-CJEU Rules on Personal Data Processing by Online News Platforms-
On 13th November, the CJEU handed down its verdict in the case of Inteligo Media SA v Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP). In terms of the facts, Inteligo is the publisher of an online news service. The company ‘introduced…a paid subscription system for part of the content provided to its readers. At the time of the facts in the main proceedings, the company allowed a maximum number of six articles per month to be viewed free of charge…. In order to access additional articles, the user concerned, initially, had to create a free account…which meant that that user accepted the contractual terms and conditions for the provision of the’ paid subscription service. ‘By registering for that service, that user obtained the right to access, free of charge, two additional articles per month, to receive, free of charge, via email, the daily newsletter, entitled ‘Personal Update’, containing an overview of the previous day’s legislative developments, with hyperlinks to the relevant articles available on that platform, and the right to access, on an optional basis and for a fee, all the articles of the publication and to receive, via email, the full version of that newsletter’. The Romanian DPA (ANSPDCP) then imposed a fine on Inteligo on ‘for infringement of Article 5(1)(a) and (b), Article 6(1)(a) and Article 7 of the GDPR’ arguing that the ‘company had not been able to prove that it had obtained express consent from 4 357 users to the processing of their personal data (email address, password, username) and that it had processed those data in a manner incompatible with the purpose for which they had initially been collected. Those data, initially collected for the purpose of performing the contract at issue, had been processed for the purpose of transmitting the ‘Personal Update’ newsletter’. This led to a series of proceedings before the national courts, and finally, a referral for a preliminary ruling to the CJEU. In this regard, the Court considered, in substance, the following two questions – more questions were referred but not considered:
- Do Articles 13(1) and (2) of Directive 2002/58 mean ‘the email address of a user is obtained by the publisher of an online publication ‘in the context of the sale of a product or a service’, within the meaning of Article 13(2)…where that user creates a free account on that publisher’s online platform giving him or her the right to access, free of charge, a certain number of articles of that publication, to receive, free of charge, via email, a daily newsletter…and that the transmission of such a newsletter constitute…a use of electronic mail ‘for the purposes of direct marketing’ for ‘similar products or services’ within the meaning of that provision’.
- Does Article 13(2) of Directive 2002/58, in light of Article 95 of the GDPR, mean ‘where the controller uses the email address of a user in order to send him or her an unsolicited communication, in accordance with Article 13(2)…the conditions for lawful processing laid down in Article 6(1) of that regulation are applicable’.
Considering these questions, the Court concluded:
- That Articles 13(1) and (2) of Directive 2002/58/EC mean ‘that the email address of a user is obtained by the publisher of an online publication ‘in the context of the sale of a product or a service’…where that user creates a free account on that publisher’s online platform giving him or her the right to access, free of charge, a certain number of articles of that publication, to receive, free of charge, via email, a daily newsletter…The transmission of such a newsletter constitutes a use of electronic mail ‘for the purposes of direct marketing’ for ‘similar products or services’ within the meaning of that provision’.
- Article 13(2) of Directive 2002/58, in light of Article 95 of the GDPR, means ‘that, where the controller uses the email address of a user in order to send him or her an unsolicited communication, in accordance with Article 13(2)…the conditions for lawful processing laid down in Article 6(1) of that regulation are not applicable’.
-CJEU Clarifies the LED Provisions on Processing of Biometric and Genetic Data-
On 20th November, the CJEU clarified the legality requirements for the collection and further processing of biometric and genetic data in accordance with the LED in JH v Policejní prezidium. As to the facts of the case, the applicant in the main proceedings, JH, was a Czech civil servant, against whom investigations into misconduct in public office were initiated and who was subsequently convicted. In the framework of the investigations, the police collected his fingerprint and facial image data, as well as DNA (cheek swab) against his will. The applicant challenged the data collection, storage and the identification procedure. The dispute escalated to the CJEU with three questions concerning the lawfulness of the biometric and genetic processing under the LED. As to the first question, the Court ruled that Articles 8 and 10 LED require that when biometric and genetic data are processed by law enforcement authorities (LEAs), such processing should be based on a generally applicable law, which sets out the minimum conditions for collecting, storing and erasing the said data, as interpreted by Member State case law, where this case law is sufficiently accessible and foreseeable. As to the second question, the Court held that Articles 6 and 4(1)(c) LED, read in conjunction with Article 10 LED, should be interpreted to mean that LEAs are not obliged to always make a distinction between suspected and accused persons (as required by Article 6 LED), where this distinction is not required for the purposes of the data processing. Thus, according to the Court, domestic laws may allow for the collection of biometric and genetic data of any of these persons, as long as the data processing complies with the requirements of Article 4 LED (especially on data minimisation) and 10 LED (on strict necessity of the processing of sensitive data). As to the third question, the Court ruled that Article 4(1)(e) LED does not require Member States to set out in law maximum retention periods for the storage of biometric and genetic data, so long as there are internal rules which require the LEAs to review and justify at set time limits the strict necessity for continuing to store the data.
