Data Protection Cases
The household exception (Lindqvist)
"That exception (the household exception) must therefore be interpreted as relating only to activities which are carried out in the course of private or family life of individuals, which is clearly not the case with the processing of personal data consisting in publication on the internet so that those data are made accessible to an indefinite number of people."
Lindqvist: Facts
(2003 - PRE-GDPR) - Maintenance worker at a Church in Sweden. - Used personal computer to make a website containing information about herself and 18 colleagues at the parish. - Sometimes she put full names, sometimes not. She included jobs, hobbies, family circumstances and mentioned that one colleague was on part-time having injured her foot. - She had not informed colleagues or obtained their consent, although she took it down when she realised they weren't happy.
Satamedia: Facts
(2008 - Pre-GDPR) - Reference for a preliminary ruling re the interpretation of Directive 95/46 EC. - For various years, the Markkinapörssi collected public data from the Finnish tax authorities in order to publish it in a newspaper year (the Veropörssi newspaper). - The information in that newspaper (main purpose of which is to publish tax information) included the name and surname of approximately 1.2 million people whose income exceeded certain thresholds. - It also included the amount of their earned and unearned income and the details related to the wealth tax levied on them. - Information organised in an alphabetical list, according to municipality and income bracket. - Newspaper contained a notice saying that personal data could be removed free of charge. - Markkinapörssi transferred personal data published in the newspaper, in the form of CD-ROM disks, to Satamedia (owned by the same shareholders), so that information could be sent out via a text messaging system. - Mobile phone users could receive this information for a charge of about 2 euros. - After complaints from individuals, the Finnish tax authorities invested the activities of Markkinapörssi and Satamedia - they brought proceedings before the Helsinki Court, and the Court decided to stay the proceedings and make a request for a preliminary ruling. - The case went through long proceedings at national level, then for a preliminary ruling by the CJEU and then finally went to the ECtHR.
Digital Rights Ireland (and Seitlinger and Others): Facts
(2014 - Pre-GDPR) - CJEU called upon to determine the validity of Directive 2006/24/EC, which was published after the 2005 terrorist attacks in London and enabled the use of electronic communications data in the prevention, investigation, detection and prosecution of criminal offences. - Whether or not Member States had domestic legislation requiring data to be retained, the Directive meant various categories of data would have to be retained for between six months and two years. - This included subscriber details for the telephone numbers from which calls given and received, duration of calls, details of unanswered calls, times and periods for which internet services were accessed, and data relating to the location. - Ireland adopted a law which allowed competent authorities of the state to request the disclosure of traffic and location data, who were required to retain this. - Also in Austria. Mr Michael Seitlinger.
Google Spain: Facts
(2014 - Pre-GDPR) - When a search was undertaken on the Google search engine using the applicant's name, the results of the search provided links to old newspaper articles mentioning his connection to bankruptcy proceedings (from the newspaper La Vanguardia). - The applicant considered this to be an infringement on his right to private life and protection of personal data, since the proceedings had been conducted years ago and were now irrelevant. - He requested that La Vanguardia either remove or alter the pages and that Google be required to conceal the information.
Schrems: Facts
(2015 - Pre-GDPR) - Schrems (Austrian citizen) went to the Irish DPO with complaints about Facebook - amongst other things, membership of the safeguard. He filed further complaints after the 2013 Snowdon revelations, complaining that US privacy law did not provide accurate protection. - Safe Harbour a way of getting around the fact that EU privacy law means its citizens' data cannot be transferred somewhere out of the Union unless it is transferred somewhere with adequate protection. - The principles of the Safe Harbour scheme applied only to self-certified US organisations receiving personal data from the European Union, and US public authorities were not required to comply with them. - However, under Article 25(6) of the Directive, the DPO said it could not question the European Commission's provision that the Safe Harbour provided adequate protection. - Schrems argued that they should use their statutory powers in order to find that no adequate protection existed and sought judicial review of the Court's decision not to proceed against Facebook.
Breyer: Facts
(2016 - PRE-GDPR) - German politician and privacy activist Breyer has accessed several websites operated by German Federal Institutions. - These offered topical information to the public. - In order to prevent attacks and prosecute 'pirates,' these websites would store information in logfiles. - These logfiles include the name of a webpage to which access sought, terms entered into search fields, time of access, quantity of data transferred, indication of whether access successful and the IP address from which access was sought. - Mr Breyer objected to the storage of IP addresses. - The German Federal Court's questions were specifically focused on dynamic IP addresses, which are less privacy-invasive than static IP addresses. - IP addresses are assigned by internet service providers and take the form of a series of digits - in practice, don't identify a person but they can be identified with other information. - Difference between static and dynamic IP addresses: dynamic IP addresses change each time there is a new connection to the internet, so they do not enable a link to be established between the given computer and physical network used by the internet service provider.
