– The CJEU: Controllers Should Disclose the Full List of Recipients as a Rule –
On 12th January, the CJEU ruled, in the case of RW v Österreichische Post AG, on whether controllers may restrict the information they provide about recipients, when responding to data subject access requests, to the categories of recipients of personal data. As to the facts of the case, the applicant in the main proceedings had requested Österreichische Post AG to disclose the full list of recipients to which their personal data had been disclosed. The postal service restricted its answer to the categories of recipients, relying on the wording of Article 15(1)(c) GDPR, which provides that the controller shall disclose ‘the recipients or categories of recipient to whom the personal data have been or will be disclosed’. Thus, the question arose whether the controller is actually obliged to disclose the full list of recipients under the right of access in the GDPR. The CJEU largely followed the AG Opinion, which we discussed previously in our newsletter, and gave a broad interpretation of the right of access to one’s data, holding that it includes the disclosure of the full list of recipients as a rule. It presented the following five arguments to support its ruling. First, the clarifying Recital 63 GDPR does not mention that the right of access should be restricted to the categories of recipients. Second, the provisions on the right of access should be read in light of Article 5 GDPR, which contains the principle of transparency. For the latter to be fulfilled, the full list of recipients should be disclosed. Third, it referred to the AG Opinion, pursuant to which the requesting individual should be able to choose whether they are satisfied only with information about the categories of recipients or whether they wish to know the exact identity of these recipients.
Fourth, where the data have already been disclosed to concrete recipients, their identity should be disclosed, so that the concerned data subject may check whether the recipients have a legal basis for the processing of their data and may exercise their rights of rectification, erasure, restriction of processing, to object to processing, and to effective remedies against the controller or processor and compensation. Fifth, the entitlement to the full list of recipients can be derived from the controller’s obligations under Article 19 GDPR to inform the recipients of the data of any erasure, rectification, etc. requests and to inform the data subject of these recipients where the data subject so requests. Finally, the CJEU clarified that the controller may restrict the provision of the full list of recipients where either not all recipients have been determined or identified yet, or where the controller demonstrates that the request is excessive or manifestly ill-founded (Article 12(5) GDPR).
– CJEU Rules on Relationship between Public and Private Remedies –
On 12th January, the CJEU ruled in the case of BE v Nemzeti Adatvédelmi és Információszabadság Hatóság. The case concerned the efforts of BE to obtain copies of certain audio recordings which include responses to questions BE posed at a shareholder meeting. To this end, BE started a number of proceedings before various legal fora – including a complaint to the data protection supervisory authority, an appeal against the negative decision of the supervisory authority before the referring court, and a parallel civil procedure against the controller. Against this background, the referring court posed the following three questions to the CJEU:
1. Does ‘the administrative appeal provided…in Article 77’ of the GDPR ‘constitute…an instrument for the exercise of public rights, whereas the legal action…in Article 79’ of the GDPR ‘an instrument for the exercise of private rights? If so, does…the supervisory authority, which is responsible for hearing and determining administrative appeals’ have ‘priority competence to determine the existence of an infringement?’
2. If ‘the data subject…simultaneously exercises his right to lodge a complaint under Article 77(1)…and his right to bring a legal action under Article 79(1)’ does Article 47 of the Charter mean ‘the supervisory authority and the court have an obligation to examine the existence of an infringement independently’ or ‘that the supervisory authority’s decision takes priority…regard being had to the powers provided for in’ the GDPR?
3. ‘Must the independence of the supervisory authority’ mean the authority, in relation to ‘proceedings under Article 77, is independent of whatever ruling may be given by final judgment by the court having jurisdiction under Article 79’?
In relation to these questions, the CJEU decided: ‘Article 77(1), Article 78(1) and Article 79(1)…read in the light of Article 47 of the Charter…must be interpreted as permitting the remedies’ in the Articles in question ‘to be exercised concurrently with and independently of each other.’ The Court also ruled, however, that: ‘It is for the Member States, in accordance with the principle of procedural autonomy, to lay down detailed rules as regards the relationship between those remedies in order to ensure the effective protection of the rights guaranteed…and the consistent and homogeneous application of…provisions, as well as the right to an effective remedy before a court or tribunal as referred to in Article 47.’ Whilst the issue dealt with in the case may seem of a rather technical nature, we note that it touches on a fascinating and important, yet seldom discussed, issue in data protection law: the relationships between the various legal fora capable of producing decisions concerning data protection law, and between the content of the decisions they may produce.