Editorial note: At the time of writing the above summary, the judgment was not available in English. Thus, it is based on the French version of the judgment and the English summary by the Court.
-ECtHR Rules on Security Services’ Efforts to Recruit Political Figure-
On 13th November, the ECtHR ruled in the case of Manukyan v. Armenia. In terms of the facts, the case essentially concerns a political figure – the applicant – who was approached to collaborate with the security services. An offer which the applicant refused, following considerable pressure, including threats, from the representative of the security services. The applicant recorded the conversation with the representative of the security services in which they were approached, and, on the back of this, ‘submitted a crime report to the Prosecutor General along with the audio recording of his conversation’. The Prosecutor General, however, replied that ‘the actions attributed to the agent…did not contain prima facie elements of a criminal offence. Therefore, the applicant’s complaint did not constitute a crime report and was not subject to examination under the relevant Articles of the Code of Criminal Procedure’. Whilst the applicant challenged the decision before the national courts, following a lengthy series of appeals, it was not found necessary that the Prosecutor General recognise the existence, ex ante, of a crime, and investigate accordingly. In this regard, the applicant complained to the ECtHR, on the basis of Article 8, ‘of an unjustified interference with his private and family life and about the lack of an effective investigation into it’ – including the fact that information about him had been collected and that threats had been made. The Court ruled in favour of the applicant. In this regard, the Court initially recognised that the security services ‘collected and stored personal information about the applicant and that serious threats against him were made by its agent. Each of the two actions described…amounted to a State interference with the applicant’s private life within the meaning of Article 8’. In this regard, the Court considered that the interference in question was not acceptable in light of the ‘accordance with the law’ criterion. The Court highlighted that the government ‘did not demonstrate that domestic law authorised the NSS to collect information on an individual with the aim of attempting to coerce him into cooperation with the secret services. Furthermore, they failed to identify any concrete or even alleged national security concern’. Equally the Court highlighted that the lack of foreseeability and accessibility of classified orders concerning collaboration with the security services, as well as the fact that the coercive measure used by the security services were incompatible with the principle of the rule of law. The Court then went on to rule that the lack of subsequent investigation constituted a ‘failure of the respondent State to comply with its positive obligations under Article 8’. In this regard, the Court considered that ‘the prosecutor merely limited himself to a superficial and selective assessment of the audio recording of the conversation in question…In particular, he stated that the applicant’s crime report had not specified which threats had been made, despite the fact that this information had clearly been provided to him in the form of the audio recording. Moreover, he readily accepted’ the security services’ agent’s ‘assertion during the recorded conversation that cooperation was meant to be voluntary, while overlooking the obvious threats and coercive remarks, which were manifestly incompatible with the notion of voluntary cooperation. Despite the above-mentioned deficiencies, the prosecutor’s decision was upheld’.
-European Commission Presents Draft Digital Omnibus, Data Union Strategy and European Business Wallet-
On 19th November, the European Commission presented a wide range of legislative amendments, policy, and legislative proposals in the sphere of its digital policies. These are, more concretely:
- ‘Digital Omnibus’;
- ‘Data Union Strategy’; and
- ‘European Business Wallet’.
More specifically, according to the Commission, the Digital Omnibus contains ‘Innovation-friendly AI rules’, ‘Simplif(ied) cybersecurity reporting’, ‘innovation-friendly privacy framework’, ‘Modernis(ed) cookie rules to improve users’ experience online’, and ‘Improv(ed) access to data’. As to the Data Union Strategy, the Commission claims that it ‘outlines additional measures to unlock more high-quality data for AI by expanding access, such as data labs’ and ‘strengthens Europe’s data sovereignty through a strategic approach to international data policy: anti-leakage toolbox, measures to protect sensitive non-personal data and guidelines to assess fair treatment of EU data abroad’. Regarding the European Business Wallet, it is supposed to ‘provide European companies and public sector bodies with a unified digital tool, enabling them to digitalise operations and interactions that in many cases currently still need to be done in person’. We note, however, similarly to many civil and consumer organisations, that the proposed amendments, especially to the GDPR as resulting from the Digital Omnibus, effectively curtail the existing rights and protections enjoyed by data subjects and should not be seen as purely technical adjustments.