
-CJEU General Court: EDPB May Order a National DPA to Broaden the Scope of Investigations and Issue a New Decision-
On 29th January, the General Court dismissed the action submitted by the Irish DPC against the EDPB in which the Irish DPC sought the annulment of the EDPB’s decision that the Irish DPC should broaden the scope of its investigations against Meta Platforms Ireland Ltd in Data Protection Commission v European Data Protection Board. As to the facts of the case, the Irish DPC was the lead supervisory authority for complaints submitted by NOYB against Meta. However, a dispute arose between the Irish DPC and the other concerned DPAs, which resulted in three Binding Decisions issued by the EDPB. As a result of these three Binding Decisions, the Irish DPC was ordered, amongst other things, (1) to examine aspects of the complaints which it had previously not investigated, and (2) to issue a new decision. The Irish DPC claimed that the EDPB exceeded its competence with these two orders and sought the annulment of these decisions. The General Court (‘GC’) dismissed the action brought by the Irish DPC and thus upheld the contested EDPB Binding Decisions in their entirety. The GC motivated its judgment as follows. First, it argued that the EDPB had not exceeded its competence when issuing the contested decisions. It reached this conclusion after performing a detailed literal, contextual and purposive analysis of Article 65(1)(a) GDPR in conjunction with Article 4(24) GDPR. Second, the GC argued that the principles of conferral of powers on EU bodies are not contrary to the power of the EDPB to issue decisions in which they order the broadening of the scope of investigations by national DPAs and order them to issue a new decision.
Amongst the arguments brought up by the GC was that the EDPB’s power ‘is exercised only in the event of a clearly identified shortcoming in the analysis undertaken by the lead supervisory authority in its handling of the case which may have significant consequences, as is apparent from the definition of a relevant and reasoned objection set out in Article 4(24) of Regulation 2016/679, and, second, that that power results from the collective assessment of the supervisory authorities comprising the EDPB’.
-ECtHR: Russia’s Security Services’ Collection of Social Media Data of Users Promoting LGBTI Content is Illegal-
On 4th February, the ECtHR held that the Russian Security Services had illegally collected the social media data of users who promote LGBTI rights in Klimova and Others v Russia. As to the facts of the case, one of the applicants (Tsvetkova) administered a page on a Russian social media platform (VK) which promoted LGBTI rights. The Russian Security Services opened an administrative offence investigation against her for distributing materials related to LGBTI rights targeting minors. In the framework of that investigation, they requested VK to disclose Ms Tsvetkova’s user data related to her account and the related data of the users of the VK community which she administered. Ms Tsvetkova claimed that the disclosure violated her Article 8 ECHR rights and those of her community. The Court first ruled that the contested data processing constituted an interference with the applicant’s Article 8 rights. It established that the collection included ‘IP addresses…and user details…such as telephone numbers, email addresses, family names, first names and passwords’, ‘information about which online communities had been created and administered by the applicant; what communities she belonged to, including private ones; and any content published on her account wall’, and ‘data related to the VK community administered by her, including user details of those who created and administered that VK community, its membership list with the user details of each member, and all the content published, specifying the time, IP address, and user ID associated with each publication’. The Court held that this allowed the identification of the applicant and linked it to her online activity and thus revealed information about her political beliefs, etc, which include sensitive data. Hence the Court also highlighted the severity of the interference. Then the Court ruled that the contested measure had a legal basis.
It held, however, that domestic law offered no adequate safeguards against abuse. It pointed out that the collection of the data was not based on a judicial authorisation and domestic law did not offer the possibility to contest the collection. Furthermore, the Court established that the measure pursued no legitimate purpose, recalling that ‘the Court has previously found that the legal provisions prohibiting the promotion of homosexuality among minors do not serve to advance the legitimate aim of the protection of morals, and that such measures are likely to be counterproductive in achieving the legitimate aims of the protection of health and the protection of rights of others’. As to the necessity for the interference, the Court took account of the collection of sensitive data, the fact that the data collection related to the user’s exercise of her right to freedom of expression, and the fact that she did not promote morally inappropriate behaviour amongst minors. The Court noted that she was accused of merely publishing ‘information on LGBTI rights, such as, among other things, information about a project to monitor LGBTI discrimination, a guide for teachers on how to deal with such discrimination and a video by a psychologist explaining how to help LGBTI teenagers in trouble’. Thus, the Court concluded that the interference was not accompanied by sufficient safeguards and was not ‘necessary in a democratic society’. Editor’s note: The above summary does not include certain other complaints dealt with in the case.
