– CJEU Rules on DPA Competence in Facebook Ireland –
On 15th June 2021, the CJEU ruled in the case of Facebook Ireland Ltd, Facebook Inc., Facebook Belgium BVBA v Gegevensbeschermingsautoriteit. In terms of the facts: in 2015, the Belgian DPA brought a case before the Belgian Courts in order to gain an injunction concerning some of Facebook’s data processing practices. In 2018, the Belgian Courts granted the injunction. Later in 2018, however, Facebook brought an appeal against the judgment before a higher Belgian Court – the Court of Appeal in Brussels. The latter Court was uncertain as to several questions concerning the application of EU data protection law to the case – concerning, in particular, DPA powers and cross-border co-operation. The Court thus decided to stay proceedings to refer six questions to the CJEU:
- First: ‘Should Article 55(1), Articles 56 to 58 and Articles 60 to 66 of [Regulation 2016/679], read together with Articles 7, 8 and 47 of the [Charter], be interpreted as meaning that a supervisory authority which, pursuant to national law adopted in implementation of Article 58(5)…has the competence to initiate or engage in legal proceedings before a court in its Member State against infringements of that regulation cannot exercise that competence in connection with cross-border data processing if it is not the lead supervisory authority for that cross-border data processing?’ In response to this question, the CJEU decided that: ‘[The relevant provisions should] be interpreted as meaning that a supervisory authority of a Member State which, under the [relevant transposing] national legislation…has the power to bring any alleged infringement of that regulation to the attention of a court of that Member State and, where necessary, to initiate or engage in legal proceedings, may exercise that power in relation to an instance of cross‑border data processing even though it is not the ‘lead supervisory authority’, within the meaning of Article 56(1) of that regulation…provided that that power is exercised in one of the situations where that regulation confers on that supervisory authority a competence to adopt a decision finding that such processing is in breach of the rules contained in that regulation, and that the cooperation and consistency procedures laid down by that regulation are respected.’
- Second: ‘Does the answer to the first question referred differ if the controller of that cross-border data processing does not have its main establishment in that Member State but does have another establishment there?’ In response to this question, the CJEU concluded: ‘Article 58(5) of Regulation 2016/679 must be interpreted as meaning that, in the event of cross‑border data processing, it is not a prerequisite for the exercise of the power of a supervisory authority of a Member State, other than the lead supervisory authority, to initiate or engage in legal proceedings…that the controller…has a main establishment or another establishment on the territory of that Member State.’
- Third: ‘Does the answer to the first question referred differ if the national supervisory authority initiates the legal proceedings against the main establishment of the controller in respect of the cross‑border data processing rather than against the establishment in its own Member State?’ In response to this question, the CJEU observed that: ‘Article 58(5) of Regulation 2016/679 must be interpreted as meaning that the power of a supervisory authority of a Member State, other than the lead supervisory authority, to bring any alleged infringement…to the attention of a court of that Member State and, where appropriate, to initiate or engage in legal proceedings…may be exercised both with respect to the main establishment of the controller which is located in that authority’s own Member State and with respect to another establishment of that controller, provided that the object of the legal proceedings is a processing of data carried out in the context of the activities of that establishment and that that authority is competent to exercise that power.’
- Fourth: ‘Does the answer to the first question referred differ if the national supervisory authority had already initiated the legal proceedings before the date on which [Regulation 2016/679] entered into force (25 May 2018)?’ In response to this question, the CJEU offered the opinion that: ‘Article 58(5) of Regulation 2016/679 must be interpreted as meaning that, where a supervisory authority of a Member State which is not the ‘lead supervisory authority’…has brought a [relevant] legal action…before…the date when that regulation became applicable, that action may, from the perspective of EU law, be continued on the basis of the provisions of Directive 95/46… That action may, in addition, be brought by that authority with respect to infringements committed after that date, on the basis of Article 58(5) of Regulation 2016/679, provided that that action is brought in one of the situations where, exceptionally, that regulation confers on a supervisory authority of a Member State which is not the ‘lead supervisory authority’ a competence to adopt a decision finding that the processing of data in question is in breach of the rules contained in that regulation with respect to protection of the rights of natural persons as regard the processing of personal data, and that the cooperation and consistency procedures laid down by that regulation are respected.’
- Fifth: ‘If the first question referred is answered in the affirmative, does Article 58(5) of [Regulation 2016/679] have direct effect, meaning that a national supervisory authority can rely on that provision to initiate or continue legal proceedings against private parties even if Article 58(5) of [Regulation 2016/679] has not been specifically transposed into the legislation of the Member States, notwithstanding the requirement to do so?’ In response to this question, the CJEU decided that: ‘Article 58(5) of Regulation 2016/679 must be interpreted as meaning that that provision has direct effect, with the result that a national supervisory authority may rely on that provision in order to bring or continue a legal action against private parties, even where that provision has not been specifically implemented in the legislation of the Member State concerned.’
