-CJEU: Disclosure of Identifiable Information Constitutes Processing of Personal Data and Should not be made Impossible-
On 3 April, the CJEU ruled in L.H. v Ministerstvo zdravotnictví that the disclosure of the names, signature and contact details of natural persons acting on behalf of a legal person constitutes the processing of personal data and that a requirement in national law which allows the disclosure of the said data only after informing and consulting the concerned natural persons is compatible with the GDPR only if it does not make the disclosure impossible. As to the facts of the case, the applicant in the main proceedings, L.H., requested the Czech Health Ministry to disclose the names, signatures and contact details of the individuals ‘who had signed contracts for the purchase of COVID-19 screening tests concluded by that ministry, as well as certificates relating to those tests and demonstrating that they may be used on the territory of the European Union’. The Ministry provided L.H. with the certificates, but redacted the information on the names, signatures, position held, and, on some occasions, also the contact details of the said individuals. The Ministry justified its decision by citing compliance with the GDPR and the protection of the personal data of these individuals, referring to the provisions in national law under which the disclosure of the data in dispute presupposes informing the concerned individuals. The two questions referred to the CJEU seek to clarify (1) whether the disclosure of the data in question constitutes the processing of personal data and (2) whether the Czech legislation regulating the disclosure is compatible with the GDPR. The CJEU first ruled that Article 4 (1) and (2) GDPR ‘must be interpreted as meaning that the disclosure of the first name, surname, signature and contact details of a natural person representing a legal person constitutes processing of personal data.
The fact that that disclosure is made for the sole purpose of enabling the identification of the natural person authorised to act on behalf of that legal person is irrelevant in that regard’. As to the second question, the CJEU examined the provisions of Article 6 GDPR on the legal conditions for the processing of personal data and the margin of appreciation left for the Member States in that regard, including the conditions in Article 86 GDPR on reconciling data protection with public access to documents containing personal data. The Court concluded that ‘Article 6(1)(c) and (e) of the GDPR, read in conjunction with Article 86 of that regulation, must be interpreted as not precluding national case-law which requires a controller, being a public authority responsible for reconciling public access to official documents with the right to the protection of personal data, to inform and consult the natural person concerned prior to the disclosure of official documents containing such data, provided that such an obligation is not impossible to implement and that it does not require disproportionate effort and, therefore, it does not result in a disproportionate restriction on public access to those documents’.
-ECtHR: Slovakia Offers Insufficient Guarantees for Searches of Data on Lawyer’s Computer-
On 3 April, the ECtHR declared that the Slovak legal framework and practice on seizing and searching a lawyer’s computer do not offer sufficient guarantees against abuse in breach of Article 8 ECHR, in Kulak v Slovakia. As to the facts of the case, Mr Kulak is a practising lawyer. He represented, amongst others, the defendant in the criminal case Vodari. This was one of the many cases subject to investigation by the National Crime Agency on suspicions of bribery within and outside the judiciary. One of the first-instance judges in the Vodari case, acting as a cooperating witness, had disclosed in the framework of the investigations that Mr Kulak had drafted the first instance judgment and that the draft had been endorsed by one of the accused judges. In October 2020, the prosecutor ‘issued a warrant for the securing and surrendering of computer data… referring to all telecommunications devices, information technology devices and other data carriers used by the applicant. The warrant concerned all computer data, applications, text documents and audiovisual recordings stored in the memory of those devices which contained, even separately, keywords linked to the Vodári case’. Mr Kulak complained to the ECtHR that the searches of his legal office and the seizure of his computer violated his right to legal professional privilege as protected by Article 8 ECHR. The ECtHR first confirmed that the searches and seizures constitute an interference with the applicant’s right to confidential communication with his clients. Second, it found that the contested interference had a basis in domestic law. Third, it acknowledged that the search and seizures were accompanied by certain safeguards: ‘It was carried out by five law-enforcement officers, including a forensic technician, in the presence of an independent observer, an electronics expert… and a representative of the Slovak Bar Association…. 
The applicant and his legal representative were also present throughout the entire search. Furthermore, it appears from the documents in the Court’s possession that the prosecutor was informed of the search by the law-enforcement officers by telephone’. However, the Court noted that at the material time Slovak law did not provide ‘immediate ex post factum judicial review of the lawfulness of, and justification for, searches of non-residential premises, such as law firms’. In addition, the Court observed that Mr Kulak’s entire computer was seized, containing materials not related to the Vodari case, and the presence of a member of the Slovakian bar was purely formal. Thus, the law enforcement authorities went beyond the warrant as issued by the prosecutor, resulting in errors in the work of the experts which could not be corrected and, as the Court noted, ‘there is no information to warrant the conclusion that only relevant information was accessed on the applicant’s computer’. Finally, the Court noted that the computer was returned to Mr Kulak only 15 months later, which undoubtedly impacted his work. Thus, the ECtHR found a violation of Article 8 ECHR because the contested measures were ‘not in accordance with the law’.
