Data Protection Insider, Issue 118

Data Protection Insider, Issue 118 - DPI 9

-CJEU Rules on Disclose of Shareholder Data-

On 12th September, the CJEU ruled in the case of HTB Neunte Immobilien Portfolio geschlossene Investment UG & Co. KG and Others. In terms of the facts, the applicants are investment companies, which hold shares in investment funds via trust companies. These funds are organised as limited partnerships – partnerships ‘offering shares for public subscription’. Indirect shareholding is possible through trust companies. ‘The applicants…request the defendants…which are trust companies, to disclose the names and addresses of all their partners with indirect shareholdings in the investment funds’. The defendants object, on the basis that the applicants wish to obtain this information for their own economic benefit – e.g. by ‘advertising their own investment products, causing concern among investors, or purchasing their shares at a price below their value and making a profit by reselling them’ – and point to clauses in the relevant contracts which prohibit the disclosure of this information. The applicants dispute this, and claim they have a ‘right to contact the other limited partners with shareholdings in the investment funds concerned, inter alia, in order to enter into share purchase negotiations’. In this regard, the referring court posed four questions to the CJEU. The CJEU bundled these together and considered: whether Articles 6(1)(b) and (f) GDPR mean ‘that the processing of personal data which consists in disclosing, at the request of a partner of an investment fund established in the form of a partnership offering shares for public subscription, information on all the partners with indirect shareholdings in that fund, through trust companies, irrespective of the size of their shareholding…for the purpose of contacting them and negotiating the purchase of their shares or to coordinate with them for the purpose of reaching a consensus in connection with partners’ resolutions, may be regarded as being necessary for the performance of a contract to which the data subjects are parties within the meaning of point (b), or for the purposes of legitimate interests pursued by the controller or by a third party within the meaning of point (f)’. In this regard, the Court concluded that:

  • Article 6(1)(b) means the processing of personal data in relation to the Courts consideration, may be ‘regarded as being necessary…for the performance of the contract pursuant to which those partners have purchased such shareholdings, only on condition that that processing is objectively indispensable for a purpose…integral to the contractual obligation intended for those same partners, with the result that the main subject matter of the contract could not be achieved if that processing were not to occur. That is not the case if that contract expressly prohibits the disclosure of those personal data to other shareholders’.
  • Article 6(1)(f) means ‘processing may be regarded as being necessary for the purposes of legitimate interests pursued by a third party…only on condition that that processing is strictly necessary to achieve such a legitimate interest and that, in the…circumstances, the interests or fundamental rights and freedoms of those partners do not override that legitimate interest’.
  • Adding a consideration of Article 6(1)(c), the Court also held that ‘processing of personal data is justified…where…necessary for compliance with a legal obligation to which the controller is subject, under the law of the Member State concerned, as stated by the case-law of that Member State, on condition that that case-law is clear and precise, that its application is foreseeable for those persons subject to it and that it meets an objective of public interest and is proportionate to it’.

This is a case which may fall below the radar of many in the data protection community. The subject matter seems highly specific to investment arrangements, and the Court’s reasoning seems largely formal and unsurprising. There are, however, several fascinating themes which seem, to us – with the caveat that we are not experts in finance – to lurk just beneath the surface, and which make the case a worthwhile subject of careful consideration. In the first instance, whilst data protection cases often involve the direct interests of data subjects pitted against those of data controllers, this case also seems to involve – at least as the parties present the conflict – the ostensibly economic interests of organisations, refracted through the lens of data protection. Further, the case raises fascinating issues regarding the allocation of controllership within complex partnerships, as well as the delineation of the bounds of the data subject from the corporate subject. Unfortunately, these legal issues are not addressed by the Court, yet assumptions connected to them seem evident within the judgment.

-AG de la Tour Argues for Enhanced Algorithmic Transparency-

On 12th September, AG de la Tour delivered an Opinion in which he suggested a broad reading of the requirements on algorithmic transparency in Article 15 (1) (h) GDPR in the case of Dun & Bradstreet Austria. According to the facts of the case, an individual (‘CK’) was refused a contract with a mobile operator because of their low creditworthiness, as calculated via an automated assessment by Dun & Bradstreet. CK requested information about the logic of the automated assessment, which was turned down by Dun & Bradstreet on the grounds of protecting trade secrets. The conflict was then escalated to the Austrian courts. In the meantime, the CJEU issued its ruling in the SCHUFA Holding and Others case, in which it established that ‘Article 22(1) of the GDPR must be interpreted as meaning that the automated establishment, by a credit information agency, of a probability value based on personal data relating to a person and concerning his or her ability to meet payment commitments in the future constitutes ‘automated individual decision-making’ within the meaning of that provision, where a third party, to which that probability value is transmitted, draws strongly on that probability value to establish, implement or terminate a contractual relationship with that person’. The Austrian courts wished to maintain their request for preliminary ruling as they sought guidance on how to strike the right balance between CK’s right of access to the decision-making technology and Dun & Bradstreet’s right to protect their trade secrets. In his Opinion, AG de la Tour proposed the following interpretation of Article 15 (1) (h) GDPR:

