*4.3. Relevant ECtHR and CJEU Case Law on Lawful Limitations of Privacy and Personal Data Protection*

Under this rather complicated legislative background, finding relevant case law, seems to be more than vital for a successful interpretation of lawful limitations of privacy

<sup>21</sup> C- 623/17 *Privacy International*, para 47–48.

<sup>22</sup> WP29 apart from these also acknowledges the need for the creation of a national or cross-national information resource to enable individuals to identify the missions and operators associated with individual drones (Working Group on Data Protection in Telecommunication, Working Paper on Privacy and Aerial Surveillance, 54th meeting, Berlin, September 2013. Available online: https://www.datenschutz-berlin.de/infothek-undservice/veroeffentlichungen/working-paper/ (accessed on 5 April 2021).

and personal data protection when using remote sensing technologies for environmental purposes. In this sense, relevant ECtHR and CJEU case law is of high priority.

A first observation is that the structure and wording of ECHR is different than that of the Charter. The Charter as already mentioned above does not use the notion of interferences with guaranteed rights, but contains a provision on limitation(s) on the exercise of the rights and freedoms recognized by the Charter. However, despite different wording, in their case law, the CJEU and the ECtHR often refer to each other's judgments, as part of the constant dialogue between the two courts to seek a harmonious interpretation of data protection rules<sup>23</sup> .

According to the jurisprudence of ECtHR, interference is in accordance with the law if it is based on a provision of domestic law, which must be "accessible to the persons concerned and foreseeable as to its effects". Since very early the ECtHR had judged that the "notion of necessity implies that the interference corresponds to a pressing social need and, in particular, that it is proportionate to the legitimate aim pursued24. In its following jurisprudence the ECtHR considers further an interference "necessary in a democratic society" for a legitimate aim if it answers a "pressing social need" and, in particular, if it is proportionate to the legitimate aim pursued and if the reasons adduced by the national authorities to justify it are "relevant and sufficient"25. More recently, the ECtHR interpreted the requirement of "necessity in a democratic society", as "including whether it is proportionate to the legitimate aims pursued, by verifying, for example, whether it is possible to achieve the aims by less restrictive means" while there is settled an obligation for domestic law for providing "adequate and effective safeguards and guarantees against abuse"<sup>26</sup> .

The jurisprudence of the CJEU also recognizes the same necessity for adequate and effective safeguards and guarantees or in other words the "existence of clear and precise rules" and "minimum safeguards" to protect personal data against the risk of abuse and against any unlawful access and use of that data27. The CJEU also considers that only the objective of fighting serious crime is capable of justifying restrictions in personal data protection such as data retention measures or access to data protected by Articles 7 and 8 of the Charter28. However, the definition of what may be considered to be 'serious crime' is left to the discretion of the member states, since depending on the national legal system, the same offence may be penalized more or less severely. Therefore, it is finally the correlation between the seriousness of the interference and the objective pursued under certain criteria, such as the categories of data concerned and the duration of the period in respect of which access is sought, that is decisive for justifying a potential restriction<sup>29</sup> .

In this sense, the CJEU often<sup>30</sup> refers directly to the principle of proportionality as the appropriate tool for properly balancing the objective of general interest against the rights at issue and underlines that exceptions that allow limitations on the protection of personal data must remain exceptions and not be transformed to the rule. Of special importance is C-73/16, *Peter Puškár* case, where the CJEU judged<sup>31</sup> that the processing of personal data by the authorities of a member state for the purpose of collecting tax and combating tax fraud without the consent of the data subjects is legitimate, provided that, those authorities were invested by the national legislation with tasks carried out in the public interest and

<sup>31</sup> C-73/16, *Peter Puškár* para 112–117.

<sup>23</sup> Handbook on European data protection law. 2018. Available online: https://fra.europa.eu/en/publication/2018/handbook-european-dataprotection-law-2018-edition (accessed on 5 April 2021).

