Data Protection Insider, Issue 21

– Advocate General Opinion on Data Protection vs IPR –

On 2nd April, Advocate General (AG) Saugmandsgaard Øe delivered his Opinion in an intellectual properties rights dispute (Constantin Film Verleih GmbH v Google Inc and Youtube LLC). The dispute concerns two Google and Youtube users who uploaded two films of Constantin Film Verleih GmbH on Google and Youtube. Constatin Film Verleih GmbH requested that the two platforms disclose: the users’ email addresses; the users’ telephone numbers; the IP addresses from which the films were uploaded; the precise time of uploading; the IP addresses last used by the users to access their Google/Youtube accounts; and the time of this last access. Since Article 8(2)(a) of Directive 2004/48 on the enforcement of intellectual property rights provides only for the disclosure of the “names and addresses” of the users in intellectual properties rights disputes, the question thus arose as to whether the information requested by Constantin Film Verleih GmbH could fall under the concept of ‘names and addresses’. As the AG observed, because Directive 2004/48 does not make reference to national law as concerns the interpretation of the concept of ‘names and addresses’ this concept should be regarded as having an independent existence in EU law. Unfortunately, however, the concept is not defined in EU law. In this regard, the AG noted that a phone number is clearly neither a name, nor an address. He also argued that IP and email addresses should not be regarded as names or addresses – several factors, including the travaux preparatoires of Directive 2004/48 and its objectives, support the interpretation that these also do not qualify as an ‘addresses’. The AG further noted that the requested data are personal data in the meaning of the GDPR and that Directive 2004/48 seeks to ensure a balance between intellectual properties rights and data protection rights. Thus, reading email and IP addresses into the general concept of ‘addresses’ would mean that the CJEU, in effect, would strike a different balance. He further argued that shifting such a balance is a task for the legislature rather than the CJEU. Although it remains unclear whether the CJEU will follow the Opinion, the Opinion does seem to offer a logical interpretation of the law. Interestingly, the question still remains open whether Directive 2004/48 strikes a fair balance between the two competing fundamental rights – i.e. to privacy and data protection on one hand, and to intellectual property, on the other hand. Unfortunately, this question was not raised by the parties and the AG did not raise the question of his own volition, either.

 

 – ECtHR Rules on DNA Collection –

On 14th April, the ECtHR ruled on the case of Dragan Petrović v. Serbia. The facts of the case were as follows: the applicant was suspected of involvement in a murder. Based on this suspicion, the Serbian police obtained two orders from a judge: i) an order permitting the search of the applicant’s flat; ii) an order permitting the collection of a DNA sample. In relation to the search of the flat, the applicant argued their Article 8 privacy rights had been infringed as ‘the search warrant had been too vague and had lacked proper reasoning, while the search itself had been carried out and recorded in an arbitrary fashion’. In relation to the collection of DNA, the applicant argued their Article 8 privacy rights had been infringed as the relevant law was vague and therefore violated quality of law criteria. The Court found no issue with the search of the applicant’s flat. The Court did, however, find a violation in the collection of DNA. In particular, the Court found that the law in force at the time of the collection failed to provide safeguards later outlined in subsequent national legislation and that: ‘it would be reasonable to assume that by adopting the clearly more detailed provisions regarding the taking of DNA samples in [the later law], the respondent State has itself implicitly acknowledged the need for tighter regulation compared with the earlier legislation.’ Whilst the Court’s decision focused on the legal framework for the legitimate collection of DNA in criminal law, the case is still interesting from a data protection perspective for two reasons. First, national data protection law was highlighted as providing a national remedy in the case. This further highlights the relevance of data protection as a framework for the governance of the collection and use of DNA. Second, this case adds to the growing body of ECtHR jurisprudence dealing with the collection and use of DNA and the genetic data contained therein. Previous case law has dealt extensively with issues of data protection. The decision in this case will thus feed into a body of jurisprudence directly relevant for data protection.

