to the present proceedings explain that Article 55(3) of the GDPR must be read in the light of recital 20 of the GDPR. That recital states that, when national supervisory authorities monitor and enforce the GDPR, those tasks should nonetheless not interfere with the principle of judicial independence to supervise the processing operations of ‘courts acting in their judicial capacity’. The third sentence of recital 20 of the GDPR then notes that ‘it should be possible to entrust supervision of such data processing operations to specific bodies within the judicial system of the Member State’.

142. Nonetheless, is the approach suggested in recital 20 compatible with the ‘independence’ criterion of Article 8(3) of the Charter? Indeed, how can any ‘supervisory court’, thusly established by the Member States within their national judicial structures to ensure compliance with the GDPR, act as an independent third from the very courts that allegedly committed a GDPR infringement? Does that not raise an issue of Article 47 of the Charter?

143. Contemplating an appropriate institutional and procedural structure for this type of situation quickly turns into a déjà vu, reminiscent of discussions opened up by Köbler. (80) Who is to decide on State liability for judicial breaches of EU law? Other ‘normal’ courts within the judicial system, with the danger of one day the supreme court deciding on its own liability? Or a specially established super-court? What if that super-court also gets it wrong? In this regard, recital 20 of the GDPR brings yet again to the fore the very issue that the Member States decried in Köbler: that is, compromising ‘real’ judicial independence through an enforceable external right to review judicial acts or omissions against the rules on data protection. (81)

144. However, by contrast with Köbler, where I assume a number of reasonable minds were able to make sense of the principle that Member States should be obliged to make good damage caused by a court of last instance handing down a decision that infringes EU law, (82) it is not at all apparent why such ‘real’ independence should be sacrificed on the altar of supervising compliance with an instrument of secondary legislation, such as the GDPR, which provides for other means of enforcement already. There is certainly no denying that that instrument has solid primary law foundations in Articles 8 of the Charter and Article 16 TFEU. The point is rather that a remedy and damages against the courts as controllers separately exist pursuant to Articles 79 and 82 of the GDPR and irrespective of Article 55(3) thereof.

145. At the same time, a possible solution might be found if the third sentence of recital 20 of the GDPR were not taken too literally. Indeed, after all, it is merely a recital and not a free-standing and thus binding legislative provision. (83) If that were the approach, indeed apparently embraced in some Member States, then the substantive provisions of the GDPR would just be seen as establishing rights that should be capable of being relied upon before the national courts, within the normal judicial proceedings available in that Member State. (84)

146. If that were indeed the institutional and procedural route chosen, then one might prevent both the problem of allowing a ‘dependent third’ to control the activities of the judiciary and the need to establish a super-court in order to monitor other courts. That being said, under that approach, one would still likely fall short of the requirement of Article 8(3) of the Charter to have an ‘independent’ authority supervise the compliance with the right to the protection of personal data. (85)

147. From that perspective, the ‘internal court’ solution appears to be the only workable option to the above-outlined conundrum of fitting the GDPR superstructure into the rather specific world of the national judiciary. (86)

148. Yet, even if one supposed that the only Charter-compatible way would be to proceed with such an ‘internal review’ authority, what precisely that authority is supposed to supervise still seems somewhat unclear.

149. First, as explained in the previous section of this Opinion, the GDPR presumes that court processing operations are lawful and allows, in addition to that generalised presumption, for certain rights and obligations, as well as foundational principles relating to the processing of personal data, to be restricted through national legislative measures.

150. Second, in most if not all Member States, the national judicial codes of procedure incumbent on judicial proceedings regulate in far greater detail the handling of personal data in all the individual stages of judicial proceedings: namely, what a specific document must and may not contain, who has access to what, under which conditions what information may be removed/corrected, which confidentiality limitations apply, what information and data a judicial decision is supposed to contain, and so on. (87)

151. Third, the disregard of those rules by national judges is already subject to control and potential sanctions, of at least two types. On the one hand, there are the sanctions against the decision itself, leading to its potential annulment. On the other hand, there are regimes of personal liability of judges in disciplinary proceedings.

