Category: European Court of Justice
11. December 2017
The Working Party 29 (WP29), an independent European advisory body on data protection and privacy, has evaluated the Privacy Shield agreement (framework for transatlantic exchanges of personal data for commercial purposes between the European Union and the United States, see also our report on One year of Privacy Shield).
In its joint review, the WP29 focusses on the assessment of commercial aspects and governmental access to personal data for national security purposes.
Though acknowledging progress, the WP29 still finds unresolved issues on both sides.
It criticizes the lack of guidance and clear information on the principles of the Privacy Shield, especially with regards to onward transfers, the rights of the data subject and remedies.
The US authorities are further requested to clearly distinguish the status of data processors from that of data controllers.
Another important issue to be tackled is the handling of Human Resource (HR) data and the rules governing automated-decision making and profiling.
Also, the process of self-certification for companies requires improvement.
In terms of access by public authorities, the WP 29 concludes that the US government has made effort to become more transparent.
However, some of the main concerns still are to be resolved by May 25th, 2018.
The WP 29 calls for further evidence or legally binding commitments to confirm non-discrimination and the fact that authorities don’t get access on a generalized basis to data transferred to the USA from the EU.
Aside from these matters, an Ombudsperson still needs to be appointed and her/his exact powers need to be specified. According to the WP 29, the existing powers to remedy non-compliance are not sufficient.
In case no remedy is brought to these concerns in the given time frames, the members of WP29 will take appropriate action, including bringing the Privacy Shield Adequacy decision to national courts for them to make a reference to the Court of Justice of the European Union (CJEU) for a preliminary ruling.
19. May 2017
The German Federal Court (Bundesgerichtshof, BGH) decided, that dynamic IP-addresses are personal data. Also the BGH decides, that website operators are allowed to store the IP-address.
The judgement precedes on a decision of the European Court of Justice (EuGH) from the last year.
The EuGH decides, that a dynamic IP-address is a personal data, when the person concerned can be identified by means of the IP-address.
A German politician worried about the storing of his IP-address, because different federal institutes and authorities stored unasked his IP-address after he visited their websites. He fears, that the institutes and authorities are able to understand what he read and clicked on in the past times. Therefore his fundamental right on informational self-determination is infringed. He wants the court to decide, that his IP-address can be stored during his visit but not above.
The BGH now established, that the dynamic IP-address is personal data and the fundamental rights of the users should not be infringed, but websites are allowed to invest protocols of the surfers who visited their website, after the visitation, but only on the premise of emergency response. Especially in cases of hacker attacks. A criminal prosecution must be possible. The legal foundation is § 15 Telemediengesetz (TMG). § 15 I TMG must be interpreted compliant to the European law. Collection and processing of personal data must be required for the functionality of the service.
It is good to know that the website operator has no possibility of identifying the user by means of his IP-address, only the internet provider is able to identify the user by means of the IP-address, because the provider allocates the IP-address to the user.
6. March 2017
Vera Jourová, the European Union’s justice commissioner, is willing to suspend Privacy Shield in case the Trump administration budges from the result of the negotiation between the Obama administration and the European Union.
The Privacy Shield pact was meant to replace the Safe Harbor decision of the European Commission that was overturned in October 2015 by the European Court of Justice (ECJ). The pact’s purpose is to enable the transfer of EU citizens’ personal data to the US while ensuring the protection of those data.
Concerns about the effectiveness of the Privacy Shield came up as President Trump passed an executive order in January 2017 saying “agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”
Although the US Department of Justice already affirmed the US’s commitment to the Privacy Shield, Jourová stays sceptical and wants to keep an eye on the US government’s stance. In case EU citizens’ personal data are not safe in the US Jourová will not hesitate to suspend the pact.
28. October 2016
As the website of the European Court of Justice just released, is the EU-U.S. Privacy Shield being challenged by Digital Rights Ireland, an Irish privacy advocacy group.
The facts of this case (Digital Rights Ireland v Commission; Case T-670/16) are as follows:
- Digital Rights Ireland has filed an action for annulment against the European Commission’s adequacy decision on the EU-U.S. Privacy Shield.
- There has been no comment from Digital Rights Ireland yet.
- No documents have been published with regard to the case so far.
- However, as HuntonPrivacyBlog reported “(…) media sources quote a spokesperson for the European Commission acknowledging the case and stressing the European Commission’s conviction that the Privacy Shield meets all legal requirements.”
