Data Protection Insider, Issue 39

– Mediapart and Others: ECtHR on the Publication of Illegitimately Obtained Recordings

On 14th January, the ECtHR delivered its judgment in the case of Société Editrice de Mediapart and Others v. France. The facts of the case were as follows: during 2009, Ms Bettencourt – the main shareholder in the L’Oréal group – and her daughter had an argument concerning financial gifts made to a writer and photographer. This argument had been the subject of significant media attention. In 2009 and 2010, recordings were made, without consent, of conversations which had taken place at the home of Ms Bettencourt. These recordings found their way into the hands of Mediapart – a news website – which then published transcriptions. Following objections from Ms Bettencourt and her wealth manager, French national courts issued orders which required Mediapart to remove the illicitly obtained recordings from the website. The plaintiffs – Mediapart and two of Mediapart’s staff, Mr Hervé Edwy and Mr Fabrice Arfi – appealed to the ECtHR on the grounds that the orders infringed their Article 10 right to freedom of expression. The ECtHR concluded that there had been no interference with Article 10. In this regard, the Court concurred with the reasoning of the French courts that the publication of the transcriptions constituted an infringement of privacy. The ECtHR also concurred with the assessment of the French courts that the infringement of privacy was illegitimate.
The ECtHR agreed with the French courts that, amongst other things: i) the plaintiffs had had other means of reporting on the pertinent issues in question; ii) the fact that Ms Bettencourt was a public figure did not remove her expectation of respect and protection for private life or remove the journalists’ obligations to behave in line with professional and ethical obligations – especially given Ms Bettencourt was not a public figure exercising official authority; iii) the order was necessary to end harms caused as a result of the publication of material which had been obtained without consent from an individual in a position of vulnerability; iv) there was a legitimate expectation that the materials would be removed from the website; and v) there was no evidence that the obligation to remove materials should have a deterrent effect on the ability of the plaintiffs to exercise their right to freedom of expression. The case is yet another in a long line in which the ECtHR has sought to balance privacy with journalistic freedom of expression.

 

– L.B. v Hungary: ECtHR on the Publication of Tax Defaulters’ Personal Data Online

On 12th January the ECtHR delivered its judgment in L.B. v Hungary. The case concerns the online publication, on the tax authority’s website, of the personal data of citizens who have defaulted on paying a high amount of taxes – publication continues until the taxes have been paid. More precisely, the published data include the names, home addresses, tax identification numbers and amounts of unpaid taxes. The applicant, L.B., complained that this publication infringed his rights under Article 8 ECHR. After having confirmed that the contested publication constituted an interference with Article 8 ECHR, the Court ruled that it did not breach Article 8. The Court noted that the measure had a legal basis in domestic law and pursued a legitimate aim, namely “to protect the economic well-being of the country and the rights of others”, which is best served by clearly identifying tax evaders. The Court deemed that the measure, including the personal data selected for publication, did not exceed the margin of appreciation enjoyed by the Hungarian government – i.e. that the interests pursued by the measure did outweigh the rights of the applicant. Two judges, however, offered a dissenting opinion which noted that the publication of home addresses was disproportionate as this might make it easy for burglars to locate the home of the concerned evaders – whereas those who are doing business with the applicant could easily identify them by name only. In addition, these judges rightly observed that the internet does not forget, so that even where the said data are taken down after the payment of the tax arrears, the potential risks for the data subject will continue to exist. We agree with these observations. We further note that the effectiveness of the said measure in preventing tax evasion needs to be assessed and proven.
An interesting question is whether the CJEU would have reached a similar conclusion to the ECtHR had it examined the case on the basis of the GDPR – especially Articles 17 and 23 thereof.

 