152. In view of such a legislative environment, one would imagine the GDPR to contain provisions on its interaction with other legislative frameworks. What is the ‘lex specialis’ and how are various institutional and procedural frameworks supposed to coexist? How are any possible normative conflicts to be resolved? Alas, the GDPR does not provide any rules on such conflict, therefore giving rise to the separate question of whether the GDPR is indeed to be understood as overriding national procedural rules or to be read as complementary to them.

153. If that were the case, does that mean that data subjects could apply to the national courts to ‘rectify’ their pleadings outside of national procedural deadlines (under Article 16 of the GDPR)? (88) What if a litigant, in the face of a negative outcome in a case, managed to satisfy the threshold of invoking his or her ‘right to be forgotten’ (under Article 17 of the GDPR) to remove a judgment or record of proceedings from the collective judicial memory after that judgment were handed down? (89)

154. In the light of all those many intricacies, it is perhaps not entirely surprising that a number of Member States have encountered understandable difficulties in the setting up of appropriate institutional structures pursuant to Article 55(3) of the GDPR that are nonetheless compliant with Article 8(3) of the Charter. (90)

155. Both of those elements addressed in this section combined, that is to say, elements of substance and those of institutions and procedures, leave a sense of puzzlement already mentioned at the outset of Section D. In view of the continued existence of such systemic problems, why create such half-hearted but remarkably sweeping superstructures in the first place? To enforce, in so far as the judicial activity of courts is concerned, almost non-existent substantive rights? Is all that really worth the candle?

V. Conclusion

156. I propose that the Court answer the questions referred for a preliminary ruling by the Rechtbank Midden-Nederland (District Court, Central Netherlands, Netherlands) as follows:

Question 1

Article 55(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) must be interpreted to mean that the practice of the disclosure of procedural documents to a journalist for the purpose of better covering a public hearing is carried out by courts ‘acting in their judicial capacity’.

Question 1a

Article 55(3) of Regulation 2016/679 does not require a determination of whether a processing operation of the national courts ‘acting in their judicial capacity’ affects independent judicial decision-making in each specific case.

Question 1b

The determination of the nature and purpose of a particular processing operation does not form part of the criteria to be taken into account, under Article 55(3) of Regulation 2016/679, when establishing whether the national courts were acting ‘in their judicial capacity’.

Question 1c

For the purposes of determining whether a processing operation of the national courts was carried out ‘in their judicial capacity’, within the meaning of Article 55(3) of Regulation 2016/679, it is not relevant whether those courts acted pursuant to an express legal basis in national law.

1 Original language: English.

2 Burton, J.H. (ed.), Benthamiana: or select extracts from the works of Jeremy Bentham, Lea & Blanchard, Philadelphia, 1844, p. 139.

3 The quoted text was originally published in Bentham, J., Draught of a New Plan for the organisation of the Judicial Establishment in France: proposed as a Succedaneum to the Draught presented, for the same purpose, by the Committee of Constitution, to the National Assembly, December 21st, 1789, London, 1790.

4 For illustration, in the practice of the Parlement de Paris in the 14th century, the facts and grounds for a decision had to be kept secret. They were seen as part of the judicial deliberation process, which was to be kept confidential. See Dawson, J.P., The Oracles of the Law, The University of Michigan Law School, 1968, pp. 286-289. In detail, see also Sauvel, T., ‘Histoire du jugement motivé’, 61(5) Revue du droit public, 1955.

5 See, by way of background information, the Dutch Judiciary Press Guidelines of 2013, available at: https://www.rechtspraak.nl/SiteCollectionDocuments/Press-Guidelines.pdf, Article 2.3 and the explanatory notes on pages 6 and 7 thereof.

