{"id":72402,"date":"2022-12-22T19:18:07","date_gmt":"2022-12-22T18:18:07","guid":{"rendered":"https:\/\/www.lexxion.eu\/dpi\/data-protection-insider-issue-85\/"},"modified":"2022-12-22T19:18:07","modified_gmt":"2022-12-22T18:18:07","slug":"data-protection-insider-issue-85","status":"publish","type":"dpi","link":"https:\/\/www.lexxion.eu\/en\/dpi\/data-protection-insider-issue-85\/","title":{"rendered":"Data Protection Insider, Issue 85"},"content":{"rendered":"<p><a href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=269981&amp;pageIndex=0&amp;doclang=EN&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=24973\" target=\"_blank\" rel=\"noopener\">\u00a0&#8211;\u00a0<strong>CJEU Rules on De-referencing\u00a0<\/strong><strong>&#8211;\u00a0<\/strong><\/a><\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=269981&amp;pageIndex=0&amp;doclang=EN&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=24973\" target=\"_blank\" rel=\"noopener\">On 8th December, the CJEU delivered its verdict in the case of\u00a0<em>TU, RE v Google LLC.<\/em><\/a><em>\u00a0<\/em>In essence, the case concerned the publication of articles and images of TU and RE in connection with \u2018critical opinions\u2026as to the reliability of the investment model of several\u2026companies\u2019. Certain \u2018articles\u2026were displayed in the list of search results produced when the applicants\u2019 first names and surnames were entered in the search engine operated by Google, both on their own and in conjunction with particular company names, and\u2019 one \u2018article\u2026was displayed when particular company names were entered\u2026Google also displayed the photographs of the applicants contained in\u2019 one \u2018article\u2026as thumbnails in the overview of results of its image search\u2019. 
Thus, the applicants requested de-referencing of the articles which they claimed contained \u2018incorrect allegations and defamatory opinions based on false statements\u2019 and removal of \u2018thumbnails from the list of results\u2019. In this regard, the Bundesgerichtshof referred two questions to the CJEU. These concerned:<\/p>\n<p>&nbsp;<\/p>\n<p>1. Whether it is \u2018compatible with the data subject\u2019s right to respect for private life\u2026and protection of personal data\u2026if\u2026within the scope of the examination of\u2026de-referencing\u2026against\u2026an internet search engine, pursuant to Article 17(3)(a)\u2026, when the link\u2026leads to content that includes factual claims and value judgments\u2026the truth of which is denied by the data subject, and the lawfulness of which depends on\u2026the extent to which\u2026factual claims\u2026are true, the national court\u2026concentrates conclusively on\u2026whether the data subject could reasonably seek legal protection against the content provider\u2026and thus at least provisional clarification on the question of the truth of the content\u2019.<\/p>\n<p>2. Whether, regarding de-referencing where \u2018a name search searches for photos of natural persons which third parties have introduced into the internet\u2026and which displays the photos\u2026as\u2026thumbnails\u2026within the context of the weighing-up of the conflicting rights and interests arising from Articles 7, 8, 11 and 16 of the Charter\u2019 according to Article 12(b) and Article 14 of Directive 95\/46 or Article 17(3)(a) GDPR \u2018the context of the original third-party publication be conclusively taken into account\u2019.<\/p>\n<p>&nbsp;<\/p>\n<p>The Court concluded:<\/p>\n<p>&nbsp;<\/p>\n<p>1. 
