FIRST SECTION

DECISION

Applications nos . 2362/08 and 26271/08 F. J. and E.B. against Austria

The European Court of Human Rights ( First Section ), sitting on 25 March 2014 as a Chamber composed of:

Isabelle Berro-Lefèvre, President, Elisabeth Steiner, Khanlar Hajiyev, Mirjana Lazarova Trajkovska, Julia Laffranque, Paulo Pinto de Albuquerque, Linos-Alexandre Sicilianos, judges, and Søren Nielsen , Section Registrar ,

Having regard to the above applications lodged on 2 January 2008 and 26 April 2008 respectively,

Having regard to the observations submitted by the respondent Government and the observations in reply submitted by the applicants,

Having deliberated, decides as follows:

THE FACTS

1 . The applicant in the first case, Mr F.J., is an Austrian national, born in 1955. The applicant in the second case, Mr E.B., is an Austrian national, born in 1947. The President granted the applicants ’ requests for their identity not to be disclosed to the public (Rule 47 § 3). They are represented before the Court by Mr H. Graupner, a lawyer practising in Vienna.

2 . The Austrian Government (“the Government”) were represented by their Agent, Ambassador H. Tichy, Head of the International Law Department at the Federal Ministry of Foreign Affairs.

A. The circumstances of the case

3. The facts of the case, as submitted by the parties, may be summarised as follows.

1. Application no. 2362/08

(a ) The criminal proceedings against the first applicant

4 . In February 2001 the Vienna Federal Police Department conducted police investigations in respect of the first applicant on suspicion of his having committed homosexual acts with consenting male persons within the age bracket of fourteen to eighteen , an offence under the former Article 209 ( Gleich ­ geschlechtliche Unzucht mit Personen unter 18 Jahren ) of the Criminal Code.

5 . On an unspecified date the Vienna Public Prosecutor ’ s Office charged the first applicant with these offences.

6 . On 2 April 2001 the Vienna Regional Court acquitted him of th e charge.

(b) Proceedings for having the data of the police investigations deleted

7. On 14 December 2001 the first applicant lodged a request with the Vienna Federal Police Department for the deletion of both the electronically processed data and of the data manually processed in paper files concerning the proceedings in his case.

8. On 1 August 2002 the Federal Police Department informed the first applicant that it had deleted the electronically processed data but rejected the request concerning the data processed in paper files. Thereupon the first applicant filed a complaint concerning this decision with the Data Protection Commission.

9. On 2 September 2003 the Data Protection Commission partly allowed the first applicant ’ s complaint, ordering the Federal Police Department to modify the filing cards ( Steckzettelindices ) and filing registers ( Protokoll ­ bücher ) by noting the acquittal while maintaining the reference to Article 209 of the Criminal Code. It dismissed the first applicant ’ s complaint as regards the data processed in ordinary paper files – known as “copy files” ( Kopieakte ) – which contained copies of all the reports and communications generated by the authority and sent to other authorities, such as the public prosecutor, because data processed in paper files did not fall under the definition of filing systems ( Dateien ) within the meaning of the Data Protection Act. The right of deletion set forth in that Act was therefore not applicable.

10. In the Data Protection Commission ’ s view, information held in such information research tools could not be completely deleted or scrambled. In accordance with the relevant provisions of the Security Police Act, all administrative actions by administrative authorities – including police authorities – had to be documented and archived. Only by doing so was it possible to review the lawfulness of the actions of the authorities, which was necessary in a State governed by the rule of law. This was required by the rules regulating the authority ’ s internal mode of operation ( Kanzlei ­ ordnung ). However, such data had to be complete and correct, which meant that subsequent developments – in particular if the person concerned by the investigations had been acquitted – also had to be recorded. The question of whether or not the authority could use such data in its work was distinct from the issue of the archiving and recording of data and required that separate rules on the use of such data be applied.

11. On 21 November 2003 the first applicant lodged a complaint with the Constitutional Court and with the Administrative Court.

12. On 26 January 2006 the Constitutional Court quashed the Data Protection Commission ’ s decision. In the Constitutional Court ’ s view the Data Protection Commission had misinterpreted the applicable law when it had held that only the provisions on the archiving and storage of data for the authority ’ s internal use were applicable because the filing cards at issue did not only contain information of a general character but details about an individual person, such as that person ’ s name and address. Therefore, they recorded not only internal matters of the authority but also sensitive personal data. The authority should therefore have applied the rules for the use and processing of individual data under the Security Police Act ( Sicherheits ­ polizeigesetz ) and should have weighed up the private and public interests accordingly. Since the Data Protection Commission had failed to do so, the Constitutional Court quashed its decision.

13. On 28 February 2006 the Administrative Court discontinued the proceedings because the Constitutional Court had already quashed the decision.

