Data Privacy Day 2023: highlighting the most impactful ECJ judgments from the past year

Key principles for lawful data processing

Judgment of 22 November 2022 in cases C-37/20 and C-601/20

Member States established a Register of Ultimate Beneficial Ownership (UBO), in line with the anti-money-laundering-directive (AMLD5) 2018/843, amending AMLD4 2015/849. Article 1(15)(c) AMLD5 contained an obligation for Member States to improve transparency in the ownership of companies and trusts by making certain information on the UBO accessible to any member of the general public. In this case, the Luxembourg Register and the validity of article 1(15)(c) Directive 2018/843 were challenged. The Luxembourg District Court asked for a preliminary ruling on a series of questions concerning the validity of article 1(15)(c) in light of article 7 and 8 of the Charter of Fundamental Rights of the European Union – the right to respect for private and family life and the right to protection of personal data.

The Court held that in light of the Charter, the provision whereby Member States must ensure that the provision whereby the UBO of corporate and other legal entities incorporated with their territory is accessible in all cases to any member of the general public, is invalid. This access of the general public constitutes a serious interference with the rights to respect for private life and to protection of personal data. The legislature pursues an objective of general interest, and the measure is appropriate for contributing to this objective. However, the measure is neither limited to what is necessary nor proportionate to this objective pursued.

The implications of this decision were large: public access to the UBO register was suspended in several Member States, including the Netherlands, Belgium and Luxembourg. The effect of the declaration of invalidity is that the 2018 amendment should be regarded as never having taken place. Therefore, the old version of the 2015 AMLD4 is now applicable. According to that version, information on UBOs must be accessible in all cases to any person or organisation able to demonstrate a legitimate interest. It remains to be seen when and how access to the UBO register will be re-entered for persons and organisations with a legitimate interest, including the press, civil society organisations, and non-life insurers.

Judgment of 20 October 2022 (C-77/21)

In this case, a Hungarian internet and television provider created a copy of (a part of) their clients’ personal data records to use in a test database after having experienced a technical malfunction. One and a half year later, an ethical hacker penetrates this test database and notifies the provider, who then deletes the personal data in the test database. The Hungarian Data Protection Authority fines the provider for breaching the retention period and therefore violating article 5(1)(b) and (e) GDPR (purpose limitation and data minimization). The provider challenges this decision, because the initial processing of the personal data was lawful and the mere fact that a copy was made for testing purposes does not change the lawfulness.

The Hungarian court asked the European Court of Justice for a preliminary ruling on the questions:

1. whether copying initially collected personal data to another database changes the purpose of the initial data collection and processing and whether setting up a test database and processing customer data in this other database is compatible with the purpose of the initial collection of this data and

2. in case the processing is not compatible with purpose limitation: whether copying personal data to another database is compatible with the principle of data minimization.

The Court explains that article 5(1)(b) GDPR contains two requirements: first, personal data must be collected for specified, explicit and legitimate purposes, and second, they must not be further processed in a way incompatible with those purposes. With regard to the ‘further processing’, the Court emphasizes that every processing following the initial processing qualifies as ‘further processing’, including copying personal data to a test database. For all further processing, the data controller has to assess the compatibility of the processing with the initial purpose. There should be a sufficient connection between the initial purpose and the purpose of the further processing, and the reasonable expectations of the data subject should be met. This creates a balance between the need for predictability and legal certainty as to the purposes of processing previously collected personal data, on the one hand, and a degree of flexibility for the controller in the management of that data, on the other.

In summary, it is for the national courts to determine both the purposes of the initial collection of personal data and those of the further processing of those data. If the purposes of that further processing are different from the purposes of the initial collection, the national court must decide on the compatibility of both processing activities.

Although the actual assessment is reserved for the national courts, the ECJ considers that the principle of purpose limitation does not as such preclude the controller from storing personal data in a database set up for testing and error correction purposes, if such further processing is compatible with the initial data collection purposes.

With regard to the second question on data minimization, the ECJ considers that all GDPR principles apply cumulatively. Personal data should not be stored longer than the purpose for processing requires. Besides, the necessity requirement in article 6(1)(b-f) GDPR implies that no more personal data may be processed than necessary. The principle of data minimization (article 5(2)(e) GDPR) therefore precludes the controller from retaining previously collected personal data in a database set up for testing and error rectification purposes, for longer than necessary to carry out those tests and rectify those errors.

Data subject rights

Judgment of 12 January 2023 (C-154/21)

On 12 January 2023, the Court confirmed in a preliminary ruling that every data subject has the right, on request, to know the actual identity of recipients to whom his or her personal data have been disclosed. Article 15 GDPR indeed grants data subjects the right to information about “the recipients or categories of recipients” of his or her personal data, and such information should be as precise as possible.