Article 17(3)(a) means \u2018that within the context of the weighing-up exercise\u2026between the rights\u2026in Articles 7 and 8 of the Charter\u2026and those\u2026in Article 11 of the Charter\u2026for the purposes of examining a request for de-referencing made to the operator of a search engine\u2026that de-referencing is not subject to the condition that the question of the accuracy of the referenced content has been resolved, at least provisionally, in an action brought by that person against the content provider\u2019. It should also be noted, however, that the Court observed that a certain obligation regarding the establishment of the accuracy of information fell on the data subject, and not on the search engine operator.<\/p>\n<p>2. Article 12(b) and Article 14 of Directive 95\/46, and Article 17(3)(a) of the GDPR mean \u2018that in the context of the weighing-up exercise\u2026between the rights\u2026in Articles 7 and 8 of the Charter\u2026and those\u2026in Article 11 of the Charter, for the purposes of examining a request for de-referencing\u2026seeking the removal from the results of an image search&#8230;on the basis of the name of a natural person of photographs displayed in the form of thumbnails\u2026account must be taken of the informative value of those photographs regardless of the context of their publication on the internet page from which they are taken, but taking into consideration any text element which accompanies\u2026the display of those photographs\u2019.<\/p>\n<p><a href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=269981&amp;pageIndex=0&amp;doclang=EN&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=24973\" target=\"_blank\" rel=\"noopener\"><span dir=\"ltr\"><strong><span dir=\"ltr\" style=\"color: inherit;\">Learn more<\/span><\/strong><\/span><\/a><\/p>\n<p>&nbsp;<\/p>\n<p><a 
href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=269881&amp;pageIndex=0&amp;doclang=EN&amp;mode=req&amp;dir=&amp;occ=first&amp;part=1&amp;cid=33411\" target=\"_blank\" rel=\"noopener\"><strong>&#8211; General Court Declares WhatsApp\u2019s Annulment Application against an EDPB Decision Inadmissible &#8211;<\/strong><\/a><\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=269881&amp;pageIndex=0&amp;doclang=EN&amp;mode=req&amp;dir=&amp;occ=first&amp;part=1&amp;cid=33411\" target=\"_blank\" rel=\"noopener\">On 7th December, the General Court dismissed the action for annulment of an EDPB decision, filed by WhatsApp Ireland Ltd against the EDPB, as inadmissible<\/a>. As to the facts of the case, the Irish Data Protection Commission (DPC), which is the Lead Supervisory Authority for WhatsApp Ireland Ltd, opened an investigation into whether WhatsApp was complying with GDPR\u2019s requirements on transparency and the right to information. After having presented its findings and proposed its draft decision to the other concerned EU supervisory authorities, the latter raised objections on certain points. This triggered the GDPR\u2019s consistency mechanism, which led to the adoption of a binding EDPB decision, i.e. binding on the Irish DPC. This EDPB decision effectively influenced parts of the final decision adopted by the Irish DPC, including the amount of the fine which the Irish DPC imposed on WhatsApp in the end (\u20ac 225 million). WhatsApp Ireland decided to challenge the EDPB decision with the EU\u2019s General Court. The Court dismissed the annulment application as inadmissible, mainly because the contested decision did not \u2018directly affect that applicant\u2019s legal situation and, second, (it left) discretion to its addressees\u2019, i.e. to the Irish DPC\u00a0<em>in casu<\/em>. 
The Court acknowledged that \u2018WhatsApp is individually concerned by the contested decision\u2019, but that \u2018the contested decision does not in itself change WhatsApp\u2019s legal position\u2019, because it is a preparatory decision which is not \u2018directly enforceable against WhatsApp\u2019. This is without prejudice to the fact that it constitutes \u2018indeed an act of a body of the Union\u2019 and \u2018the contested decision is intended to produce legal effects vis-\u00e0-vis third parties, since it is a \u2018binding decision\u2019 vis-\u00e0-vis the supervisory authorities concerned\u2019. Finally, the Court clarified that WhatsApp may challenge the Irish DPC\u2019s decision in Irish courts, which might submit preliminary ruling questions with the CJEU related to the EDPB\u2019s decision and thus indirectly question the legality of the content of the EDPB decision.<\/p>\n<p><a href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=269881&amp;pageIndex=0&amp;doclang=EN&amp;mode=req&amp;dir=&amp;occ=first&amp;part=1&amp;cid=33411\" target=\"_blank\" rel=\"noopener\"><span dir=\"ltr\"><strong>Learn\u00a0more<\/strong><\/span><\/a><\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/datenschutzkonferenz-online.de\/media\/dskb\/2022_24_11_festlegung_MS365_zusammenfassung.pdf\" target=\"_blank\" rel=\"noopener\"><strong>&#8211;\u00a0<\/strong><\/a><strong><a href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=269983&amp;pageIndex=0&amp;doclang=EN&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=25300\" target=\"_blank\" rel=\"noopener\">The CJEU Clarifies Key Aspects of the Law Enforcement Directive<\/a>\u00a0&#8211;<\/strong><a href=\"https:\/\/datenschutzkonferenz-online.de\/media\/dskb\/2022_24_11_festlegung_MS365_zusammenfassung.pdf\" target=\"_blank\" rel=\"noopener\"><strong>\u00a0<\/strong><\/a><\/p>\n<p><strong>\u00a0<\/strong><\/p>\n<p><a 
