{"id":72476,"date":"2024-03-08T23:50:50","date_gmt":"2024-03-08T22:50:50","guid":{"rendered":"https:\/\/www.lexxion.eu\/dpi\/data-protection-insider-issue-108\/"},"modified":"2024-05-12T00:35:19","modified_gmt":"2024-05-11T22:35:19","slug":"data-protection-insider-issue-108","status":"publish","type":"dpi","link":"https:\/\/www.lexxion.eu\/en\/dpi\/data-protection-insider-issue-108\/","title":{"rendered":"Data Protection Insider, Issue 108"},"content":{"rendered":"<div class=\"txtTinyMce-wrapper\" style=\"font-size: 12px; line-height: 18px; font-family: Arial, Helvetica Neue, Helvetica, sans-serif;\">\n<div class=\"txtTinyMce-wrapper\" style=\"font-size: 12px; line-height: 18px; font-family: Arial, Helvetica Neue, Helvetica, sans-serif;\">\n<p style=\"text-align: justify; font-size: 14px; line-height: 21px; word-break: break-word;\"><strong><a style=\"text-decoration: none;\" href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=283529&amp;pageIndex=0&amp;doclang=EN&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=736059\" target=\"_blank\" rel=\"noopener\"><span style=\"font-size: 14px; line-height: 21px;\">&#8211; CJEU: Court on Personal Data and Controllership in Online Advertising<\/span>\u00a0<span style=\"font-size: 14px; line-height: 21px;\">&#8211;<\/span><\/a><\/strong><\/p>\n<p style=\"line-height: 18px; word-break: break-word; text-align: justify;\"><a style=\"text-decoration: underline;\" href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=283529&amp;pageIndex=0&amp;doclang=EN&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=736059\" target=\"_blank\" rel=\"noopener\">On 7th March, the CJEU ruled in the case of IAB Europe v Gegevensbeschermingsautoriteit. <\/a>In terms of the facts, the case concerned IAB Europe\u2019s Transparency &amp; Consent Framework (TCF). 
The TCF provides a set of rules and technical specifications aimed at allowing online advertisers to process users\u2019 personal data legally. The TCF is used in relation to \u2018Real Time Bidding\u2019 \u2013 \u2018an instant and automated online auction system of user profiles for the purpose of selling and purchasing advertising space on the internet\u2019. In this regard, when a user first consults a website, they are faced with a pop-up window, which, in line with the TCF, allows them \u2018to give\u2026consent\u2026for the collection and processing of\u2026personal data for\u2026purposes, such as\u2026marketing or advertising, or with a view to sharing those data with certain providers, and, second, to object to various types of data processing or to the sharing of those data, based on legitimate interests\u2026within the meaning of Article 6(1)(f)\u2019. These preferences are then translated into a combination of symbols \u2013 the Transparency and Consent String (TC String) \u2013 \u2018which is shared with personal data brokers and advertising platforms\u2026so that they know to what the user has consented or objected\u2019. A cookie is also placed \u2018on the user\u2019s device. When they are combined, the TC String and the\u2026cookie can be linked to that user\u2019s IP address\u2019. Following a number of complaints about the TCF, the Belgian DPA initiated the cooperation and consistency procedure and, eventually, passed down the decision that IAB Europe is a data controller \u2018as regards the recording of the consent signal, objections and preferences of individual users by means of a TC String, which\u2026is associated with an identifiable user\u2019 and \u2018ordered IAB Europe\u2026to bring into conformity with the provisions of the GDPR the processing of personal data\u2026and imposed on it\u2026corrective measures as well as an administrative fine\u2019. 
IAB Europe appealed this decision before the referring national court, which posed the following questions to the CJEU:<\/p>\n<p style=\"line-height: 18px; word-break: break-word;\">1. Does Article 4(1) mean that a string of symbols, such as the TC String, containing a user\u2019s preferences, constitutes personal data, \u2018where a sectoral organisation has established the framework of rules\u2019 for the generation, storage, and dissemination of the string, \u2018and the members of such an organisation have implemented such rules and thus have access to that string\u2019? And, in relation to the above, is it important \u2018for that string to be associated with an identifier, such as, inter alia, the IP address of that user\u2019s device, allowing the data subject to be identified, and\u2026for such a sectoral organisation to have the right to access\u2026the personal data\u2026processed by its members?<\/p>\n<p style=\"line-height: 18px; word-break: break-word;\">2. Does Article 4(7) mean that a sectoral organisation such as the IAB, in relation to a framework such as the T&amp;C, \u2018must be classified as a \u2018controller\u2019\u2026and whether, for the answer to that question, it is relevant that such a sectoral organisation itself have direct access to the personal data\u2019? And, in relation to the above, does any joint controllership extend \u2018automatically to the subsequent processing of personal data carried out by third parties, such as website or application providers\u2019?<\/p>\n<p style=\"line-height: 18px; word-break: break-word;\">In light of the above, the CJEU decided:<\/p>\n<p style=\"line-height: 18px; word-break: break-word;\">1. 