14. Meanwhile, the police authorities, taking into account the legal opinion in the Constitutional Court ’ s decision, blanked out entries in the filing register by superimposing black bars over the first applicant ’ s name, date of birth, address and the respective file number and reference to Article 209 of the Criminal Code on the filing cards. This having been done, the applicant maintained his complaint of 10 August 2002 in respect of the data processed in the copy files only.

15. On 9 August 2006 the Data Protection Commission again decided on the first applicant ’ s appeal and rejected his request to delete the data concerning him that had been manually processed in ordinary paper files, the “copy files”. Referring to the Constitutional Court ’ s case-law, it found that the right to deletion of data under the Data Protection Act and the Security Police Act was not applicable to data manually processed in paper files because such files were unstructured compilations of information and did not qualify as filing systems ( Dateien ) under the Data Protection Act.

16. On 26 September 2006 the first applicant again lodged complaints with the Administrative Court and the Constitutional Court.

17. The Constitutional Court dismissed the complaint on 7 March 2007. It rejected the first applicant ’ s argument that Article 8 of the Convention and the case-law of the European Court of Human Rights established a right to deletion of personal data in an ordinary paper file. The cases relied on by the first applicant, namely Amann v. Switzerland (no. 27798/95, ECHR 2000 ‑ II) and Rotaru v. Romania (no. 28341/95, ECHR 2000 ‑ V), had to be distinguished from the present case as they concerned completely different sets of facts. In the Constitutional Court ’ s view, Article 8 of the Convention did not impose a wider right to deletion of data than already contained in section 1 of the Data Protection Act which transformed into domestic law EU Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data ( Official Journal L 281, 23/11/1995 ). A lso the Council of Europe Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data of 28 January 1981 only concerned automatically processed data and did not extend to personal data in a conventional copy file or paper file.

18. Moreover, it was apparent and not disputed by the first applicant that, following the blackening out of his name, date of birth and address in the file register and of the reference to the paper files in the index card, the paper files at issue were no longer traceable via these information tools. This reduced the accessibility of his personal data to such an extent that there was no longer any interference with his rights under Article 8 of the Convention. That being so, the Constitutional Court concluded that there had been no breach of the first applicant ’ s rights under Article 13 of the Convention either.

19. On 5 July 2007 the Administrative Court dismissed the first applicant ’ s complaint for the same reasons as those relied on by the Constitutional Court.

2. Application no. 26271/08

(a) The first set of criminal proceedings against the second applicant

20. In March 1999 the Vienna Federal Police Department conducted investigations in respect of the second applicant on suspicion of his having committed homosexual acts with consenting male persons within the age bracket of fourteen to eighteen, an offence under former Article 209 of the Criminal Code, and on suspicion of having committed sexual acts with persons under the age of fourteen years, an offence under Article 207 ( Sexueller Missbrauch von Unmündigen ) of the Criminal Code.

21. On an unspecified date the Vienna Public Prosecutor ’ s Office charged the applicant with those offences.

22. On 1 June 1999 the Vienna Regional Court acquitted him of these charges.

(b) The second set of criminal proceedings against the second applicant

23. In July 1999 the Vienna Federal Police Department conducted investigations in respect of the second applicant on suspicion of his having committed offences under Article 207 and 209 of the Criminal Code.

24. On an unspecified date the Vienna Public Prosecutor ’ s Office charged the second applicant with those offences.

25. On 18 November 1999 the Vienna Regional Court convicted him of having committed homosexual acts with consenting male persons within the age bracket of fourteen to eighteen under former Article 209 of the Criminal Code and sentenced him to one year ’ s imprisonment. He was acquitted of the other charges.

(c) The third set of criminal proceedings against the second applicant

26. In January 2001 the Vienna Federal Police Department conducted investigations in respect of the second applicant on suspicion of his having produced pornographic pictures of persons under the age of fourteen, an offence under Article 207a of the Criminal Code ( Pornographische Darstel ­ lungen Minder ­ jähriger ), and of having committed an offence under Article 209 of the Criminal Code.

27. On an unspecified date the Vienna Public Prosecutor ’ s Office charged the second applicant with an offence under Article 209 of the Criminal Code.

28. On 6 April 2001 the Vienna Regional Court convicted him as charged and sentenced him to one year ’ s imprisonment.

(d) Proceedings for having the data of the police investigations deleted

29. On 8 May 2006 the second applicant lodged a request with the Vienna Federal Police Department for the deletion of the electronically processed data and the data manually processed in files, and held by the police authorities, concerning these three sets of proceedings.

30. In a decision of 31 May 2006 the Vienna Federal Police Department informed him that no electronically processed data relating to the above proceedings existed any longer and rejected the request concerning the data processed in paper files.