- Sixth: ‘If questions (1) to (5) are answered in the affirmative, could the outcome of such proceedings prevent the lead supervisory authority from making a contrary finding when the lead supervisory authority investigates the same or similar cross-border processing activities in accordance with the mechanism laid down in Articles 56 and 60 of [Regulation 2016/679]?’ The CJEU considered this final question to be inadmissible.
– Data on Road Traffic Offences Enjoys the Protection of the GDPR –
On 22nd June, the CJEU ruled in the case of Latvijas Republikas Saeima, where it dealt with the question of whether national provisions, which allow information about the penalties imposed on a driver for traffic offences to be disclosed to the public, are compatible with the GDPR. The case concerns a complaint by a Latvian citizen, in relation to whom information about traffic offences was made public. The CJEU ruled that disclosure of penalty points concerning a driver constitutes ‘personal data’ ‘processing’ under the GDPR. The CJEU then examined in detail whether the processing of personal data in the context of traffic offences falls within the scope of the GDPR or within the scope of the Law Enforcement Directive (LED), and concluded that the processing falls within the scope of the GDPR because the authority collecting and disclosing the penalty points cannot be classified as a ‘competent authority’ in the meaning of the LED. Then, the Court ruled that ‘road traffic offences which may result in penalty points being given are covered by the term ‘offences’ in Article 10 of the GDPR’ – even if they are given by an administrative authority – and hence deserve to be protected under Article 10 GDPR. Next, reading Article 10 GDPR in light of the legality requirements in the GDPR and in light of the CFREU, the Court concluded that national law which obliges a national authority to disclose the penalty points to anyone, without the requesting natural person or economic operator having demonstrated ‘specific interest’ in receiving the data, is not compatible with the GDPR. Finally, the Court ruled that the Latvian Constitutional Court is precluded from maintaining the national law currently in force, which has been assessed to be incompatible with the GDPR, until the day of the judgment rendered by the constitutional court. 
We note that in effect the CJEU gave a broad reading of the scope of application of the GDPR, interpreting the term ‘offences’ in Article 10 to include administrative offences and thereby extending all relevant protection flowing from Article 10 to these offences.
– ECtHR Decides on ‘Right to be Forgotten’ in Hurbain v. Belgium –
On 22nd June, the ECtHR ruled in the case of Hurbain v. Belgium. In terms of the facts: in 2013, a newspaper publisher had been ordered to render a digitally archived version of an article – originally dating from 1994 – anonymous. The article concerned a driver, whose full name was mentioned, who had caused a fatal road accident. The anonymisation was mandated on the basis of the named individual’s ‘right to be forgotten’. The Court found that the requirement to anonymise the article had not interfered with the publisher’s Article 10 ECHR right to freedom of expression. The Court found that the interference – the requirement to anonymise the article – had been prescribed by law, as it had a basis in valid Belgian law, and pursued a legitimate aim – namely the protection of the driver’s right to privacy. The Court further found that the interference had been necessary. The Court recognised both the significance of the integrity of newspaper archives as well as the need to protect potentially conflicting rights. In this regard, the Court highlighted that its criteria for considering whether an archived article should be made, or kept, online were broadly equivalent to those relevant for considering whether an article should be made, or kept, available online generally – subject to potentially different weighting of criteria by virtue of the passage of time. These criteria included: i) ‘Contribution to a debate of public interest’; ii) ‘The reputation of the person concerned and the purpose of the article’; iii) ‘The conduct of the person concerned with regard to the media’; iv) ‘How the information was obtained and its veracity’; v) ‘The content, form and impact of the publication’; and vi) ‘The seriousness of the measure imposed on the applicant’. 
Considering these criteria in light of the facts of the case, the Court found that the reasoning of the Belgian Courts was ‘reasonable and sufficient’ and the Court found no ‘serious reason why it should substitute its own opinion for that of the domestic courts or dismiss the result of their balancing exercise’. Significantly, however, according to the legal summary: ‘This conclusion could not be interpreted as involving an obligation for the media to check their archives on a systematic and permanent basis. Without overlooking their duty to respect private life at the time of the initial publication, when it came to the archiving of articles they would not be required to make such verification, and therefore to weigh up the various rights at stake, unless they received an express request to that effect.’ The consideration of the ECtHR on the right to be forgotten is naturally highly relevant for EU data protection law. A more detailed consideration of the decision, and the degree to which its specifics correspond with the understanding of the right in EU data protection jurisprudence, would be welcome. The case is available only in French. Accordingly, this report has been produced on the basis of the legal summary available in English.