href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=269983&amp;pageIndex=0&amp;doclang=EN&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=25300\" target=\"_blank\" rel=\"noopener\">On 8th December, the CJEU provided an interpretation of the purpose limitation principle and the requirement on distinguishing between the different categories of data subject under the Law Enforcement Directive (LED), as well as the relationship between the LED and the GDPR, in\u00a0<em>VS v Inspektor v Inspektorata kam Visshia sadeben savet<\/em>.<\/a>\u00a0As to the facts of the case, the applicant in the main proceedings was first treated as a victim of a criminal offence. His personal data were thus initially processed for the purposes of \u2018\u2018detection\u2019 and \u2018investigation\u2019 of a criminal offence\u2019, which is one of the possible purposes for the processing of personal data under Article 1(1) LED. Subsequently, the prosecution raised charges against the applicant and wished to process the personal data collected on him for the purposes of prosecuting him, another purpose listed under Article 1(1) LED. Thus, the question arose whether the situation gave rise to a change in the purposes of the processing and whether such a change could be lawful under the LED. In addition, the referring court wished to know whether the prosecution could re-process the collected personal data in order to defend its position in civil courts, where its actions were challenged. As to the first question, the Court ruled that the change of purpose from detection and investigation into prosecution indeed constitutes a change in the purpose of the data processing. It clarified that such a re-purposing can be lawful only where the two cumulative requirements of Article 4(2) LED are satisfied, i.e. the controller may process the data for the new purpose under Union or Member State law and the processing is necessary and proportionate to that purpose. 
The Court clarified that when determining whether the purpose of the processing has changed, the obligation to distinguish between the categories of data subjects in Article 6 LED (suspect, victim, witness) \u2018is not relevant\u2019. As to the second question, the Court ruled that the GDPR is applicable to the re-processing of the said personal data for the purposes of the prosecution defending its position in an action for damages raised against it and that the processing is lawful \u2018where, first, it informs the court having jurisdiction of the opening of files relating to a natural person who is a party to that action for the purposes set out in Article 1(1) of Directive 2016\/680 and, second, it transmits those files to that court\u2019, and that it could rely on Article 6(1)(e) GDPR as a legal basis for the processing, provided all the applicable requirements of the GDPR are complied with.<\/p>\n<p><a href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=269983&amp;pageIndex=0&amp;doclang=EN&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=25300\" target=\"_blank\" rel=\"noopener\"><span dir=\"ltr\"><strong>Learn\u00a0more<\/strong><\/span><\/a><\/p>\n<p>&nbsp;<\/p>\n<p><strong><a href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=270416&amp;pageIndex=0&amp;doclang=EN&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=51262\" target=\"_blank\" rel=\"noopener\">&#8211; AG Opinion on the Right of Access &#8211;\u00a0<\/a><\/strong><\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=270416&amp;pageIndex=0&amp;doclang=EN&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=51262\" target=\"_blank\" rel=\"noopener\">On 15th December, AG Pitruzzella delivered an Opinion in the case of\u00a0<em>\u00d6sterreichische Datenschutzbeh\u00f6rde and CRIF.<\/em><\/a><em>\u00a0<\/em>In essence, the 
case concerned a consulting agency, which, in response to a data subject\u2019s access request, provided only \u2018some of the requested information as an aggregate\u2026first, in a table\u2026and, second, in a statement summarising corporate functions and powers of representation\u2019. In this regard, four questions were referred to the Court concerning the right to access in Article 15 of the GDPR. These concerned:<\/p>\n<p>&nbsp;<\/p>\n<p>1. Whether the term \u2018\u201ccopy\u201d in Article 15(3) of [the GDPR]\u2019 can cover \u2018an \u201cAbschrift\u201d, a \u201cdouble\u201d (\u201cduplicata\u201d) or a \u201ctranscript\u201d\u2019.<\/p>\n<p>2. Whether the \u2018first sentence of Article 15(3)\u2019 can be interpreted as offering a right \u2018to obtain a copy of\u2026entire documents\u2026or to receive a copy of a database extract\u2019.<\/p>\n<p>3. Whether, if \u2018the data subject has a right only to an exact reproduction of the personal data\u2026Article 15(3)\u2019 should be \u2018interpreted as meaning that, depending on the nature of the data processed\u2026it may\u2026be necessary in individual cases to make text passages or entire documents available\u2019.<\/p>\n<p>4. Whether \u2018the term \u201cinformation\u201d\u2026pursuant to\u2026Article 15(3)\u2019 should be \u2018interpreted as referring solely to the \u201cpersonal data undergoing processing\u201d\u2019.<\/p>\n<p>&nbsp;<\/p>\n<p>The AG concluded:<\/p>\n<p>&nbsp;<\/p>\n<p>1. 