31. On an unspecified date the second applicant lodged a complaint against that decision with the Data Protection Commission.

32. On 29 November 2006 the Data Protection Commission dismissed the complaint. It found that, as regards the non-electronically processed data stored in ordinary paper files, the Data Protection Act and the right to request a deletion was not applicable as such paper files constituted an unstructured compilation of information but not a filing system ( Datei ) within the meaning of the Data Protection Act. As regards the filing cards and filing registers the Commission noted that on 12 July 2006 the police authorities, after having been invited to comment on the applicant ’ s complaint, had informed the Commission that all references in these research tools to the issues under Article 209 of the Criminal Code had been rendered illegible ( unkenntlich gemacht ). In the filing registers, the name and address of the applicant had also been deleted. Under the storage and deletion rules for the Vienna Federal Police Department ( Skartierungs ­ vorschrift ) copy files were deleted five years following the end of the year of recording, while index cards and filing registers were destroyed after twenty years. In such circumstances the ordinary paper files (“copy files”) relating to investigations in respect of the applicant essentially served the purpose of documenting the activities of the authority and no longer allowed the tracking of sensitive information on the applicant in relation to Article 209 of the Criminal Code. The applicant ’ s complaint was therefore ill-founded.

33. On 2 January 2007 the applicant applied for legal aid in order to lodge a complaint with the Administrative Court. In addition, he proposed that the case be referred to the Court of Justice of the European Communities for a preliminary ruling.

34. On 8 January 2007 the Administrative Court, referring to its case-law in similar cases, dismissed the request for legal aid for lack of prospects of success.

35. On 13 March 2007 the applicant lodged a complaint with the Constitutional Court.

36. On 24 September 2007 the Constitutional Court, referring to its previous case-law (in particular its decision of 7 March 2007 in the first applicant ’ s case – see paragraphs 21-22 above), declined to deal with the case because it lacked any prospect of success.

B. Relevant domestic and European law

1. The Criminal Code

37. Article 209 of the Criminal Code, in force until 14 August 2002, concerned consensual homosexual acts and read:

“A male person who after attaining the age of nineteen fornicates with a person of the same sex who has attained the age of fourteen years but not the age of eighteen years shall be sentenced to a period of imprisonment of between six months and five years.”

38. On 21 June 2002, responding to a request for review made by the Innsbruck Regional Court, the Constitutional Court found that Article 209 of the Criminal Code was unconstitutional.

39. On 10 July 2002, following the Constitutional Court ’ s judgment, Parliament repealed Article 209. It also introduced Article 207b, which penalises sexual relations with persons under sixteen years of age under specific conditions and which is formulated in a gender-neutral way. That amendment, published in the Official Gazette ( Bundesgesetzblatt ) no. 134/2002, came into force on 14 August 2002.

40. A more detailed description of the law, the Constitutional Court ’ s judgments concerning Article 209 of the Criminal Code and its replacement by Article 207b of the Criminal Code can be found in E.B. and Others v. Austria , (nos. 31913/07, 38357/07/ 48098/07, 48777/07 and 48779/07, §§ 48-52, 7 November 2013).

41. Article 207, paragraph 1 of the Criminal Code reads;

“Anyone who performs a sexual act on a person under the age of fourteen or has a sexual act performed on himself or herself by such a person, with the exception of the offence under Article 206, shall be sentenced to a period of imprisonment of between six months and five years.”

42. Article 207a, paragraph 1 of the Criminal Code reads:

“Whoever

1. produces or

2. offers to someone else, procures, leaves to someone else, shows or makes otherwise accessible

a pornographic image of a person under the age of eighteen shall be sentenced to imprisonment for up to three years.”

2. The Data Protection Act

43. The Data Protection Act of 2000 contains the basic provisions governing the protection of personal data including a right of information and a duty to delete (section 27). The Data Protection Act distinguishes between manually recorded data and electronically processed data. Manually recorded data are subject to deletion in so far as they constitute a “filing system”. A “filing system” ( Datei ) is defined as a structured collection of data (section 4, point 6). A certain degree of organisation is necessary for an amount of manually processed data to qualify as a “filing system”. According to the case-law of the Supreme Court (judgment of 28 June 2000, 6 Ob 148) and the Administrative Court (decision of 21 October 2004, 2004/06/0086), card indexes and lists constitute filing systems, but mere files ( Akten ) do not. A “paper file” or “copy file” is therefore not deemed to be a filing system within the meaning of the Data Protection Act and is not subject to the right of deletion under this act (decision of the Administrative Court of 21 October 2004 Collection of Decisions A no. 16477/2004).

44. Section 1 of the Data Protection Act reads:

“(1) Everybody shall have the right to secrecy regarding the personal data concerning him, especially concerning his private and family life, in so far as he has an interest deserving such protection. Such an interest is precluded when data cannot be covered by the right to secrecy because of their general availability or because they cannot be traced back to the data subject ( Betroffener ).

