Case-law (CJEU, ECHR, national courts)

CJEU
The CJEU decided in Case C-434/16 Nowak that the written answers to a test, as well as the examiner’s comments on those answers, are personal data of the person who takes the test. However, the questions of the test are not personal data (this may result in a situation where a person receives a copy of an exam script with the questions of the test blacked out). At the same time, the examiner’s comments are also the personal data of the examiner. Interestingly, the Court already referred to the GDPR in its analysis, even if the Regulation is not yet applicable.
The CJEU decided last week that the first challengers of the Privacy Shield (Digital Rights Ireland) do not have legal standing and declared their action inadmissible (see here my analysis from a year ago as to why I was expecting this to happen).
CJEU’s Advocate General Bobek published his Conclusions in Case C-498/16 Schrems v Facebook. The case concerns the possibility of the applicant to bring a consumer protection class action against Facebook in Austrian Courts. Regarding the legal standing of Schrems, the Advocate General considers that “the carrying out of activities such as publishing, lecturing, operating websites, or fundraising for the enforcement of claims does not entail the loss of consumer status for claims concerning one’s own Facebook account used for private purposes.” With regard to the second question, of whether a class action can be initiated under current law, the AG found that the current European legislation does not allow for such cross-border actions. The Court is not bound by the Conclusions of the AG, but in a majority of cases it does follow them.
Advocate General Bot published his Opinion in Case C-210/16 Schleswig-Holstein, concluding

• That the administrator of a Facebook page is a controller for the processing activity consisting of collection of traffic data on the page for viewing statistics by the social network;
• That Facebook’s presence in Germany, dealing with advertising, is sufficient to establish the applicability of German data protection law under Article 4(1)(a) of Directive 95/46, even if the company itself is located in another Member State;
• That the relevant German supervisory authority is competent to exercise its powers;
• And that the German supervisory authority may exercise its powers without calling first on the supervisory authority in the Member State in which the controller is located.

The CJEU published on its website the questions for a preliminary ruling for the new right to be forgotten case, Google v CNIL. This Court will provide guidance on whether de-listing orders from DPAs must be applied to all domain names globally, or just to national domain names (.fr in this case). The number of the case is C-507/17.
The Court of Justice of the EU (CJEU) issued a judgment last week in Case C-73/16 Puskar which concerns the challenge of Mr Puskar brought against tax authorities in Slovakia after he found out due to a leak that the authorities included his name on a blacklist of potential fraudsters, without him knowing about it. He challenged the legality of the list and asked whether the tax authorities could compile this list without his consent. He also asked whether the judicial system of Slovakia which required him to exhaust all administrative channels of complaints in the area of data protection before going to Court was in compliance with the effective right to judicial remedies provided in the Charter of Fundamental Rights. The CJEU decided that tax authorities could lawfully compile such a list in the absence of consent on another one of the grounds provided for lawful processing in the Data Protection Directive, mainly “performance of a task in the public interest”, as long as the law provides for such a task. The Court also found that the requirement to exhaust all administrative channels before going to Court does not in principle infringe the right to a judicial remedy. Here is an analysis and a summary of the Opinion of the Advocate General in this case – note that the Court largely followed the advice of the AG.

The Court of Justice of the EU gave its Opinion in Case A-1/15 EU-Canada PNR, concluding that the draft agreement between Canada and the EU on transfers of Passenger Name Records data does not comply with fundamental rights enshrined in the EU Charter. The European Parliament asked for the Court’s Opinion on the compatibility of the Agreement with the EU Charter before voting on it, exercising thus a prerogative it has under the EU treaties. The Opinion of the Court likely has implications not only for the other PNR agreements between the EU and third countries (US, Australia, the future agreement with Mexico), but also for other international data transfer mechanisms (such as the Privacy Shield) and for EU’s own internal PNR data exchange legislation. Read an excellent summary and commentary of the Court’s Opinion by Prof. Christopher Kuner here.

The CJEU hosted a public hearing in a new Max Schrems v Facebook case. The main issue for the Court to decide is whether Schrems is a “consumer” and whether he has the right to initiate a class action against the company. You have a summary of the hearing here.
A new right to be forgotten case involving Google and CNIL (in FR) was referred to the CJEU by the Conseil d’Etat (French highest administrative Court). This time, the main issue is the territorial application of delisting orders (should they apply in the country issuing the order, across the EU, or everywhere?). The CNIL ordered Google in 2015 to delist search results concerning a person from all google search websites, not only from google.fr. The company appealed the order in Court. CJEU is now called to clarify the territorial scope of delisting orders.

AG Kokott published her Conclusions in Nowak, considering that both an exam script and the examiners’ corrections are personal data of the individual being evaluated. The Opinion has some very interesting nuances and brings several dimensions to the data protection debate that have been rarely considered by Courts – the self-standing importance of the right of access to one’s own data (beyond needing it to obtain something else), the relevance of passage of time for the effectiveness of data protection rights and the complexity of one data item being personal data of two different individuals (and the competing interests of those two individuals). Read my summary of this Opinion here. 

