Data Protection Insider, Issue 15

– ECtHR Rules on Online Hate Speech about Sexual Orientation –

On 14th January 2020, the ECtHR ruled on the case of Beizaras and Levickas v. Lithuania. The facts of the case were as follows: Pictures of two young men, in a relationship, kissing, were posted on facebook. These pictures were met with numerous hateful comments, certain of which included explicit threats of violence – some directed at the men personally, others directed at LGBT people generally. The relevant national authorities refused to initiate criminal procedures against those who had published the comments on the basis that the couple had been behaving provocatively and that the comments – whilst unethical – had not reached the relevant level of seriousness to mandate criminal prosecution. In its decision, the ECtHR found that the national authorities had, in refusing to initiate criminal proceedings behaved in a discriminatory way on the basis of the applicants’ sexual orientation and, as a result, had failed to provide them with effective protection. Whilst the case ostensibly deals with issues of online hate speech, the case is nevertheless of interest for data protection discussions. This is true for two reasons in particular. First, the past year has clearly demonstrated that no issue connected to the circulation and impact of personal data on social medial platforms can be effectively disconnected from data protection discussions. Second, in the case, the ECtHR takes – in some cases reiterates – clear positions on the scope and substance of the Article 8 right to respect for private and family life in relation to sexual orientation. The Court states, for example: ‘Such elements as a person’s sexual orientation and sexual life fall within the personal sphere protected by Article 8’ and that ‘[even one-off, unstructured, hate-comments on a social media page could affect] psychological well-being and dignity [and thus fall] within the sphere of…private life’. Such basic assertions will be important in informing increasingly prevalent discussions as to how sensitive personal data concerning sexual orientation should be protected.



– ECtHR on Publishing Personal Data on Adoption –

In the case of X. and Others v Russia, decided on 14th January 2020, the ECtHR dealt with an Article 8 complaints concerning the publication of judicial decisions concerning the adoption of children by families in Russia. According to the complaints, with publication, the judiciary had breached the principle of the secrecy of adoptions in Russia and had thus violated the applicants’ Article 8 right to family life. The ECtHR decided that the publication had no basis in national law as Russian law clearly provided that judicial decisions concerning adoption should not be published on the Internet. In turn, the ECtHR found that the legal system in Russia did not allow effective remedies against such judicial actions, as required by Article 13 ECHR. As a result of its reasoning, the Court did not go on to assess the necessity and proportionality of the measure pursuant to Article 8 ECHR – necessity and proportionality seldom being considered following a finding of no legal basis. In this regard, the case represents a procedurally and substantially straightforward decision and the outcome is in no way surprising. Considering the case counter-factually, however, raises an interesting question: should the law have allowed the publication of such decisions in certain cases, under what circumstances would this law reflect a legitimate aim and a proportionate interference with Article 8?



– AG Opinion on Data Retention: Key Aspects –

On 15th January 2020 Advocate General Campos Sánchez-Bordona delivered his Opinion in four preliminary ruling cases from Belgium, France and the UK on the retention of telecommunication data for the purposes of fighting serious crime and terrorism. In the first instance, the Opinion dealt with the applicability of Directive 2002/58 – the e-Privacy Directive – to serious crimes such as terrorism, which fall, strictly speaking, outside the scope of EU law. Pursuant to the Opinion, the exclusion of such crimes from the scope of EU law does not preclude the applicability of Directive 2002/58 because national security activities require the cooperation of private actors who have to comply with Directive 2002/58 and its data protection provisions – e.g. ensuring the confidentiality of end-users’ communication. Accordingly, the Opinion suggests that any restriction to end-users’ rights should be interpreted strictly, and be compatible with EU law, including the CFREU. In turn, the Opinion dealt with the general legitimacy of data retention legislation under EU law. In this regard, the AG came to two general conclusions. First – in line with previous CJEU case-law in Tele2 and Watson – the AG argued that untargeted and unlimited retention of all subscribers’ data would be disproportionate, unless an extraordinary risk justifies general retention. Second the AG argued that – also in line with Tele2 and Watson – even in instances in which data retention is, in principle, legitimate, safeguards must nevertheless be put in place to protect individuals’ rights. The AG suggests such safeguards should include: independent review; and measures to prevent misuse of the data; and notification of data subjects after surveillance has taken place. This final safeguard raises a significant practical issue which has recently been the subject of much discussion: how can law enforcement and national security authorities effectively notify data subjects – potentially vast numbers of data subjects – they have been the subject of surveillance? On the back of these conclusions, the AG argued that the three national laws in question were incompatible with EU law. Should the Court follow the Opinion in its final judgment, it will remain true to its existing case law on data retention. It will be interesting to analyse the present Opinion in light of the forthcoming Opinion of AG Pitruzzella – due in the week of the 20th January – concerning a preliminary review of an Estonian case on a related topic (to be covered in the next issue).