(2) In so far as personal data are not used in the vital interests of the data subject or with his consent, restrictions of the right to secrecy are permitted only to safeguard the overriding legitimate interests of another; specifically, in the event of an intervention by a public authority, the restriction shall only be permitted on the basis of laws necessary for the reasons stated in Article 8 § 2 of the Convention. Such laws may provide for the use of data ( Verwendung von Daten ) deserving special protection only in order to safeguard substantial public interests and shall provide suitable safeguards for the protection of the data subjects ’ interest in secrecy. Even in the case of permitted restrictions, the intervention with the fundamental right shall be carried out using only the least intrusive of all effective methods.

(3) In so far as personal data concerning an individual are destined for automated processing or for manual processing (that is, in filing systems with no automated processing), everybody shall have, as provided for by law:

1. the right to obtain information revealing who processes what data concerning him, where the data originated, the purpose for which they are used, and to whom the data are transmitted;

2. the right to rectification of incorrect data and the right to deletion of illegally processed data.

(4) Restrictions of the rights set out in subsection (3) shall be permitted only under the conditions laid out in subsection (2).”

45. Section 4 of the Data Protection Act, – which contains a number of definitions, reads, in so far as relevant:

“For the subsequent provisions of this Federal Act the terms listed below shall mean:

1. ’ data ’ ( ‘ personal data ’ ): information relating to data subjects ... who are identified or identifiable; data are ‘ only indirectly personal ’ for a controller ( Auftrag ­ geber ) ..., a processor ( Dienstleister ) ..., or a recipient of a transmission ( Empfänger einer Ãœbermittlung ) ... if the data relate to them in such a manner that the controller, processor or recipient of a transmission cannot establish the identity of the data subject by legal means;

2. ’ sensitive data ’ ( ‘ data deserving special protection ’ ): data relating to natural persons concerning their racial or ethnic origin, political opinion, trade union membership, religious or philosophical beliefs, and data concerning health or sex life;

...

6. ’ filing system” ( Datei ): structured collection of data accessible via at least one search criterion;”

46. Section 27 of the Data Protection Act, which concerns the deletion of data, reads, in so far as relevant:

“(1) Every controller shall rectify or delete data that are incorrect or have been processed contrary to the provisions of this Federal Act

1. on his own initiative, as soon as the incorrectness of the data or the inadmissibility of the processing becomes known to him, or

2. on a well-founded application by the data subject ( Betroffener )

The obligation to rectify data under subsection 1 shall apply only to those data of which the correctness is significant for the purpose of the data application ( Daten ­ anwendung ). The incompleteness of data shall justify a claim to rectification only if such incorrectness, with regard to the purpose of the data application, results in the information being incorrect in its entirety. As soon as data cease to be needed for the purpose of the data application, they shall be regarded as illegally processed data and shall be erased unless their archiving is legally permitted and the access to these data is specially secured. Any further use for another purpose shall be legitimate only if transmission ( Ãœbermittlung ) of the data for this purpose is legitimate; the legitimacy of further uses for scientific or statistical purposes is laid down in sections 46 and 47.

(4) The application for rectification or erasure shall be complied with within eight weeks of receipt and the applicant shall be informed thereof, or a reason in writing shall be given as to why the requested erasure or rectification was not carried out.

(5) Within the sphere of the executive agencies responsible for the fields described in section 26 ..., the following procedure shall apply as regards applications for rectification or erasure, in so far as this is required to safeguard those public interests that require secrecy: the rectification or erasure shall be carried out if, in the opinion of the controller, the demands of the data subject are justified. The requisite information for the purposes of subsection 4 shall in all cases be that a check of the controller ’ s data files ( Datenbestand ) with regard to the application for rectification or erasure has been performed. The legality of this course of action is subject to review by the Data Protection Commission ( Datenschutzkommission ) ... and the special complaint procedure before the Data Protection Commission pursuant to section 31 (4).”

3. The Security Police Act

47. The Security Police Act regulates the powers and duties of the authorities dealing with matters of public security and their officers in exercising their functions.

48. Section 53 of the Security Police Act reads:

“Admissibility of processing data

(1) The police authorities may investigate and further process personal data

1. for the purpose of fulfilling the duty to provide initial general assistance (section 19);

2. for the purpose of averting criminal connections (section 16, subsection 1 (2), and section 21);

2a. for extended threat investigation (section 21, subsection 3) under the prerequisites of section 91c subsection 3;

3. for the purpose of averting dangerous assaults (section 16, subsections 2 and 3, and section 21, subsection 2), including the investigation necessary for averting a threat (section 16, subsection 4, and section 28a);

4. for preventing potential dangerous assaults endangering life, health, morals, freedom, property or the environment (section 22, subsections 2 and 3) or for preventing dangerous assaults by means of a crime analysis if – because of the type of the assault – repeated commission is likely;

5. for the purpose of a search (section 24);

6. in order to be able to maintain public order during a specific event.

