Data Protection Insider, Issue 108

Data Protection Insider, Issue 108 - DPI

– CJEU: Court on Personal Data and Controllership in Online Advertising 

On 7th March, the CJEU ruled in the case of IAB Europe v Gegevensbeschermingsautoriteit. In terms of the facts, the case concerned IAB Europe’s Transparency & Consent Framework (TCF). The TCF provides a set of rules and technical specifications aimed at allowing online advertisers to process users’ personal data legally. The TCF is used in relation to ‘Real Time Bidding’ – ‘an instant and automated online auction system of user profiles for the purpose of selling and purchasing advertising space on the internet’. In this regard, when a user first consults a website, they are faced with a pop-up window, which, in line with the TCF, allows them ‘to give…consent…for the collection and processing of…personal data for…purposes, such as…marketing or advertising, or with a view to sharing those data with certain providers, and, second, to object to various types of data processing or to the sharing of those data, based on legitimate interests…within the meaning of Article 6(1)(f)’. These preferences are then translated into a combination of symbols – the Transparency and Consent String (TC String) – ‘which is shared with personal data brokers and advertising platforms…so that they know to what the user has consented or objected’. A cookie is also placed ‘on the user’s device. When they are combined, the TC String and the…cookie can be linked to that user’s IP address’. Following a number of complaints about the TCF, the Belgian DPA initiated the cooperation and consistency procedure and, eventually, passed down the decision that IAB Europe is a data controller ‘as regards the recording of the consent signal, objections and preferences of individual users by means of a TC String, which…is associated with an identifiable user’ and ‘ordered IAB Europe…to bring into conformity with the provisions of the GDPR the processing of personal data…and imposed on it…corrective measures as well as an administrative fine’. IAB Europe appealed this decision before the referring national court, which posed the following questions to the CJEU:

1. Does Article 4(1) mean a string of symbols, such as the TC String, containing a user’s preferences, constitute personal data, ‘where a sectoral organisation has established the framework of rules’ for the generation, storage, and dissemination of the string, ‘and the members of such an organisation have implemented such rules and thus have access to that string’? And, in relation to the above, is it important ‘for that string to be associated with an identifier, such as, inter alia, the IP address of that user’s device, allowing the data subject to be identified, and…for such a sectoral organisation to have the right to access…the personal data…processed by its members?

2. Does Article 4(7) mean that a sectoral organisation such as the IAB, in relation to a framework such as the T&C ‘must be classified as a ‘controller’…and whether, for the answer to that question, it is relevant that such a sectoral organisation itself have direct access to the personal data’? And, in relation to the above, does any joint controllership extend ‘automatically to the subsequent processing of personal data carried out by third parties, such as website or application providers’?

In light of the above, the CJEU decided:

1. Article 4(1) means a string of symbols, such as the TC String, containing a user’s preferences, constitutes personal data where ‘those data may, by reasonable means, be associated with an identifier, such as, inter alia, the IP address of that user’s device’ which allows ‘the data subject to be identified’. That, without supplemental, external, information, ‘a sectoral organisation holding that string can neither access the data…processed by its members…nor combine that string with other factors does not preclude that string from constituting personal data’.

2. Articles 4(7) and 26(1) mean a sectoral organisation such as the IAB, in relation to a framework such as the T&C, ‘must be classified as a ‘joint controller’…where…it exerts influence over the personal data processing…for its own purposes, and determines…jointly with its members, the purposes and means of such processing’. That ‘such a sectoral organisation does not…have direct access to the personal data processed by its members…does not preclude it from’ being a joint controller. Equally, ‘the joint controllership of that sectoral organisation does not extend automatically to the subsequent processing of personal data…by third parties’.

This is a complex and fascinating case, and the CJEU offers much to consider regarding the concept of personal data, and the concept of controllership.