20. October 2016
The European Court of Justice clarified the definition and the scope of personal data.
The original case, known as the Breyer case, concerned the issue whether dynamic IP addresses are personal data within the meaning of Article 2(a) of Directive 95/46/EC. The European Court of Justice now ruled that IP addresses can be seen as personal data although the information may have to be sought from third parties in order to identify the data subjects.
In detail, the European Court of Justice concludes:
- According to the approach adopted by the Bundesgerichtshof (Federal Court of Justice), a dynamic IP address is not sufficient, in itself, to identify the user who has accessed a web page through it. If the provider of a service on the Internet could, on the contrary, identify the user through the dynamic IP address, it would, no doubt, be personal data within the meaning of Directive 95/46.
- The heart of the question referred is therefore concerned with whether it is relevant, in order to classify dynamic IP addresses as personal data, that a very specific third party — the Internet access service provider — has additional data which, combined with those addresses, may identify a user who has visited a particular web page.
- Therefore, as a first conclusion, I consider that Article 2(a) of Directive 95/46 must be interpreted as meaning that an IP address stored by a service provider in connection with access to its web page constitutes personal data for that service provider, insofar as an Internet service provider has available additional data which make it possible to identify the data subject.
Therefore, the question which is raised due to this ruling is: Will this defintion stand once the GDPR comes into force in 2018?
However, it is highly probable that from now on it will be more difficult for organizations to pseudonymize or anonymize personal data.
16. September 2016
The European Court of Justice decided that free Wifi providers are not liable for illegal downloads.
The decision is based on a case between Sony and a German shop owner. Sony sued the German shop owner due to the fact that an internet user unlawfully offered music downloads by using the shop’s free Wifi. Although the case originated in Munich, the judges referred the issue to the European Court of Justice.
The European Court of Justice then found that free Wifi is provided by companies in order to attract potential customers. Therefore, they cannot be held liable for illegal acts committed by others using this respective internet network.
Furthermore, Sony can not claim compensation or seek reimbursement for its court costs.
Nevertheless, the European Court of Justice ruled that Sony could demand internet connections to be password protected, so that a user is required to identify himself before accessing the Wifi.
5. August 2016
Having in mind that the European Court of Justice declared Privacy Shield’s predecessor, Safe Harbor, invalid, the Head of the Hamburg data protection authority, Prof. Dr. Johannes Caspar, would like to ask the European Court of Justice whether it thinks that the Commission’s decision to strike the data-transfer deal was valid.
Due to the fact that there might be upoming legal changes in Germany Caspar hopes that those will make it possible for the country’s DPAs to challenge adequacy decisions.
An E-Mail was published quoting Caspar saying that “The decision of the EU Commission concerning the Privacy Shield constitutes a new legal ground for data subjects, which is a binding document for all members of the [Article 29 Working Party of data protection authorities],” and going on “On the other hand, I have serious doubts whether this adequacy decision meets the legal requirements of the principle of proportionality and judicial redress in the [CJEU’s] Safe Harbor judgement.” Caspar went on commenting that “It is expected that sooner or later the CJEU will assess whether the access by public U.S. authorities to personal data transferred under the Privacy Shield is limited to what is strictly necessary and proportionate in a democratic society. If there is a legal way to seek reference to the CJEU – and we hope that the national lawmaker will enact a law for national DPAs soon – we will take all appropriate steps for getting a ruling on the validity of the Commission’s decision.”
Due to the fact that the GDPR is a regulation rather than a directive, it does not require transposition into national laws. However, the German government debates about new legislation in order to make German data protection law compliant with the GDPR. However, in July the German government issued a statement saying it is working on the new legislation but not mentioning whether this also includes that DPAs are able to challenge adequacy decisions.
Furthermore, Caspar commented that the Article 29 Working Party’s next opportunity to question the Privacy Shield will come in a year’s time, “if the Shield will still be in force”.
However, not only Caspar shows a sceptical point of view towards the Privacy Shield, Thomas Jansen, a partner with DLA Piper in Munich stated that “Many [European] data protection and privacy experts see a high risk that the Privacy Shield will be invalidated”.
29. July 2016
As already published the European Court of Justice had to clarify which Member State’s data protection laws should apply to data processing established within the EU but directed at a number of EU Member States.
