Data Protection Insider, Issue 116

Data Protection Insider, Issue 116 - DPI

-CJEU Rules on the Standing of Representative Organisations-

On 11th July, the CJEU ruled in the case of Meta Platforms Ireland Ltd v Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband eV. In terms of the facts, the Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V. (‘Federal Union‘) wanted to submit a complaint as a representative action under Article 80(2) GDPR against Meta Platforms for not properly informing its users about the processing of their personal data according to Articles 12 and 13 GDPR before obtaining their consent for processing in the framework of the games offered in the app centre of Meta Platforms Ireland. Following a prior exchange with the CJEU – dealt with in case C‑319/20 – the German Federal Court of Justice referred another question to the CJEU, which the CJEU summarized as follows: does Article 80(2)…GDPR mean ‘that the condition that an authorised entity, in order to be able to bring a representative action under that provision, must assert that it considers the rights of a subject of a personal data processing operation to have been infringed ‘as a result of the processing’, within the meaning of that provision, is satisfied where such an action is based on an infringement of the controller’s obligation under the first sentence of Article 12(1) and Article 13(1)(c) and (e) of that regulation, to provide the data subject, in a concise, transparent, intelligible and easily accessible form, in clear and plain language, with information relating to the purposes of that data processing and to the recipients of such data, at the latest when they are collected’? In this regard, the Court concluded that Article 80(2) means that the condition in question ‘is satisfied where that entity asserts that the infringement of the data subject’s rights occurs in the course of the processing of personal data and results from the controller’s infringement of its obligation, under the first sentence of Article 12(1) and Article 13(1)(c) and (e) of that regulation, to provide the data subject, in a concise, transparent, intelligible and easily accessible form, in clear and plain language, with information relating to the purposes of that data processing and to the recipients of such data, at the latest when they are collected’. The conclusion in the judgment will likely not come as a surprise to many in the data protection community. Nevertheless, the case is well worth reading, as it deals with a range of topical and significant issues, not least concerning the processing activities of data giants, the capacity of representative organisations to bring cases under the GDPR, and the issue of transparency in data processing.

 

-CJEU Deals with the Processing of Personal Data by a Legal Guardian-

On 11th July, the CJEU ruled in the case of MK v WB. The case essentially concerned WB, who was appointed as MK’s legal guardian until he was relieved of his duties. MK sought to access the personal data collected about him by WB during this period. His initial efforts before the national courts were, however, unsuccessful – with the court ruling that a guardian does not qualify as a controller under Article 4(7). MK, however, appealed. In the course of this appeal, the appeal court referred two questions to the CJEU. These concerned, in essence: ‘whether Article 4(7) of the GDPR must be interpreted as meaning that a former guardian who performed his or her duties in a professional capacity with regard to a person placed under his or her guardianship must be classified as a ‘controller’, within the meaning of that provision, of the personal data of that person in his or her possession and that such processing must comply with all the provisions of that regulation, including Article 15 thereof.’ The Court, in a brief decision, concluded that Article 4(7) means ‘a former guardian who performed his or her duties in a professional capacity in respect of a person placed under his or her guardianship must be classified as a ‘controller’…of personal data in his or her possession concerning that person and that such processing must comply with all the provisions of that regulation, including Article 15 thereof’. Despite its brevity, there are interesting aspects to the case, for example, the Court’s discussion of the household exemption, and the Court’s discussion of the concept of guardianship under data protection law. The case will likely be of most interest, however, to those with close interest in the themes involved.

 

-ECtHR: Azerbaijan’s Tax Authority’s Search and Seizure Breaches Article 8-

On 4th July, the ECtHR ruled that the search and seizure operations performed by the Azerbaijani Tax Authority breached the applicant’s right to respect for home and correspondence in Rustamkhanli v. Azerbaijan. As to the facts of the case, the applicant in the main proceedings is ‘the founder, director and sole owner of the Qanun Magazine Editorial Office’, a publishing office in Azerbaijan. His office was subject to an unannounced tax audit in the course of which numerous documents were seized, more precisely ‘electronic devices, documents, stamps, notebooks, journals and booklets’, without regard to the fact whether they were relevant for the tax audit. The tax officials argued that this was necessary for efficiency purposes. The applicant claimed that the scope of the audit breached their rights under Article 8 ECHR. The Court decided to focus on the right to home and correspondence and did not deem it necessary to examine the private life aspects of the complaint. The Court first confirmed that the search and seizure constituted an interference with Article 8 ECHR. It then started examining whether it was ‘in accordance with the law’. The Court noted that the interference had a basis in domestic law. However, it found that the Tax Authority failed to comply with the domestic law, according to which only materials necessary for the tax audit may be seized. In addition, domestic courts failed to address this issue. Thus, the ECtHR concluded that the searches and seizures were ‘not in accordance with the law.’

About

DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.

Leave a Reply