- CJEU on Data Retention: Cementing Quadrature du Net -
http://curia.europa.eu/juris/document/document.jsf?text=&docid=238381&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=4007541

On 2nd March the CJEU delivered in H. K. v Prokuratuur, another judgement in the row of data retention judgements. This time the preliminary ruling questions came from Estonia. According to the facts of the case, an Estonian national was convicted of crimes, the evidence for which was gathered by means of access to telecommunications data – including location data, contact data, etc – as retained by the relevant telecommunications provider pursuant to Article 15 (1) ePrivacy Directive. The convicted person challenged the admissibility of the evidence, arguing that the access of the law enforcement authorities to the contested data breached several provisions of the Charter of Fundamental Rights of the EU (CJEU), amongst which the fundamental rights to privacy, data protection and fair trial. Two of the three preliminary ruling questions focused on whether the legality of the access by the law enforcement authorities to the telecommunications data depends on the seriousness of the offence and on the amount of data to which access is granted. In its ruling, the CJEU largely confirmed its prior ruling in Quadrature du Net. From the judgement, three noteworthy points stand out. First, the CJEU confirmed that telecommunications data could be revealing, and hence the interference with the fundamental rights to privacy and data protection was significant. For this reason, only in the framework of investigating and prosecuting serious crime would access be proportionate. Second, the CJEU recalled that proportionality does not depend on the period for which access to the data is sought or the amount of data accessed, as even data concerning shorter periods could be quite revealing. Third, the Court noted that the evidence obtained in breach of EU law might have to be excluded in those cases in which the defendant cannot understand and rebut the provided evidence – i.e. where the right to fair trial and the adversarial principle are at stake. We note that the judgement will barely come as a surprise to those following the CJEU’s response to data retention questions.

- CJEU Imposes Financial Penalty on Spain -
http://curia.europa.eu/juris/document/document.jsf?text=&docid=238164&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=4008417

On 25th February, the CJEU ruled in the case of Commission v Spain. In this regard, the Commission had made an application to the Court, claiming the Court should: ‘declare that, by failing to adopt, by 6 May 2018 at the latest, the laws, regulations and administrative provisions necessary to comply with Directive (EU) 2016/680 [the Law Enforcement Directive] or, in any event, by failing to notify those measures to the Commission, the Kingdom of Spain has failed to fulfil its obligations under Article 63(1) of Directive 2016/680…[and therefore that the Court should:] impose a penalty… in the amount of EUR 89 548.20 for each day of delay, as from the date of the judgment of the Court, for failure to fulfil its obligation…[and] impose the payment of a lump sum…on the basis of a daily amount of EUR 21 321.00 multiplied by the number of days which have elapsed between the day following the expiry of the transposition deadline laid down in the directive and the date on which the infringement comes to an end, or, failing compliance, the date of delivery of this judgment, with a minimum lump sum of EUR 5 290 000’. Spain did not dispute that the Directive had failed to be properly transposed. Spain did, however, assert there were ‘very exceptional circumstances [concerning the interim nature of the government in the relevant period]’ which had ‘delayed the activities of the national government and parliament with regard to the adoption of the transposition measures required’. Spain considered that these should be taken into account in the proportionality calculations of the Court. The Court confirmed that Spain had failed to fulfil its obligations. In relation to the daily payment for an ongoing infringement, the Court ordered that: ‘Should the infringement established…persist at the date of delivery of this judgment, orders the Kingdom of Spain to pay the Commission, as from that date and until that Member State has put an end to that infringement, a daily penalty payment of EUR 89 000’. In relation to the lump sum, the Court ordered: ‘the Kingdom of Spain to pay the Commission a lump sum in the amount of EUR 15 000 000’. In relation to the lump sum, the Court recognised that the specific facts of a case may indeed be taken into account in calculating the size of the final penalty. In the present case, however, the Court highlighted the seriousness of the infringement: ‘The absence or inadequacy, at national level, of rules guaranteeing the proper functioning of the area of freedom, security and justice within the European Union must be considered particularly serious in the light of its effects on public and private interests within the European Union’. The Court also highlighted that: ‘contrary to the Kingdom of Spain’s submission, special institutional circumstances such as those characterising the present failure cannot be regarded as mitigating circumstances within the meaning of the Court’s case-law’.

