Data-driven Public Administration and the GDPR: Seeing the Court of Justice's Judgement in Case C-175/20 in a Broader Context

Abstract

Increasingly, public authorities are looking to get the most from their records, with the aid of new technologies that allow them to extract the desired features or patterns from large volumes of data. This could position these authorities well for efficiency and to identify offenders – and, in some cases, future offenders. At the same time, the General Data Protection Regulation lays down the principle of purpose limitation and requires both the European Union and its member states to ensure that the rules by which personal data get processed are foreseeable for the individuals affected. In this context, a distinction must be made between two steps to processing, each with its own issues – the request for or direct access to personal data and mass analysis of the data obtained. The European Court of Justice dealt with several of these after the Latvian tax authority requested ‘big data’ from a private company. The article examines the guidance that the Court issued in this case (C-175/20) to both national legislators and administrations with regard to the distinct stages of mass processing of data, and it considers which questions remain unanswered.