Article 4(1) means a string of symbols, such as the TC String, containing a user\u2019s preferences, constitutes personal data where \u2018those data may, by reasonable means, be associated with an identifier, such as, inter alia, the IP address of that user\u2019s device\u2019 which allows \u2018the data subject to be identified\u2019. That, without supplemental, external, information, \u2018a sectoral organisation holding that string can neither access the data\u2026processed by its members\u2026nor combine that string with other factors does not preclude that string from constituting personal data\u2019.<\/p>\n<p style=\"line-height: 18px; word-break: break-word;\">2. Articles 4(7) and 26(1) mean a sectoral organisation such as the IAB, in relation to a framework such as the T&amp;C, \u2018must be classified as a \u2018joint controller\u2019\u2026where\u2026it exerts influence over the personal data processing\u2026for its own purposes, and determines\u2026jointly with its members, the purposes and means of such processing\u2019. That \u2018such a sectoral organisation does not\u2026have direct access to the personal data processed by its members\u2026does not preclude it from\u2019 being a joint controller. 
Equally, \u2018the joint controllership of that sectoral organisation does not extend automatically to the subsequent processing of personal data\u2026by third parties\u2019.<\/p>\n<p style=\"line-height: 18px; word-break: break-word;\">This is a complex and fascinating case, and the CJEU offers much to consider regarding the concept of personal data, and the concept of controllership.<\/p>\n<\/div>\n<\/div>\n<p>&nbsp;<\/p>\n<div class=\"txtTinyMce-wrapper\" style=\"font-size: 12px; line-height: 18px; font-family: Arial, Helvetica Neue, Helvetica, sans-serif;\">\n<p style=\"font-size: 14px; line-height: 21px; word-break: break-word; text-align: justify;\"><strong><a style=\"text-decoration: none;\" href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=283444&amp;pageIndex=0&amp;doclang=EN&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=255208\" target=\"_blank\" rel=\"noopener\">&#8211; CJEU: Europol May be Jointly and Severally Liable for Unlawful Data Processing<\/a><span style=\"font-size: 14px; line-height: 21px;\"><a style=\"text-decoration: none;\" href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=280623&amp;pageIndex=0&amp;doclang=EN&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=6864747\" target=\"_blank\" rel=\"noopener\">&#8211;<\/a><\/span><\/strong><\/p>\n<p style=\"line-height: 18px; word-break: break-word;\"><a style=\"text-decoration: underline;\" href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=283444&amp;pageIndex=0&amp;doclang=EN&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=255208\" target=\"_blank\" rel=\"noopener\">On 5th March, the CJEU ruled that, in the framework of cooperation between Europol and the law enforcement authorities of a Member State, Europol may be jointly and severally liable for unlawful personal data processing, i.e. processing contrary to the Europol Regulation. 
The case in which the decision was passed down was: Mari\u00e1n Ko\u010dner v European Union Agency for Law Enforcement Cooperation (Europol).<\/a> As to the facts of the case, Europol assisted the Republic of Slovakia in examining materials related to the investigation of the murder of the journalist Ko\u010dner, such as data from the mobile phone and USB stick of the applicant in the main proceedings. Data related to the investigation was allegedly illegally disclosed and the applicant in the main proceedings sought compensation from Europol for the illegal disclosure (including materials of an intimate nature between the applicant and his girlfriend). The General Court rejected the applicant\u2019s claim on the grounds that \u2018the appellant had not adduced \u2018evidence of a causal link established to a sufficient degree\u2019 between the damage alleged and any conduct on the part of Europol\u2019 and \u2018although it is true that recital 57 of Regulation 2016\/794 states, in essence, that Europol and the Member State in which the damage arising from unlawful data processing carried out by that agency or by that Member State occurred are jointly and severally liable for that damage, it must nevertheless be held that that joint and several liability mechanism is neither expressed by or based on the provisions of that regulation.\u2019 The applicant appealed the decision of the General Court, which was referred to the Grand Chamber. The Grand Chamber rejected that part of the General Court\u2019s decision. 
It examined the Europol Regulation and concluded that its Article 50, read together with Article 49(3) and recitals 56-57, \u2018lays down rules rendering Europol and the Member State in which the damage resulting from unlawful data processing occurred jointly and severally liable in the context of cooperation between them under that regulation.\u2019 It also referred to Article 82(4) GDPR on joint and several liability as an established concept under EU data protection law. Then, the Grand Chamber examined the conditions which need to be fulfilled for Europol to incur liability under Article 50(1) Europol Regulation. First, it established that Article 50(1) Europol Regulation \u2018relieves the individual concerned of the burden of establishing the identity of the entity whose conduct gave rise to the alleged damage and, second, provides that, after that individual has been compensated, the \u2018ultimate responsibility\u2019 for that damage must, where appropriate, be definitively settled in proceedings involving only Europol and the Member State concerned before the Management Board of Europol.\u2019 According to the Court, it suffices that an \u2018individual show that, in the course of cooperation between Europol and the Member State concerned under that regulation, unlawful data processing which caused him or her to suffer damage has been carried out, without there being any need for him or her to establish additionally to which of those two entities that unlawful processing is attributable.\u2019 The Court recalled that it is up to the defendant entity to prove that the damage did not arise in the course of cooperation between Europol and a Member State \u2013 e.g. that the damage occurred prior to the cooperation. 