– AG Bobek’s Opinion on the One-Stop-Shop: More Flexibility for DPAs

On 13th January Advocate General Bobek delivered his Opinion in a case sent to the CJEU for preliminary ruling, brought by the Belgian DPA against Facebook. The legal questions are multi-faceted but can be summarized as seeking clarification on the “one-stop-shop” mechanism created by the GDPR. As to the facts of the case, the Belgian DPA had brought proceedings before the Belgian courts against Facebook Inc., Facebook Ireland Ltd. and Facebook Belgium as regards the tracking mechanism set up by Facebook – inter alia via cookies – which are argued to negatively affect the data protection rights of residents of Belgium. However, Facebook argued that since its main establishment is in Ireland, in cross-border cases following the applicability of the GDPR, it is the Irish DPA which is the lead supervisory authority and that the Belgian DPA therefore does not have competence to issue orders and bring court proceedings against Facebook. AG Bobek’s main message can be summarised as follows: “…the provisions on the GDPR do not include any general bar for other supervisory authorities, especially SACs (supervisory authorities concerned), to start proceedings against potential infringements of data protection rules. On the contrary, various situations in which they are empowered to do so are expressly envisaged in the GDPR, or follow impliedly from it.” AG Bobek identified five cases in which the exception to the general rule could apply: (1) when the DPA acts outside the scope of application of the GDPR, e.g. where no personal data are processed; (2) where the cross-border processing is carried out by the public authorities of the Member States in which the said DPA is established; (3) where a certain controller engaged in cross-border processing does not have an establishment in the EU; (4) where the concerned DPA needs to adopt urgent measures and (5) where the lead DPA has decided not to handle a certain case, then the other concerned DPAs might bring court proceedings before their courts. We note that in past years the “one-stop-shop” mechanism has been criticized for being slow and inefficient. In this regard, following exception (5) might give more room for action to other concerned DPAs. In addition, it is interesting to note that an argument sometimes brought by controllers, namely that they do not process personal data, especially in adtech cases, might now become an argument in favour of DPAs bringing cases in their national courts where they are not the lead supervisory authority. It remains to be seen whether the Court will follow the recommendations and whether, in practice, an effective solution will be found to balance the need for the harmonized enforcement of the GDPR with the swift and efficient enforcement of the GDPR.

 

– EDPB and EDPS Adopt Joint Opinions on Commission’s New Standard Contractual Clauses

The EDPB and the EDPS have adopted two Opinions on the European Commission’s recently released draft implementing decisions on SCCs. The first Opinion is the ‘EDPB – EDPS Joint Opinion 1/2021 on the European Commission’s Implementing Decision on standard contractual clauses between controllers and processors’. In this Opinion, the EDPB and EDPS generally welcome the new SCCs. They also, however, highlight several areas in which improvements could be made. Improvements are suggested in relation to both the scope and the content of the SCCs. As the EDPB summarize in their announcement on the adoption of the Opinion: ‘Several amendments were requested in order to bring more clarity to the text and to ensure its practical usefulness in day-to-day operations of the controllers and processors. These include the interplay between the two documents, the so-called “docking clause” which allows additional entities to accede to the SCCs, and other aspects relating to obligations for processors. Additionally, the EDPB and EDPS suggest that the Annexes to the SCCs clarify as much as possible the roles and responsibilities of each of the parties with regard to each processing activity – any ambiguity would make it more difficult for controllers or processors to fulfil their obligations under the accountability principle.’ The second Opinion is the ‘EDPB – EDPS Joint Opinion 2/2021 on the European Commission’s Implementing Decision on standard contractual clauses for the transfer of personal data to third countries’. In this Opinion, the EDPB and EDPS again generally welcome the new SCCs. Again, however, they suggest several areas in which improvements might be made. 
As the EDPB summarize in their announcement on the adoption of the Opinion: ‘the EDPB and EDPS are of the view that several provisions could be improved or clarified, such as the scope of the SCCs; certain third party beneficiary rights; certain obligations regarding onward transfers; aspects of the assessment of third country laws regarding access to public data by public authorities; and the notification to the SA.’ The Opinions are technical and detailed and should play an important role in the forthcoming debates on SCCs.

 

– EDPB Releases Guidelines on Data Breach Notifications

On 14th January the EDPB released its Guidelines on examples concerning data breach notifications for public consultation. The Guidelines complement and build on the 2017 Article 29 Working Party’s Guidelines on data breach notifications by providing “…practice-oriented, case-based guidance that utilizes the experiences gained by SAs (Supervisory Authorities) since the GDPR [became] applicable.” They seek to guide data controllers in handling data breaches and assessing the risks posed by breaches. The Guidelines focus on the following categories of breaches by providing several practical examples per category: (1) ransomware; (2) data exfiltration attacks; (3) internal human risk source; (4) lost or stolen devices and paper documents; (5) mispostal and (6) other cases, such as social engineering. Stakeholders may submit their feedback until 02 March 2021.

 

– Irish DPC Highlights Resource Limitations

The Irish Times reports that the Irish DPC has highlighted limited resourcing as an obstruction to its optimal function. The Times reports that the DPC pointed both to the difficulty its current resourcing placed on its ability to investigate large tech firms with access to ‘disproportionate’ resources and to the fact that its current resourcing often leads to delays in investigations. The DPC made the observations in a pre-budget submission which was made available under Freedom of Information laws. The observation that DPAs struggle with resourcing issues under the GDPR is nothing new – indeed, the question of adequate DPA resourcing long predates the GDPR. However, the fact that the Irish DPC has directly highlighted resourcing issues as an obstacle to its ability to effectively investigate large tech firms is interesting. This is particularly the case given that a number of high-profile tech firms have their European headquarters in Ireland. It will be interesting to see how DPA resourcing develops as data protection gains increasing political prominence moving forwards. It will also be interesting to see the impacts of changes in resourcing in terms of how DPAs approach the prosecution of data protection infringements as well as in terms of how data subjects, data controllers and the public react to these changes in approach.

About

DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.