Tele2 Sverige: Facts
(2016 - Pre-GDPR) - The key issue was whether legislation in Sweden and UK, which imposed an obligation for public communications providers to retain traffic and location data, was compatible with EU law. - These cases were each brought after Digital Rights Ireland, which invalidated the Data Retention Directive. - After this, Tele2 Sverige (one of Sweden's main telecommunications operators) stopped retaining communications data and proposed to delete data they had retained. - Sweden's National Police Board made a formal complaint to the Swedish Post and Telecommunications authority - legal proceedings and the Court referred questions about the general obligation to retain data to the CJEU. - In UK, an application was made for judicial review of DRIPA (Data Retention and Investigatory Powers Act). This required telecommunications providers to retain all communications data for 12 months where required by the Secretary of State. - Preliminary ruling requested from the ECJ. The court was being asked to determine the scope of Digital Rights Ireland.
Wirtschaftsakademie: Facts
(2018 - Pre-GDPR) - Wirtschaftsakademie offered educational services by means of a fan page hosted on Facebook. - Fan pages are user accounts which can be set up on Facebook by individuals or businesses. - Administrators receive anonymous statistical information on visitors to fan pages, which is connected by cookies, each containing anonymous user information. - These cookies are active for two years, and are stored by Facebook on the hard disk of the computer. - The user code (which can be matched with the connection data of users registered on Facebook) is connected and processed when the fan pages are opened. - After the contested decision, Wirtschaftsakademie was told to deactivate the page. Eventually when to the CJEU for a preliminary ruling.
Breyer: Key Rulings
- A dynamic IP address registered by an online media provider is personal data where the media provider has the ability to identify it with extra data. - For this to be applicable, it is not necessary that all the information needed to enable identification must be in the hands of one person. - Article 7(f) must be interpreted as precluding a Member State from making legislation that prevents a media services provider from collecting data without the subject's consent, even only so far as is necessary to facilitate/ charge/ ensure the general operability. - A restrictive reading of the German TMG (which only allows the collection and use of a user's personal data to the extent necessary to facilitate and charge for the use of telemedium without consent) would prevent the storage of IP addresses from being authorised - court has held that Article 7(f) provides a list of situations where processing is lawful. - The German approach too restrictive and they should reconsider the scope - but they could keep their law as long as they used a balancing approach.
Satamedia: Main Rulings (Scope)
- After lengthy proceedings, no violation was found. - Surname, given name and amount of earned and unearned income was held to amount to personal data - relating to identified or identifiable natural data. It counted as processing. - Held that it fell within the scope of the Directive - these were the activities of private companies, not public authorities, and not carried out in the course of a purely household activity.
Google Spain: Arguments
- All parties except Google and the Greek government agreed Google was a controller. - According to Google Spain and Google Inc, the activity of search engines cannot be regarded as processing of the data - search engines process information on the internet without distinguishing between personal information and other information. - Re allocation of responsibility: Google Spain and Google Inc say that, by virtue of the principle of proportionality, any request seeking the removal of information must be addressed to the publisher of the website. - Costeja Gonzalez and the Spanish, Italian and Polish governments submit that the national authority may order the operator of a search engine to withdraw from its indexes.
Article 15(1) of the ePrivacy Directive
- Article 15(1): Application of certain provisions of Directive 95/46/EC. - Member States may adopt legislative measures to restrict the scope of obligations provided for in Article 5 inter alia when such a restriction constitutes a necessary, appropriate and proportionate measure within democratic society.
Google Spain: Significance and Problems
- CJEU has been criticised for focusing so much on the right to privacy that it forgot that other rights are applicable.
Article 5(1) of the ePrivacy Directive
- Confidentiality obligation: confidentiality of the communications. - Member States shall ensure confidentiality of communications and the related traffic data by means of a public communications network and publicly available electronic communications service. - Shall prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users.
Satamedia: Main Rulings (Journalistic Purposes and Balancing)
- Did it count as processing of personal data purely for journalistic purposes? And was that relevant? - Stressed that Directive must be interpreted in line of the aims and principles it establishes. Data protection must be reconciled to some extent with freedom of expression. - Derogations to the data protection rules based on freedom of expression are only allowed when strictly necessary. - In order to do this, Member States must provide for some derogations re journalistic purposes. - The fact done for profit does not exclude it from "solely for journalistic purposes." - The methods of communication: whether paper, radio waves or electronic, this is not determinative as to whether an activity is undertaken "solely for journalistic purposes." - THEREFORE, disclosure of information from public documents like this may be classified as "journalistic activities" if "the sole object of those activities is the disclosure to the public of information, opinions or ideas. Whether that is the case is a matter for the national court to determine."