– EDPS Preliminary Opinion on Scientific Research –

The EDPS has released a preliminary version of an Opinion on data protection and scientific research. The opinion is now open for comment. The preliminary Opinion contains much to be applauded. Three aspects of the Opinion might be highlighted as particularly praiseworthy. First, there has long been a need for holistic official guidance as to how data protection rules should be applied to scientific research. The Opinion begins to full this gap. Second, the Opinion highlights the significant issues concerning the relationship between scientific research and online platforms, including: the lack of clarity as to the ethical legitimacy of certain types of research currently conducted with platform users’ personal data by platforms and affiliated researchers; and the need for researcher access to users’ personal data to research issues of significant current public interest – for example the spread of disinformation. Finally, the Opinion takes a brave, and necessary, stance on a matter of significant concern in the GDPR: Recital 50. Specifically, the Opinion suggests that, despite the wording of Recital 50, secondary uses of personal data may still require a legitimate ground under Article 6 or Article 9. There are, however, several aspects of the Opinion which would still benefit from further clarification. For example, the Opinion offers the position that: whilst consent may be ethically required, or even legally required in another applicable instrument, to legitimate research, consent may yet not be the relevant legal ground to legitimate research under data protection law. This is a hard position to understand and, in order to be fully justified, would require more clarification than is currently available.



– The EU Issues Guidance on Providing Information in the Context of Eurodac –

The European Union Agency for Fundamental Rights (FRA) and the Eurodac Supervision Coordination Group (SCG) have issued guidelines concerning the information obligations of Member State asylum and migration authorities in relation to the Eurodac system. The guidelines concern the collection of asylum seekers’ fingerprints in Eurodac and how the authorities should comply with their information obligations according to the GDPR, Eurodac Regulation, and CFREU. The guidelines mainly seek to outline what the authorities need to communicate to asylum seekers when taking their fingerprints and how to provide this information – i.e. the need to provide information in a clear and transparent manner and in a language the asylum seeker speaks etc. The issuance of the guidelines could be interpreted as a signal that authorities have thusfar not been sufficiently diligent in discharging their informational obligations – although these are easily identified in the GDPR and the Eurodac Regulation. The issuance of the guidelines could also, however, be interpreted as a signal that the fulfilment of these obligations is, in practice, much more difficult than it would appear looking at the legal texts. Put differently: is it that the lack of effective communication signals a lack of awareness or willingness on the side of data controllers to comply with the relevant obligations? Or is it that data processing and the exercise of data protection rights are so complex that controllers have a hard time understanding how to communicate relevant and adequate information to data subjects? 



– Further Developments in Data Protection-AdTech Discussions –

The past two weeks have brought further significant developments in the current data protection-AdTech discussions. Two developments stand out. First, the Norwegian Consumer Council have filed complaints, with the Norwegian Data Protection Authority, against Grindr and several other companies. The complaints concern the companies’ collection and use of personal data in AdTech. The complaints come on the back of an extensive report by the Council into current AdTech practices and their relationship with European data protection law. The report is valuable in offering a rare insight into the nature, mechanics and extent of AdTech activities in Europe. In this regard, the Council observe: ‘practices are out of control and in breach of European data protection legislation. The extent of tracking makes it impossible for us to make informed choices about how our personal data is collected, shared and used’. Second, the ICO released information as to the progression of its investigation into AdTech practices. On the one hand, the ICO highlight the good work of several key industry entities – for example the IAB UK and Google – to meet the requirements of data protection law. On the other hand, however, the ICO suggest that other organisations are much more intransigent and ‘appear to have their heads firmly in the sand.’ Ominously in this regard, the ICO further suggest: ‘It is now clear to us that engagement alone will not address all these issues.’



DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.

Hinterlasse eine Antwort