6 Regulation of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1).

7 The names of the main parties have been slightly amended better to guide the reader in a more digestible form through the labyrinth of generalised pseudo-anonymisation adopted by the Court since 2018 (see press release of the Court of Justice of the EU of 29 June 2018, ‘From 1 July 2018, requests for preliminary rulings involving natural persons will be anonymised’ https://curia.europa.eu/jcms/upload/docs/application/pdf/2018-06/cp180096en.pdf). Indeed, if the future judicial prose of this Court is to look like a Kafka novel, then why not embrace some of Kafka’s positive literary elements as well?

8 Judgment of 10 December 2018, Wightman and Others (C‑621/18, EU:C:2018:999, paragraph 27).

9 Judgment of 18 May 2021, Asociaţia “Forumul Judecătorilor din România” and Others (C‑83/19, C‑127/19, C‑195/19, C‑291/19, C‑355/19 and C‑397/19, EU:C:2021:393, paragraph 116 and the case-law cited).

10 Judgment of 16 July 2020, Facebook Ireland and Schrems (C‑311/18, EU:C:2020:559, paragraph 73 and the case-law cited).

11 See, for example, judgments of 18 July 2007, Lucchini (C119/05, EU:C:2007:434, paragraph 43); of 26 May 2011, Stichting Natuur en Milieu and Others (C165/09 to C167/09, EU:C:2011:348, paragraph 47); and of 26 April 2017, Farkas (C564/15, EU:C:2017:302, paragraph 37).

12 See Articles 2(1) and 4(2) of the GDPR.

13 Contrast in this regard with, for instance, Article 2(2) of Directive 2003/4/EC of the European Parliament and of the Council of 28 January 2003 on public access to environmental information and repealing Council Directive 90/313/EEC (OJ 2003 L 41, p. 26).

14 To that effect, judgment of 15 June 2021, Facebook Ireland and Others (C‑645/19, EU:C:2021:483, paragraph 47 and the case-law cited).

15 With regard to the relationship between Article 55(1) and Article 56(1), see judgment of 15 June 2021, Facebook Ireland and Others (C‑645/19, EU:C:2021:483, paragraphs 47 to 50).

16 See, for instance, judgment of 22 June 2021, Latvijas Republikas Saeima (Penalty points) (C‑439/19, EU:C:2021:504, paragraphs 71 to 72 and 76 to 77), deeming both the disclosure of certain personal data to the public as well as the access of the public to a database holding those personal data a ‘processing operation’ in relation to Article 2(1) of the GDPR; and judgment of 17 June 2021, M.I.C.M. (C‑597/19, EU:C:2021:492, paragraphs 97 to 123), assessing two different types of processing of personal data, by two different companies, taking place ‘upstream’ and ‘downstream’. To that effect, see also judgment of 16 January 2019, Deutsche Post (C‑496/17, EU:C:2019:26, paragraphs 60 to 69), concerning multiple processing activities by different authorities relating to the tax data of natural persons.

17 Judgment of 10 July 2018, Jehovan todistajat (C‑25/17, EU:C:2018:551, paragraph 62).

18 See Article 4(1) of the GDPR. On the broad interpretation of the concept of personal data, see, for example, judgment of 20 December 2017, Nowak (C‑434/16, EU:C:2017:994, paragraph 62).

19 Indeed, that ought to be the starting point for assessing any rights and obligations of the parties under the GDPR. See judgment of 29 July 2019, Fashion ID (C‑40/17, EU:C:2019:629, paragraphs 72 and 74), as well as my Opinion in Valsts ieņēmumu dienests (Data processing for tax purposes) (C‑175/20, EU:C:2021:690, point 42).

20 As Article 4(2) of the GDPR itself provides.

21 See, for example, judgments of 29 June 2010, Commission v Bavarian Lager (C‑28/08 P, EU:C:2010:378, paragraph 69), and of 19 April 2012, Bonnier Audio and Others (C‑461/10, EU:C:2012:219, paragraph 52).