- ECtHR Rules on Groups, Hate Speech and Privacy -
https://hudoc.echr.coe.int/eng#%7B%22itemid%22:%5B%22002-13139%22%5D%7D

On 16th February 2021, the ECtHR delivered two judgments in the cases of Behar and Gutman v. Bulgaria and Budinova and Chaprazov v. Bulgaria. In the cases, the applicants alleged that a politician had made statements ‘which constituted harassment of and incitement to discrimination against Jew[s] through passages in two books (in Behar and Gutman) and Roma in Bulgaria in a series of statements made in his television programme, interviews, speeches and a book (in Budinova and Chapzarov).’ The complainants argued that, as representatives of the minorities in question, that they had been impacted by the politician’s statements. The domestic Courts, however, dismissed each of these complaints. The Court recognised the possibility that Article 8 could be triggered in such cases– i.e. that ‘negative public statements about a social group could be seen as affecting the “private life” of individual members of that group’ – but also recognised that: ‘to be seen as capable of impacting on the sense of identity of an ethnic or social group and on the feelings of self-worth and self-confidence of that group’s members to the point of triggering Article 8 applicability, the negative stereotyping of the group had to reach a certain level.’ In this regard, whilst a case-by-case consideration is necessary: ‘the relevant factors for deciding whether Article 8 was applicable included, but were not necessarily limited to: 1. the characteristics of the group (for instance its size, its degree of homogeneity, its particular vulnerability or history of stigmatisation and its position vis-à-vis society as a whole); 2. the precise content of the negative statements regarding the group (in particular, the degree to which they could convey a negative stereotype about the group as a whole, and the specific content of that stereotype); 3. the form and context in which the statements had been made, their reach (which might depend on where and how they had been made), the position and status of their author, and the extent to which they could be considered to have affected a core aspect of the group’s identity and dignity.’ In relation to the cases, the Court recognised that the threshold for triggering Article 8 had been met as both groups could be seen as being in a vulnerable position in Bulgaria, that the statements made were particularly virulent and that the politician who had made the statements had, at the time the complaints were made, been increasingly prominent in Bulgarian public life. The Court further considered that: ‘By refusing to grant the applicants redress in respect of the politician’s discriminatory statements, [national authorities] had [failed] to comply with their positive obligation to respond adequately to discrimination on account of the applicants’ ethnic origin and to secure respect for their “private life”.’ In this regard, the Court considered that : ‘The Bulgarian authorities had not assessed the tenor of the politician’s statements in an adequate manner.’ The Court also highlighted that: ‘sweeping statements attacking or casting in a negative light entire ethnic, religious or other groups deserved no or very limited protection under Article 10, read in the light of Article 17…[and the] fact that the author of those statements was a politician or had spoken in their capacity as a member of parliament did not alter that.’ The cases are particularly worthwhile reading for all concerned with the relationship between privacy and ethnicity and the relationship between privacy and groups.

- EDPS Issues an Opinion on the Conclusion of the EU and UK Trade Agreement and the EU and UK Exchange of Classified Information Agreement -
https://edps.europa.eu/system/files/2021-02/2021_02_22_opinion_eu_uk_tca_en.pdf

