Data Protection Laws and Freedom of Expression Report: Cyprus
Constitutional/Primary Law Background - see also ECHR and EU Charter
Article 19 of the Constitution of Cyprus (as revised 2013) sets out protections for, and conditions for limitations of, freedom of expression which broadly conform to article 10 of the ECHR. It also specifically provides that seizure of printed matter requires the permission of the Attorney-General and must be confirmed within 72 hours by a competent court. Article 15,16 and 17 respectively sets out right to, and limitations of, the right to respect for private and family life, the inviolability of the home and respect and secrecy of correspondence (through means not prohibited by law). Whilst permissible limitations in article 15 are equivalent to that in the ECHR, the limitations clauses found in Article 16 and 17 are more specifically enumerated.
All of the above provisions date from the Constitution as enacted in 1960.
First-Generation Statutory Law
Cyprus did not adopt a first-generation data protection statute.
|
Second-Generation Statutory Law
Cyprus adopted its Data Protection Act on 23 November 2001 with a view to implementing Directive 95/46 into domestic law. It joined the European Union 1 May 2004.
Special Expression Derogations
Cyprus did not exclude the special expression from the application of the data quality principles. It did, however, unconditionally exempt the media from compliance with the proactive direct and indirect transparency rules (art. 11(5)). The reactive transparency rule (subject access), in contrast, remained fully applicable. Cyprus constructed the scope of the derogation more narrowly than the Directive by excluding literary (but not artistic) expression. As regards sensitive data, the Cypriot Data Protection Law contained an open-textured exemption based on a strict public interest test (art. 6(2)(i)). No specific derogation was provided from the legitimating ground condition, the notification of processing condition or the data export condition.
Broad Expression Derogation
No special provision was adopted.
Personal Exemption
The processing of personal data, which is performed by a natural person in the course of a purely personal or household activity was excluded from the application of the Act (art. 3(2)).
Knowledge Facilitation Framework
No derogations were provided from the data quality principles for knowledge facilitation purposes. However, the law stated that the Commissioner might, by a reasoned decision, allow the preservation of personal data for historical, scientific or statistical purposes ʻif he considers that the rights of the data subjects or third parties are not affected’ (art. 4(1)(e)). Furthermore, no exemptions were granted from the proactive direct or indirect or the reactive transparency rules, the need for a legitimating ground, notification of processing or data export conditions. Exemption from proactive transparency in the case of indirect collection on grounds of disproprotionate effort required a license and statistical, historical and scientific research purposes were explicitly mentioned in this regard (art. 11(3)(b)). The processing of sensitive data was allowed under the condition that ‘all the necessary measures are taken for the protection of the data subjects’ (art. 6(2)(h)).
|
Third-Generation Statutory Law
Cyprus adopted the ‘Law providing for the Protection of Natural Persons with regard to the Processing of Personal Data and for the Free Movement of such Data of 2018 (125(1)/2018)’ implementing the GDPR on 31 July 2018 and repealed the ‘Processing of Personal Data Law’ of 2001.
Special Expression Derogation
Cypriot law provides for an exemption from the proactive transparency rule where data has not been collected from the data subjects themselves and also from reactive transparency rule (subject access) which depends on a threshold of minimal substantive strictness. In sum, an exemption will apply whenever these provisions even affect the right to freedom of expression and information (art. 29(2)). Otherwise, the law sets out an overarching derogation whose precise relationship with the GDPR’s provisions remains somewhat unclear. This derogation establishes that processing of both ordinary and sensitive personal data is ‘lawful’ provided that it is ‘analogous’ to the intended objective and it respects the ‘essence’ of the rights defined in the EU Charter, European Convention on Human Rights, and the national constitution. As a result of its reference to lawfulness, this balancing test clearly applies directly both to the general need for a legal basis for processing and, in relation to sensitive data, the rules which require a special legal basis to lift the presumptive ban which otherwise may apply here (art. 29(1)). These provisions only ambiguously establish the priority of the special expression derogation over the knowledge facilitation framework.
Broad Expression Derogation
No special provision adopted.
Personal Exemption – see GDPR, art. 2(2)(c)
Knowledge Facilitation Framework - see also GPDR, art. 5(1)(b) (compatibility), art. 5(1)(e) (time limits) and art. 89(1) (appropriate safeguards)
Art. 31 appears to require that processing for the purpose of public interest archiving, scientific and historical research, and statistical purposes not be used for taking a decision which produces legal effects concerning the data subject or similarly significantly affects him or her. Beyond what is established in the GDPR itself, no derogation in favour of knowledge facilitation is set out.
|