The new right to be forgotten case was officially published, together with the questions from the French Court that the CJEU will answer, under the name C-136/17 GC et al v CNIL (the link shows all the interesting questions). 

CJEU issued its judgment in Case C-13/16 Rigas on the interpretation of the ‘legitimate interest’ lawful ground for processing in Directive 95/46, setting out a test based on three criteria to decide whether a processing operation can rely on this ground. The Court reached a surprising conclusion, stating that while there is legitimate interest to process (disclose) data in the case at hand, the controller (a public authority) would also need a legal obligation to lawfully disclose the data. In order to better understand how the Court reached this conclusion, the judgment needs to be read together with the Opinion of Advocate General Bobek.

CJEU was called by a German Court to decide who is the controller of personal data processed through a Facebook “like” button on a webpage, in Case C-40/17 Fashion ID GmbH, as well as to decide whether German public-service associations have the right to start class actions on behalf of data subjects. Here are the questions sent by the German Court.

ECHR
The European Court of Human Rights decided that camera surveillance of lecture halls in Montenegro violated professors’ right to respect for private life (link directly downloads .pdf).
The European Court of Human Rights held the public hearing (link to full video of the hearing) in an important case against the UK and its surveillance practices (the Big Brother Watch case). The case challenges the bulk interception of internet traffic transiting through undersea fiber optic cables landing in the UK, as well as its access to communications and data intercepted by the intelligence services of other countries.
The European Court of Human Rights decided that Turkey was in violation of Article 8 of the European Convention on Human Rights (the right to respect for private life) in a case brought by a Turkish citizen against a Court order that allowed mass surveillance of the entire Turkish population for a limited period of time – approximately one month. ECHR found that the Turkish citizen was a victim, and therefore had standing, even if the order didn’t refer to him, but to “anyone” in Turkey. The Court further found that the interference with the right to private life was not provided for by law, which already amounted to a violation of Article 8, and did not go further into analysing the necessity in a democratic society criterion.
The European Court of Human Rights published an updated factsheet with summaries of all its case-law on data protection up to July 2017.

The Grand Chamber of the European Court of Human Rights (ECHR) in Strasbourg gave its judgment in the Satamedia case, with new insight in balancing privacy and freedom of expression. The case concerns an order of the Finnish Data Protection Authority to stop the publication via sms and a dedicated newspaper of tax information of Finnish citizens by a private organisation. The organisation claimed the order breached the right to freedom of expression. After an incredibly long judicial saga, which saw the case going from national courts to the the Court of Justice of the EU, back to national courts and then referred to the ECHR which gave a first judgment that was appealed, the answer is now final: there was no breach of freedom of expression. 

The European Court of Human Rights ruled against Spain over police seizure of computer files without judicial authorisation. The fact that the files contained child pornography did not justify acting without a judicial authorisation. Read a summary HERE. 

The European Court of Human Rights in Strasbourg published a Factsheet with recent case-law on new technologies. (The ECtHR has a rich history of hearing privacy cases, under Article 8 of the European Convention of Human Rights. Unlike the CJEU, the ECtHR also has jurisdiction over national security practices of Member States of the Council of Europe – see for instance Zakharov v Russia, p. 15 in the Factsheet).