 

– CJEU: Europol May be Jointly and Severely Liable for Unlawful Data Processing

On 5th March, the CJEU ruled that, in the framework of cooperation between Europol and the law enforcement authorities of a Member State, Europol may be jointly and severely liable for unlawful personal data processing, i.e. processing contrary to the Europol Regulation. The case in which the decision was passed down, was: Marián Kočner v European Union Agency for Law Enforcement Cooperation (Europol). As to the facts of the case, Europol assisted the Republic of Slovakia in examining materials related to the investigation of the murder of the journalist Kočner, such as data from the mobile phone and USB stick of the applicant in the main proceedings. Data related to the investigation was allegedly illegally disclosed and the applicant in the main proceedings sought compensation from Europol for the illegal disclosure (including materials of intimate nature between the applicant and his girlfriend). The General Court rejected the applicant’s claim on the grounds that ‘the appellant had not adduced ‘evidence of a causal link established to a sufficient degree’ between the damage alleged and any conduct on the part of Europol’ and ‘although it is true that recital 57 of Regulation 2016/794 states, in essence, that Europol and the Member State in which the damage arising from unlawful data processing carried out by that agency or by that Member State occurred are jointly and severally liable for that damage, it must nevertheless be held that that joint and several liability mechanism is neither expressed by or based on the provisions of that regulation.’ The applicant appealed the decision of the General Court, which was referred to the Grand Chamber. The Grand Chamber rejected that part of the General Court’s decision. It examined the Europol Regulation and concluded that its Article 50, read together with Article 49(3) and recitals 56-57, ‘lays down rules rendering Europol and the Member State in which the damage resulting from unlawful data processing occurred jointly and severally liable in the context of cooperation between them under that regulation.’ It also referred to Article 82(4) GDPR on joint and several liability as an established concept under EU data protection law. Then, the Grand Chamber examined the conditions which need

to be fulfilled for Europol to incur liability under Article 50(1) Europol Regulation. First, it established that Article 50(1) Europol Regulation ‘relieves the individual concerned of the burden of establishing the identity of the entity whose conduct gave rise to the alleged damage and, second, provides that, after that individual has been compensated, the ‘ultimate responsibility’ for that damage must, where appropriate, be definitively settled in proceedings involving only Europol and the Member State concerned before the Management Board of Europol.’ According to the Court, it suffices that an ‘individual show that, in the course of cooperation between Europol and the Member State concerned under that regulation, unlawful data processing which caused him or her to suffer damage has been carried out, without there being any need for him or her to establish additionally to which of those two entities that unlawful processing is attributable.’ The Court recalled that it is up to the defendant entity to prove that the damage did not arise in the course of cooperation between Europol and a Member State – e.g. that the damage occurred prior to the cooperation. Editorial note: The applicant appealed also other parts of the General Court’s decision, but these were rejected by the Grand Chamber.

 

– CJEU: Oral Disclosure of Personal Data May be Subject to the GDPR 

On 7th March, the CJEU ruled, in Endemol Shine Finland Oy, that oral disclosure of personal data may fall under the GDPR – e.g. where the data form part of a filing system. As to the facts of the case, ‘Endemol Shine Finland, the appellant in the main proceedings, made an oral request to the Etelä-Savon käräjäoikeus (District Court, South Savo, Finland) for information on possible ongoing or completed criminal proceedings concerning a natural person involved in a competition organised by that company for the purpose of clarifying the criminal record of that person.’ The Finnish courts are uncertain whether the oral disclosure of such personal data may fall under the material scope of the GDPR. The CJEU ruled that oral disclosure constitutes ‘processing of personal data’. As to whether the oral disclosure in question falls within the material scope of the GDPR, the CJEU ruled that ‘(s)ince the oral disclosure of personal data constitutes, as such, processing other than by automated means, the data that are the subject of that processing must therefore ‘form part’ or be ‘intended to form part of’ a ‘filing system’ in order for that processing to come within the material scope of the GDPR.’ According to the CJEU, ‘(i)n the present case, it is clear from the request for a preliminary ruling that the data requested by the appellant in the main proceedings are contained in ‘a court’s register of persons’. It thus appears that those data are contained in a filing system within the meaning of Article 4(6) of the GDPR, which it is, however, for the referring court to verify, it being immaterial whether those data are contained in electronic databases or in physical files or registers.’ Finally, the Court logically ruled that the (oral) disclosure of personal data related to criminal convictions has to comply with the other provisions of the GDPR. Referring especially to Articles 6(1)(e) and 10 GDPR, the Court ruled that the GDPR ‘must be interpreted as precluding data relating to criminal convictions of a natural person contained in a court’s filing system from being disclosed orally to any person for the purpose of ensuring public access to official documents, without the person requesting the disclosure of those data having to establish a specific interest in obtaining those data, it being irrelevant in that regard whether that person is a commercial company or a private individual.’

About

DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.

Leave a Reply