Digital Rights Ireland: Arguments
- Digital Rights Ireland sought annulment of several measures of domestic law which let Irish authorities adopt measures requiring providers of telecommunications services to retain telecommunications data. Also questioning the validity of Directive 2006/24.
Lindqvist: Commission's Argument
- Directive applies to all processing regardless of the means used. - Internet page could not be seen to fall outside of the scope of the Directive, since not restricted to economic activities. - Commission argued that it was an international transfer, since the information would become accessible to so many people. - Member States cannot make the protection more extensive than that provided for in the Directive.
Wirtschaftsakademie: Significance and Problems
- Holds everyone accountable because otherwise it would be easy to shift responsibilities until no one was accountable. - Avoids that lacuna of responsibility --> effectiveness of protection of individuals. - BUT it's all-encompassing. - Fashion ID is a reminder that teleological interpretation can bring about results which you did not intend. - Importance of independence of data protection supervision: DPAs shall act independently... from independent DPAs? This is rather unusual (cf cooperation mechanism between competition law authorities).
Lindqvist: Significance and Problems
- International data transfers. This created the "Lindqvist loophole." - Household exception: implications for social media? - Broad level of protection.
Digital Rights Ireland: Proportionality
- ESSENCE OF THE RIGHT NOT DESTROYED SO THEY LOOKED TO PROPORTIONALITY. - Court effectively adopted a two-pronged proportionality test: whether measure was appropriate to achieve objectives and did not go beyond which was necessary to achieve them. - Noted that limitations to fundamental rights only applied as far as strictly necessary: data retention only a justified interference if done for the purpose of fighting crime and on the basis of a objective criteria. - By applying to all traffic data of all users of all means of electronic communications, the Directive entailed an 'interference with fundamental rights of practically the entire population' and did not require link between data retained and crime/ security. - Directive did not set out clear safeguards. - Directive also failed to lay down any objective criterion by which to determine the limits of the access of the competent national authorities and the subsequent use. - To be kept for at least 6 months, without distinctions on the basis of Article 5.
Breyer: Significance and Problems
- Expanding scope of personal data. Teleological interpretation. - Personal data if they have the "legal means" of obtaining access - what if not? - White and Case says Court implicitly adopts relative (instead of objective) criteria, where IP address only personal data in some people's hands (would not be if they didn't have the right to lawful access). - Means that, if businesses have one piece of information which legally lets them link to IP address to customer's identity, then they are covered. - Unclear what businesses can do to avoid this. - Blurring the identifiability spectrum.
Tele2 Sverige: Problems and Significance
- For the first time, the Court explicitly states that blanket retention measures are incompatible with EU law, read in light of the Charter. - In the UK, this came too late to prevent UK"s Investigatory Powers Act 2016 - which allowed for bulk interception and hacking. With post-Brexit implications of 'adequacy,' this should be found incompatible with EU law. - Suspects are not known in advance, so data retention which is not universal in its scope is bound to be less effective as a crime reduction measure. - A person whose data has not been retained cannot be exonerated using that data. - The Court seemingly endorsed geographic and group profiling uncritically... although they appeared to recognise this by suggesting that such profiling would need to be strictly evidence-based.
Google Spain: Main Rulings (Territorial Scope)
- Found that there was material scope. - Google Search offered online, offered by Google Inc (parent company of the Google Group) - indexes websites all over the world. Google Spain a subsidiary (with separate legal personality) which promotes the use of advertising space. - "In such circumstances, the activities of the operator of the search engine and those of its establishment situated in the Member State concerned are inextricably linked since the activities relating to the advertising space constitute the means of rendering the search engine at issue economically profitable and that engine is, at the same time, the means enabling those activities to be performed."
Google Spain: Main Rulings (Material Scope)
- Held that it had to be removed. There was no public interest in having it appear. - The CJEU clarified that Google processes data: "Therefore, it must be found that, in exploring the internet automatically, constantly and systematically in search of the information which is published there, the operator of a search engine 'collects' such data which it subsequently 'retrieves,' 'records' and 'organises' within the framework of its indexing programmes, 'stores' in its servers and, as the case may be, 'discloses' and 'makes available' to its users in the form of lists of search results. - Google is regarded as a controller in the scope of that. Part of ensuring broad protection.
Wirtschaftsakademie: Key Rulings
- Held that the definition of controller encompasses the administrator of a fan page: the "creation of a fan page on Facebook involves the definition of parameters by the administrator." They are not all required to have access to the personal data being processed. - Where an undertaking established outside of the EU has several establishments in different Member States, the supervisory authority of a Member State is entitled to exercise the powers conferred on it (by Article 28) - even if that establishment is solely used for marketing etc. - A supervisory authority which is competent under national law is not obliged to adopt the conclusion reached by another supervisory authority in an analogous situation.
