– CJEU Rules on De-referencing –
On 8th December, the CJEU delivered its verdict in the case of TU, RE v Google LLC. In essence, the case concerned the publication of articles and images of TU and RE in connection with ‘critical opinions…as to the reliability of the investment model of several…companies’. Certain ‘articles…were displayed in the list of search results produced when the applicants’ first names and surnames were entered in the search engine operated by Google, both on their own and in conjunction with particular company names, and’ one ‘article…was displayed when particular company names were entered…Google also displayed the photographs of the applicants contained in’ one ‘article…as thumbnails in the overview of results of its image search’. Thus, the applicants requested de-referencing of the articles which they claimed contained ‘incorrect allegations and defamatory opinions based on false statements’ and removal of ‘thumbnails from the list of results’. In this regard, the Bundesgerichtshof referred two questions to the CJEU. These concerned:
1. Whether it is ‘compatible with the data subject’s right to respect for private life…and protection of personal data…if…within the scope of the examination of…de-referencing…against…an internet search engine, pursuant to Article 17(3)(a)…, when the link…leads to content that includes factual claims and value judgments…the truth of which is denied by the data subject, and the lawfulness of which depends on…the extent to which…factual claims…are true, the national court…concentrates conclusively on…whether the data subject could reasonably seek legal protection against the content provider…and thus at least provisional clarification on the question of the truth of the content’.
2. Whether, regarding de-referencing where ‘a name search searches for photos of natural persons which third parties have introduced into the internet…and which displays the photos…as…thumbnails…within the context of the weighing-up of the conflicting rights and interests arising from Articles 7, 8, 11 and 16 of the Charter’ according to Article 12(b) and Article 14 of Directive 95/46 or Article 17(3)(a) GDPR ‘the context of the original third-party publication be conclusively taken into account’.
The Court concluded:
1. Article 17(3)(a) means ‘that within the context of the weighing-up exercise…between the rights…in Articles 7 and 8 of the Charter…and those…in Article 11 of the Charter…for the purposes of examining a request for de-referencing made to the operator of a search engine…that de-referencing is not subject to the condition that the question of the accuracy of the referenced content has been resolved, at least provisionally, in an action brought by that person against the content provider’. It should also be noted, however, that the Court observed that a certain obligation regarding the establishment of the accuracy of information fell on the data subject, and not on the search engine operator.
2. Article 12(b) and Article 14 of Directive 95/46, and Article 17(3)(a) of the GDPR mean ‘that in the context of the weighing-up exercise…between the rights…in Articles 7 and 8 of the Charter…and those…in Article 11 of the Charter, for the purposes of examining a request for de-referencing…seeking the removal from the results of an image search…on the basis of the name of a natural person of photographs displayed in the form of thumbnails…account must be taken of the informative value of those photographs regardless of the context of their publication on the internet page from which they are taken, but taking into consideration any text element which accompanies…the display of those photographs’.
– General Court Declares WhatsApp’s Annulment Application against an EDPB Decision Inadmissible –
On 7th December, the General Court dismissed the action for annulment of an EDPB decision, filed by WhatsApp Ireland Ltd against the EDPB, as inadmissible. As to the facts of the case, the Irish Data Protection Commission (DPC), which is the Lead Supervisory Authority for WhatsApp Ireland Ltd, opened an investigation into whether WhatsApp was complying with GDPR’s requirements on transparency and the right to information. After having presented its findings and proposed its draft decision to the other concerned EU supervisory authorities, the latter raised objections on certain points. This triggered the GDPR’s consistency mechanism, which lead to the adoption of a binding EDPB decision, i.e. binding on the Irish DPC. This EDPB decision effectively influenced parts of the final decision adopted by the Irish DPC, including the amount of the fine which the Irish DPC imposed on WhatsApp in the end (€ 225 million). WhatsApp Ireland decided to challenge the EDPB decision with EU’s General Court. The Court dismissed the annulment application as inadmissible, mainly because the contested decision did not ‘directly affect that applicant’s legal situation and, second, (it left) discretion to its addressees’, i.e. to the Irish DPC in casu. The Court acknowledged that ‘WhatsApp is individually concerned by the contested decision’, but that ‘the contested decision does not in itself change WhatsApp’s legal position’, because it is a preparatory decision which is not ‘directly enforceable against WhatsApp’. This is without prejudice to the fact that it constitutes ‘indeed an act of a body of the Union’ and ‘the contested decision is intended to produce legal effects vis-à-vis third parties, since it is a ‘binding decision’ vis-à-vis the supervisory authorities concerned’. Finally, the Court clarified that WhatsApp may challenge the Irish DPC’s decision in Irish courts, which might submit preliminary ruling questions with the CJEU related to the EDPB’s decision and thus indirectly question the legality of the content of the EDPB decision.