  • ‘where a data subject is the subject of automated decision-making, including profiling, as referred to in Article 22 of Regulation 2016/679, the ‘meaningful information about the logic involved’ in such automated decision-making to which that person has a right of access relates to the method and criteria used by the controller for that purpose’.
  • This ‘information must enable the data subject to exercise the rights guaranteed to him or her by Regulation 2016/679 and, in particular, by Article 22 thereof. It must therefore be concise, easily accessible and easy to understand, and formulated in clear and plain language. In addition, the information must be sufficiently complete and contextualised to enable that person to verify its accuracy and whether there is an objectively verifiable consistency and causal link between, on the one hand, the method and criteria used and, on the other hand, the result arrived at by the automated decision at issue.
  • Further, ‘the controller is not required to disclose to the data subject information which, by reason of its technical nature, is so complex that it cannot be understood by persons who do not have particular technical expertise, which is such as to preclude disclosure of the algorithms used in automated decision-making’.
  • And finally, ‘where the information to be provided to the data subject under the right of access guaranteed by Article 15(1)(h) of Regulation 2016/679 is likely to result in an infringement of the rights and freedoms of others, in particular because it contains personal data of third parties protected by that regulation or a trade secret within the meaning of Article 2(1)(1) of Directive (EU) 2016/943…on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure, that information must be disclosed to the competent supervisory authority or court so that the latter can weigh up, in full knowledge of the facts and in accordance with the principle of proportionality and the confidentiality of that information, the interests involved and determine the extent of the right of access that must be granted to that person’.

We understand the latter point as an invitation to read into Article 15 (1)(h) GDPR a right of ‘indirect’ access, similar to the one existing under Article 17(3) Law Enforcement Directive.

-AG Collins: The Right to Rectification Includes Gender Changes in a Refugee Register-

On 12th September, AG Collins suggested that the right to rectification in Article 16 GDPR includes the right to change the gender of a person in the register of refugees in the case of Deldits. As to the facts of the case, an Iranian refugee (VP), who obtained refugee status in Hungary, was registered in the dedicated register as a female. In their refugee application, they stated their transsexuality as the reason for seeking refugee status, providing certificates by a psychiatrist and a gynaecologist. Upon receiving their refugee status, they requested a change in the register from ‘female’ to ‘male’ and a change in their name, relying on the right to rectification in Article 16 GDPR. The request was rejected on the ground that VP had not proved that ‘they had undergone gender reassignment surgery and that the applicant’s gender had changed’. Eventually, the conflict escalated to a preliminary ruling question as to the scope of the right to rectification in Article 16 GDPR. AG Collins suggested in his Opinion that the right to rectification, read in light of the principle of accuracy in Article 5(1)(d) GDPR includes the right of a refugee to have their gender rectified, where the authority keeping the refugee register had incorrectly recorded it upon enrolling the refugee in the register. As to the question of proving the gender change, AG Collins suggested that the right to rectification ‘may require a person requesting rectification of data to produce evidence to establish the inaccuracy of that data in the light of the purposes for which they were collected or processed but may not be required to adduce evidence of having undergone gender reassignment surgery’.

-EDPB to collaborate regarding the Interplay of the DMA and the GDPR-

In the past two weeks, the EDPB announced that ‘Commission services in charge of the enforcement of the Digital Markets Act (DMA) and the European Data Protection Board (EDPB) have agreed to work together to clarify and give guidance on the interplay between DMA and GDPR’. According to the press release, the work will focus on ‘the applicable obligations to digital gatekeepers under the DMA which present a strong interplay with the GDPR’. The initiative is justified on the basis that ‘there is a need to ensure the coherent application to digital gatekeepers of the applicable regulatory frameworks’ and that ‘a coherent interpretation of the DMA and GDPR while respecting each regulators’ competences in areas where the GDPR applies and is referenced in the DMA is crucial to effectively implement the two regulatory frameworks and achieve their respective and complementary objectives’. The press release does not refer to a timeline for the work. The initiative certainly echoes concerns in the data protection community regarding uncertainty as to how the DMA should relate to the GDPR. The outcome of the collaboration is thus to be anticipated with interest.

 

 

About

DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.

Leave a Reply