Tele2 Sverige: Key Rulings (ePrivacy Directive)
- Held that the question fell within the scope of EU law. - Preliminary point: did national legislation on retention and access to data fall within the scope of the ePrivacy Directive? Held that it did. -Article 15(1) allows for the adoption of of data retention legislation by Member States and Article 1(3) says Directive does not apply to activities concerning public security, defence etc. - Court guided by the general structure of the Directive: court acknowledged that the objectives pursued by Article 1(3) and 15(1) overlap substantially, it held that Article 15(1) of the Directive would be deprived of any purpose if the legislation measures it permits were excluded from the scope of the Directive by Article 1(2).
Google Spain: Main Rulings (Right to be forgotten)
- Held that there was no public interest in having the information appear. - In the light of seriousness of the interference, cannot be justified by merely the economic influence. - Operator of the search engine required to remove the information. -Re scope of data subject's rights: "As the data subject may, in the light of his fundamental rights under Articles 7 and 8 of the Charter, request that the information in question no longer be made available to the general public on account of its inclusion in such a list of results, those rights override, as a rule, not only the economic interest of the operator of the search engine but also the interest of the general public in having access to that information upon a search relating to the data subject's name. However, that would not be the case if it appeared, for particular reasons, such as the role played by the data subject in public life, that the interference with his fundamental rights is justified by the preponderant interest of the general public in having, on account of its inclusion in the list of results, access to the information in question."
Schrems: Arguments
- High Court said Snowden revelations showed overreach of power but concerned about assessing the legality of the Commissioner's decision. - Commission argued necessary to take account of the allocation of powers between it and the national data protection authorities. Powers of national data protection authorities focused on the application of legislation in individual cases, whilst general review of application of Decision 2000/520 comes within powers of the Commission. - Commission said Schrems had not put forward any specific arguments indicating he is at imminent risk of grave harm.
Schrems: Main Rulings (Essence of the Right)
- Legislation which permits public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life. - Legislation not providing any possibility for an individual to pursue legal remedies does not respect the essence of the right - judicial review, rectification etc. (basically, the Court wasn't a fan of safe harbour enforcement principles).
Satamedia: Arguments
- Markkinapörssi and Satamedia wished to extend the scope of Article 9 of the Data Protection Directive to cover the entire protected area of freedom of expression. - Commission proposes that national restrictions of data protection should be set aside on account of violation of the right to privacy. - Finland considers that the processing of published personal data is justified by the freedom of expression.
Lindquist: Mrs Lindqvist's Arguments
- Mrs Lindquist argued that it was unreasonable to say that merely mentioning a name on a document on the internet was automatic processing. - She also said that those who make use of their freedom of expression to create internet pages in the course of a non-profit-making or leisure activity are not subject to community law (household exception). - She argued that Directive 95/46 conflicted with freedom of expression.
Wirtschaftsakademie: AG Opinion
- Notes the background of 'web tracking,' which consists in observation and analysis of the behaviour of internet users for commercial and marketing purposes - identify centres of interest on the internet through observation of browsing habits. - AG argues that Wirtschaftsakademie must be regarded as jointly responsible for the phase of data processing. That they are first and foremost a user of Facebook does not mean they can't be responsible for that phase of the processing. -Doesn't see any particular difference between a fan page administrator and the administrator of a website. - Shared responsibility does not imply equal responsibility. - Is German supervisory authority entitled to exercise powers and against which establishment (where parent company established out of the EU has establishments for advertising space etc)?
Digital Rights Ireland: Significance and Problems
- Provided by law, respect the essence of the right, necessity/ proportionality, objectives of general interest. - Invalidity of the Directive a victory for grassroots civil liberties groups. Judgment recognises the dangers posed by aggregated metadata - that it may "allow very precise conclusions to be drawn concerning the private lives of individuals." - Court glosses over the fact it assesses the proportionality against the 'material objective' of crime prevention rather than stated objective of market harmonisation. - Does not look for empirical evidence as to whether data retention an appropriate tool to fight serious crime.
Lindqvist: Key Rulings
- Referring to people on an internet page could be classified as the processing of personal data wholly or partly by automatic means. - It did not fall under any of the exceptions in Article 3(2) of Directive 95/46. Not economic activity but charitable and religious, and the the household exception must be considered as referring to activities carried out in the course of private or family life. - Information that a named colleague has injured her foot and is on part-time on medical grounds is sensitive information - "data concerning health" given broad meaning to cover physical and mental health. - There is no transfer of data to a third country when an individual loads information onto an internet page - not directly transferred between people but hosted on a computer infrastructure. - The principles of the Directive do not themselves bring about conflict with freedom of expression or other freedoms and rights - it is for national authorities and courts applying the Directive to achieve balance. - Nothing prevents a Member State from extending the scope of national protection beyond the Directive.