Yesterday, the European Court of Justice ruled in the case VKI v. Amazon EU that “ (…) the processing of data (…) is governed by the law of the Member State in whose territory that establishment is situated.”
However, the European Court of Justice did not discuss the respective contract between Amazon and its customers stating that “Luxembourg law shall apply.”
Nevertheless, the European Court of Justice came to the conclusion that “It is for the national court to determine (…) whether Amazon EU carries out the data processing in question in the context of the activities of an establishment situated in a Member State other than Luxembourg.”
28. July 2016
In the case Verein für Konsumenteninformation v. Amazon, the Court of Justice of the European Union has to decide which Member State’s data protection law should apply in case goods are sold across national borders but within the EU. In the respective case goods are sold from a German or Luxembourgish website to an Austrian consumer.
This can be seen as one of the more significant data protection cases of 2016. The judgement will be significant due to the fact that the EU is in the process of implementing the new General Data Protection Regulation. As a consequence an European Data Protection Board (EDPB) will be established, which will represent Data Protection Authorities of different Member States. The EDPB will also be responsible for conflicts of jurisdiction. However, this process has been described as a “ (…) hyper bureaucratic procedure that will lead to more complexity and longer procedures.”
In case the Court of Justice of the European Union clarifies the jurisdiction of Data Protection Authorities, there may be less need to utilise these hyper-bureaucratic procedures. This could make the EU’s single market more efficient.
The Court of Justice of the European Union will probably rule on this matter today.
18. May 2016
Background
In 2014, Mr. Breyer filed a suit against the Federal Republic of Germany regarding the storing of IP Addresses. Several German public bodies operate internet websites that are publicly accessible. In order to avoid and be able to prosecute criminal attacks, the access to these websites is protocolled, including names, retrieved data/website, words searched in the search fields, date and time of retrieval, data transmitted and the IP Address of the device in question.
Mr. Breyer requested that neither the Federal Republic of Germany nor third parties store the IP Address of users that accesses these websites, as there was no consent for this processing and the storage was not based on the recovery due to a disruption of the service.
Prejudicial question from the German Federal Supreme Court (Bundesgerichtshof)
The suit from Mr. Breyer was dismissed in the First Instance. However, the appeal succeed partly and the Federal Republic of Germany was sentenced not to store IP Addresses for a longer period of time than that of the access in question. Though, this was subject to the condition that Mr. Breyer provided his personal data when he accessed the website. Both parties appealed to the German Federal Supreme Court, who submitted the following questions to the ECJ:
– Question 1: Must the Data Protection Directive 95/46/EC be interpreted as meaning that an Internet Protocol address (IP Address) which a service provider stores when his website is accessed already constitutes personal data for the service provider if a third party (an access provider) has the additional knowledge required in order to identify the data subject?
– Question 2: Does the Data Protection Directive 95/46/EC preclude a provision in national law under which a service provider may collect and use a user’s personal data without his consent only to the extent necessary in order to facilitate, and charge for, the specific use of the telemedium by the user concerned, and under which the purpose of ensuring the general operability of the telemedium cannot justify use of the data beyond the end of the particular use of the telemedium?
Position of the ECJ General Advocate
The ECJ General Advocate answers the above questions as follows:
– To question 1: A dynamic IP Address, through which a user has retrieved a website from a telemedia service provider, constitutes for the latter a personal data to the extent that the service provider has enough additional information, which connected with the IP-Address makes possible to identify the user. Dynamic IP-Addresses contain information regarding the time and date in which a website was accessed from a device. This data can provide information about behavioural patterns that can affect the right to privacy of individuals. Additionally it can also provide additional information about a user if it is connected to other personal data.
– To question 2: The finality to guarantee the operability of the telemedium should be basically seen as a legitimate interest that justifies the processing of an IP Address. This legitimation can be only alleged if it has primacy over the fundamental rights of the data subject. A national legal disposition that does not allow such legitimate interest, is not consistent with the Data Protection Directive 45/95/EC.
What to expect regarding IP addresses with the GDPR?
The problematic of the IP Addresses may be solved with the GDPR, as the Recital 30 enumerates, among others, also IP addresses as examples of personal data. As such, they can lead to identify an individual if combined with other information, therefore they fall under the scope of the GDPR and they are to be handled as personal data.
