– The CJEU Repeats that Indiscriminate and General Data Retention is Contrary to EU Law –
On 20th September, the CJEU rendered another judgment on the indiscriminate and general retention of traffic and location electronic telecommunications data, including IP addresses, under the e-Privacy Directive, this time in relation to the German legal framework. When examining the German system, the Court first confirmed its existing case law on the retention of telecommunication data. On the basis of this case law, it ruled that the German system is not compatible with the e-Privacy Directive, as read in light of the CFREU, for the following reasons. First, the Court established that the German regime did not ensure that the data retention is targeted. Second, with regard to the retention period, the Court noted that despite the fact that the data were stored for up to between four and ten weeks only, the richness of the data is ‘liable to provide information regarding the communications made by a user of a means of electronic communication or regarding the location of the terminal equipment which he or she uses, [and] is in any event [a] serious [infringement] regardless of the length of the retention period and the quantity or nature of the data retained, when that set of data is liable to allow precise conclusions to be drawn concerning the private life of the person or persons concerned’. Third, as to the safeguards in relation to the interferences with the fundamental rights of the concerned individuals stemming from the retention and access to the retained data, the Court noted that the rules on access to the data cannot be a safeguard for the indiscriminate retention of the data – it added that if the retention is illegal, then access to the retained data also cannot be considered legitimate. Fourth, the Court repeated that serious crime may not be treated in the same way as national security, i.e. the margin of appreciation of the Member States is smaller. Finally, as concerns ‘targeted retention, expedited retention or retention of IP addresses’, the Court noted that, for the purposes of fighting serious crime and terrorism, Member States may exceptionally provide for more general and indiscriminate data retention, provided that adequate safeguards exist.
– CJEU Rules on Data Retention in France –
On 20th September, the CJEU ruled in Joined Cases VD and SR. In terms of the facts of the cases, the cases essentially revolved around the legitimacy of legislation requiring telecommunications providers to engage in general data retention schemes to allow authorities responsible for market abuse to be able to effectively investigate and prosecute those involved. In this regard, the referring Court posed the following questions to the CJEU:
- ‘Do Article 12(2)(a) and (d) of Directive [2003/6] and Article 23(2)(g) and (h) of Regulation [No 596/2014], which replaced that directive from 3 July 2016, read in the light of recital 65 of that regulation, not imply that, account being taken of the covert nature of the information exchanged and the fact that the potential subjects of investigation are members of the general public, the national legislature must be able to require electronic communications operators to retain connection data on a temporary but general basis in order to enable the administrative authority referred to in Article 11 of [Directive 2003/6] and Article 22 of [Regulation No 596/2014], in the event of the emergence of grounds for suspecting certain persons of being involved in insider dealing or market manipulation, to require the operator to surrender existing records of traffic data in cases where there are reasons to suspect that the records so linked to the subject matter of the investigation may prove relevant to the production of evidence of the actual commission of the breach, to the extent, in particular, that they offer a means of tracing the contacts established by the persons concerned before the suspicions emerged?’
- ‘If the answer … [to the first question] is such as to prompt the Cour de cassation (Court of Cassation) to form the view that the French legislation on the retention of connection data is not consistent with EU law, could the effects of that legislation be temporarily maintained in order to avoid legal uncertainty and to enable data previously collected and retained to be used for one of the objectives of that legislation?’
- ‘May a national court temporarily maintain the effects of legislation enabling the officials of an independent administrative authority responsible for investigating market abuse to obtain access to obtain connection data without prior review by a court or another independent administrative authority?
In response, the CJEU concluded:
- ‘national legislation, such as that at issue in the main proceedings, which requires operators providing electronic communications services, as a preventive measure, in order to combat market abuse offences including insider dealing, to retain generally and indiscriminately the traffic data of all users of means of electronic communication, with no differentiation in that regard or with no provision made for exceptions and without establishing the link required, in accordance with the case-law referred to in the previous paragraph, between the data to be retained and the objective pursued, falls outside of what is strictly necessary and cannot be considered to be justified, in a democratic society, as is required by Article 15(1) of Directive 2002/58, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter (see, to that effect, judgment of 6 October 2020, Privacy International, C‑623/17, EU:C:2020:790, paragraph 81)…[Thus] the answer to the first question…must be interpreted as precluding legislative measures which, as a preventive measure, in order to combat market abuse offences including insider dealing, provide for the general and indiscriminate retention of traffic data for a year from the date on which they were recorded.’
- ‘the answer to the second and third questions…is that EU law must be interpreted as precluding a national court from restricting the temporal effects of a declaration of invalidity which it is required to make, under national law, with respect to provisions of national law which, first, require operators providing electronic communications services to retain generally and indiscriminately traffic data and, second, allow such data to be submitted to the competent financial authority, without prior authorisation from a court or independent administrative authority, owing to the incompatibility of those provisions with Article 15(1) of Directive 2002/58 read in the light of the Charter. The admissibility of evidence obtained pursuant to provisions of national law that are incompatible with EU law is, in accordance with the principle of procedural autonomy of the Member States, a matter for national law, subject to compliance, inter alia, with the principles of equivalence and effectiveness.’
The ruling seems to align with the CJEU’s prior case law. Nevertheless, we recall that this is yet another in a long line of data retention cases and we see no reason that this case should represent the last word on the matter, or that the ruling should forestall further complaints and decisions.