Lindqvist: Intervening Governments' Arguments
- Swedish Government argued that the processing of personal data wholly or partially by automatic means covers all processing as soon as personal data is processed by a computer. Netherlands similar. - Swedish Government said that, when they implemented the Directive into national law, the Swedish legislature took the view that publishing data to an indeterminable number of people on the internet could not be regarded as a household activity. - The Swedish Government said putting information on a website counted as international data transfer because would become accessible to many people. - Netherlands thinks putting information on a website does not count, and UK says it concerns the transfer to other countries and not their accessibility from those countries. - Swedish Government says the Directive enables interests to be balanced - Netherlands gov says no hierarchy among rights protected and UK stresses proportionality. - Sweden also said the Directive was not confined to fixing minimum conditions and not empowered to provide greater or later protection. Netherlands said it does not preclude them from providing greater protection.
Tele2 Sverige: Arguments
- Tele2 Sverige felt that the obligation to retain data conflicted with the fundamental rights of the Charter and was inconsistent with Digital Rights Ireland. - Watson, Brice and Lewis argued that DRIPA was incompatible with Articles 7 and 8 of the Charter and Article 8 of the ECHR. - On the issue of data security, the Court held that Article 15(1) does not allow Member States to derogate from the Directive's data security provisions, which require providers to take appropriate technical and organisational measures to ensure the effective protection of retained data. - Emphasised link between independent supervision and availability of a legal remedy for subjects. - Talked about how EU law not precluded from providing extensive protection under the GDPR.
Digital Rights Ireland: Key Rulings
- The CJEU held that EU legislature had exceeded the principle of proportionality (Articles 7, 8, 52) in adopting the Data Retention Directive. - Even though it pursued a legitimate aim, the interference with rights to personal data and private life was serious and not limited to what was strictly necessary. - It conducted the assessment in three parts. - First, it examined relevance of Charter provisions to the validity of the Data Retention Directive. - Second, it asked if there was an interference with Articles 7 and 8 of the Charter. Wide-ranging and serious interferences. - Thirdly, they considered whether these interferences were justified. According to Article 52(1) of the Charter, for limitations to be justified, they must (1) be provided for by law, (2) respect the essence of the rights and (3) subject to the principle of proportionality, limitations must be genuinely necessary to meet the requirements of general interest. - With regard to whether the interference satisfies an objective of general interest, the Court distinguished between the Directive's 'aim' and 'material objective.'
Schrems: Key Rulings (International Data Transfers)
- The CJEU invalidated the EU-US Safe Harbour arrangement and broadly agreed with the decision of the Advocate General. - Article 25(6) DPD did not prevent DPAs from examining claims relating to the adequacy of protection under a European Commission decision - national courts can consider the validity, although they cannot actually declare it to be invalid. - Based on Charter, the term "adequate level of protection" must be understood to mean "a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union by virtue of Directive 95/46 read in the light of the Charter." - This does not require the level of protection to be identical to that under EU law. - Assessing the level of protection requires the European Commission to "take account of all the circumstances surrounding a transfer of personal data to a third country" (paragraph 75), to check periodically whether the adequacy assessment is still justified (paragraph 76), and to take account of circumstances that have arisen after adoption of the decision (paragraph 77)." - Why not adequate? Court observed that it applied only to self-certified US companies and public authorities not required to comply. Safe harbour decision also contained insufficient findings re the measures by which the UD ensured an adequate level of protection of fundamental rights and freedoms.
Satamedia: The Finnish Court Decision
- The Court developed a proportionality test mixing minimum standards of protecting freedom of expression as resulted from the CJEU ruling with the maximum standard of protection of the other fundamental right at issue (right to privacy, as developed by the ECtHR in the Hannover and Axel Springer Case). - Court pointed out that the balance requires that, for the most part, that information provided to the audience must be important to society and not just serve curiosity. - They said that the text messaging service could not qualify as processing for journalistic purposes under the data protection act - they directly applied the proportionality test under Art 8 ECHR. - They therefore sent the case back to the Data Protection Board, obliging the Board to send a refusal back to Satamedia on their continued publishing of the data (BOTH the publications and the SMS service) - they said that the Finnish Personal Data Act is not in line with the way in which the CJEU has interpreted the scope of application of the Directive. - The two companies lodged a claim before the ECtHR for the violation of Art 10 ECHR.
Tele2 Sverige: Main Rulings (Mandatory Requirements of DRI)
- The Court had just established the incompatibility of generalised data retention legislation with EU law. - They then considered whether EU law precludes national data retention and access to legislation if that legislation does not restrict access solely to the objective of fighting serious crime, does not require access to be subject to prior review by a court or independent body and, if it does not require that data should be retained in the EU. - They stressed that only objective of fighting SERIOUS crime would justify retained data.