(2) The police authorities may investigate and further process data already processed by them in the implementation of federal or regional laws for the purpose of and subject to the prerequisites of subsection 1; they must not, however, compare electronic data within the meaning of Article 141 of the Code of Criminal Procedure. Existing transmission prohibitions remain unaffected.”

49. Section 57(1) of the Security Police Act reads:

“ The security police authorities may establish as data a person ’ s name, sex, former name, nationality, date of birth, place of birth, address, name of parents and other names and data used by that person and further process these data in a centralized information data base as well as the reason for gathering these data and, if necessary, the reason why the authority has intervened and infor m other authorities thereof, if

6. criminal justice investigations have been instituted against the person concerned.”

50. Section 58 (1) of the Security Police Act reads:

“ Access by the security police authorities as controller to p ersonal data which are stored and kept accessible in accordance with Section 57 (1) must be blocked

6. as regards no. 6 if there is no longer a suspicion of having committed an offe n ce against the person concerned, at latest five years after entering of the data into the centralized information data base, in case of more than one entry pursuant to no. 6 five years afte r the latest;”

51. Section 61 of the Security Police Act reads:

“Admissibility of updating data

The police authorities are entitled to update the personal data used by them if they have lawfully verified more recent data.”

52 . Section 63 of the Security Police Act reads:

“Duty of correction or deletion

(1) If it is found that data which are incorrect or have been investigated contrary to the provisions of this federal Act are being stored, these data shall be corrected or deleted immediately. In the same way, personal data shall be deleted if they are no longer needed for the fulfilment of the task for which they have been used, unless there is a special regulation concerning their deletion.

(2) The police authorities shall examine electronically processed personal data which have remained unchanged for six years to find out whether they need to be corrected or deleted pursuant to subsection 1. For data processed in the Central Information Register, sections 58 and 59 shall apply.”

53 . In a judgment of 16 March 2001 the Constitutional Court found that under Section 63 of the Security Police Act the police authorities had the obligation to supplement and correct data they ha d collected pursuant to Section 57 (1) 6. of that act and in particular to add the information whether the public prosecutor h a d discontinued the criminal investigations or the person concerned had been acquitted of the charges as otherwise the data stored must be considered incorrect. In addition, Section 63 and Section 57 (1) 6. of the Security Police Act must be interpreted in conformity with the Federal Constitution, in particular the right t o data protection under Section 1 of the Data Protection Act , which means that there exists also the obligation to delete such data once they are no longer necessary for the purpose of criminal justice even before the t ime-limit set un section 58 (1) 6. of the S ecurity Police Act has expired.

4. The Storage and Deletion Rules for the Vienna Federal Police Department

54 . The Storage and Deletion Rules for the Vienna Federal Police Department ( Skartierungs ­ vorschrift ), an instruction ( Erlass ) by the Federal Minister for the Interior of 18 September 1992, regulate the elimination and destruction of all documents which were no longer of any use for operational purposes of the Vienna Federal Police Authority. This is done by fixing time limits for storing different categories of documents and the modalities for disposing of the se documents afte r expiry of th e time limit. According to Section 5 of the Rules copy files were deleted five years following the end of the year of recording, while index cards and filing registers wer e destroyed after twenty years.

5. European law

55 . At the supranational level there are two basic instruments which regulate the protection of personal data in Europe. The Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 28 January 1 981 (European Treaty Series no. 108) and the European Union D irective 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Official Journal L 281, 23/11/1995).

56 . The Council of Europe Convention of 28 January 1981 secures in Article 1 “ for every individual, whatever his nationality or residence, respect for his rights and fundamental freedoms, and in particular his right to privacy, with regard to automatic processing of personal data relating to him ("data protection")”. Under Article 3 the scope of this Convention is restricted to “automated personal data files and automatic processing of personal data in the public and private sectors”. However according to Article 3 (2) of the Convention “a ny State may ... give notice by a declaration addressed to the Secretary General of the Council of Europe: (c) that it will also apply this convention to personal data files which are not processed automatically ” . Article 6 of the Convention provides that “p ersonal data revealing racial origin, political opinions or religious or other beliefs, as well as personal data concerning health or sexual life, may not be processed automatically unless domestic law provides appropriate safeguards. ” Article 6 also provides that “t he same shall apply to personal data relating to criminal convictions ” .