<sup>24</sup> ECHR *Leander v Sweden* No. 9248/81, 26 March 1987, para 50 and 58.

<sup>25</sup> *S. and Marper v the UK* (GC), 30562/04 & 30566/04, 4 December 2008, para 101.

<sup>26</sup> *Roman Zakharov v. Russia* (GC), 47143/06, 4 December 2015, Para 260, 236, *Szabo and Vissy v. Hungary*, 37138/14, 12 January 2016, para 57, *P.N v. Germany*, 74440/17, 11 June 2020, para 74.

<sup>27</sup> C-293/12 and C-594/12 *Digital Rights Ireland* para 54, C-203/15 and C 698/15 *Tele 2* para 109.

<sup>28</sup> C-203/15 and C 698/15 *Tele 2* para 102, C-207/16 *Ministerio Fiscal* para 56 and 57.

<sup>29</sup> C-746/18, *H. K. v. Prokuratuur* para 87–97.

<sup>30</sup> C- 623/17 *Privacy International*, para 64, 67, Joined cases C-511/18 *La Quadrature du Net and Others,* C- 512/2018 *French Data Network and Others* and C- 520/2018 *Ordre des barreaux francophones et germanophone and Others.*

the principle of proportionality is respected. According to the decision such processing is proportionate only if there are sufficient grounds to suspect the person concerned for the alleged crimes. The court stated in this decision that the protection of the fundamental right to respect for private life at the European Union level requires that derogations from the protection of personal data and its limitations should be carried out within the limits of what is strictly necessary. In order to prove that such limitations are carried out within the limits of what is strictly necessary the CJEU requires from the national court to ascertain that there is no other less restrictive means in order to achieve the authority's objectives.

To sum up, it stems from all previous mentioned decisions of ECtHR and CJEU that limitations of privacy and personal data protection are lawful as long as they are proportionate to the legitimate aims pursued and they are imposed with sufficient safeguards against abuse or in other words as long as they are proportionate in so far as they apply only as it is strictly necessary under clear and precise rules with sufficient guarantees of the effective protection of privacy and personal data against the risk of misuse. Finally, it is obvious that although the objective of fighting serious crimes clearly justifies restrictions of privacy or personal data in areas of prevention, investigation, detection and prosecution of criminal offences, the condition of proportionality and strong safeguards to guarantee the rights are to be the same time fulfilled.

In regards with remote sensing technologies, although no ad hoc case law concerning the balance between the right for a high level of Environmental Protection and the rights for privacy and personal data exists, the use of the previously mentioned ECtHR and CJEU case law by analogy seems more than appropriate. Consequently, remote sensing technologies can be used for environmental purposes, especially for combatting serious environmental crime, however with sufficient guarantees for the effective protection of privacy and personal data, provided that no other less restrictive means exist.

In the following section, recent developments and first "concrete" steps in Greek legislation regarding the reconciliation of remote sensing technologies with personal data and privacy protection are presented, as well as their application perspectives in environmental law, in an attempt of a primary approach. However, it must be underlined even from this early point, that the new Greek regulatory framework is limited to certain crimes, covering thus only a small part of environmental crime, that is below analyzed. Police and Criminal Justice Authorities Directive (and its harmonization national law) as well as GDPR still regulate the majority of emerging legal issues from the use of remote sensing technologies for environmental monitoring and environmental law enforcement in Greece. Nonetheless, despite the limited scope of the new legislation, its value remains of great importance since it opens the path and the dialogue for a consistent regulatory framework of remote sensing technologies in national level.

## **5. The Case of Greece**

## *5.1. The Special Features of Greece*

Greece can be considered as a most interesting case for applying remote sensing technologies for environmental purposes. This is not only due to the natural features of Greece but also due to rules of constitutional protection of the environment, of privacy and personal data constitutional protection as well as due to the recent introduction of a specific regulatory framework for the use of remote sensing technologies in public places.
