Data Protection Insider, Issue 28

– CJEU Strikes down Privacy Shield in Schrems II –

On 16th July, the CJEU handed down its much-awaited decision in Data Protection Commissioner v. Facebook Ireland Ltd, Maximillian Schrems (Shrems II). Basically, the case dealt with whether Facebook could use the SCC mechanism to transfer personal data to the US, despite the fact that US law foresees extensive possibilities for law enforcement and intelligence agencies to access EU citizens’ personal data subsequent to transfer. The CJEU’s decision is lengthy, involved and well worth reading in full. In the decision, however, the CJEU came to two conclusions of particular importance. First, the CJEU confirmed the general legitimacy of SCCs under Commission Decision 2010/87/EU, as amended by Commission Decision 2016/2297, as a means to transfer personal data to third states. This recognition, however, came with the caveat that the use of SCCs alone does not automatically serve to legitimate transfers to a third state. Rather, in any given case, the controller is liable to ensure that the use of SCCs successfully assures an essentially equivalent standard of protection. The controller is thus liable to evaluate the law of a third state and to decide whether the SCCs alone are capable of ensuring essentially equivalent protection, whether supplemental clauses are necessary to ensure essentially equivalent protection, or whether the contractual mechanism itself is incapable of ensuring essentially equivalent protection. The CJEU also highlighted that the end-result of this decision is subject to oversight by national supervisory authorities. Second, the Privacy Shield Decision is invalid, in entirety, with immediate effect. In its reasoning, the CJEU considers that US law foresees the possibility for intelligence agencies to engage in disproportionate collection of EU citizens’ personal data, in relation to which no adequate legal redress is available and thus that US law does not outline an adequate standard of protection in line with that required by the Charter of Fundamental Rights. Accordingly, the CJEU recognises the standard of protection provided by US law cannot be regarded as ‘adequate’ and that the Privacy Shield Decision cannot stand. The decision in the case has potentially wide-reaching implications. In the first instance, whilst EU-US data flows have been the focus of most discussions to date, other countries also have security and surveillance legislation to which the logic of the case may also apply. In turn, whilst the case focused on SCCs and Privacy Shield, the underlying logic of the decision – that transfers to third-states must ensure an equivalent level of protection – is also applicable to all other ad hoc transfer options, including BCCs certification and codes of conduct.


– CJEU on the Broad Concept of a “Controller” –

On 9th July, the CJEU ruled that a parliamentary Petitions Committee is a controller in the sense of the GDPR. According to the facts of the case, an individual requested access to his data, under Article 15 GDPR, which was processed by the Petitions Committee of the Hessian Parliament in Germany. The latter responded that the Committee is not subject to the GDPR because the petition procedure is a function of the parliament, whose (legislative) activities fall outside the scope of the GDPR. The referring court noted that German law provides no right of access to information processed by parliamentary Petitions Committees. Acknowledging this, the referring court sought guidance on whether the Petitions Committee can be classified as a controller under the GDPR, in which case an individual would be able to exercise his right of access against the Petitions Committee. The CJEU clarified that the concept of a ‘controller’ is a functional one and covers any entity which defines the purposes and means of data processing – i.e. repeating the definition in the GDPR. It further noted that activities such as those of a parliamentary Petitions Committee do not fall outside scope of EU law even if there is no cross-border element in relation to these activities, as the Court had already established in its case-law concerning Directive 95/46. It noted that the GDPR explicitly lists those activities which fall outside the scope of the GDPR – namely those related to national and public security and criminal law – of which parliamentary activities do not form part. Thus, the CJEU concluded that since the Petitions Committee had the power to define the purposes and means of data processing in casu and its activities do not fall outside the scope of the GDPR, it should be treated as a controller against which individuals may exercise their right of access. Data protection experts will wonder why the case had to reach the CJEU at all, given its simplicity. At the same time, the case demonstrates that the provisions of the GDPR can contradict legacy approaches to information processing based on national law, and that some controllers may have difficulty finding their way through the new legal landscape.