– The CJEU Clarifies Key Aspects of the Law Enforcement Directive –
On 8th December, the CJEU provided an interpretation of the purpose limitation principle and the requirement on distinguishing between the different categories of data subject under the Law Enforcement Directive (LED), as well as the relationship between the LED and the GDPR, in VS v Inspektor v Inspektorata kam Visshia sadeben savet. As to the facts of the case, the applicant in the main proceedings was first treated as a victim of a criminal offence. His personal data were thus initially processed for the purposes of ‘‘detection’ and ‘investigation’ of a criminal offence’, which is one of the possible purposes for the processing of personal data under Article 1(1) LED. Subsequently, the prosecution raised charges against the applicant and wished to process the personal data collected on him for the purposes of prosecuting him, another purpose listed under Article 1(1) LED. Thus, the question arose whether the situation gave rise to a change in the purposes of the processing and whether such a change could be lawful under the LED. In addition, the referring court wished to know whether the prosecution could re-process the collected personal data in order to defend its position in civil courts, where its actions were challenged. As to the first question, the Court ruled that the change of purpose from detection and investigation into prosecution indeed constitutes a change in the purpose of the data processing. It clarified that such a re-purposing can be lawful only where the two cumulative requirements of Article 4(2) LED are satisfied, i.e. the controller may process the data for new purpose under Union or Member State law and the processing is necessary and proportionate to that purpose. The Court clarified that when determining whether the purpose of the processing has changed, the obligation to distinguish between the categories of data subjects in Article 6 LED (suspect, victim, witness) ‘is not relevant’. As to the second question, the Court ruled that the GDPR is applicable to the re-processing of the said personal data for the purposes of the prosecution defending its position in an action for damages raised against it and that the processing is lawful ‘where, first, it informs the court having jurisdiction of the opening of files relating to a natural person who is a party to that action for the purposes set out in Article 1(1) of Directive 2016/680 and, second, it transmits those files to that court’, and that it could rely on Article 6(1)(e) GDPR as a legal basis for the processing, provided all the applicable requirements of the GDPR are complied with.
– AG Opinion on the Right of Access –
On 15th December, AG Pitruzzella delivered an Opinion in the case of Österreichische Datenschutzbehörde and CRIF.Österreichische Datenschutzbehörde and CRIF. In essence, the case concerned a consulting agency, which, in response to a data subject’s access request, provided only ‘some of the requested information as an aggregate…first, in a table…and, second, in a statement summarising corporate functions and powers of representation’. In this regard, four questions were referred to the Court concerning the right to access in Article 15 of the GDPR. These concerned:
1. Whether the term ‘“copy” in Article 15(3) of [the GDPR]’ can cover ‘an “Abschrift”, a “double” (“duplicata”) or a “transcript”’.
2. Whether the ‘first sentence of Article 15(3)’ can be interpreted as offering a right ‘to obtain a copy of…entire documents…or to receive a copy of a database extract’.
3. Whether, if ‘the data subject has a right only to an exact reproduction of the personal data…Article 15(3)’ should be ‘interpreted as meaning that, depending on the nature of the data processed…it may…be necessary in individual cases to make text passages or entire documents available’.
4. Whether ‘the term “information”…pursuant to…Article 15(3)’ should be ‘interpreted as referring solely to the “personal data undergoing processing”’.
