-CJEU: Broad Interpretation of ‘Undertaking’ When Calculating Fines-
On 13th February, the CJEU ruled in ILVA A/S that, when the maximum amount of fines for GDPR infringements is calculated, ‘the undertaking’s total worldwide annual turnover in the preceding business year’ has to be taken into account, irrespective of whether the fine is imposed by a DPA or by a criminal court. As to the facts of the case, ILVA (a furniture store chain) is part of a larger group (Lars Larsen Group). The former had breached the GDPR by not adequately protecting the personal data of about 350 000 former customers. Under Danish law, the DPA may not impose administrative fines. It may initiate them, but they are eventually imposed by a criminal court. In casu, the proposed fine was based not only on ILVA’s total turnover, but also on that of the Lars Larsen Group. The dispute in the main proceedings concerns the interpretation of Article 83(4)-(6) GDPR, more specifically how the term ‘undertaking’ should be interpreted for the purposes of calculating a GDPR fine. The CJEU ruled that the term ‘undertaking’ should have the same meaning as under Articles 101 and 102 TFEU (competition law). The CJEU clarified that, as a result, when calculating the maximum amount of fines under the GDPR, national authorities should take into account the turnover of the group to which an undertaking belongs. The CJEU recalled that, when calculating the actual fine in each case, though, regard must be had, amongst other things, to ‘the nature, gravity and duration of the infringement; the number of data subjects affected and the level of damage suffered by them; the intentional or negligent character of the infringement; the actions taken by the controller or processor of personal data to mitigate the damage suffered; the degree of responsibility of that controller or processor; and the categories of personal data affected by the infringement’.
Finally, the CJEU established that the above considerations apply regardless of whether the fine is of an administrative or criminal nature.
-ECtHR: Georgia Does Not Adequately Protect the Confidentiality of Lawyers’ Communications-
On 18th February, the ECtHR ruled in Romanchenko and Kharazishvili v. Georgia that Georgian law does not provide sufficient safeguards against abuse when recording the telephone conversations of a company lawyer. As to the facts of the case, the applicants are a married couple. The wife was the lawyer of a company, which was suspected of illegal trade activities and against which a criminal investigation was opened. Her husband was also suspected of having links to criminal activities. In the framework of the investigation, the prosecutor ordered the interception and recording of their conversations (and also those of other individuals). The applicants complained that the measures were in breach of their Article 8 ECHR rights. The Court ruled first that the measures, according to established case law, constitute an interference with Article 8 ECHR. Then, it moved on to examine whether the measures were justified. It ruled first that the measure had a basis in domestic law and that the legal basis was accessible to the applicants. Since the matter concerns the question of covert surveillance, the Court decided to focus primarily on the question of whether there were enough safeguards against abuse, which the Court decided to examine under the requirements of both ‘quality of the law’ and ‘necessity’. The Court noted that ‘the judge dealing with the prosecutor’s surveillance application in the present case checked only whether the formal requirements had been satisfied, without taking into consideration the substantive material in support of the application. It is simply unclear to what extent the judge concerned examined the material submitted in support of the prosecutor’s application, as the court order, in justifying the measure, neither made any reference to the specific facts of the case nor provided any specific reasons concerning those facts.
This also concerns the operational information …that was purportedly included in the case file submitted in support of the prosecutor’s surveillance application…. The Court cannot but note that the covert investigative measure was simultaneously ordered in respect of eight individuals within the scope of one single court order, without any individualised reasons. The court order therefore gave no relevant and sufficient reasons based on reliable information that had been purportedly provided in support of the requested covert investigative measure’. In addition, the Court was also disturbed by the fact that the domestic authorities did not acknowledge and take account of the fact that the first applicant was a practising lawyer and that her communications were subject to a special level of confidentiality. Thus, the Court concluded that the interference was not in accordance with domestic law and was not ‘necessary in a democratic society’, and that there was a violation of Article 8 ECHR.
-ECtHR Rules on Covert Surveillance-
On 13th February, the ECtHR decided in the case of Denysyuk and Others v. Ukraine. In terms of the facts, the case essentially concerns a series of applicants who were subject to covert surveillance measures by the Ukrainian state. These measures included telephone taps, and video and audio surveillance. A final applicant was a lawyer involved with the aforementioned applicants who was concerned that interactions with clients might also have been subject to the covert surveillance measures, despite lawyer-client privilege. Whilst complaints were submitted to the Court under several Articles, only the Article 8 complaints will be considered here. The first set of applicants complained to the Court that ‘the covert investigative measures of which they had been notified…had breached their rights guaranteed by Article 8 of the Convention, having regard, in particular, to the alleged lack of adequate safeguards in the applicable law and the practical means of implementing it in their respective cases’. The final applicant complained to the Court that ‘his Article 8 rights had been compromised, as the domestic law applicable to covert interception of telephone communications lacked adequate safeguards protecting his privileged communications with clients’. 
