{"id":84233,"date":"2025-11-27T11:58:11","date_gmt":"2025-11-27T10:58:11","guid":{"rendered":"https:\/\/www.lexxion.eu\/?post_type=dpi&#038;p=84233"},"modified":"2026-01-14T11:24:12","modified_gmt":"2026-01-14T10:24:12","slug":"data-protection-inside-issue-144","status":"publish","type":"dpi","link":"https:\/\/www.lexxion.eu\/en\/dpi\/data-protection-inside-issue-144\/","title":{"rendered":"Data Protection Insider, Issue 144"},"content":{"rendered":"<h3><a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/HTML\/?uri=CELEX:62023CJ0654\" target=\"_blank\" rel=\"noopener\"><strong>-CJEU Rules on Personal Data Processing by Online News Platforms-<\/strong><\/a><\/h3>\n<p><a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/HTML\/?uri=CELEX:62023CJ0654\" target=\"_blank\" rel=\"noopener\">On 13th November, the CJEU handed down its verdict in the case of <em>Inteligo Media SA v Autoritatea Na\u0163ional\u0103 de Supraveghere a Prelucr\u0103rii Datelor cu Caracter Personal (ANSPDCP).<\/em><\/a> In terms of the facts, Inteligo is the publisher of an online news service. The company \u2018introduced\u2026a paid subscription system for part of the content provided to its readers. At the time of the facts in the main proceedings, the company allowed a maximum number of six articles per month to be viewed free of charge\u2026. In order to access additional articles, the user concerned, initially, had to create a free account\u2026which meant that that user accepted the contractual terms and conditions for the provision of the\u2019 paid subscription service. \u2018By registering for that service, that user obtained the right to access, free of charge, two additional articles per month, to receive, free of charge, via email, the daily newsletter, entitled \u2018Personal Update\u2019, containing an overview of the previous day\u2019s legislative developments, with hyperlinks to the relevant articles available on that platform, and the right to access, on an optional basis and for a fee, all the articles of the publication and to receive, via email, the full version of that newsletter\u2019. The Romanian DPA (ANSPDCP) then imposed a fine on Inteligo on \u2018for infringement of Article 5(1)(a) and (b), Article 6(1)(a) and Article 7 of the GDPR\u2019 arguing that the \u2018company had not been able to prove that it had obtained express consent from 4 357 users to the processing of their personal data (email address, password, username) and that it had processed those data in a manner incompatible with the purpose for which they had initially been collected. Those data, initially collected for the purpose of performing the contract at issue, had been processed for the purpose of transmitting the \u2018Personal Update\u2019 newsletter\u2019. This led to a series of proceedings before the national courts, and finally, a referral for a preliminary ruling to the CJEU. In this regard, the Court considered, in substance, the following two questions \u2013 more questions were referred but not considered:<\/p>\n<ul>\n<li>Do Articles 13(1) and (2) of Directive 2002\/58 mean \u2018the email address of a user is obtained by the publisher of an online publication \u2018in the context of the sale of a product or a service\u2019, within the meaning of Article 13(2)\u2026where that user creates a free account on that publisher\u2019s online platform giving him or her the right to access, free of charge, a certain number of articles of that publication, to receive, free of charge, via email, a daily newsletter\u2026and that the transmission of such a newsletter constitute\u2026a use of electronic mail \u2018for the purposes of direct marketing\u2019 for \u2018similar products or services\u2019 within the meaning of that provision\u2019.<\/li>\n<li>Does Article 13(2) of Directive 2002\/58, in light of Article 95 of the GDPR, mean \u2018where the controller uses the email address of a user in order to send him or her an unsolicited communication, in accordance with Article 13(2)\u2026the conditions for lawful processing laid down in Article 6(1) of that regulation are applicable\u2019.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p>Considering these questions, the Court concluded:<\/p>\n<ul>\n<li>That Articles 13(1) and (2) of Directive 2002\/58\/EC mean \u2018that the email address of a user is obtained by the publisher of an online publication \u2018in the context of the sale of a product or a service\u2019\u2026where that user creates a free account on that publisher\u2019s online platform giving him or her the right to access, free of charge, a certain number of articles of that publication, to receive, free of charge, via email, a daily newsletter\u2026The transmission of such a newsletter constitutes a use of electronic mail \u2018for the purposes of direct marketing\u2019 for \u2018similar products or services\u2019 within the meaning of that provision\u2019.<\/li>\n<li>Article 13(2) of Directive 2002\/58, in light of Article 95 of the GDPR, means \u2018that, where the controller uses the email address of a user in order to send him or her an unsolicited communication, in accordance with Article 13(2)\u2026the conditions for lawful processing laid down in Article 6(1) of that regulation are not applicable\u2019.