22 See, for example, judgments of 29 January 2008, Promusicae (C‑275/06, EU:C:2008:54, paragraph 45), and of 6 October 2020, Privacy International (C‑623/17, EU:C:2020:790, paragraph 41), in the context of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (OJ 2002 L 201, p. 37). See also judgment of 6 October 2015, Schrems (C‑362/14, EU:C:2015:650, paragraph 45), in the context of transfers of data to a third country.

23 See above, point 42 of this Opinion. However, see also point 47 and the need to be clear in terms of the specific processing operation for ascertaining the rights of obligations flowing therefrom.

24 See judgment of 10 July 2018, Jehovan todistajat (C‑25/17, EU:C:2018:551, paragraphs 57). However, see Opinion of Advocate General Sharpston in Commission v Bavarian Lager (C‑28/08 P, EU:C:2009:624, points 142 to 150).

25 See, for example, judgment of 9 July 2020, Land Hessen (C‑272/19, EU:C:2020:535, paragraph 68).

26 Judgment of 22 June 2021, Latvijas Republikas Saeima (Penalty points) (C‑439/19, EU:C:2021:504, paragraph 66 and the case-law cited).

27 With that recital, itself much narrower than Article 2(2)(a) of the GDPR, being interpreted in addition in a strikingly reductionist way – see judgment of 22 June 2021, Latvijas Republikas Saeima (Penalty points) (C‑439/19, EU:C:2021:504, paragraphs 66 to 68).

28 See recitals 16 and 19 of the GDPR.

29 Which, in addition, is to be, yet again, interpreted narrowly, and therefore must be limited to purely (in terms of exclusively) personal or household activity – see, for example, judgment of 11 December 2014, Ryneš (C‑212/13, EU:C:2014:2428, paragraph 30).

30 Certainly, I could always try to go for Article 6(1)(c) (to gossip in a pub is a legal obligation to which I am subject by social convention) or for Article 6(1)(d) of the GDPR (the vital interest of my friends, in other words another natural person, to have something to talk about in a pub necessitates the information being transmitted). I suspect, however, that a national data-protection authority would not be impressed by such innovative reasoning.

31 Which may have been one of the motives why, for reasons of ‘commonsense and justice alike’, the Court of Appeal (England & Wales) (United Kingdom) held that the act of anonymising personal data does not itself qualify as ‘processing’ under the UK Data Protection Act 1998. See judgment of 21 December 1999 in Regina v Department of Health, Ex Parte Source Informatics Ltd [1999] EWCA Civ 3011 at [45].

32 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31).

33 Opinion of Advocate General Sharpston of 15 October 2009 in Commission v Bavarian Lager (C‑28/08 P, EU:C:2009:624, points 135 to 146).

34 An advisory body established by Article 29 of Directive 95/46, now replaced by the European Data Protection Board, set up under Article 68 of the GDPR (‘the Article 29 Data Protection Working Party’).

35 See Article 29 Data Protection Working Party in its Opinion 4/2007 on the concept of personal data (01248/07/EN WP 136, 20 June 2007, pp. 4 and 5).

36 Ibid., p. 5.

37 Historically, nobody had a problem with the processing of personal data unless a filing system and databases with large data sets were first created, allowing for new knowledge and new data to be created by automated data aggregation and/or easy access to those data. Should that historical experience and need not also guide the present interpretation of the laws created for that specific purpose?

38 Judgment of 29 June 2010 in Commission v Bavarian Lager (C‑28/08 P, EU:C:2010:378, paragraphs 70 and 71).

39 In further detail, see also my Opinion in Valsts ieņēmumu dienests (Data processing for tax purposes) (C‑175/20, EU:C:2021:690, points 35 to 41).

40 Recital 4 of the GDPR.

41 For the outline of various other areas of law featuring such a divide, see, respectively, my Opinions in Friends of the Irish Environment (C‑470/19, EU:C:2020:986, points 71 to 75 and 81 to 82), and in Commission v Breyer (C‑213/15 P, EU:C:2016:994, points 52 to 64).

