Data Protection Insider, Issue 111

Data Protection Insider, Issue 111 - DPI

– CJEU rules on Access to Internet Data in relation to Copyright 

On 30th April, the CJEU ruled in the case of La Quadrature du Net and Others. The case essentially concerned French legislation which the applicants alleged ‘permit access to’ internet ‘connection data in a disproportionate manner for non-serious copyright offences committed on the internet, without prior review by a judge or an authority offering guarantees of independence and impartiality’. In this regard, three questions were referred to the Court, which the Court bundled together and considered in terms of one overarching question: ‘Does Article 15(1) of Directive 2002/58, in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter, preclude ‘national legislation which authorises the public authority responsible for the protection of copyright and related rights against infringements of those rights committed on the internet to access data, retained by providers of publicly available electronic communications services, relating to the civil identity associated with IP addresses previously collected by rightholder organisations, so that that public authority can identify the holders of those addresses…and may, where appropriate, take measures against them, without that access being subject to the requirement of a prior review by a court or an independent administrative body’?


In this regard, the Court decided that:


  • Article 15(1) does not preclude such national legislation…provided that, under that legislation:’
    • ‘those data are retained in conditions and in accordance with technical arrangements which ensure that the possibility that that retention might allow precise conclusions to be drawn about the private life of those IP address holders…is ruled out’;
    • ‘that public authority’s access to such data…serves exclusively to identify the person suspected of having committed a criminal offence and is subject to the necessary safeguards to ensure that that access cannot, except in atypical situations, allow precise conclusions to be drawn about the private life of the IP address holders’;
    • ‘the possibility, for the persons responsible for examining the facts…, of linking such data with files containing information that reveals the title of protected works…in cases where the same person again repeats an activity infringing copyright or related rights, to review by a court or an independent administrative body, which cannot be entirely automated and must take place before any such linking’;
    • ‘the data processing system used by the public authority is subject at regular intervals to a review, by an independent body acting as a third party in relation to that public authority’.

This is a fascinating case, touching on multiple significant issues both within and beyond data protection law. We would suggest all interested in data protection case law – and in particular those interested in the ongoing case law concerning access under the e-Privacy Directive – to read the full text.


– CJEU Rules on Access to Telecommunications Data relating to Criminal Offenses 

On 30th April, the CJEU ruled in the case of Procura della Repubblica presso il Tribunale di Bolzano. In terms of the facts, the case essentially concerned acts of mobile phone theft. In relation to these acts, ‘the Public Prosecutor’s Office requested’ on the basis of national law, from ‘the referring court, authorisation to obtain from all the telephone companies the telephone records of the stolen telephones’. This included ‘all the data in’ in the possession of these companies, ‘with tracking and localisation methods (in particular, users and possible…International Mobile Equipment Identity (IMEI)…codes called/callers, sites visited/reached, times and durations of calls/connections and details of the cells and/or towers concerned, users and IMEI codes of senders/receivers of SMS and MMS and, where possible, details of the holders concerned) of incoming and outgoing telephone conversations/communications and connections made, including under roaming and including those not billed (unanswered calls) from the date of the theft to the date the request’ was made. In this regard, the following question was referred to the Court: ‘Does Article 15(1) of Directive 2002/58 preclude national law which provides that ‘Within the retention period laid down by law, if there is sufficient evidence of the commission of an offence for which the law prescribes the penalty of life imprisonment or a maximum term of imprisonment of at least three years…or of an offence of threatening and harassing or disturbing persons by means of the telephone, where the threat, harassment or disturbance is serious, the data may, if relevant to establishing the facts, be acquired with the prior authorisation of the court, by way of reasoned order, at the request of the Public Prosecutor’s Office or upon an application by the legal representative of the accused, of the person under investigation, of the injured party or of any other private party’? In this regard, the Court decided that: Article 15(1) does not preclude ‘a national provision which requires a national court, acting in the context of a prior review carried out following a reasoned request for access to a set of traffic or location data…submitted by a competent national authority in the context of a criminal investigation, to authorise such access if it is requested for the purposes of investigating criminal offences punishable under national law by a maximum term of imprisonment of at least three years, provided that there is sufficient evidence of the commission of such offences and that those data are relevant to establishing the facts, on condition, however, that that court is entitled to refuse such access if it is requested in the context of an investigation into an offence which is manifestly not a serious offence, in the light of the societal conditions prevailing in the Member State concerned’.