Editorial note: The applicant also appealed other parts of the General Court\u2019s decision, but these were rejected by the Grand Chamber.<\/p>\n<\/div>\n<p>&nbsp;<\/p>\n<div class=\"txtTinyMce-wrapper\" style=\"font-size: 12px; line-height: 18px; font-family: Arial, Helvetica Neue, Helvetica, sans-serif;\">\n<p style=\"font-size: 14px; line-height: 21px; word-break: break-word; text-align: justify;\"><strong><a style=\"text-decoration: none;\" href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=283530&amp;pageIndex=0&amp;doclang=EN&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=260422\" target=\"_blank\" rel=\"noopener\"><span style=\"font-size: 14px; line-height: 21px;\"><span style=\"line-height: 18px;\">&#8211; CJEU: Oral Disclosure of Personal Data May be Subject to the GDPR<\/span><\/span>\u00a0<span style=\"font-size: 14px; line-height: 21px;\"><span style=\"line-height: 18px;\">&#8211; <\/span><\/span><\/a><\/strong><\/p>\n<p style=\"text-align: justify; line-height: 18px; word-break: break-word;\"><a style=\"text-decoration: underline;\" href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=283530&amp;pageIndex=0&amp;doclang=EN&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=260422\" target=\"_blank\" rel=\"noopener\">On 7th March, the CJEU ruled, in Endemol Shine Finland Oy, that oral disclosure of personal data may fall under the GDPR \u2013 e.g. 
where the data form part of a filing system.<\/a> As to the facts of the case, \u2018Endemol Shine Finland, the appellant in the main proceedings, made an oral request to the Etel\u00e4-Savon k\u00e4r\u00e4j\u00e4oikeus (District Court, South Savo, Finland) for information on possible ongoing or completed criminal proceedings concerning a natural person involved in a competition organised by that company for the purpose of clarifying the criminal record of that person.\u2019 The Finnish courts are uncertain whether the oral disclosure of such personal data may fall under the material scope of the GDPR. The CJEU ruled that oral disclosure constitutes \u2018processing of personal data\u2019. As to whether the oral disclosure in question falls within the material scope of the GDPR, the CJEU ruled that \u2018(s)ince the oral disclosure of personal data constitutes, as such, processing other than by automated means, the data that are the subject of that processing must therefore \u2018form part\u2019 or be \u2018intended to form part of\u2019 a \u2018filing system\u2019 in order for that processing to come within the material scope of the GDPR.\u2019 According to the CJEU, \u2018(i)n the present case, it is clear from the request for a preliminary ruling that the data requested by the appellant in the main proceedings are contained in \u2018a court\u2019s register of persons\u2019. It thus appears that those data are contained in a filing system within the meaning of Article 4(6) of the GDPR, which it is, however, for the referring court to verify, it being immaterial whether those data are contained in electronic databases or in physical files or registers.\u2019 Finally, the Court logically ruled that the (oral) disclosure of personal data related to criminal convictions has to comply with the other provisions of the GDPR. 
Referring especially to Articles 6(1)(e) and 10 GDPR, the Court ruled that the GDPR \u2018must be interpreted as precluding data relating to criminal convictions of a natural person contained in a court\u2019s filing system from being disclosed orally to any person for the purpose of ensuring public access to official documents, without the person requesting the disclosure of those data having to establish a specific interest in obtaining those data, it being irrelevant in that regard whether that person is a commercial company or a private individual.\u2019<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>&#8211; CJEU: Court on Personal Data and Controllership in Online Advertising\u00a0&#8211; On 7th March, the [&hellip;]<\/p>\n","protected":false},"author":144,"featured_media":71110,"menu_order":0,"comment_status":"open","ping_status":"closed","template":"","dpi-category":[],"dpi-tag":[],"class_list":["post-72476","dpi","type-dpi","status-publish","has-post-thumbnail","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72476","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi"}],"about":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/types\/dpi"}],"author":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/users\/144"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/comments?post=72476"}],"version-history":[{"count":1,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72476\/revisions"}],"predecessor-version":[{"id":72493,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72476\/revisions\/72493"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/media\/71110"}],"wp:attachment":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/media?parent=72476"}],"wp:term":[{"taxonomy":"dpi-category","embeddable":true,"href":
"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-category?post=72476"},{"taxonomy":"dpi-tag","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-tag?post=72476"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}