With regard to the first set of applicants, the Court found a violation, specifically highlighting that the interference ‘was not “in accordance with the law” for the following reasons: (i) lacking access to the judicial decisions authorising the disputed measures, the Court’ could not ‘conclude that they were ordered “lawfully,” including regarding the requirement to conduct a prior “necessity” assessment of those measures; (ii) in the course of the implementation of the disputed measures, the applicants’ communications with their lawyers were not sufficiently protected by specific and detailed rules and procedures defining how such communications should be identified and handled in the event of having been intercepted accidentally and because there was no independent oversight authority with sufficient competence to protect the applicants from abuse or mistakes by the law-enforcement officers; and (iii) the applicants could not obtain sufficient information and documents for challenging, in a meaningful way, the legality and necessity of the disputed measures after their completion and did not have at their disposal an effective domestic procedure for the determination of the core of their Article 8 complaints in good time’. With regard to the final applicant, the Court also found a violation. The Court again highlighted the deficiencies in the safeguards in domestic law identified in relation to the other applicants.
The Court also highlighted that ‘according to its settled case-law, an individual whose communications have been accidentally intercepted in the course of a surveillance operation targeting another person should have the possibility of vindicating his or her relevant Article 8 rights by resorting to an appropriate domestic remedy’ and that it is ‘not apparent from the material in the present case or from the Government’s observations that the fourth applicant, as a person potentially randomly affected by the interception of his telecommunications, had any mechanism at his disposal for verifying the veracity of his allegations and the lawfulness and necessity of the authorities’ actions’.
-ECtHR Rules on Provision of Telecoms Data to Tax Authorities-
On 13th February, the ECtHR ruled in the case of Macharik v. the Czech Republic. In terms of the facts, the case concerned the provision, by a telecommunications provider, to state authorities, for the purposes of the investigation of tax evasion, of data related to communications concerning a certain mailbox. The applicant’s correspondence and information constituted part of the information provided to the authorities. Following inspection of the applicant’s information, an investigation was opened into the applicant, which concluded with the applicant being charged with tax evasion. Following a series of domestic proceedings, the applicant complained to the Court, under Article 8, that ‘her email communications had been obtained without a proper legal basis, in breach of the guarantees of Article 8 of the Convention’ – the applicant also complained under other Articles, including 6 and 13, the details of which will not be considered here. In relation to this complaint, the Court found a violation. In this regard, the Court concluded that ‘the interpretation and application of domestic law…lacked clarity and consistency and, therefore, were not foreseeable for the purposes of Article 8 of the Convention. The interference with the applicant’s rights under Article 8 was therefore not “in accordance with the law”’. In coming to this conclusion, the Court highlighted, in particular, the fact that domestic law did not seem to permit the collection of data concerning the applicant in question, the fact that the domestic courts did not address the applicant’s complaints concerning the telecoms provider’s confidentiality in this respect, and finally, and perhaps most interestingly, that ‘the way in which the domestic courts interpreted and applied the relevant legal provisions was incoherent and demonstrated the lack of clarity of the legal framework in question’.
-AG Spielmann: Pseudonymous Data Between Identifiable and Non-identifiable Data-
On 6th February, in SRB v EDPS, AG Spielmann advised the CJEU to rule, amongst other things, that careful examination is needed in order to determine whether certain (sets of) data are pseudonymised in such a way as to preclude their identification when transferred to another entity, which could lead to the non-applicability of the GDPR in casu. As to the facts of the case, the EDPS is seeking the annulment of a judgment of the General Court in the case of SRB v EDPS. The procedural aspects of the case will not be further examined. The following summary will focus on the points raised in relation to the interpretation of the data protection provisions concerned, the central one of which is the concept of personal data. More precisely, in the dispute between the EDPS and the Single Resolution Board (SRB), the EDPS was of the opinion that the SRB, which clearly processes the personal data of shareholders and creditors (e.g. identity data and their comments and opinions), forwarded their data to Deloitte in pseudonymized and aggregated form, but that the risk of re-identification by Deloitte was not eliminated. Hence, the EDPS decided to treat them as personal data, which led to disagreement with the SRB and the subsequent action before the General Court, whose judgment the EDPS seeks to set aside. As to the question of the concept of personal data, AG Spielmann first advised the CJEU to rule that the said data, as processed by the SRB and Deloitte, clearly ‘relate to’ natural persons and the examination performed by the EDPS had complied with Nowak on that point. Second, AG Spielmann examined the question as to whether the data as transferred by the SRB to Deloitte were identifiable. He opined that ‘it was necessary to determine whether the pseudonymisation of the data at issue was sufficiently robust to conclude that the complainants, who were the authors of the information transmitted to Deloitte, were not reasonably identifiable.
In other words, in that context, if Deloitte had reasonable means to identify those complainants, it could be considered to be processing personal data’. Third, AG Spielmann argued that irrespective of whether the data at issue may be considered personal data once transferred to Deloitte, they are still personal data for the SRB. Thus, he argued that the SRB was obliged to inform the concerned individuals about the transfer of their data to Deloitte. Finally, AG Spielmann opined on the question of accountability that the SRB had discharged its obligation to prove that it had sufficiently anonymized the data when transferring them to Deloitte and it was for the EDPB to prove that the data were not sufficiently anonymized in that case.