57 . Following the Council of Europe Convention of 28 Januar y 1981 there has also been adopted Recommendation No. R(87)15 of the Committee of Ministers to Member States Regulating the Use of Personal Data in the Police Sector (17 September 1987), which deals with the collection and processing of particular sensitive personal data including necessary safeguard measures. As the Convention the Regulation only applies to “the collection, storage, use and communication of personal data for police purposes which are the subject of automatic processing”, but it also provides that “manual processing of data should not take place if the aim is to avoid the provisions of this recommendation”.

58 . Within the European Union Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data , as in force at the relevant time, regulates the protection of personal data. According to Article 1 “ Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy, with respect to the processing of personal data ” . Personal data within the meaning of the directive are any information relating to an identified or ident ifiable natural person (Article 2 (a)) and "processing of personal data" is “any operation or set of operations which is performed upon personal data, whether or not by automatic means” (Article 2 (b)). Article 3 delimits the scope of the Directive, this provision reads as follows:

“ 1. This Directive shall apply to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system.

2. This Directive shall not apply to the processing of personal data:

in the course of an activity which falls outside the scope of Community law, such as those provided for by Titles V and VI of the Treaty on European Union and in any case to processing operations concerning public security, defence, State security (including the economic well-being of the State when the processing operation relates to State security matters) and the activities of the State in areas of criminal law;

by a natural person in the course of a purely personal or household activity.”

COMPLAINTS

59 . The applicants complained under Article 14 read in conjunction with Article 8 of the Convention that data in files concerning proceedings against them under Article 209 of the Criminal Code were being stored by the police authorities even though the Court had found that provision to be discriminatory and the Austrian Constitutional Court had repealed it.

60 . Under the same provision, the second applicant complained about the storage of data processed in files concerning criminal investigations in respect of him under Articles 207 and 207a of the Criminal Code, even though he had been acquitted of those charges.

61 . Furthermore, the applicants complained under Article 13 of the Convention that they had no effective remedy at their disposal against the above breaches of the Convention.

62 . Under Article 6 § 2 of the Convention, the second applicant complained that the storage of the above data also violated the principle of the presumption of innocence.

THE LAW

A. Joinder of the applications

63 . Given that the two applications concern similar facts and raise essentially identical issues under the Convention, the Court will join them (see Rule 42 § 1 of the Rules of Court).

B. The Government ’ s request to strike the second application out of the list

64 . The Government informed the Court that the second applicant, Mr E.B., had died on 14 September 2008 and asked the Court to strike the application out of the list. They submitted that his application, which essentially concerned complaints under Article 14 read in conjunction with Article 8 of the Convention, related to his private life and could not be transferred to an heir.

65 . On 26 April 2010 the second applicant ’ s lawyer submitted that Mr E.B. ’ s heir, his daughter S.B., had informed him that she wished to pursue the application before the Court, as the case also had a moral dimension and concerned important questions of general interest.

66 . The Court does not find it necessary to examine whether the conditions for striking the case out of the list of pending cases, as set out in Article 37 § 1 of the Convention, have been met since the application is in any event inadmissible for the reasons set out below.

C. Alleged violation of Article 8 of the Convention

67 . The applicants complained that data in files concerning proceedings against them under Article 209 of the Criminal Code were being stored by the police authorities even though the Court had found that provision to be discriminatory and the Austrian Constitutional Court had repealed it. The second applicant also complained about the storage of data processed in files concerning criminal investigations under Articles 207 and 207a of the Criminal Code. The applicants alleged that the storage of such data constituted discrimination on the grounds of their sexual orientation in breach of Article 14 read in conjunction with Article 8 of the Convention. Article 14 of the Convention reads:

“The enjoyment of the rights and freedoms set forth in [the] Convention shall be secured without discrimination on any ground such as sex, race, colour, language, religion, political or other opinion, national or social origin, association with a national minority, property, birth or other status.”

Article 8 of the Convention reads:

“1. Everyone has the right to respect for his private and family life, his home and his correspondence.

2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.”

68 . The Government submitted that there had been no interference with the applicants ’ rights under Article 8 of the Convention. All entries in the record book which could have made the paper file retrievable had been rendered illegible by blackening out their personal data such as name, date of birth, and address, and the reference to the offence under Article 209 had been blackened out on the filing card. The copy file was therefore no longer retrievable under the applicants ’ names and was merely identifiable via the file number. Access to the copy file was therefore reduced to such an extent that there was no interference with the applicants ’ rights under Article 8.