Emphasizing the importance of effectiveness of the data subject’s rights, the Court finds that the right to be informed of the actual identify of specific recipients (contrary to only the categories of recipients) is necessary to enable the data subject to exercise other rights conferred by the GDPR. This includes the right to rectification, right to erasure (‘right to be forgotten’), right to restriction of processing, right to object to processing or right of action where he or she suffers damage.

However, the Court also recognized that it may be impossible for data controllers to identify the recipients (in particular where they are not yet known), or that a data subject’s request to access may be manifestly unfounded or excessive. Only in such circumstances, the data controllers is allowed to limited the information to only the categories of recipients. The burden of proof to demonstrate that the request from a data subject is manifestly unfounded or excessive then lies with the data controller.

Judgment of 8 December 2022 (C-460/20)

This case is a typical example of conflicting fundamental rights. The question is whether Google as a search engine should delete hyperlinks and so called ‘thumbnails’ if these links lead to information that is, according to the data subject, incorrect. Google rejected the data subject’s request for erasure, pointing out the fundamental right to information and freedom of expression. The data subject pointed out their fundamental right to data protection.

The ECJ stresses that the right to protection of personal data does not have absolute validity, but must be considered in relation to its function in society. In accordance with the principle of proportionality, it must be balanced against other fundamental rights. The GDPR therefore explicitly provides that the right to data erasure does not apply when the processing of the data is necessary for the exercise of the right, inter alia, to freedom of information.

The data subjects’ right to protection of their private life and to protection of personal data generally take precedence over the legitimate interest of internet users who might want to have access to information. However, referring to its Google/Spain ruling, the ECJ stresses that this consideration may depend on the relevant circumstances of the case, including the nature of such information and its sensitivity for the private life of the data subject and the public interest in having this information.

The right to freedom of expression and information cannot be taken into account when at least a not insignificant part of the information in the linked content is found to be incorrect. It is up to the data subject to provide the evidence that the information is incorrect. In order to avoid an excessive burden of proof for the data subject, which may undermine the useful effect of the right to remove links, the data subject only needs to provide the evidence that can reasonably be required of them. They are not, in principle, obliged to provide evidence by submitting a court decision against the owner of the information, e.g. the editor of a website.

Judgment of 27 October 2022 (C-129/21)

This case is about the way consent for listing in directories can be withdrawn. Proximus, a Belgian provider of telecommunications services, publishes telephone directories – including personal data. A data subject contacted Proximus to request that his data no longer be included in the directory operated by Proximus and other directories to which Proximus had provided his data. Because of an update by an uninformed third-party directory provider, the data later reappeared as available for the public.

The e-Privacy Directive (2002/58) provides it is sufficient for a subscriber to consent once to the use of their personal data in a directory, so that other directory providers can process the same data for the same purpose. This can lead to issues when a subscriber wants to withdraw its consent: to whom should this request be addressed – the directory providers together or each of them? In addition: should the provider pass on an erasure request to third parties?

The Court of Justice holds that consent by a subscriber who has been duly informed is necessary for the purposes of the publication of his or her personal data in a public directory. This consent extends to any subsequent processing of data by third-party directory providers who process the data for the same purpose. It is not required that the data subject is aware of the identity of all other providers of directories.

Subscribers must have the opportunity to have their personal data withdrawn from directories, by using the right to erasure. The Court holds it follows from the general GDPR-obligations that a controller such as Proximus must, by means of appropriate technical and organizational measures, inform the other providers of directories that have received the data of the withdrawal of the consent of the data subject. Where various controllers rely on the single consent, it is sufficient that the data subject contacts any one of the controllers, in order to withdraw consent. Finally, the Court holds that a controller such as Proximus is required to ensure that reasonable steps are taken to inform search engine providers of the request addressed to for erasure.

Data retention

In its judgments of 5 April 2022 (C-140/20) and 20 September 2022 (joined cases C-339/20 and C-397/20 and joined cases C-793/19 and C-794/19), the ECJ confirmed that EU law precludes national legislation that provides, as a preventative measure, for the general and indiscriminate retention of traffic and location data for the purposes of combating serious crime.

Article 15 of the e-Privacy Directive enables Member States to restrict the scope of certain provisions of the e-Privacy Directive. Such restriction should constitute a necessary, appropriate, and proportionate measure within a democratic society to safeguard national security (i.e. State security), defense, public security, and the prevention, investigation, detection, and prosecution of criminal offences or of unauthorised use of the electronic communication system. A restriction cannot consist of a general and indiscriminate retention of traffic and location data.

Coming to this conclusion, the Court considered, amongst others, that traffic and location data relating to electronic communications may reveal sensitive information that enjoy special protection under EU law, such as sexual orientation, political opinions, religious, philosophical, societal or other beliefs and state of health. Taken as a whole, those data may allow very precise conclusions to be drawn concerning the private lives of the persons whose data have been retained.

