The Court of Justice of the European Union has considered whether there is any obligation to disclose personal data in the context of attempts to identify the driver allegedly responsible for a road traffic accident
In Case C13/16 Valsts policijas Rigas regiona parvaldes Kartibas policijas parvalde v Rigas pašvaldibas SIA ‘Rigas satiksme’, the Second Chamber of the CJEU had to consider a reference from Latvia involving the Latvian traffic police and a trolleybus company in the city of Riga which related to a request for ‘disclosure of data identifying the perpetrator of an accident’.
The question referred was whether the Data Protection Directive, Article 7(f) must be interpreted as imposing the obligation to disclose personal data to a third party in order to enable him to bring an action for damages before a civil court for harm caused by the person concerned by the protection of that data, and if the fact that that person is a minor has a bearing on the interpretation of that provision.
The basic facts were that in December 2012 a road accident occurred in Riga when a taxi driver had stopped his vehicle at the side of the road and, as a trolleybus passed, his passenger opened a door, which scraped against and damaged the trolleybus. The taxi driver’s insurer refused any compensation on the basis that the accident had occurred due to the conduct of the passenger not the driver and stated that civil proceedings should be brought against that passenger.
When the trolleybus company applied to the national police for information including the first name and surname, identity document number, and address of the taxi passenger, it indicated to the national police that the information requested would be used only for the purpose of bringing civil proceedings. The request for information was accepted in part, namely by providing the first name and surname of the taxi passenger but refusing to provide the identity document number and address of that person or the statements given by the persons involved in the accident. The partial refusal was based on the company’s status as a non-party – it had not applied to be a ‘victim’ for the purposes of the administrative proceedings.
The referring court had doubts as to the interpretation of the concept of ‘necessity’ referred to in Article 7(f) and asked ‘Must the phrase "is necessary for the purposes of the legitimate interests pursued by the … third party or parties to whom the data are disclosed" in Article 7(f) of Directive 95/46/EC, be interpreted as meaning that the national police must disclose to Rigas satiksme the personal data sought [by the latter] which are necessary in order for civil proceedings to be initiated?’
The CJEU ruled that Article 7(f) ‘must be interpreted as not imposing the obligation to disclose personal data to a third party in order to enable him to bring an action for damages before a civil court for harm caused by the person concerned by the protection of that data. However, Article 7(f) of that directive does not preclude such disclosure on the basis of national law’.
As regards the second issue referred, namely whether the person being a minor affected the issue, the CJEU felt that it did not appear to be justified, in the circumstances in question, to refuse to disclose to an injured party the personal data necessary for bringing an action for damages against the person who caused the harm, or, where appropriate, the persons exercising parental authority, on the ground that the person who caused the damage was a minor.