The AG concluded:
1. In relation to the first three questions: ‘The first sentence of Article 15(3)’ means ‘that the concept of “copy”…must be understood as a faithful reproduction…of the personal data…that enables the data subject effectively to exercise his or her’ rights; ‘the exact form of the copy is determined by the specific circumstances of each case’; the provision in question does ‘not confer…a general right to obtain a partial or full copy of the document…or…an extract from that database’; and that the provision in question does not preclude ‘the data subject having to be provided with portions of documents, or entire documents or extracts from databases…if…necessary’.
2. In relation to the fourth question: ‘The concept of “information”…must be interpreted as referring…to the “copy of personal data undergoing processing”’.
This is an interesting case concerning significant issues which are seldom the subject of jurisprudential consideration. As always, however, it remains to be seen whether, and to what degree, the AG’s Opinion will be followed by the Court.
– AG Advises on the Definition of a Data Recipient re: the Right of Access –
On 15th December, AG Sanchez-Bordona delivered an Opinion in the case of Pankki S concerning the question of whether the employees of a bank are recipients of personal data in the sense of the GDPR, and whether their identity may or must be disclosed when the controller answers a data subject access request. As to the facts of the case, the applicant in the main proceedings was at the same time an employee and a customer in a bank. He discovered that his customer personal data had been accessed by other employees of the bank and requested the disclosure of their identity, relying on his right of access under Article 15(1)(c) GDPR. The bank did not disclose the names of the employees, but it did inform the applicant that his bank data were accessed for auditing purposes. The applicant submitted a complaint with the data protection supervisory authority, which rejected the complaint. Thus, the issue reached domestic courts, which turned to the CJEU about the interpretation of the notion of a ‘recipient’. In his proposed answer to the Court, the AG argued that ‘the concept of recipient does not include employees of a legal person who, when using the latter’s computer system, consult the personal data of a client on behalf of its administrative bodies. Where such employees act under the direct authority of the controller, they do not, on that basis alone, acquire the status of ‘data recipients’.’ He then pointed out that where the employee accessed the data illegally, i.e. not under the instruction of the controller, then this employee could be described as a recipient or even as a data controller. In those cases, data subjects may have an interest in learning who processed their personal data illegally ‘with a view to exercising his or her right to take action against that employee.’ In the view of the AG, such a situation requires a balance to be struck between the interests of the concerned data subject, and those of the employer and the concerned employees. The AG argued that this balance should be struck by the supervisory authority: ‘it will be the supervisory authority that, from its position of impartiality, will have to assess whether the doubts about the actions of the employees acting on behalf of the banking institution are sufficiently well founded and reliable to justify disclosing their identity’. Finally, the AG observed that the requirement to keep a record of the processing activities in Article 30 GDPR serves the purpose of allowing the supervisory authority to monitor the lawfulness of the data processing by different controllers and if the names of the individual employees are recorded in these records, these should be accessible to the supervisory authority, but not to the data subject under Article 15(1)(c).
– Process to Adopt EU US Adequacy Agreement Launched –
According to the European Commission, ‘the process towards the adoption of an adequacy decision for the EU-U.S. Data Privacy Framework, which will foster safe trans-Atlantic data flows and address the concerns raised by the Court of Justice of the European Union in its Schrems II decision of July 2020’ has been launched. The Commission states that the process follows ‘the signature of a US Executive Order by President Biden on 7 October 2022, along with the regulations issued by the US Attorney General Merrick Garland’ – which implement, into US domestic law, the substance of the agreement. In terms of next steps, the agreement has now been submitted to the EDPB for comment. Subsequently ‘the Commission will seek approval from a committee composed of representatives of the EU Member States. In addition, the European Parliament has a right of scrutiny over adequacy decisions. Once this procedure is completed, the Commission can proceed to adopting the final adequacy decision.’ We note, however, that concerns have already been raised as to the content of the agreement by civil society. Given the history of EU US adequacy agreements, we would be surprised if the road was all smooth from here.