In relation to the first three questions: \u2018The first sentence of Article 15(3)\u2019 means \u2018that the concept of \u201ccopy\u201d\u2026must be understood as a faithful reproduction\u2026of the personal data\u2026that enables the data subject effectively to exercise his or her\u2019 rights; \u2018the exact form of the copy is determined by the specific circumstances of each case\u2019; the provision in question does \u2018not confer\u2026a general right to obtain a partial or full copy of the document\u2026or\u2026an extract from that database\u2019; and that the provision in question does not preclude \u2018the data subject having to be provided with portions of documents, or entire documents or extracts from databases\u2026if\u2026necessary\u2019.<\/p>\n<p>2. In relation to the fourth question: \u2018The concept of \u201cinformation\u201d\u2026must be interpreted as referring\u2026to the \u201ccopy of personal data undergoing processing\u201d\u2019.<\/p>\n<p>&nbsp;<\/p>\n<p>This is an interesting case concerning significant issues which are seldom the subject of jurisprudential consideration. 
As always, however, it remains to be seen whether, and to what degree, the AG\u2019s Opinion will be followed by the Court.<\/p>\n<p><a href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=270416&amp;pageIndex=0&amp;doclang=EN&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=51262\" target=\"_blank\" rel=\"noopener\"><span dir=\"ltr\"><strong>Learn more<\/strong><\/span><\/a><\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=270402&amp;pageIndex=0&amp;doclang=EN&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=51295#Footref32\" target=\"_blank\" rel=\"noopener\">&#8211;\u00a0<strong>AG Advises on the Definition of a Data Recipient re: the Right of Access\u00a0<\/strong><strong>&#8211;\u00a0<\/strong><\/a><\/p>\n<p><strong>\u00a0<\/strong><\/p>\n<p>On 15th December, AG Sanchez-Bordona delivered an Opinion in the case of\u00a0<em>Pankki S<\/em>\u00a0concerning the question of whether the employees of a bank are recipients of personal data in the sense of the GDPR, and whether their identity may or must be disclosed when the controller answers a data subject access request. As to the facts of the case, the applicant in the main proceedings was at the same time an employee and a customer in a bank. He discovered that his customer personal data had been accessed by other employees of the bank and requested the disclosure of their identity, relying on his right of access under Article 15(1)(c) GDPR. The bank did not disclose the names of the employees, but it did inform the applicant that his bank data were accessed for auditing purposes. The applicant submitted a complaint with the data protection supervisory authority, which rejected the complaint. 
Thus, the issue reached domestic courts, which turned to the CJEU about the interpretation of the notion of a \u2018recipient\u2019.\u00a0<a href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=270402&amp;pageIndex=0&amp;doclang=EN&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=51295#Footref32\" target=\"_blank\" rel=\"noopener\">In his proposed answer to the Court, the AG argued that \u2018the concept of recipient does not include employees of a legal person who, when using the latter\u2019s computer system, consult the personal data of a client on behalf of its administrative bodies. Where such employees act under the direct authority of the controller, they do not, on that basis alone, acquire the status of \u2018data recipients\u2019<\/a>.\u2019 He then pointed out that where the employee accessed the data illegally, i.e. not under the instruction of the controller, then this employee could be described as a recipient or even as a data controller. In those cases, data subjects may have an interest in learning who processed their personal data illegally \u2018with a view to exercising his or her right to take action against that employee.\u2019 In the view of the AG, such a situation requires a balance to be struck between the interests of the concerned data subject, and those of the employer and the concerned employees. The AG argued that this balance should be struck by the supervisory authority: \u2018it will be the supervisory authority that, from its position of impartiality, will have to assess whether the doubts about the actions of the employees acting on behalf of the banking institution are sufficiently well founded and reliable to justify disclosing their identity\u2019. 