<\/li>\n<\/ul>\n<h3><a href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=306389&amp;pageIndex=0&amp;doclang=FR&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=9128474\" target=\"_blank\" rel=\"noopener\"><strong>-CJEU Clarifies the LED Provisions on Processing of Biometric and Genetic Data-<\/strong><\/a><\/h3>\n<p><a href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=306389&amp;pageIndex=0&amp;doclang=FR&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=9128474\" target=\"_blank\" rel=\"noopener\">On 20th November, the CJEU clarified the legality requirements for the collection and further processing of biometric and genetic data in accordance with the LED in <em>JH v Policejn\u00ed prezidium<\/em><\/a>. As to the facts of the case, the applicant in the main proceedings, JH, was a Czech civil servant, against whom investigations into misconduct in public office were initiated and who was subsequently convicted. In the framework of the investigations, the police collected his fingerprint and facial image data, as well as DNA (cheek swab) against his will. The applicant challenged the data collection, storage and the identification procedure. The dispute escalated to the CJEU with three questions concerning the lawfulness of the biometric and genetic processing under the LED. As to the first question, the Court ruled that Articles 8 and 10 LED require that when biometric and genetic data are processed by law enforcement authorities (LEAs), such processing should be based on a generally applicable law, which sets out the minimum conditions for collecting, storing and erasing the said data, as interpreted by Member State case law, where this case law is sufficiently accessible and foreseeable. As to the second question, the Court held that Articles 6 and 4(1)(c) LED, read in conjunction with Article 10 LED, should be interpreted to mean that LEAs are not obliged to always make a distinction between suspected and accused persons (as required by Article 6 LED), where this distinction is not required for the purposes of the data processing. Thus, according to the Court, domestic laws may allow for the collection of biometric and genetic data of any of these persons, as long as the data processing complies with the requirements of Article 4 LED (especially on data minimisation) and 10 LED (on strict necessity of the processing of sensitive data). As to the third question, the Court ruled that Article 4(1)(e) LED does not require Member States to set out in law maximum retention periods for the storage of biometric and genetic data, so long as there are internal rules which require the LEAs to review and justify at set time limits the strict necessity for continuing to store the data.<\/p>\n<p><em>Editorial note: At the time of writing the above summary, the judgment was not available in English. Thus, it is based on the French version of the judgment and the English summary by the Court.<\/em><\/p>\n<h3><a href=\"https:\/\/hudoc.echr.coe.int\/eng#{%22article%22:[%228%22],%22documentcollectionid2%22:[%22GRANDCHAMBER%22,%22CHAMBER%22],%22itemid%22:[%22001-245814%22]}\" target=\"_blank\" rel=\"noopener\"><strong>-ECtHR Rules on Security Services\u2019 Efforts to Recruit Political Figure-<\/strong><\/a><\/h3>\n<p><a href=\"https:\/\/hudoc.echr.coe.int\/eng#{%22article%22:[%228%22],%22documentcollectionid2%22:[%22GRANDCHAMBER%22,%22CHAMBER%22],%22itemid%22:[%22001-245814%22]}\" target=\"_blank\" rel=\"noopener\">On 13th November, the ECtHR ruled in the case of <em>Manukyan v. Armenia<\/em><\/a>. In terms of the facts, the case essentially concerns a political figure \u2013 the applicant \u2013 who was approached to collaborate with the security services. An offer which the applicant refused, following considerable pressure, including threats, from the representative of the security services. The applicant recorded the conversation with the representative of the security services in which they were approached, and, on the back of this, \u2018submitted a crime report to the Prosecutor General along with the audio recording of his conversation\u2019. The Prosecutor General, however, replied that \u2018the actions attributed to the agent\u2026did not contain <em>prima facie<\/em> elements of a criminal offence. Therefore, the applicant\u2019s complaint did not constitute a crime report and was not subject to examination under the relevant Articles of the Code of Criminal Procedure\u2019. Whilst the applicant challenged the decision before the national courts, following a lengthy series of appeals, it was not found necessary that the Prosecutor General recognise the existence, <em>ex ante<\/em>, of a crime, and investigate accordingly. In this regard, the applicant complained to the ECtHR, on the basis of Article 8, \u2018of an unjustified interference with his private and family life and about the lack of an effective investigation into it\u2019 \u2013 including the fact that information about him had been collected and that threats had been made. The Court ruled in favour of the applicant. In this regard, the Court initially recognised that the security services \u2018collected and stored personal information about the applicant and that serious threats against him were made by its agent. Each of the two actions described\u2026amounted to a State interference with the applicant\u2019s