-ECtHR: Russia Did Not Prevent the Dissemination of Homosexuals’ Data-
On 4th February, the ECtHR held that the Russian State had violated Article 8 ECHR by not preventing the dissemination of data of homosexual people, including their identity, in Bazhenov and Others v Russia. As to the facts of the case, the first set of applicants are homosexual people who owned a business in Russia and published on their business website a message that they respect their customers ‘regardless of their sex, gender identity or sexual orientation’. A homophobic internet community reposted the said post, adding to it the names of the applicants, the photograph of one of them and the addresses of some of their shops. The third applicant is a homosexual and a lawyer who often represents clients who identify as victims of homophobic behaviour. His names and address were published by a homophobic group online. The applicants claimed that they were being discriminated against on the basis of their sexual orientation (Article 14 ECHR) and that their rights under Article 8 ECHR were infringed by the non-consensual dissemination of their data. The ECtHR decided to examine the case on the basis of Article 14 ECHR in conjunction with Article 8 ECHR. It first established that the data publication concerned the positive obligations of the Russian State under Articles 14 and 8 ECHR. It noted that the criminal complaints which the applicants had submitted to the domestic authorities had been initially rejected and started effectively after the inactivity of the authorities had been challenged. Then, once the investigations started, they were not sufficiently detailed and effective. Thus, it ruled that the applicants’ rights under Articles 14 and 8 ECHR had been violated because the Russian State had not discharged its positive obligations to prosecute the data dissemination and look into the Article 14 ECHR aspects of the data dissemination.
-ECtHR Rules on Tax Investigations concerning Legal Persons-
On the 6th of February 2025, the ECtHR handed down its decision in the case of Italgomme Pneumatici S.r.l. and Others v. Italy. In terms of the facts, the case concerns the collection of documents and other materials from a set of legal persons, and one natural person, by the Italian authorities, connected with a tax investigation. The plaintiffs complained to the Court regarding ‘the excessively broad scope of the discretion conferred on the domestic authorities by the national legislation and of the lack of sufficient procedural safeguards capable of protecting them against any abuse or arbitrariness, and in particular that there had been no ex ante and/or ex post judicial or independent review of the contested measures’. The applicants thus claimed their Article 8, in conjunction with Article 13, rights had been violated. The Court found a violation. The Court found that the national legislation in question was inadequate as it lacked the relevant safeguards to ensure the protection of the plaintiffs’ rights – thereby violating the quality of law requirement. The Court highlighted, for example, the authorities’ excessively broad discretion regarding the justification and scope of the measures, as well as the lack of effective ex post review. The Court’s deliberations regarding adequate procedural safeguards concerning data collection and retention by national authorities are always interesting in and of themselves. Perhaps the more interesting aspect of this case, however, and the reason we choose to include it in this issue, is the fact that the plaintiffs are, for the most part, legal persons. In this regard, this case reminds us that Article 8 remains relevant for legal persons regarding the collection and processing of information, in a way that EU data protection law does not.
-AG Opinion on Platforms Hosting Advertisements-
On the 6th of February, the AG delivered their Opinion in the case of X v Russmedia Digital SRL, Inform Media Press SRL. In terms of the facts, the case essentially concerns an individual, about whom an advertisement was posted on an online platform which hosts advertisements, by a third party, including content of a sexual nature. This advertisement was posted without the individual’s permission and was then replicated on other websites. Following a series of procedures in front of the national courts, a series of four questions were referred to the CJEU. The AG bundled these into two sets of considerations. The first concerned ‘whether Article 14(1) of Directive 2000/31 must be interpreted as meaning that the provider of an information society service that makes available to users an online marketplace on which free or paid advertisements can also be considered eligible for the exemption from liability provided for in that legal provision where that provider indicates, in the general terms and conditions of use of its online marketplace’ that it retains certain rights related to the use of the information posted. The second set of considerations then concerned ‘whether Article 5(1)(b) and (f), Article 6(1)(a) and Articles 7, 24 and 25 of the GDPR must be interpreted as meaning that a provider of information society services with an activity consisting in hosting advertisements, whether free or paid, on a website at the request of its users is required to verify in advance the identity of the advertiser…and the content of the advertisements published…and to implement security measures to prevent or limit the copying or redistribution of the content of advertisements containing personal data’.
In relation to the first set of considerations, the AG decided: that the provider of such a platform service ‘may also be considered eligible for the exemption from liability…where that provider indicates, in the general terms and conditions of use of its online marketplace, that, while it does not claim any right of ownership’ of the information posted, it still retains certain rights over their further dissemination, ‘provided that that service provider does not take any action that would cause it to cease to be classified as a neutral hosting provider’. In relation to the second set of considerations, the AG decided: ‘that the provider of an information society service with activity consisting in hosting advertisements, whether free or paid, on a website at the request of its users acts as processor in respect of the personal data contained in the advertisements posted on its online marketplace. In that context, it is not required to verify the content of the advertisements posted or to implement security measures to prevent or limit the copying and redistribution of the content of the advertisements published by means of its services. However, it must implement appropriate organisational and technical measures to ensure the security of processing vis-à-vis third parties. On the other hand, such a service provider acts as a data controller with regard to the personal data of user advertisers registered on its website. In that context, it is required to verify the identity of those user advertisers’. As always, it remains to be seen whether, and to which degree, the Court will follow the reasoning of the AG. 
Nevertheless, the Opinion is well worth reading in full for a number of reasons, including: for its consideration of the allocation of the concepts of data controller and data processor in relation to online platforms hosting advertisements; as well as for its extensive consideration of the relationship between the GDPR and Directive 2000/31/EC – the e-commerce Directive.