– CJEU Ruling Strengthens the Role of Consent and Right to Erasure –
On 27th October, the CJEU ruled on the right to withdraw consent and the right to erasure in relation to multiple controllers in the case of Proximus NV v Gegevensbeschermingsautoriteit, in the context of publishing someone’s contact details in public directories. As to the facts of the case, a subscriber of telecommunication services provided by Telenet indicated to Proximus, which also provides such services and publishes directories, that they did not wish their data to be published in public directories either by Proximus or by other directory providers to which Proximus provides contact information for the purposes of creating and publishing directories. Proximus recorded this in its systems. When Telenet subsequently sent Proximus the list of its subscribers who wished to be included, or did not object to being included, in public directories, the applicant’s details were included and Proximus changed its system accordingly. As a result, the applicant’s contact data were published. Upon learning this, the applicant asked Proximus to delete their contact information from the public directory. Proximus informed the applicant that it had deleted their data from the Proximus directory and that it had informed the other directory providers to which it had provided the data, as well as Google, of the withdrawal of the applicant’s consent. In parallel, the applicant lodged a complaint with the Belgian DPA, which imposed a € 20 000 fine on Proximus, relying on the requirement in the e-Privacy Directive that consent is required for the inclusion of the subscribers’ data in public directories. When appealing the fine, Proximus argued that it was not in breach of the GDPR, because consent was not required for the publication of the data in directories. The dispute eventually reached the CJEU via the preliminary ruling procedure.
The Court ruled that ‘consent by a subscriber who has been duly informed is necessary for the purposes of the publication of his or her personal data in a public directory and extends to any subsequent processing of data by third-party undertakings active in the market for publicly available directory enquiry services and directories, provided that such processing pursues the same purpose.’ The Court then unsurprisingly clarified that consent may be withdrawn and such a request could be treated as an erasure request. The Court further ruled that Proximus should inform the other directory providers and the telecommunications provider from whom the data originated of the withdrawal of consent via ‘appropriate technical and organisational measures’. From the text of the judgment it is evident that the Court relies here on Article 24 GDPR. Thus, the Court concluded that where several controllers rely on one consent, it is enough that the concerned data subject contacts only one of them. Finally, the Court ruled that ‘a controller such as Proximus is required, under the GDPR, to ensure that reasonable steps are taken to inform search engine providers of the request addressed to it by the subscriber of a telephone service operator for erasure of his or her personal data.’ From the text of the judgment, it becomes clear that here the Court relies on Article 17(2) GDPR.
Editorial note: The story is based on the Press Release as the judgment is not available in English yet. The references to the GDPR Articles have been taken directly from the judgment.
– German Constitutional Court Decides on Data Sharing by Intelligence Services –
On 28th September, the German Constitutional Court ruled in a case concerning the scope of domestic intelligence agencies’ data sharing powers. In terms of the facts, the case concerned an application by a complainant ‘who was convicted in criminal proceedings relating to the National Socialist Underground (who challenged) the data sharing powers of the domestic intelligence services and (asserted) a violation of the fundamental right to informational self-determination.’ The powers in question essentially flow from the Federal Protection of the Constitution Act (Bundesverfassungsschutzgesetz) and allowed federal and state intelligence services to share information with police and public prosecutors ‘when there are factual indications that the sharing of information is necessary for the prevention or prosecution of offences against state security.’ The same powers are relied upon as justification for the establishment of ‘the Standardised Central Database to Combat Violent Right-Wing Extremism (Rechtsextremismus-Datei-Gesetz)…a joint database for police authorities and intelligence services of the Federation and the Länder that serves to facilitate inter-agency requests for information.’ In this regard, the Court generally held ‘that the data sharing powers of domestic intelligence services under the Federal Protection of the Constitution Act…are not compatible with the fundamental right to informational self-determination under Art. 2(1) in conjunction with Art. 1(1) of the Basic Law (Grundgesetz – GG). Specifically, (the) ruling is directed at provisions permitting the sharing of personal data that was obtained by…domestic intelligence services through covert methods. These provisions violate the principles of legal clarity and proportionality. They also lack sufficiently specific documentation requirements.’ The case is interesting and will surely be a worthwhile subject of study for anyone interested in law and data processing for security purposes. 
The considerations on the proportionality of the provisions in question are particularly interesting.
Editorial note: The story is based on the Press Release as the judgment is not available in English.
– Statewatch Releases Documents on Personal Data Processing by Frontex –
On 4th November, Statewatch published a series of documents concerning the operational personal data processing practices of Frontex (the European Border and Coast Guard Agency), especially those carried out for the purposes of fighting cross-border crime. The documents cover the period from December 2018 until November 2022. According to Statewatch, the documents ‘make it crystal clear how the management of the EU’s most powerful agency sought to ignore the advice of its Data Protection Officer (DPO), echoing previous attempts to sideline the agency’s Fundamental Rights Officer (FRO) in the scandal over pushbacks at the Greek-Turkish border and operations at the Hungarian-Serbian border.’ One of the released documents concerns the Management Board Decision of December 2021, which seeks to regulate the processing of operational personal data. Statewatch notes that ‘following the publication of the investigation into the process of adoption, they were rescinded and are now being redrafted.’ We believe that those who carry out research on Frontex, including on its data protection compliance, will find the sources very informative.
– OECD Publishes Report on Dark Commercial Patterns –
On October 26th, the OECD made the report ‘Dark Commercial Patterns’ available. The report builds on the recognition ‘of the growing need to address dark commercial patterns comprehensively’ and on the back of a roundtable on the topic held in November 2020. In terms of content, the report is split into six substantive sections, which discuss: i) ‘the nature of dark patterns and issues around their definition’ – including the following working definition: ‘Dark commercial patterns are business practices employing elements of digital choice architecture, in particular in online user interfaces, that subvert or impair consumer autonomy, decision-making or choice. They often deceive, coerce or manipulate consumers and are likely to cause direct or indirect consumer detriment in various ways, though it may be difficult or impossible to measure such detriment in many instances’; ii) ‘their prevalence’; iii) ‘effects on consumer decision-making, detectability, and harms’; iv) ‘regulatory and enforcement measures’; and v) ‘educational, technical and business initiatives and tools’. The report is also accompanied by a number of annexes, which include evidence of dark patterns and their consequences, examples of enforcement actions against dark patterns, and considerations of EU law which may be useful in addressing dark patterns. The report deals with a fascinating topic and will be of interest to all concerned with developments in commercial data practices.