42 See my Opinion in Pula Parking (C‑551/15, EU:C:2016:825, points 85 and 86).

43 See my Opinion in Friends of the Irish Environment (C‑470/19, EU:C:2020:986, point 87).

44 Take, by way of example for such a situation, judgment of 16 December 2008, Cartesio (C210/06, EU:C:2008:723, paragraph 57 and the case-law cited).

45 See my Opinion in Friends of the Irish Environment (C‑470/19, EU:C:2020:986, point 71).

46 See above, point 39 of this Opinion.

47 My emphasis.

48 See judgments of 27 February 2018, Associação Sindical dos Juízes Portugueses (C‑64/16, EU:C:2018:117, paragraph 44); of 25 July 2018, Minister for Justice and Equality (Deficiencies in the system of justice) (C‑216/18 PPU, EU:C:2018:586, paragraph 38); of 24 June 2019, Commission v Poland (Independence of the Supreme Court) (C‑619/18, EU:C:2019:531, paragraph 72); of 2 March 2021, A.B. and Others (Appointment of judges to the Supreme Court – Actions) (C‑824/18, EU:C:2021:153, in particular paragraphs 117 to 119); and of 18 May 2021, Asociaţia “Forumul Judecătorilor din România” and Others (C‑83/19, C‑127/19, C‑195/19, C‑291/19, C‑355/19 and C‑397/19, EU:C:2021:393, paragraph 188).

49 Most recently judgment of 15 July 2021, Commission v Poland (Disciplinary regime for judges) (C‑791/19, EU:C:2021:596), and order of 14 July 2021, Commission v Poland (C‑204/21 R, EU:C:2021:593).

50 Naturally, assuming that Federalist No 51 (‘If men were angels, no government would be necessary. If angels were to govern men, neither external nor internal controls on government would be necessary’) remains applicable also within the GDPR.

51 In its central record of processing activities (available at: https://curia.europa.eu/jcms/jcms/p1_3301336/en/), established pursuant to Article 31(5) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ 2018 L 295, p. 39), the Court itself lists processing operations for the payment of salaries as an ‘administrative activity’. See https://curia.europa.eu/jcms/upload/docs/application/pdf/2021-01/paie.pdf.

52 Thus perhaps becoming another possible element of indirect pressure – it is no coincidence that, in a number of legal systems, judicial salaries are strictly determined by law, intentionally thus excluding any potential for influence to be exercised in this manner.

53 Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ 2016 L 119, p. 89).

54 Judgment of 21 September 2010, Sweden and Others v API and Commission (C‑514/07 P, C‑528/07 P and C‑532/07 P, EU:C:2010:541).

55 Judgment of 18 July 2017, Commission v Breyer (C‑213/15 P, EU:C:2017:563).

56 Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents (OJ 2001 L 145, p. 43).

57 See my Opinion in Friends of the Irish Environment (C‑470/19, EU:C:2020:986, points 90 to 92).

58 Opinion of Advocate General Sharpston in Flachglas Torgau (C‑204/09, EU:C:2011:413, point 73).

59 See, in this regard, the application of that assessment in judgment of 22 June 2021, Latvijas Republikas Saeima (Penalty points) (C‑439/19, EU:C:2021:504, paragraphs 104 to 116).

60 To that effect, in relation to Article 6(1) of the European Convention on Human Rights (ECHR), see judgments of the ECtHR of 8 December 1983, Axen v. Germany (CE:ECHR:1983:1208JUD000827378, § 32); of 22 February 1984, Sutter v. Switzerland (CE:ECHR:1984:0222JUD000820978, § 26); of 14 November 2000, Riepan v. Austria (CE:ECHR:2000:1114JUD003511597, § 27); of 12 July 2001, Malhous v. Czech Republic (CE:ECHR:2001:0712JUD003307196, § 62); and of 28 October 2010, Krestovskiy v. Russia (CE:ECHR:2010:1028JUD001404003, § 24).