 

– EDPB Twentieth Plenary Session –

On 7th of April, the EDPB held its 20th plenary session. The session was held despite the EDPB’s previous announcement that the April plenary would not take place. In the session, the EDPB focused on the assignment of concrete mandates to two key working subgroups dealing with data protection in relation to the COVID 19 outbreak. The mandates concerned:

  • ‘geolocation and other tracing tools in the context of the COVID-19 outbreak – a mandate was given to the technology expert subgroup for leading this work;
  • processing of health data for research purposes in the context of the COVID-19 outbreak – a mandate was given to the compliance, e-government and health expert subgroup for leading this work.’

 

Given the importance of the two topics dealt with, the EDPB made the decision to postpone planned work on teleworking tools and practices in relation to the COVID 19 outbreak. 

 – Conseil d’Etat: RTBF Applies to Europe Only –

The top French administrative court – the Conseil d’Etat – has ruled that the CNIL may not order a search engine to globally delist search results concerning an individual. The CNIL may only order such a delisting within the EU. In the ruling, the Conseil d’Etat overturned a fine of 100,000 EUR previously imposed by the CNIL on Google. The CNIL will now update its guidelines on delisting. The Conseil d’Etat judgment, in principle, follows the preliminary ruling of the CJEU on the question from 24 September 2019 – covered in issue 8 of Data Protection Insider. In this ruling, the CJEU concluded that a general delisting order imposed by an EU national supervisory authority need not apply to search results outside EU Member States. In this ruling, the CJEU also noted, however, that, in certain situations, national supervisory authorities and/or judicial authorities may order the delisting of results globally provided this represents a fair balance between the fundamental rights to data protection and freedom of expression. The Conseil d’Etat judgment added to this latter CJEU position, however, the requirement that the CNIL’s ability to order global delisting would also need to have been foreseen in national law. In this regard, as the Conseil d’Etat noted, it seems like the French legislator did not foresee the possibility for the CNIL to act outside the EU law and thus its power was restricted to requiring delisting within the EU. Thus, hypothetically, had French law given more powers to the CNIL and had, in casu, the right to data protection prevailed over the right to freedom of expression, the CNIL could have ordered the global delisting of the contested search results.

 

– Fines and Criminal Charges for Refusal to Allow Polish DPA Inspection –

During an investigation concerning a telemarketing company, the Polish DPA came across Vis Consulting Sp. z o.o. – a company to whom telemarketing activities had been outsourced. The DPA thus decided to engage in an investigation of the activities of Vis Consulting Sp. z o.o. In a first effort to investigate this company, the DPA found nobody at the address listed in the National Register. Although the DPA did subsequently try to conduct the investigation, the company twice made this impossible. The company was then liquidated before the investigation could take place. The DPA thus decided that the company was deliberately avoiding inspection by the DPA and was thus in violation of Articles 31, 58(1)(e) and 58(1)(f) GDPR. Considering the violation, the DPA decided to fine the company approximately 4,500 EUR (20,000 PLN). On top of the monetary fine, the DPA also notified the Public Prosecutor of the behaviour of the company, who then lodged an indictment against the company’s director before the courts – according to Polish law, such deliberate refusal to cooperate with a DPA investigation can carry criminal charges. The case is interesting from two perspectives. First, this is the first case – to our knowledge – in which a DPA has issued sanctions for failure to comply with the GDPR’s procedural provisions requiring cooperation with a DPA. Second, the case provides a rare functional example of the interplay between data protection law and criminal law.

 

– GDPR Consultation on International Transfers and Cooperation Between Supervisory Authorities –

The European Commission is working on a roadmap towards the implementation of the GDPR as concerns two topics: i) international transfers; and ii) the cooperation mechanism between national data protection authorities. In this regard, the Commission invites stakeholders to provide their feedback by 29th April 2020. This feedback will then be taken into account when further developing the initiative. Following the procedure, the Commission will summarise the received feedback in a report and will explain how the input will take into account – as well as why certain suggestions will not be taken up. Provided participation in the feedback process materializes at all, the consultation has the potential to highlight to the EU legislator the lived experience of citizens in relation to two key mechanisms of the GDPR. Having said this, it is very hard to predict, in advance, what level of participation will eventuate, and which sorts of participants will contribute to the process. In consequence, it is hard to predict which substantive issues will be highlighted as problematic and which substantive solutions to these issues will be proposed.

Über

DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.

Hinterlasse eine Antwort