On 28th June, the Commission adopted two Adequacy Decisions concerning the UK. The first concerns adequacy under the GDPR and the second concerns adequacy under the Law Enforcement Directive – the Decisions and the process leading to their adoption have been covered previously in DPI. Subject to the Decisions, personal data will be able to flow freely between the EU and the UK. We would highlight, however, that the conclusion of an Adequacy Decision regarding a third country is not necessarily the end of the story. Adequacy Decisions can be challenged before the Courts and, should their conditions be found not to meet the standard of protection required by EU data protection law, are subject to being struck down – consider Privacy Shield, for example. The confirmation of UK Adequacy happens only a few days after the EU Commission launched the process towards the adoption of an Adequacy Decision for South Korea. The Commission considers ‘that the Republic of Korea ensures an essentially equivalent level of protection to the one guaranteed under the General Data Protection Regulation (GDPR).’ The Commission now requires the opinion of the EDPB and a committee of Member State representatives on a draft Decision before proceeding toward adoption of a Decision.
– EDPB and EDPS Publish Joint AI Act Opinion –
On 18th June, the EDPB and EDPS published a Joint Opinion on the recent EU AI Act Proposal. In their Opinion, they welcomed the Proposal against the background of the necessity to regulate AI. They acknowledged the data protection implications of the Proposal and in light of this they noted that there are weaknesses in the Proposal in terms of EU data protection law. Whereas the present contribution will not mention all the issues raised, the following 13 points made by the EDPB and EDPS deserve discussion. First, the responsibilities of the stakeholders foreseen under the Proposal should be aligned with the concepts of data controller and processor under EU data protection law. Second, the scope of the Proposal needs to be widened to include international organisations and third countries who use AI applications in the context of international law enforcement cooperation. Third, the Proposal should clarify explicitly that the three general EU data protection instruments apply to the processing of personal data in the framework of the Proposal and that the Proposal does not limit the application of the applicable data protection provisions. Fourth, whereas the Opinion welcomes the risk-based approach in principle, it considers it a weakness that the prohibitions on certain applications are limited – e.g. the EDPB and EDPS recommend that any type of social scoring should be prohibited, that the prohibition on real-time remote biometric identification systems is too weak and a general ban in other contexts is needed, including biometric categorisation and prediction of the risk of re-offending. Fifth, the list of high-risk applications in Annex II and III is not complete, as it needs to mention other high-risk applications.
Sixth, the Proposal should regulate the rights and remedies of individuals who are subject to AI applications and it should be made clear that lawful AI application under the Proposed AI Act does not guarantee lawful personal data processing under the EU data protection framework. Seventh, the Opinion criticises the exemption in the Proposal concerning its applicability to AI systems already in use – including many AFSJ applications. Eighth, the Opinion warns that the Proposal should not be interpreted to provide a legal basis for the processing of special categories of data as the current wording does not correspond to the requirements of a legal basis under the GDPR, LED and Regulation 2018/1725. Ninth, with regard to the proposed supervisory mechanism, the EDPB and EDPS are concerned the mechanism might prejudice the independence of the supervisory authorities – e.g. DPAs – especially because of the proposed reporting obligations to the Commission and the envisaged role of the Commission in the framework of the envisaged European AI Board (EAIB). Furthermore, they suggest that the DPAs should be the designated supervisory authorities under the Regulation due to the intertwining of their supervisory tasks in relation to personal data processing and the proposed tasks of the supervisory authorities under the Act. Tenth, the Opinion calls for respect for the rights of the data subjects and explicitly calls for the establishment of a right to explanation. Eleventh, the Opinion calls for clarification around sandboxes. Twelfth, the Opinion requires clarification on the relationship between certification under the Proposal and certificates under the GDPR. Finally, the Opinion considers Codes of Conduct should also include requirements stemming from the GDPR. The EDPB and EDPS clarify that the Opinion is only a ‘preliminary analysis of the Proposal’ and further opinions and comments might be issued later.
– EDPB Holds its 50th Plenary Session –
On 18th June, the EDPB held its 50th Plenary Session. During the meeting, the following documents were adopted:
- ‘Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data’;
- ‘(L)etter addressed to EU Institutions on the privacy and data protection aspects of a possible digital euro’;
- ‘(J)oint EDPB-EDPS opinion on the draft AI Regulation’.
The EDPB also designated the three EDPB representatives to the European Travel Information and Authorisation System Fundamental Rights Guidance Board. In addition, from the meeting agenda it becomes evident that the EDPB discussed the territorial applicability of the e-Privacy Directive, the administrative cooperation between the EU and Third Country Supervisory Authorities, and the Opinion on a Tobacco Traceability System.