Finally, the AG observed that the requirement to keep a record of the processing activities in Article 30 GDPR serves the purpose of allowing the supervisory authority to monitor the lawfulness of the data processing by different controllers and if the names of the individual employees are recorded in these records, these should be accessible to the supervisory authority, but not to the data subject under Article 15(1)(c).<\/p>\n<p><a href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=270402&amp;pageIndex=0&amp;doclang=EN&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=51295#Footref32\" target=\"_blank\" rel=\"noopener\"><span dir=\"ltr\"><strong>Learn more<\/strong><\/span><\/a><\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/edpb.europa.eu\/system\/files\/2022-12\/20221205plen1.1agenda_public_0.pdf\" target=\"_blank\" rel=\"noopener\"><strong>&#8211;<\/strong><\/a><strong>\u00a0<\/strong><strong><a href=\"https:\/\/ec.europa.eu\/commission\/presscorner\/detail\/en\/IP_22_7631\" target=\"_blank\" rel=\"noopener\">Process to Adopt EU US Adequacy Agreement Launched<\/a>\u00a0<\/strong><a href=\"https:\/\/edpb.europa.eu\/system\/files\/2022-12\/20221205plen1.1agenda_public_0.pdf\" target=\"_blank\" rel=\"noopener\"><strong>&#8211;\u00a0<\/strong><\/a><\/p>\n<p><strong>\u00a0<\/strong><\/p>\n<p><a href=\"https:\/\/ec.europa.eu\/commission\/presscorner\/detail\/en\/IP_22_7631\" target=\"_blank\" rel=\"noopener\">According to the European Commission, \u2018the process towards the adoption of an adequacy decision for the EU-U.S. 
Data Privacy Framework, which will foster safe trans-Atlantic data flows and address the concerns raised by the Court of Justice of the European Union in its\u00a0<em>Schrems II<\/em>\u00a0decision of July 2020\u2019 has been launched.<\/a>\u00a0The Commission states that the process follows \u2018the signature of a US Executive Order by President Biden on 7 October 2022, along with the regulations issued by the US Attorney General Merrick Garland\u2019 \u2013 which implement, into US domestic law, the substance of the agreement. In terms of next steps, the agreement has now been submitted to the EDPB for comment. Subsequently \u2018the Commission will seek approval from a committee composed of representatives of the EU Member States. In addition, the European Parliament has a right of scrutiny over adequacy decisions. Once this procedure is completed, the Commission can proceed to adopting the final adequacy decision.\u2019 We note, however, that concerns have already been raised as to the content of the agreement by civil society. 
Given the history of EU US adequacy agreements, we would be surprised if the road was all smooth from here.<\/p>\n<p><a href=\"https:\/\/ec.europa.eu\/commission\/presscorner\/detail\/en\/IP_22_7631\" target=\"_blank\" rel=\"noopener\"><span dir=\"ltr\"><strong>Learn more<\/strong><\/span><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u00a0&#8211;\u00a0CJEU Rules on De-referencing\u00a0&#8211;\u00a0 &nbsp; On 8th December, the CJEU delivered its verdict in the [&hellip;]<\/p>\n","protected":false},"author":144,"featured_media":63588,"menu_order":0,"comment_status":"open","ping_status":"closed","template":"","dpi-category":[],"dpi-tag":[],"class_list":["post-72402","dpi","type-dpi","status-publish","has-post-thumbnail","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72402","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi"}],"about":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/types\/dpi"}],"author":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/users\/144"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/comments?post=72402"}],"version-history":[{"count":0,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72402\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/media\/63588"}],"wp:attachment":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/media?parent=72402"}],"wp:term":[{"taxonomy":"dpi-category","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-category?post=72402"},{"taxonomy":"dpi-tag","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-tag?post=72402"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}