However, in its judgments the Court also clarified that – subject to the conditions as further elaborated in the judgments themselves – EU law does not preclude national legislation that:

• allows an instruction (that is subject to effective review) to be given to providers of electronic communications services to retain, generally and indiscriminately, traffic and location data in situations where the Member State concerned is confronted with a serious threat to national security that is shown to be genuine and present or foreseeable. The instruction must be subject to effective review and limited to a period of time that is strictly necessary, but with the possibility to extend this period if the threat persists;
• provides for the targeted retention of traffic and location data which is limited, based on objective and non-discriminatory criteria, according to the categories of persons concerned or using a geographical criterion (such as the average crime rate in a particular geographical area), for a period of time that is no longer than what is strictly necessary, but which may be extended;
• provides for the general and indiscriminate retention of IP addresses assigned to the source of an internet connection, for a period that is no longer than what is strictly necessary;
• provides for the general and indiscriminate retention of data relating to the civil identity of users of electronic communications systems; and
• allows competent authorities instructing the providers of electronic communications services to undertake the expedited retention (“quick freeze”) of traffic and location data in their possession, for a specified period of time at the first stage of an investigation into a serious threat for public security or a possible serious crime.

Such national legislation must then also ensure, via clear and precise rules, that the retention of data is subject to compliance with the applicable substantive and procedural conditions and that the persons concerned have effective safeguards against the risk of potential abuse.

Enforcement

In its judgment of 12 January 2023 (C-132/21), the ECJ ruled that the different remedies provided for under the GDPR could be exercised independently and concurrently. The GDPR provides three types of remedies: (i) the right to lodge a complaint with a supervisory authority (art. 77); (ii) the right to an effective judicial remedy against a supervisory authority (art. 78) and (iii) the right to an effective judicial remedy against a controller or processor (art. 79). The Court ruled that there is no hierarchy between the civil and administrative remedies, nor is there any rule of precedence. One type of remedy is thus not superior to the other, and data subjects can exercise more than one remedy simultaneously. Parallel procedures can, however, lead to conflicting outcomes from the different bodies involved. That is why, according to the ECJ, Member States should resolve these conflicts through detailed national rules on procedure, all while ensuring a person’s right to an effective remedy and effective protection of his or her rights under the GDPR.

While this article is devoted to discussing case law of the ECJ, it goes without saying that national data protection authorities are key players in enforcement of data protection legislation. To briefly illustrate the importance hereof, a recent decision of the Irish privacy regulator (the "DPC") is worth mentioning. The DPC announced its final decision regarding Meta Ireland's Facebook and Instagram services on 4 January 2023. The decisions focus on the legal basis for processing personal data for personalised ads. Meta based its processing activities on the "performance of a contract" basis. By accepting the Meta terms of use, the user would enter into an agreement with the platform. In doing so, according to Meta, it would be necessary to process their personal data, including for offering personalised ads. The EDPB considers that Meta’s Facebook and Instagram services are mainly used to communicate and not to receive personalised ads. Thus, the provision of personalised ads is not a core element of the services provided by Meta and Meta should not have relied on this processing basis. In its final decision, the DPC fined Meta Ireland 210 million euros (for breaches of the GDPR in relation to its Facebook services) and 180 euros million (for breaches in relation to its Instagram services). A detailed consideration of this decision can be found in this blog.

In the past year, the litigation chamber of the Belgian data protection authority (“DPA”) has published 51 decisions. Eleven decisions led to fines, among which the (second) highest fine imposed by the DPA to date: the DPA fined IAB Europe 250.000,00 EUR based on its decision that IAB’s Transparency and Consent Framework was not compliant with the principles of the GDPR. Previously the DPA had already imposed a fine of 600.000,00 EUR on Google, but this decision – including the fine – was subsequently annulled by the Market Court. We note that the majority of the fines relate to violations of article 6 GDPR, which is expected to remain a priority for the litigation chamber. For 2023, the DPA has indicated to further investigate, and if necessary sanction, the processing activities of “data brokers”. As the fines imposed in 2022 tend to be higher than previous years, companies should be aware of a growing financial risk related to data protection compliance and enforcement in Belgium. 

In the Netherlands, the supervisory authority called the “Autoriteit Persoonsgegevens” or “AP” has also sanctioned several organisations and institutions for breaches of the GDPR. These include fines of 3.7 million EUR for the Dutch Tax Administration for illegally processing personal data for years in a 'fraud identification facility', and of 565.000,00 EUR for the Dutch Ministry of Foreign Affairs for inadequately securing via applications. The AP also fined DPG Media for unnecessarily requesting copies of identity documents and the police for using vehicles equipped with 360-degree cameras in Rotterdam during the COVID pandemic to check whether people were keeping a distance of 1.5 metres from each other without a prior risk assessment.

The data protection and privacy specialists at Stibbe can assist you with any data protection- or privacy-related matters, ranging from advisory and compliance work, contracting, M&A implications to dispute resolution and domestic and international (administrative or judicial) procedures.