-ECtHR Rules on the Transfer of Data from a Criminal Investigation to a Competition Authority-
On 1st April, the ECtHR ruled in the case of Ships Waste Oil Collector B.V. and Others v. The Netherlands. In terms of the facts, the case concerns Dutch companies, some of which are engaged in the collection of waste liquids from ships, others of which are engaged in construction. Certain data related to these companies was collected in the course of criminal proceedings, through telephone tapping. This data was then transferred, on the authorisation of the investigating judge, to the Dutch competition authority, in order that the data might be used in the context of other investigations – unrelated to the initial criminal investigations – into price-fixing. As a result of these investigations, the companies were fined for violations of the Competitions Act. Following a series of national procedures, the applicants complained to the ECtHR, under Article 8 – breaches of Article 13 were also alleged, although these will not be considered here, and, indeed, do not form a significant part of the present judgment – ‘that the transmission to the… Competition Authority… of intercept data that were irrelevant to the criminal investigation had constituted a violation of their rights…. In addition, they complained that the exploratory interactions between the’ competition authority ‘officials and those involved in the criminal investigations had not been in accordance with the law’. The Chamber initially found, in 2023, that there had been no violation of Article 8 – highlighting the existence of an interference, but recognising this to have fulfilled the criteria constituting a legitimate interference. Later in 2023, on the applicant’s request, the case was then referred to the Grand Chamber – the decision under discussion here. The Grand Chamber also found no violation of Article 8. The Grand Chamber recognised an interference, but considered the interference to be unproblematic. 
The interference was found to be in accordance with the law – which itself was found to be of adequate quality – to undoubtedly pursue a legitimate aim – the aim of ‘protecting the economic well-being of the country’ – and to have been necessary in a democratic society. In this regard, the Court found that the authorisation procedures and the available remedies afforded adequate safeguards to prevent risks of ‘arbitrariness and abuse’ and that national authorities had not acted outside their margin of appreciation and had conducted ‘an adequate balancing exercise under Article 8 of the Convention between the interests of the applicant companies and the authorities’ interests to protect the economic well-being of the country’.
-AG Szpunar: Direct Marketing Should be Regulated Only by the ePrivacy Directive-
On 27th March, AG Szpunar advised the CJEU to rule that the sending of a daily newsletter following subscription to an online service, which allowed users to consent to the sending of the newsletter and to unsubscribe from it, constitutes direct marketing and should be regulated by the ePrivacy Directive, in Inteligo Media SA v Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP). As to the facts of the case, Inteligo Media SA publishes information on the daily legislative changes in Romania. Users can read a certain number of articles for free. They can also subscribe to the website run by Inteligo Media SA in order to have access to further articles and to receive a newsletter. Users may also opt for a paid service which allows them to access all the publications and receive a newsletter. To subscribe, they need to provide their email address and to accept the T&Cs of the service. The Romanian DPA fined Inteligo Media SA for not having obtained the explicit consent of its subscribers as required by Article 5(1)(a) and (b), Article 6(1)(a) and Article 7 GDPR. The dispute before the CJEU concerns whether the newsletter in question constitutes ‘direct marketing’ within the meaning of Article 13 of the ePrivacy Directive and, if so, whether the sender of the newsletter has to comply only with Article 13 of the ePrivacy Directive, or also with the relevant provisions of the GDPR.
First, AG Szpunar suggested that the CJEU should rule that ‘Article 13(2) of Directive 2002/58 must be interpreted as meaning that a user’s email address obtained when he or she creates an online account entitling him or her (i) to free access to a number of articles from the publication concerned, (ii) to receive, by email, a daily newsletter containing a summary of new legislation covered in articles of the publication as well as hyperlinks to those articles and (iii) to access, for a fee, additional and/or more detailed articles and analyses of the publication, is obtained ‘in connection with the sale of a product or a service’. The transmission of the daily newsletter described in (ii) constitutes ‘direct marketing’ for ‘similar products or services’, within the meaning of that provision’. Second, the AG invited the CJEU to rule that ‘Article 13(2) of Directive 2002/58, read in conjunction with Article 95 of the GDPR, must be interpreted as meaning that, where the controller uses a user’s email address in order to send a daily newsletter, in accordance with Article 13(2) of Directive 2002/58, and the processing of personal data has been found lawful on the basis of that provision, Article 6 of the GDPR is not applicable’.