Tele2 Sverige: Key Rulings (General and indiscriminate data retention)
- The Court then considered the important substantive point in the judgment: the compatibility of 'general and indiscriminate' data retention with the provisions of EU law. - Recalled that the overarching aim of the ePrivacy Directive is to offer users of electronic communications services protection against the risks to fundamental rights brought about by technological advances. - Emphasised the general principle of confidentiality of communications in Article 5(1) of the Directive and the related safeguards for traffic data and location data (in Articles 6 and 9) - Court acknowledged Article 15(1) allows for exceptions to these principles by restricting their scope, but held that the provision must be interpreted strictly - THE EXCEPTION TO THE DIRECTIVE'S CONFIDENTIALITY OBLIGATION CANNOT BECOME A RULE, AS THIS WOULD RENDER THE CONFIDENTIALITY OBLIGATION MEANINGLESS. - Court also emphasised that Article 15(1) must be interpreted in light of general principles of EU law, thus including fundamental rights in the EU Charter importance of the rights to privacy and data protection. - Having established the scope of the retention obligation, Court emphasised the revealing nature of this data and stressed the DRI finding that data 'taken as a whole, is liable to allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained' [98]. - General and indiscriminate data retention legislation particularly serious invasion to privacy and data protection - feeling of constant surveillance and the chilling effect. - Only the objective of fighting serious crime could justify national data retention legislation. - Although fight against serious crime may depend upon modern investigative techniques, this cannot in itself justify finding that general and indiscriminate data retention legislation is necessary in the fight against crime. - In particular, the legislation applies to people for whom "there is no evidence capable of suggesting their conduct might have a link, even an indirect or remote one, with serious criminal offences." - National legislation exceeds the limits of what can be considered justified under Article 15(1) read in the light of the Charter. - But the Court did not deem all data retention unlawful - said it must be targeted and limited to what is strictly necessary in terms of the categories of data retained. - Legislation should indicate in what circumstances and under which conditions a data retention measure could be adopted as a preventative measure. - Data retention legislation should meet an objective criteria which connects the data to be retained and the object pursued. - Must be evidence-based: objective evidence should make it possible to 'identify a public whose data is likely to reveal a link, at least an indirect one, with serious criminal offences' [111].
Satamedia: Main Rulings (ECtHR)
- The ECtHR found no violation of the right to freedom of expression and information. - They approved the approach of the Finnish authorities in denying the applicants' claim to rely on the exception of journalistic activities within the law of personal protection of personal data. - The most relevant issue was whether the interference was necessary in a democratic society, being sufficiently and pertinently motivated and proportionate in its dimension or impact. - Affirms that journalistic purposes derogation is intended to allow journalists to access, collect and process in order to ensure that they can perform their journalistic activities. - Contribution to a debate of public interest: "..the existence of a public interest in providing access to, and allowing the collection of, large amounts of taxation data did not necessarily or automatically mean that there was also a public interest in disseminating en masse such raw data in unaltered form without any analytical input." - They implied that if the publication does not contribute to public interest, it cannot enjoy a privileged position.
Schrems II
- The Irish High Court decided to refer questions on the adequacy of standard contractual clauses to the Court of Justice of the European Union. - After Schrems I, Facebook switched to 'standard contractual clauses' to transfer EU data to the US - to which Schrems responded by updating his complaint with the DPC to include this new transfer mechanism. - In 2016, the DPC issued a draft decision resolving its investigation of Schrems' revised complaint, finding against the social media giant and indicating that "standard contractual clauses provide insufficient protection to EU Citizens." - However, because the DPC alleged it lacked the authority to suspend data transfers on its own, it referred the case to Irish High Court who subsequently referred it to the CJEU.
Breyer: Germany's Arguments
- The data stored does not enable Mr Breyer to be directly identified - he can only be identified if information is communicated by his internet service provider. - They stated that German law does not allow the internet service provider to directly transmit to the online media services provider the information necessary to identify the data subject. - They stress that this is to do with data protection law.
Breyer: Mr Breyer's Arguments
- There is the possibility that a dynamic IP address could be combined with other information in order to identify the user. (Note German attitude towards data protection - Breyer is saying there shouldn't be further processing and data should be promptly deleted. - According to Breyer, personal data include those which it is possible to combine from a theoretical point of view, where there exists an abstract potential risk of combination. - German Government says IP addresses do not reveal an 'identified' person - should use a subjective criteria and take account of the means reasonably likely to be used. - The Commission says IP addresses count as personal data. 2nd Q - Breyer argues that the national legislation is compatible with Article 7(f) - public website has no interest in retaining personal data/ because the interest in protecting anonymity carries greater weight. - German government says not necessary to address this question, since it is only raised if the answer to Q1 is affirmative. - Austrian Government says that Directive does not preclude in general the retention of data like that in the case at hand when essential to ensure proper functioning of electronic media. - Commission says legislation implementing Article 7(f) of the Directive must define the objectives of processing in such a way that they are predictable for the individual concerned - German law does not comply with that. Should preclude provision allowing data collection without their consent.