– AG Rantos Suggests Limits on the Data Processed for Targeted Advertising –

On 25th April, AG Rantos advised the CJEU to rule that the controller should limit in time and scope the personal data processed for the purposes of personal advertising in the case of Maximilian Schrems v Meta Platforms Ireland Limited, formerly Facebook Ireland Limited. As to the facts of the case, Schrems complained first that Facebook processed his personal data for the purposes of targeted advertising contrary to the principle of data minimisation. He referred especially to two types of data: (1) the personal data which he provided to Meta, as required by the contractual terms and conditions for using Facebook, and (2) data inferred by Facebook, e.g. events he liked. He also complained that Facebook processed the public statement Schrems made about his homosexuality contrary to the purpose limitation principle and the legality requirements on processing sensitive data. As to the first complaint, AG Rantos invited the Court to rule that the principle of data minimisation ‘must be interpreted as precluding the processing of personal data for the purposes of targeted advertising without restriction as to time or type of data and that it is for the referring court to assess, in the light of the circumstances of the case and by applying the principle of proportionality, the extent to which the data retention period and the amount of data processed are justified having regard to the legitimate aim of processing those data for the purposes of personalised advertising.’ As to the second complaint, AG Rantos suggested that the principle of purpose limitation as anchored in the GDPR as read ‘in conjunction with Article 9(2)(e) thereof, must be interpreted as meaning that a statement made by a person about his or her own sexual orientation for the purposes of a panel discussion open to the public, while capable of constituting an act by which the data subject has ‘manifestly made public’ those data for the purposes of Article 9(2)(e) of that regulation, does not in itself permit the processing of those or other data concerning the sexual orientation of that person with a view to aggregating and analysing the data for the purposes of personalised advertising.’


– AG Szpunar Argues for a Limited Scope of Health Data –

On 25th April, AG Szpunar advised the Court to rule that personal data processed for the purposes of selling online pharmacy-only but not prescription medicine do not constitute data related to health within the meaning of the GDPR in ND v DR. As to the facts of the case, the plaintiff and defendant are pharmacists. ND also sells pharmacy-only products online. DR claimed that this constitutes a breach of the unfair competition rules in Germany, based on the processing of data concerning health. Thus, the question arose whether the processing of data online for the purposes of selling pharmacy-only products constitutes a processing of health data under the GDPR (Article 4(15) GDPR). The AG concluded that ‘the data of the customers of a pharmacist which are transmitted when an order is placed on an online sales platform for pharmacy-only but non-prescription medicines do not constitute ‘data concerning health’ within the meaning of Article 4(15) and Article 9 of the GDPR, in so far as only hypothetical or imprecise conclusions as to the health status of the person placing the online order may be drawn, which it is for the referring court to verify.’ Another question raised by the referring Court was whether Chapter VIII GDPR precludes national rules which allow legal entities, e.g. competitors as in the main proceedings, to rely on the remedies in Chapter VIII GDPR. AG Szpunar recalled that the beneficiaries of the protection of the GDPR are the data subjects. However, he also argued that ‘an action for an injunction brought by an undertaking against a competitor in reliance on the infringement by that competitor of the provisions of the GDPR may exist alongside the remedies established in Chapter VIII of the GDPR in so far as those provisions are not thereby adversely affected and the objectives and effectiveness of that regulation are not undermined.’


DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.

Hinterlasse eine Antwort