Editorial note: Two more questions were referred for a preliminary ruling, but the AG advised the CJEU to declare them inadmissible. These were: (1) whether national legislation which uses the term ‘commercial communication’ instead of ‘direct marketing’ is compatible with EU law (according to the AG, this is a hypothetical question which is not necessary to resolve the dispute); and (2) what level of detail of explanation Article 83(2) GDPR requires when an administrative fine is imposed on an entity (according to the AG, the GDPR is not applicable in the case – however, if it were applicable, ‘as long as an individual is in a position to understand the grounds of the individual measure adversely affecting him or her, that principle is complied with, without it being necessary to go into detail regarding each of the criteria listed in Article 83(2) of the GDPR’).
-AG’s Opinion on the Possibility to Challenge EDPB Decisions-
European Data Protection Board. In terms of the facts, the case essentially concerned a binding decision by the EDPB – adopted under the consistency mechanism – addressed to the Irish DPA, related to complaints against WhatsApp. WhatsApp then brought ‘an action before the General Court requesting the annulment of the contested decision’. The General Court, however, ‘considered, in essence, that the contested decision did not constitute a challengeable act for the purpose of the first paragraph of Article 263 TFEU and that the appellant was not directly concerned with that decision, within the meaning of the fourth paragraph of Article 263 TFEU’. Accordingly, in the current proceedings, ‘the appellant requests that the Court of Justice set aside the order under appeal, find the action admissible, refer the case back to the General Court to decide on the substance of the matter, and order the EDPB to pay the costs’. The applicant appealed on two grounds. ‘By its first ground of appeal, it claims that the General Court misinterpreted the concepts of challengeable act, as arising from the first paragraph of Article 263 TFEU, and of direct concern, as contained in the fourth paragraph thereof. That error resulted in the misapplication of Article 263 TFEU in the case at hand, leading the General Court to incorrectly qualify the contested decision as not being an act challengeable by the appellant. By its second ground of appeal, the appellant claims that the General Court misinterpreted and incorrectly applied Article 65(1) of the GDPR in relation to the contested decision’. 
The AG structured their analysis in terms of five considerations: (i) the question of whether ‘the underlying action was brought out of time’; (ii) a consideration of whether ‘the General Court confused the conditions for establishing whether the contested decision is a challengeable act with the conditions for finding whether the appellant is directly concerned’; (iii) a consideration of whether ‘the General Court committed an error of law when it considered that the contested decision does not concern the appellant directly’; (iv) a consideration of whether, according to the ‘position of the General Court, the logic of the system of judicial remedies, as designed under the Treaties and interpreted by the Court of Justice, requires that the validity of the contested decision be decided in a direct action before the EU Courts’. Following extensive consideration, the AG came to a series of conclusions: (i) ‘Given that the appellant challenged the contested decision within the applicable time limits from its date of publication on the EDPB’s website…the fact that it may also have been aware of the material content of that decision prior to its mandated publication is irrelevant for the purposes of the admissibility of the present action for annulment’ and accordingly rejected the ‘argument that the action before the General Court was brought out of time’; (ii) ‘By focusing on the fact that the contested decision does not constitute the final decision within the consistency mechanism envisaged by the GDPR instead of assessing whether that decision constitutes the final or definitive decision of the EDPB that produces binding legal effects on the Irish supervisory authority, the General Court erred, in the order under appeal, in its assessment of the conditions under the first paragraph of Article 263 TFEU’; (iii) ‘The General Court erred in applying the conditions for assessing the existence of direct concern under the fourth paragraph of Article 263 TFEU.
First, it based its assessment on non-existing conditions that the challenged act…be directly enforceable towards the applicant in annulment procedures and…not entail implementing measures. Second, the General Court erred in the assessment that the contested decision left discretion to the implementing authority, in this case the Irish supervisory authority. Finally, the General Court erred in concluding that the presence of parts not covered by the contested decision in the Irish supervisory authority’s final decision was relevant for the question of whether the contested decision left no discretion to that authority’; and (iv) ‘The logic of the system of judicial protection established by the Treaties does not require that the action for annulment introduced by the appellant before the General Court is found to be inadmissible’. This is a complex, but important, case, and an accordingly complex Opinion. We cannot do its details justice in this brief summary, and would advise all interested to read the full Opinion. As always, it remains to be seen whether, and to what extent, the Court follows the AG’s Opinion.