69 . Even assuming that there had been an interference with Article 8 of the Convention, such interference was justified. The collection, use and storage of police investigation data was regulated by law precisely and in detail. The recording and storage by the authorities of internal documents such as paper files served a legitimate aim, namely the documentation of administrative acts. In a State governed by the rule of law this was indispensable for reviewing the lawfulness of actions of the authorities, and also served other aims such as evidence for the settlement of official liability claims and effective accounting and management control. The interference with the applicants ’ rights was also necessary in a democratic society, and had been kept to a minimum. Besides deleting all electronically processed data, the data recorded on paper – such as the filing cards and records referring to the paper file – had to a large extent been deleted. Lastly, paper files were subject to strict storage and deletion regulations ( Skartierungs ­ vorschriften ) which specified time limits for the storage of paper files that were no longer needed, after which date they were destroyed.

70 . The applicants submitted that there were still detrimental effects resulting from the past investigations conducted in respect of them on suspicion of their having committed offences under Article 209 of the Criminal Code, even though that provision had been repealed. The Convention, however, prohibited States from attaching further negative consequences to prior human rights violations even in cases where those violations have not been challenged. Sexual autonomy and the prohibition of discrimination on grounds of sexual orientation were general principles of European law, and the Government were therefore under an obligation to provide sound reasons to justify the necessity of prolonging the negative consequences attaching to criminal investigations under Article 209 of the Criminal Code.

71 . The Court observes in the first place that the applicant relied on Article 14 read in conjunction with Article 8 of the Convention as he had done in the case of E.B. and Others v. Austria (nos. 31913/07, 38357/07, 48098/07, 48777/07 and 48779/07, 7 November 2013). That case concerned the refusal of the Austrian authorities to delete references to the applicants ’ convictions under Article 209 of the Criminal Code from their criminal records. While Article 209 of the Criminal Code had been quashed by the Austrian Constitutional Court and therefore is no longer in force, the present cases not only concern police investigations under this provision against the first and second applicant but also investigations against the second applicant E.B. in respect of other offences, Articles 207 and 207a of the Criminal Code which still are in force. Thus, the essence of the applicants ’ complaint is not an issue of discrimination on the ground of sexual orientation in b r each of Article 14 of the Convention read in conjunction with Article 8 but whether the continued storing of certain data relating to these investigations constituted a justified interference with the applicants ’ right to respect for their private life as guaranteed by Article 8 of the Convention. The Court therefore considers that this complaint falls to be examined under Article 8 alone. It reiterates that the storage by a public authority of information relating to an individual ’ s private life amounts to an interference within the meaning of Article 8. The subsequent use of the stored information has no bearing on that finding (see Leander v. Sweden , 26 March 1987, § 48, Series A no. 116, and S. and Marper v. the United Kingdom [GC], nos. 30562/04 and 30566/04, § 67, ECHR 2008).

72 . The Court therefore finds that the police authority ’ s storage in paper files of data concerning the criminal investigations in respect of the applicants constituted an interference their rights under Article 8 of the Convention. Such interference will be in breach of Article 8 of the Convention unless it can be justified under paragraph 2 of Article 8 as being “in accordance with the law”, pursuing one or more of the legitimate aims listed therein, and being “necessary in a democratic society” in order to achieve the aim or aims concerned.

73 . As regards the justification of the interference, the Court reiterates that the protection of personal data is of fundamental importance to a person ’ s enjoyment of his or her right to respect for private and family life as guaranteed by Article 8 of the Convention. The domestic law must therefore afford appropriate safeguards to prevent any such use of personal data as may be inconsistent with the guarantees of this Article (see, mutatis mutandis, Z . v. Finland , 25 February 1997, § 95, Reports of Judgments and Decisions 1997 ‑ I). In line with its findings in S. and Marper ( cited above, § 103), the Court takes the view that the need for such safeguards is all the greater where the protection of personal data undergoing automatic processing is concerned, not least when such data are used for police purposes. The domestic law should, in particular, ensure that such data are relevant and not excessive in relation to the purposes for which they are stored and that they are preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which those data are stored. The domestic law must also afford adequate guarantees to ensure that retained personal data are efficiently protected from misuse and abuse (see Gardel v. France , no. 16428/05, § 62, ECHR 2009).

74 . In the present case, police investigations in respect of the applicants were conducted on the suspicion of their having committed an offence under Article 209 and Articles 207 and 207a of the Criminal Code. The results of these enquiries – which were destined for the public prosecutor and the criminal courts – were also stored in paper files. These data were collected and put into the copy files in accordance with the rules of the Security Police Act, in particular section s 53 and 57 of that Act, and in conformity with Austria ’ s obligations according to European law . T his was not disputed by the applicants. The Court therefore finds that the interference was in accordance with the law.

75 . In the applicants ’ view, after the termination of the criminal proceedings for which the investigations were intended, there had been no further need to store the data in the copy files. In the Government ’ s view the storage of these copy files until the date for their destruction in accordance with the storage and deletion regulations served a useful purpose, namely reviewing the lawfulness of the actions of the authorities, the settlement of potential official liability claims and effective accounting and management control. The Court therefore considers that the storage of the copy files pursued a legitimate aim within the meaning of Article 8 § 2 of the Convention.