Wirtschaftsakademie: Arguments
- Verwaltungsgericht - Facebook's data processing operations could not be attributed to it. - Wirtschaftsakademie - ULD should have made the claim directly against Facebook instead of against them. - According to the referring Court, Wirtschaftsakademie is not a 'body collecting, processing or using personal data on his or its own behalf.'
Fashion ID
-Fashion ID dealt mainly with the issue of 'joint controllership' between Facebook and website operators using Facebook's 'Like' button on their website. - CJEU held that operator of the website can be a controller jointly with Facebook re the collection and transmission to Facebook of the personal data of visitors to the website, but not in respect of subsequent processing. · ....In the understandable desire to secure the effective protection of personal data, the recent case-law of the Court has been very inclusive when being asked to define, in one way or another, the notion of (joint) controller. So far, however, the Court has not been faced with the practical implications of such a sweeping definitional approach with regard to the subsequent steps of exact duties and specific liability of parties who are classified as joint controllers. Since this case offers precisely such an opportunity, I would suggest seizing it in order to enhance the preciseness in the definitions that ought to be exist for the notion of (joint) controller. (para 72)
Article 1 of the ePrivacy Directive
1(1) explains it harmonises provisions of member states to ensure an equivalent level of protection of fundamental rights and freedoms, especially the right to freedom. - 1(2) Provisions complement the DPD. - 1(3) explains that Directive does not apply to activities which fall outside of the scope of the Treaty. - Directive will not apply to activities which fall outside the scope of the Treaty establishing the European Community - activities determining public security, defence, State security, the activities of the State in areas of criminal law.
Schrems II: Advocate-General
AG Henrik Saugmandsgaard Øe - Analysis guided by balance between desire to show reasonable degree of pragmatism in interaction with other parts of the world and, on the other hand, the need to assert the fundamental values recognised in the legal orders of the Union and its Member States (and especially the Charter). - Reaffirms sufficiency of standard contractual clauses. The appropriate safeguards offered by contractual means guarantee the appropriate level of protection. - The compatibility of SCCs with the Charter depends on whether they are sound enough to ensure that any transfers based on them are prohibited where the SCC clauses would be breached or impossible to honour. - But calls into question US protections for personal data in the national security context. - Stressed that any finding as to the validity of the Privacy Shield decision could not influence the outcome of the dispute in the main proceedings. - Note the decision perpetuates uncertainty, because the suggestion is that it will be decided on a case-by-case basis.
Google Spain: AG Opinion
AG Jaaskinen - Mentions Warren and Brandeis' argument about recent developments in photography --> protecting personal data and privacy of individuals have become increasingly important. - Necessary to strike a correct, reasonable and proportionate balance between the protection of personal data, the coherent interpretation of the objectives of the information society and legitimate interests of economic operators and internet users at last. - Territorial scope: the Court should approach this question from the perspective of the business model of search engine providers. - Processing of personal data carried out in context of activities of establishment - this is the case if that establishment acts as the bridge for the referencing service to the advertising market of that Member State. - Material scope: talks about how Google's search engine crawler function, 'googlebot,' crawls on the internet constantly and systematically. Also an elaborate algorithm. These activities definitely count as processing. - The Article 29 Working Party correctly notes that '[t]he concept of controller is a functional concept, intended to allocate responsibilities where the factual influence is, and thus based on a factual rather than a formal analysis' - AG notes that Google is not the controller of personal data on third party web pages - therefore, thinks approach of the Article 29 Working Party is adequate because it draws a line between the entirely passive and intermediary functions of search engines and situations where their activity represents real control over the personal data processed. - But the internet search engine cannot be considered a controller, provided that they do not index pages against the requests of the publisher of the website. - Right to be forgotten: talks about balancing individual cases case-by-case. Data subject has the right to address himself to a search engine service provider in order to prevent indexing of information relating to him personally.
Satamedia: AG Opinion
AG Kokott: - Starting point for the interpretation of Article 9 of the Data Protection Directive should be that exceptions to a general principle must be interpreted strictly in order not to undermine the general principle unduly. - Article 9 exception can apply only to processing operations which serve journalistic purposes alone - if there are other purposes at the same time which are not to be regarded as journalistic, the media privilege will not be applicable. - AG pointed put that exemptions and derogations don't only apply to media undertakings but also to every person working in journalism. (Note: this test differs to the one provided by the ECtHR in the Hannover and Axel Springer cases, where the Court set out various criteria relevant to balancing competing rights under Arts 8/10 of the ECHR). - Consideration of private and public interests must be carried out with caution. - "the margin of discretion cannot lead to the legitimation of manifestly disproportionate interference in the right to privacy by exceptions to data protection." - The personal data files in question fall within the scope of the DPD.