National courts
A German Court ruled that Germany’s foreign intelligence agency (BND) must not store the metadata – such as phone numbers – of international phone calls for the purpose of intelligence analysis, in a case filed by Reporters Without Borders.
The Microsoft case that SCOTUS will hear gets quite crowded (Microsoft is fighting a US warrant to access its servers from Dublin). The Irish Government also intends to submit an amicus brief, adding to the European Commission’s efforts to explain EU data protection rules (more about Commission’s brief, here).
The European Commission decided to intervene before the US Supreme Court in the Microsoft case concerning access by US law enforcement to data stored in the EU: “… the Commission considered it to be in the interest of the EU to make sure that EU data protection rules on international transfers are correctly understood and taken into account by the US Supreme Court. The amicus brief will not be in support of either one of the parties”, a according to a press release (scroll down the page).
The High Court in the UK handed down its first judgement in a class action regarding a data breach, finding the company liable under common law (and specifically engaging “vicarious liability”). “The issue for the court was whether the defendant data controller, Morrisons, was in principle either directly or vicariously liable for the actions of a rogue employee who had, as an act of malice directed at his employer, taken payroll data relating to some 100,000 employees and published it online. The court concluded that, despite itself having been entirely innocent of the misuse, Morrisons was in principle liable to compensate all the claimants in the group, some 5,500 individuals, on the basis of the application of common law (no fault) vicarious liability principles”, according to a summary from panopticonblog.com.  See the whole judgment here.
The Court of Appeals in Berlin upheld a lower Court decision from 2013 finding that Facebook is not allowed to release the personal data of its users living in Germany to third party providers in the Facebook App Centre without first obtaining users’ valid consent. The Court found that users were not adequately informed on the extent and purpose of data transfers when they downloaded certain games using the App Centre. The Court of Appeals decision can be challenged before the Federal Supreme Court.
The Brussels Regional Court heard last week pleadings in proceedings between the Belgian Data Protection Authority and Facebook in a case that centers on tracking users and non-users across websites and devices. The case was initiated in 2015 and had already gone through several procedural levels (one won by the Belgian DPA, the other won by Facebook). The case is now back at the Tribunal of First Instance of Brussels. Here is an overview of the hearing published by Bloomberg, the summary of arguments brought by the Belgian DPA (FR) and the detailed, technical report from 2015 (EN), that stood at the basis of the initial decision of the Belgian DPA.
The Irish High Court published yesterday its decision in the case that challenged transfers of personal data from the EU to the US by Facebook through Standard Contractual Clauses: the Irish Court decided to refer the case to the Court of Justice of the EU, after holding a five week hearing of US law experts earlier this year to clarify aspects related to surveillance laws and privacy protections. No wonder it took long for the Court to come up with this conclusion – the decision has 153 pages (here’s the Executive Summary). The main issue in the Court’s judgment seems to be that of the effective remedies available to EU persons to challenge how their personal data is used once they are transferred in the US (the EU Charter of Fundamental Rights provides for a right to effective judicial remedy under Article 47).

• Main takeaways:

• • The Court believes that the European Commission’s Decision adopting the Standard Contractual Clauses may be invalid, and as it has no jurisdiction to decide on validity of EU acts, it decided to send the case to the CJEU.
  • The reason for the possible invalidity of the SCC decision is that the Court found there are “well-founded concerns” that “there is an absence of an effective remedy in US law” compatible with requirements in the EU Charter of Fundamental Rights, afforded to EU persons whose data are transferred to the US and accessed there for national security purposes.
  • The Court mentioned that the introduction of an Ombusdperson by the EU-US Privacy Shield framework “does not eliminate those well-founded concerns”. As a reminder, the Ombudsperson created under the Privacy Shield can also review complaints under contract clauses, BCRs and data transferred via other methods.
  • Next steps:
  • In the following weeks the Court will decide the wording of the questions to be sent to the CJEU (by October 11).
  • The CJEU takes from 1 to 2 years before issuing a judgment.
  • In terms of procedure, the CJEU is bound by the fact-finding the Irish Court detailed in its decision.
  • What’s at stake:
  • The CJEU will decide on the validity of the Commission’s Decision adopting the SCCs. If the Decision will be considered invalid, it will not be possible to rely on SCCs for transfers until the Commission adopts a new Decision. The judgment of the Court will not have a direct impact on other transfer mechanisms.

The GDPR is several months away from being enforceable, but it already creates case-law: a German Court decided that Data Protection Authorities may not base administrative orders before May 25th 2018 directly on GDPR provisions. One of the German DPAs partly invoked GDPR provisions in an order from November 2016. An Administrative Court decided in July that this is not lawful. For an analysis on why DPAs will probably be able to directly invoke GDPR provisions after May 25th 2018, without waiting for national laws, read my blog post “A million dollar question, literally: Can DPAs fine a controller directly on the basis of the GDPR, or do they need to wait for national laws?”

A Belgian Court overturned the decision of the Police to block the access of three festival goers to Tomorrowland after having screened against several databases all 400.000 persons who bought tickets. While the Court admitted there is a legitimate justification to conduct such a massive screening, considering the high terrorism alert in Belgium (currently at 3, on a scale of 1 to 4), it also underlined that the measure was not transparent and was not proportionate, likely breaching the right to privacy of those screened. The decision is only an injunction under an emergency procedure. The Court will hear the case on substance in October. The Belgian DPA is an intervening party in this case. 

A German Court issued an injunction against Google preventing it from linking to the Lumen database in the context of a claim to remove a link to a defamatory story. While this request was granted on other grounds than data protection law because it concerns a legal person (a company), it is a strong sign that if a natural person were to make a similar request under the right to erasure clause in data protection law the result would be the same. 

“German court upholds WhatsApp Facebook data transfer ban”. But the court overturned the privacy regulator’s order that the companies delete data they had already transferred, on procedural grounds. This is a decision of Hamburg’s Administrative Court, in a case where Facebook challenged an order issued by the Hamburg DPA last September. You can read more about the original ban in this detailed account. The decision of the Court is not final and it will likely be challenged by Facebook, according to media reports. For those of you reading German, here is the press release and here – the text of the decision.