 – ECtHR Rules on Refugees’ Rights to Change Gender –

On 16th July, the ECtHR ruled in the case of Rana v. Hungary. The facts of the case were as follows: the applicant, who was originally from Iran, had refugee status in Hungary. When the applicant sought to change their official gender in Hungary, however, they found this was not possible. The Hungarian procedure required changes to be made to documents concerning birth at the Registrar of Births/Marriages/Deaths. As a refugee, however, the applicant did not have the relevant local records and the change could not be implemented. The applicant brought complaints before the national courts. One set of complaints before the Budapest Administrative and Labour Courts was rejected on the basis of a lack of jurisdiction. Another set of proceedings before the Constitutional Court resulted in judicial recognition that the Hungarian government needed to amend gender change proceedings such that they were available in situations such as that of the applicant. In these proceedings, the Constitutional Court ‘called upon Parliament to meet its legislative duty by 31 December 2018’. This amendment, however, ‘has yet to be done’. In light of this situation, the applicant complained that: ‘the refusal to change his name and his sex marker from “female” to “male” in his identity documents had amounted to a violation of Article 8.’ The ECtHR found in favour of the applicant. The ECtHR examined the compliant in light of whether Hungary had met its positive obligation to secure the applicant’s Article 8 rights to change gender. In this regard, the ECtHR found that the legislative gap ‘excluded all lawfully settled non-Hungarian citizens from accessing the procedures for changing gender and name regardless of their circumstances, which disproportionately restricted their right to human dignity’. The ECtHR observed ‘that the domestic authorities rejected the applicant’s application purely on formal considerations, without examining his situation and therefore without conducting any balancing exercise of the competing interests. In particular, the relevant authorities did not take into account the fact that the applicant had been recognised as a refugee precisely because he had been persecuted on the grounds of his transgenderism in his country of origin. The Court considers that in the circumstances of his case the applicant could not reasonably have been expected to pursue the recognition of gender reassignment and the name‑change procedure in his country of birth.’


 – ECtHR Reaffirms Right to Gender Reassignment –

On 9th July the ECtHR ruled in Y.T. v Bulgaria that transgender people should have the right to have their gender changed in official records. According to the facts of the case, the applicant was born a female but had undergone gender transition, including changing his physical appearance, and had been living in society as a man. He requested the Bulgarian authorities to change his gender and names in the official records. The Bulgarian Courts, however, argued that such a gender change was contrary to the public interest, without either clarifying what this public interest was or performing a balancing exercise between the rights of the applicant and the public interest. The applicant claimed that the refusal to modify the records and documents constituted an interference with Article 8 ECHR. The ECtHR noted that the legal framework in Bulgaria allowed the applicant to submit, and have examined, his request for gender reassignment by the authorities. According to national law, his gender reassignment had to be recognised by a domestic court, which was refused in casu. The ECtHR ruled that the interference was not justified because the domestic courts had not been able to motivate the refusal in casu, whereas in similar cases recognition of the gender reassignment of other individuals was granted. We note that, in the present case, it is not explicitly clear whether the violation was established under the ‘legitimate aim’ criterion, the ‘necessary in a democratic society’ criterion, or the ‘in accordance with law’ criterion. Nevertheless, it becomes clear that it is difficult to identify a public interest which can stand in the way of gender reassignment recognition.


– EDPB Releases Second Version of Guidelines on the RTBF in Search Engine Cases –

On 7th July, the EDPB published its updated Guidelines on the application of the right to be forgotten (RTBF) to search engines under the GDPR. More precisely, in the Guidelines, the EDPB examines the right to delisting in light of Article 17 GDPR. The EDPB provides an in-depth analysis of the grounds for requesting the de-listing of information under Article 17(1) GDPR and of the grounds for refusing de-listing requests by the controller under Article 17(3) GDPR. With regards to Article 17(1), the EDPB notes that the right to de-listing can be evoked under both Article 17(1) and under the right to object under Article 21 – which is also mentioned in Article 17(1)(c). With regards to the exceptions in 17(3), the EDPB notes that ‘… most of the exceptions under Article 17.3 GDPR do not appear suitable in case of a delisting request.’ The EDPB notes, however, that the exception outlined under Article 17(3)(a), concerning ‘the right of freedom of expression and information’ may be relevant. Whilst the Guidelines do not extensively analyse the obligations of search engines pursuant Article 17(2) concerning the controller’s obligation to notify other controllers of an erasure request, further Guidelines on the provision are planned. In addition, the Guidelines will be supplemented by an Annex to help Supervisory Authorities assess the criteria for examining complaints against the refusal to de-index information online.


– Council to Push for E-Privacy Reform –

On 6th of July, the Council, under the German Presidency, released a discussion paper outlining their intention to revisit e-privacy discussions – which have repeatedly stalled over the past few years. The discussion paper intends to start a process aimed at: ‘reaching a General Approach and/or a mandate to start negotiations with the European Parliament.’ The paper intends to build on the compromise proposal put forward by the Croatian Presidency on 6th of March 2020 and highlights two aspects of e-privacy law, in particular, to be addressed in forthcoming discussions: i) ‘the rules for the processing of electronic communications data in Articles 6 to 6d’; and ii) the rules ‘for the protection of endusers’ terminal equipment information in Article 8’. The paper highlights two goals for e-privacy reform – neither of which are novel or surprising: i) ‘to ensure effective protection of privacy in electronic communications in accordance with the requirements of the Charter of Fundamental Rights’; and ii) ‘to ensure the preservation and advancement of innovative business models in the digital world’. Member States will now have until 24th of July to provide comments and feedback before a compromise text will be prepared. We can only hope this latest effort to ignite e-privacy reform will be more successful than previous efforts. There is, however, a long road ahead before anything concrete appears from these preliminary discussions. Equally, judging from the opposition to previous reform proposals, this road will undoubtedly be filled with obstacles.


DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.

Leave a Reply