– AG Advises CJEU that the GDPR May Be Considered by Competition Authorities in Competition Disputes –
On 20th September, AG Rantos issued his Opinion on a dispute between Meta (previously Facebook) and the German Federal Cartel Office. As to the facts of the case, the Office prohibited Meta from combining the personal data it collects on different users across all its platforms, including Facebook, Instagram and WhatsApp, arguing that this constitutes ‘an abuse of the company’s dominant position in the social media market for private users in Germany.’ Meta decided to challenge the decision in German courts. The central question referred to the CJEU is whether a national competition authority may examine the compliance of an entity with the GDPR provisions when investigating a competition matter, while at the same time the Lead Supervisory Authority (LSA) in another Member State under the GDPR is investigating the data protection questions. Additional questions, which concern the interpretation of several GDPR provisions – related especially to the legality of the processing of personal data – we will not touch upon for space reasons. As to the question on the role and powers of a competition authority in data protection matters and its relationship with the data protection authorities, AG Rantos advised the Court that ‘a competition authority, within the framework of its powers under the competition rules, may examine, as an incidental question, the compliance of the practices under investigation with the GDPR rules, while taking account of any decision or investigation of the competent supervisory authority on the basis of the GDPR, informing and, where appropriate, consulting the national supervisory authority.’ In this regard, the AG suggests that, if there is already a decision by the LSA, it has to be followed, whereas in the absence of such a decision, the competition authority should at least inform and cooperate with the DPAs in its own country and with the LSA. We note that if the Court follows this advice, this might lead to more pressure on LSAs to adopt decisions and might thus help address the repeated complaints that DPAs do not act quickly enough.
– AG Rules on Employee Data Protection and Article 88 –
On 22nd September, AG Campos Sánchez-Bordona delivered an Opinion in the case of Hauptpersonalrat der Lehrerinnen und Lehrer beim Hessischen Kultusministerium. The case concerns a ‘dispute as to whether the introduction of live streaming lessons by means of video conferencing systems…requires…the consent of the respective teachers, or whether, on the other hand, the data processing which takes place in that context is covered by the first sentence of Paragraph 23(1) of the HDSIG [as relevant local law]’. The referring court is unclear as to whether this law can be regarded as ‘a ‘more specific rule’ in respect of the processing of employees’ personal data within the meaning of Article 88 of the GDPR…[as] it merely cites ‘necessity’ as the legal basis for the processing of the data of employees and civil servants; [and] any processing of employees’ data that goes beyond what is merely necessary for the purposes of the employment contract must be carried out after a balancing of interests that goes beyond mere ‘necessity’, which national law does not provide for.’ In this regard, the referring court posed the following two questions to the CJEU:
- ‘Is Article 88(1) of [the GDPR] to be interpreted as meaning that, in order to be a more specific rule for ensuring the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context within the meaning of Article 88(1) of [the GDPR], a provision must meet the requirements imposed on such rules by Article 88(2) of [the GDPR]?’
- ‘If a national rule clearly does not meet the requirements under Article 88(2) of [the GDPR], can it nevertheless remain applicable?’
In response the AG concluded:
‘Article 88(1) and (2) of [the GDPR] is to be interpreted as meaning that: ‘A legislative provision adopted by a Member State is a more specific rule for ensuring the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context only if it meets the requirements laid down by Article 88(2) of Regulation 2016/679. If that legislative provision does not meet the requirements laid down by Article 88(2) of Regulation 2016/679, it is applicable, where appropriate, only in so far as it may be based on other provisions of that regulation or on national adaptation provisions, as referred to in Article 6(2) thereof.’
The conclusion seems unsurprising, yet this remains an interesting Opinion and contains discussions which should be of general interest– for example those concerning opening clauses in the GDPR. As always, it remains to be seen whether, and to what degree, the Court will follow the AG’s Opinion.
– EDPB Adopts Documents in September Plenary –
- ‘Opinion 25/2022 regarding the European Privacy Seal (EuroPriSe) certification criteria for the certification of processing operations by processors’.
- ‘Statement 03/2022 on the European Police Cooperation Code’.
- ‘Open letter on EDPB budget proposal for 2023’
The documents are available on the EDPB’s website at the link below.
– EDPS Continues Being Strict with Europol –
On 16th September, the EDPS filed a case with the CJEU challenging the modernised Europol Regulation which recently entered into force. In the application, the EDPS seeks the annulment of two provisions in particular (Articles 74a and 74b), on two related grounds. First, the EDPS challenges the fact that the amendments brought by the Regulation effectively legalise the data processing operations by Europol which include the data of persons who are not involved in any criminal activity. This illegal processing resulted in an EDPS order in January 2022 to promptly delete the illegally processed data (see the Europol Big Data Challenge). Second, the EDPS notes that the contested provisions therefore restrict the independence of the EDPS as a supervisory authority, because the ‘contested provisions establish a worrying precedent with the risk of authorities anticipating possible counter-reactions of the legislator aimed at overriding their supervision activities, depending on political will’, which the EDPS regard as contrary to the CFREU.
On 16th September, Statewatch reported that the EDPS ordered Europol to grant a Dutch activist access to their personal data as processed by the Dutch police and disclosed to Europol. As to the facts of the case, according to Statewatch as referring to the unpublished EDPS order, the Dutch police had labelled the applicant as ‘a Dutch left-wing activist involved “in various social media platforms, protests and initiatives against racism and discrimination,”’ who was placed under surveillance and treated as a ‘potential terrorist suspect.’ When trying to obtain access to his data as processed by the Dutch police, the applicant learned that the data had been disclosed to Europol and decided to seek access to the data as processed by Europol. Since Europol did not grant him access to his data, the applicant filed a complaint with the EDPS. As a result of the investigations, the EDPS first established that Europol had failed to provide a proper assessment before refusing access to the data, contrary to the Europol Regulation. Second, it admonished Europol that it, together with the Dutch police, had considered erasing the data after the access request had been submitted, which could have led to another breach of the applicable data protection framework.