61 See, in that regard, judgment of the ECtHR of 26 April 1979 Case of the Sunday Times v. the United Kingdom (CE:ECHR:1979:0426JUD000653874, § 67).

62 Consider, in this regard, if the communication department were not part of the court but rather were set up as part of a separate institution, as was the case for archiving activities in judgment of 15 April 2021, Friends of the Irish Environment (C‑470/19, EU:C:2021:271, paragraph 43). For further assessment, see my Opinion in Friends of the Irish Environment (C‑470/19, EU:C:2020:986, point 107).

63 Points 76 to 86 of this Opinion.

64 As set out in general already above in points 84 to 86 of this Opinion.

65 See my Opinion in Valsts ieņēmumu dienests (Data processing for tax purposes) (C‑175/20, ECLI:C:2021:690).

66 Ibid., points 83 to 85.

67 That is also why this Opinion logically has to start (in point 32 hereof) with the general affirmation that the GDPR is in principle applicable to courts.

68 See recitals 40 and 52, Article 6(2) and (3), and Article 9(2) and (3) of the GDPR.

69 Judgment of 22 June 2021, Latvijas Republikas Saeima (Penalty points) (C‑439/19, EU:C:2021:504, paragraph 96 and the case-law cited).

70 In terms of the normative scope of both provisions. In practice, as already alluded to in point 120 of this Opinion, there is little difference between a limit to supervision by reason of competence (under Article 55(3) of the GDPR) and a limit to supervision by reason of restriction of substance in relation to certain activities (under Article 23(1)(f) of the GDPR).

71 It is no secret that different Member States place different emphasis on, or at least feature competing visions of, judicial transparency. See, for example, with regard to video and audio recordings of judicial proceedings, Hess, B. and Koprivica Harvey, A., ‘Open Justice in Modern Societies: What Role for Courts?’, in Hess, B. and Koprivica Harvey, A., Open Justice: The Role of Courts in a Democratic Society, Nomos, 2019, pp. 30-35. With regard to the varied traditions (mostly long predating the GDPR) on anonymisation of parties to judicial proceedings for the purposes of subsequent publication of the judgment, see Directorate-General for Library, Research and Documentation, Research Note, ‘Anonymity of the parties on the publication of court decisions’ (March 2017, amended in January 2019), available at: https://curia.europa.eu/jcms/upload/docs/application/pdf/2021-02/ndr_2017-002_neutralisee-en.pdf, pp. 9 and 10).

72 Incidentally, in some legal systems in the past, supreme courts did make sweeping normative pronouncements detached or completely outside of individual cases. This is still being done in certain systems today. It tends to be, however, heavily contested from the point of view of separation of powers and judicial legitimacy. See, to that effect, Kühn, Z., ‘The Authoritarian Legal Culture at Work: The Passivity of Parties and the Interpretational Statements of Supreme Courts’, Croatian Yearbook of European Law and Policy, vol. 2, 2008, p. 19.

73 Bartošek, M., Dějiny římského práva, Academia, Prague, 1995, p. 81, or Sommer, O., Učebnice soukromého římského práva. I. díl, Všehrd, Prague, 1946, pp. 121 and 122. See also Harries, J., Law and Empire in Late Antiquity, Cambridge University Press, 1999, pp. 101, 104 and 105.

74 Dawson, J.P., The Oracles of the Law, The University of Michigan Law School, 1968, pp. 288 and 289.

75 See in this regard for instance McLachlin, B., ‘Courts, Transparency and Public Confidence – to the Better Administration of Justice’, Deakin Law Review, vol. 8(1), 2003, pp. 3 and 4. See also Bingham, T., The Rule of Law, Penguin, 2010, p. 8.

76 See above, footnote 7 of this Opinion.

77 On the problem of over-anonymisation of judicial decisions, see Wiwinius, J.C., ‘Public hearings in judicial proceedings’, in Hess, B. and Koprivica Harvey, A., Open Justice: The Role of Courts in a Democratic Society, Nomos, 2019, pp. 98 and 101.