– Irish DPC Adopts Decisions on Facebook and Instagram –
On 12th January, the EDPB announced that, on the back of ‘the EDPB’s binding dispute resolution decisions of 5 December 2022, the Irish Data Protection Authority (IE DPA) has adopted its decisions regarding Facebook and Instagram (Meta Platforms Ireland Limited, ‘Meta IE’).’ In terms of size, ‘Meta IE was fined €210 million in the Facebook decision and €180 million in the Instagram decision’. The EDPB notes that the ‘decisions are the result of complaint-based inquiries into Facebook’s and Instagram’s activities in particular concerning the lawfulness and transparency of processing for behavioural advertising.’ The EDPB’s decisions of 5th December altered the prior approach adopted by the Irish Data Protection Authority in a number of ways, including, for example: requiring ‘the IE DPA to include in both final decisions a finding of infringement of the principle of fairness’; requiring ‘that the IE DPA must carry out a new investigation’ concerning the processing of ‘sensitive data…by Meta IE’; and requiring that ‘the IE DPA…include, in its final decisions, an order for Meta IE to bring its processing of personal data for behavioural advertising in the context of the Facebook and Instagram services into compliance with Art. 6(1) GDPR within three months’. Significantly, the EDPB’s deliberations and decisions led to increases in the size of the fines – from ‘a maximum of €36 and €23 million for the Facebook and Instagram draft decisions, to €210 million and €180 million in the final decisions respectively’.
– The CNIL Imposes Large Fines on Microsoft and Apple –
On 19th and 29th December 2022, the CNIL fined Microsoft and Apple €60 million and €8 million, respectively. The Microsoft fine concerns the use of cookies on the ‘bing.com’ website, which, according to the CNIL, breaches the French Data Protection Act, because ‘when users visited this site, cookies were deposited on their terminal without their consent, while these cookies were used, among others, for advertising purposes. It also observed that there was no button allowing to refuse the deposit of cookies as easily as accepting it.’ In addition to the monetary fine, the CNIL imposed a compliance order ‘requiring that the company collects, on the website “bing.com”, the consent of individuals residing in France, within three months, before depositing cookies and tracers with advertising purposes on their terminal. Otherwise, the company may pay a penalty of 60,000 euros per day overdue.’ The Apple fine also concerns the lack of valid consent ‘under the old version 14.6 of the operating system of the iPhone’. Thus, ‘when a user visited the App Store, identifiers used for several purposes, including personalization of ads on the App Store, were by default automatically read on the terminal without obtaining consent’ and ‘the user had to perform a large number of actions in order to deactivate this setting’. As the CNIL reports, the fines are based on breaches of the French implementation of the e-Privacy Directive, in which case the one-stop-shop mechanism under the GDPR does not apply and the CNIL is therefore materially competent. The CNIL also notes that it is territorially competent to impose the fines, because the use of the Microsoft cookies and the Apple identifiers ‘is carried out within the “framework of the activities”’ of ‘APPLE RETAIL FRANCE and APPLE FRANCE’ and ‘MICROSOFT FRANCE,’ ‘which constitutes the “establishment” on French territory of’ the Apple and Microsoft groups, respectively.
– EDPS Issues Opinion on ‘Secure instant payments for individuals in the EU’ –
On 19th December 2022, the EDPS issued Opinion 27/2022 on the proposed Regulation concerning ‘secure instant payments for individuals in the EU.’ The proposed Regulation seeks to address ‘the high rate of rejected instant payments due to the misidentification of individuals.’ In his Opinion, the EDPS notes two provisions in the proposal which have positive effects from a data protection point of view: (1) the payee identity verification procedure, which gives more security to the payer, can help them decide whether to authorise the payment, and into and out of which the payer may opt, and (2) the new measure for ‘verifying periodically payers’ information against information in EU sanctions lists, instead of verifying this information for each transaction.’
– EDPB holds 74th Plenary Meeting –
On 17th January, the EDPB held its 74th Plenary Meeting. From the Agenda of the meeting, it seems the following significant points, amongst others, will have been discussed:
- The ‘EU-US Data Privacy Framework’ – including ‘an exchange of views’ between Commissioner Didier Reynders and members of the EDPB and a discussion of the ‘EDPB opinion on draft adequacy decision’.
- The ‘Cookie Banner Task Force’ – including an update and a discussion of the direction of work.
- The ‘CEF cloud report’.
At the time of writing, only the Agenda of the meeting is available. We presume more materials relating to the outcome of the meeting will become available in due course.