Tele2 Sverige: AG Opinion
AG Saugsmand Øe: - Advocate General noted that data retention could help authorities examine the past, and he refused to declare general retention measures per se unlawful. - He preferred instead to assess the compatibility of data retention legislation against strict proportionality requirements. - Approach can be said to have been more nuanced and systematic than that of the Court. - For national courts to weigh the benefit of examining the past with the potential it would provide to abuse this power by using metadata to catalogue entire populations. - AG also departed on another point: according to the AG, DRI set out mandatory requirements, whilst the Court did not.
Lindqvist: AG Opinion
Advocate General Tizzano: - There appears to have been "no doubt" that there was processing of personal data. - Does it fall into one of the exceptions? - Cannot be household exception: these must be private and confidential activities which are intended to be confined to the personal or domestic circle of those concerned. - BUT agrees with Mrs Lindquist that the processing was carried out in the course of an activity which falls outside the scope of community law. It was set up without any intention of economic gain, so AG thinks it falls out of the cope of EU law. - Finds the AG's reasoning contrived when it argues that the activity falls within the scope of Community law.
Schrems: AG Opinion
Advocate General Yves Bot: Held that the Safe Harbour decision of the European Commission should be held to be invalid. - Refers to the challenge of allowing data flows between the European Union and the United States whilst maintaining a high level of protection. - AG did not share Commission's opinion - the existence of the Commission's decision cannot reduce the national supervisory authorities' powers under Article 28. Right to be heard by the supervisory authority. - If national supervisory authorities absolutely bound by decisions adopted by the Commission, that would inevitably limit their independence - they should be able to sit with complete independence. - After investigation, they have the power to suspend the transfer of data in question, irrespective of the general assessment made by the Commission in its Decision. -"[T]he existence of a decision adopted by the European Commission on the basis of Article 25(6) of Directive 95/46 does not have the effect of preventing a national supervisory authority from investigating a complaint alleging that a third country does not ensure an adequate level of protection of the personal data transferred and, where appropriate, from suspending the transfer of that data." - Concept of an adequate level of protection: need for adequate guarantees and a sufficient control mechanism. - US: "such mass, indiscriminate surveillance is inherently disproportionate and constitutes an unwarranted interference with the rights guaranteed by Articles 7 and 8 of the Charter." - Safe Harbour scheme does not contain appropriate guarantees for preventing mass and generalised access to the transferred data.
Schrems: Problems and Significance
KUNER - COME BACK TO THIS.
Wirtschaftsakademie: Joint Controllership
Mere fact of making use of Facebook does not make a Facebook user a joint controller - BUT the administrator of a fan page, by making the page, gives Facebook the opportunity to put cookies on that person's computer. This is why "Wirtschaftsakademie, must be regarded as taking part, by its definition of parameters depending in particular on its target audience and the objectives of managing and promoting its activities, in the determination of the purposes and means of processing the personal data of the visitors to its fan page." Administrator may, with the help of Facebook, "define the criteria in accordance with which the statistics are to be drawn up and even designate the categories of persons whose personal data is to be made use of by Facebook." Allocation of responsibilities: the "existence of joint responsibility does not necessarily imply equal responsibility of the various operators involved in the processing of personal data."
Breyer: AG Opinion
Opinion of AG Campos Sanchez-Bordona - Points out that a dynamic IP address is not in itself sufficient to allow a service provider to identify a user of its web page, but it can do so if it combines the dynamic IP address with other additional data held by the internet services provider. - Discusses the objective and subjective. Talks about the possibility that technical advances. Agrees (with German Federal Court) that dynamic IP address is personal data. - The combination would not be reasonably likely if it was prohibited by law or disproportionately difficult in terms of time, cost and manpower - the CJEU agreed with this line of argument. - Re the second question, points out that German TMG law allows storage of personal data only to extent necessary to facilitate and charge for specific use of telemedium - but Article 7(f) DPD is more generous. This would reduce the scope of the relevant legitimate interest. - Must interpret the German legislation in a manner consistent with Directive 95/46 - balanced on a case-by-case basis. 7(f) therefore precludes national legislation the interpretation of which prevents a service provider from collecting and processing a user's personal data without his consent.
Digital Rights Ireland: AG Opinion
Opinion of AG Cruz Villalon - Considers the role of proportionality: argues that it is "manifestly disproportionate" to the objective relating to the need to ensure the functioning of the internal market. - The period of retention which may be considered permissible in light of principle of proportionality cannot be determined without according some discretion to the legislature. BUT this does not mean that all proportionality review is precluded in that respect. - Talks about the differing levels of interference if data is kept for months as compared to years. - Necessity of interference in the dimension of present time seems sufficiently justified, but no justification for an interference extending to historical time.