78 Such as the protection of vulnerable persons, children, victims of violence, business secrets, national secrets, and so on. However, in all those cases, well known to all national legal systems, there tend already to be specific procedures in place in the respective national rules of procedures, allowing for the exclusion of the public from certain or all stages of judicial proceedings and judgment, including full anonymity, in view of the specific needs of each individual case.

79 See Krynen, J., L´État de justice France, XIIIe–XXe siècle: L’idéologie de la magistrature ancienne, Gallimard, 2009, p. 79 et seq., and Van Caenegem, R.C., Judges, Legislators and Professors: Chapters in European Legal History, Cambridge University Press, 1987, p. 159.

80 Judgment of 30 September 2003, Köbler (C‑224/01, EU:C:2003:513).

81 Ibid., paragraph 42.

82 Ibid., paragraph 59. At least those minds from within the legal systems that previously accepted, as a matter of principle, State liability for judicial wrongs. For the others, judicial liability for last-instance decisions could still amount to, as the title of one notable article had it, thinking the unthinkable – see Toner, H., ‘Thinking the Unthinkable? State Liability for Judicial Acts after Factortame (III)’, Yearbook of European Law, vol. 17, 1997, p. 165.

83 Which keeps being repeated by this Court as a point of principle – see, for example, judgments of 12 July 2005, Alliance for Natural Health and Others (C‑154/04 and C‑155/04, EU:C:2005:449, paragraphs 91 and 92); of 21 December 2011, Ziolkowski and Szeja (C‑424/10 and C‑425/10, EU:C:2011:866, paragraphs 42 and 43); or of 25 July 2018, Confédération paysanne and Others (C‑528/16, EU:C:2018:583, paragraphs 44 to 46 and 51). It is fair to acknowledge that the interpretative practice, as in fact already illustrated by the last decision quoted, is in reality nonetheless somewhat more varied.

84 Thus, in concrete terms, a complaint against the data processing by a lower court would be treated by the appellate court in the same way as any other complaint against a procedural step taken by the lower court, and so on.

85 The case-law on ‘independence’ under Article 28(1) of the GDPR now also being aligned with the general understanding of ‘independence’ in EU law. Compare judgment of 16 October 2012, Commission v Austria (C‑614/10, EU:C:2012:631, paragraphs 41 to 44) and the case-law cited in footnote 48 of this Opinion.

86 While intentionally not aborting the endless issue of whether the control of that court would have to occur by means of a ‘super-internal’ court, which would then be controlled by a ‘super-super-internal court’, and so on. For a solution adopted by the Court of Justice itself, see Decision of the Court of Justice of 1 October 2019 establishing an internal supervision mechanism regarding the processing of personal data by the Court of Justice when acting in its judicial capacity (OJ 2019 C 383, p. 2).

87 See, as regards the law in England & Wales, France, Germany, Italy, Poland and Sweden, Research and Documentation Directorate, Research Note, ‘Methods of management of confidential data in the context of national judicial proceedings’ (October 2018), available at: https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-11/ndr_2018-007_neutralisee-en.pdf, p. 2.

88 See judgment of 20 December 2017, Nowak (C‑434/16, EU:C:2017:994).

89 With all due respect to judgment of 13 May 2014, Google Spain and Google (C‑131/12, EU:C:2014:317), the Internet is unlikely to forget if ordered to do so by decree. The subsequent case-law, especially the strand relating to the territorial reach and enforcement of the ‘right to be forgotten’, therefore increasingly resembles tilting at windmills.

90 See Directorate-General for Research and Documentation, Research Note, ‘Supervision of courts’ compliance with personal data protection rules when acting in their judicial capacity’ (July 2018), available at: https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-11/ndr_2018-004_synthese-neutralisee-en.pdf, p. 3.