private life within the meaning of Article 8\u2019. In this regard, the Court considered that the interference in question was not acceptable in light of the \u2018accordance with the law\u2019 criterion. The Court highlighted that the government \u2018did not demonstrate that domestic law authorised the NSS to collect information on an individual with the aim of attempting to coerce him into cooperation with the secret services. Furthermore, they failed to identify any concrete or even alleged national security concern\u2019. Equally the Court highlighted that the lack of foreseeability and accessibility of classified orders concerning collaboration with the security services, as well as the fact that the coercive measure used by the security services were incompatible with the principle of the rule of law. The Court then went on to rule that the lack of subsequent investigation constituted a \u2018failure of the respondent State to comply with its positive obligations under Article 8\u2019. In this regard, the Court considered that \u2018the prosecutor merely limited himself to a superficial and selective assessment of the audio recording of the conversation in question\u2026In particular, he stated that the applicant\u2019s crime report had not specified which threats had been made, despite the fact that this information had clearly been provided to him in the form of the audio recording. Moreover, he readily accepted\u2019 the security services\u2019 agent\u2019s \u2018assertion during the recorded conversation that cooperation was meant to be voluntary, while overlooking the obvious threats and coercive remarks, which were manifestly incompatible with the notion of voluntary cooperation. Despite the above-mentioned deficiencies, the prosecutor\u2019s decision was upheld\u2019.<\/p>\n<h3><a href=\"https:\/\/ec.europa.eu\/commission\/presscorner\/detail\/en\/ip_25_2718\" target=\"_blank\" rel=\"noopener\"><strong>-European Commission Presents Draft Digital Omnibus, Data Union Strategy and European Business Wallet-<\/strong><\/a><\/h3>\n<p><a href=\"https:\/\/ec.europa.eu\/commission\/presscorner\/detail\/en\/ip_25_2718\" target=\"_blank\" rel=\"noopener\">On 19th November, the European Commission presented a wide range of legislative amendments, policy, and legislative proposals in the sphere of its digital policies<\/a>. These are, more concretely:<\/p>\n<ol>\n<li>\u2018Digital Omnibus\u2019;<\/li>\n<li>\u2018Data Union Strategy\u2019; and<\/li>\n<li>\u2018European Business Wallet\u2019.<\/li>\n<\/ol>\n<p>More specifically, according to the Commission, the <em>Digital Omnibus<\/em> contains <strong>\u2018Innovation-friendly AI rules\u2019, \u2018Simplif(ied) cybersecurity reporting\u2019, \u2018innovation-friendly privacy framework\u2019, \u2018Modernis(ed) cookie rules to improve users&#8217; experience online\u2019, and \u2018Improv(ed) access to data\u2019.<\/strong> As to the <em>Data Union Strategy<\/em>, the Commission claims that it \u2018outlines additional measures to unlock more high-quality data for AI by expanding access, such as data labs\u2019 and \u2018strengthens Europe&#8217;s data sovereignty through a strategic approach to international data policy: anti-leakage toolbox, measures to protect sensitive non-personal data and guidelines to assess fair treatment of EU data abroad\u2019. Regarding the <em>European Business Wallet<\/em>, it is supposed to \u2018provide European companies and public sector bodies with a unified digital tool, enabling them to digitalise operations and interactions that in many cases currently still need to be done in person\u2019. We note, however, similarly to many civil and consumer organisations, that the proposed amendments, especially to the GDPR as resulting from the Digital Omnibus, effectively curtail the existing rights and protections enjoyed by data subjects and should not be seen as purely technical adjustments.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>-CJEU Rules on Personal Data Processing by Online News Platforms- On 13th November, the CJEU [&hellip;]<\/p>\n","protected":false},"author":144,"featured_media":84231,"menu_order":0,"comment_status":"open","ping_status":"closed","template":"","dpi-category":[],"dpi-tag":[],"class_list":["post-84233","dpi","type-dpi","status-publish","has-post-thumbnail","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/84233","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi"}],"about":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/types\/dpi"}],"author":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/users\/144"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/comments?post=84233"}],"version-history":[{"count":2,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/84233\/revisions"}],"predecessor-version":[{"id":84628,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/84233\/revisions\/84628"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/media\/84231"}],"wp:attachment":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/media?parent=84233"}],"wp:term":[{"taxonomy":"dpi-category","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-category?post=84233"},{"taxonomy":"dpi-tag","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-tag?post=84233"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}