76 . In assessing the necessity of the interference in a democratic society, the Court will give due consideration to these elements. It notes in the first place that all electronically processed data concerning the police investigations in respect of the applicants were deleted. However, for the purposes of the present applications it is also important to understand how the traditional paper filing system of the Vienna Federal Police Department was organised at the material time. On the one hand there were the copy files, which according to the case-law of the Administrative Court comprised an unstructured collection of paper documents. In addition to the copy files, there were the index cards – containing a person ’ s basic personal data such as name, age, and address – on which the file number of the copy file was registered, and these cards were supplemented by a third search tool, the record book, in which incoming documents and the manner in which they had been processed was recorded for every calendar year, allowing a chronological search.

77 . The Court will also take into account the sensitivity of data and the manner in which they are stored. In this connection it reiterates that domestic law must afford appropriate safeguards to prevent any use of personal data that may be inconsistent with the guarantees of Article 8 of the Convention and that the need for such safeguards is all the greater where the protection of personal data undergoing automatic processing is concerned, not least when such data are used for police purposes (see Garde l v. France , cited above, § 62).

78 . Following the striking down of Article 209 of the Criminal Code. the Austrian authorities substantially restricted access to the documents in the copy files, at the applicants ’ request, by deleting cross-references to these files in the files record and the index cards, as a result of which the copy file was not traceable using these research tools. These practical measures were accompanied by the general rules on use and consultation of data in the Security Police Act. Thus, the storage of data in the paper files , which were unstructured paper files for internal documentation of procedural steps, was re duced to systematic documentation and archiving of the acts of the police authorities in the interests of good administration without further consequences to the applicants . Moreover, as is apparent from the relevant provisions of the Storage and Deletion Rules for the Vienna Federal Police Department and the Data Protection Commission ’ s decision of 29 November 2006, the storage of this information was for a limited period only, with copy files being stored for five years following the end of the year of recording, and index cards and filing registers for twenty years.

79 . The Court therefore finds that in these particular circumstances the storage of data on the police investigations in respect of the applicants on suspicion of their having committed criminal offences struck a fair balance between the competing private and public interests that were at stake. There is accordingly no appearance of a violation of Article 8 of the Convention.

80 . The Court concludes that this part of the application is manifestly ill ‑ founded and must be rejected in accordance with Article 35 §§ 3 (a) and 4 of the Convention.

D. Alleged violation of Article 13 of the Convention

81 . The applicants complained that they did not have, as required by Article 13 of the Convention, an effective remedy at their disposal in order to complain about the refusal to delete data concerning criminal investigations in respect of them contained in paper files. Article 13 of the Convention reads:

“Everyone whose rights and freedoms as set forth in [the] Convention are violated shall have an effective remedy before a national authority notwithstanding that the violation has been committed by persons acting in an official capacity.”

82 . The Government contested that argument and the applicants did not comment on this point.

83 . The Court reiterates that Article 13 guarantees the availability at national level of a remedy to enforce the substance of the Convention rights and freedoms in whatever form they may happen to be secured in the domestic legal order. The effect of Article 13 is thus to require the provision of a domestic remedy to deal with the substance of an “arguable complaint” under the Convention and to grant appropriate relief (see, for example, Kudła v. Poland [GC], no 30210/96, § 157, ECHR 2000-XI).

84 . Referring to the foregoing considerations under Article 8, the Court notes that in the present case the applicants have no “arguable complaint” under that provision.

85 . It follows that their complaint under Article 13 must be rejected in accordance with Article 35 §§ 3 and 4 of the Convention.

E. Alleged violation of Article 6 of the Convention

86 . The second applicant complained that the storage in files on the police authorities ’ premises of the data concerning investigations in respect of him on suspicion of having committed the offence of Article 209 of the Criminal Code violated the principle of the presumption of innocence. He relied on Article 6 § 2 of the Convention, which reads:

“Everyone charged with a criminal offence shall be presumed innocent until proved guilty according to law.”

87 . The Government argued that the second applicant had not exhausted domestic remedies as he had not invoked Article 6 § 2 of the Convention at all before the domestic courts or other domestic authorities.

88 . The second applicant did not comment on this point.

89 . The Court observes that the second applicant did not raise the issue he is complaining about before the Court in the domestic proceedings and therefore finds that he has failed to exhaust domestic remedies. It follows that this part of the application must be rejected in accordance with Article 35 §§ 1 and 4 of the Convention.

For these reasons, the Cou rt , unanimously ,

Decides to join the applications;

Declares the applications inadmissible.

Søren Nielsen Isabelle Berro-Lefèvre Registrar President