On 22nd February the EDPS issued an Opinion concerning the conclusion of the EU and UK trade agreement and the EU and UK exchange of classified information agreement. The Opinion focuses, though, only on the Trade and Cooperation Agreement (TCA). While the EDPS welcomes the fact that the TCA commits to the respect of fundamental and human rights and contains data protection safeguards, there are significant deficiencies. First, ‘…the EDPS regrets that the TCA fails to faithfully take over the horizontal “EU provisions on Cross-border data flows and protection of personal data and privacy in the Digital Trade Title of EU trade agreements” endorsed by the European Commission in 2018 …’. Second, and stemming from the prior observation, the TCA does not contain adequate safeguards for the transfer of personal data to the UK to the effect that the EU’s autonomy in protecting personal data would be limited. Third, in the field of law enforcement cooperation the data protection provisions lack safeguards such as distinguishing between the different categories of data subjects or defining serious crime in the framework of PNR. Fourth, the TCA provisions in the framework of the Prüm cooperation are at present not accompanied by adequate safeguards, e.g. on the core data protection principles. Fifth, the EDPS emphasizes that the TCA and the data protection provisions therein do not constitute a legal basis for the transfer of data to the UK. Finally, the EDPS notes that the TCA is based on the presumption that the Commission will adopt adequacy decisions for the transfer of personal data under the GDPR and the LED. Since this is not guaranteed at the moment, the TCA should prepare for other scenarios, too.

- AEPD Issues Largest Spanish Fine -
https://edpb.europa.eu/news/national-news/2021/spanish-data-protection-authority-aepd-imposes-fine-6000000-eur-caixabank-sa_de

The AEPD – the Spanish Data Protection Authority – has issued a 6.000.000 EUR fine to CAIXABANK. According to the EDPB, the fine was issued: ‘for unlawfully processing clients’ personal data (4.000.000 EUR) and not providing sufficient information regarding the processing of personal data (2.000.000 EUR).’ In terms of unlawful processing of personal data, the AEPD considered there to be issues in relation to both consent and legitimate processing – these included, as reported by the EDPB, failures to ‘provide…any mechanism to collect the data subject’s consent; that the data subject’s consent did not meet with all the elements of valid consent, and that the processing activities based on the company’s legitimate interest were not sufficiently justified’ – and thus that there had been a violation of Article 6 GDPR. In terms of insufficient information provision, the AEPD considered that CAIXABANK had failed to provide data subjects with numerous types of information required under Articles 13 and 14 of the GDPR – including, as reported by the EDPB, information about the categories of data processed, the purposes of processing and the legal basis of processing – and had thus violated the requirements set out in these Articles. This is, to our knowledge, the largest financial sanction issued to date by the AEPD. Notably, however, the sanction, large as it is, still falls far short of the higher level fines issued in other jurisdictions – for example the 50.000.000 million EUR fine issued to Google by the CNIL.

- France to Undo CJEU’s Data Retention Rulings? -
https://www.politico.eu/article/france-data-retention-bypass-eu-top-court/

On 3rd March Politico reported that the French government is essentially trying to convince its highest Court – the Council of State – to disapply the CJEU’s rulings in Quadrature du Net and Privacy International – in which the CJEU basically outlined a high threshold for the retention and access of telecommunications data for law enforcement and national security purposes. The preliminary ruling given by the CJEU in Quadrature du Net needs to be now applied by the French courts although no date for the hearing appears to have been set. As Politico reports, the French government intends to evoke a special clause – ‘constitutional identity’ – in order to have the Council of State disapply the CJEU ruling. The rarely used concept of ‘constitutional identity’ was introduced in 2006 and can be evoked in order to disapply EU law. One of the arguments which the French government seeks to put forward is that EU law should not interfere with national security matters. Politico also notes that despite CJEU rulings which challenge the existing EU data retention laws and practices, France still has not modified its regime. Finally, we agree with the caution expressed in the article that should France disapply the ruling, this would set a worrying precedent for other Member States, especially those who suffer from rule-of-law deficits.

Recommend this newsletter. If you were forwarded this email, subscribe here https://dev.lexxion.eu/en/newsletter/

Lexxion Verlagsgesellschaft mbH
Güntzelstr. 63
10717 Berlin
Deutschland

+49-(0)30-814506-0

https://dev.lexxion.eu

We sincerely apologize if you find this email an intrusion of your privacy or a source of inconvenience to you. If you would like to unsubscribe from the newsletter service, please click here:

Terms https://dev.lexxion.eu/en/terms-conditions/ | Privacy https://dev.lexxion.eu/en/data-protection/