PONT Data&Privacy

Case law review November 2024

2 January 2025

Case law - Summaries

NautaDutilh

Our partner NautaDutilh will provide a case law overview on a regular basis, each time also discussing a number of cases in more detail. To the right, you can see an overview of relevant privacy case law in the months of September and October. Below, Danique Knibbeler and Siebe Been, Privacy & Data Protection attorneys at NautaDutilh, highlight two interesting cases. Happy reading!

Danique Knibbeler, Siebe Been

CJEU 4 October 2024, C-446/21, ECLI:EU:C:2024:834 (Schrems v. Meta)

Background

The case concerns the processing of sensitive personal data by Meta Platforms Ireland Limited (formerly Facebook Ireland Limited). Maximilian Schrems is suing the company for allegedly unlawfully processing his personal data, including data about his sexual orientation and political views. This data is used for personalized advertisements without his explicit consent. The case revolves around the interpretation of several articles of the GDPR (Dutch abbreviation: AVG), particularly those on purpose limitation, data minimization and the processing of special categories of personal data such as sexual orientation and political beliefs. The Court must assess whether these processing operations are lawful without the user's explicit consent.

Questions referred for a preliminary ruling

  1. Should Article 6(1)(a) and (b) GDPR be interpreted to mean that the lawfulness of contractual provisions for personalized advertisements must be assessed under Article 6(1)(a) GDPR, read with Article 7 GDPR, and that this basis cannot be replaced by Article 6(1)(b) GDPR?
  2. Does Article 5(1)(c) GDPR allow all personal data obtained by a platform such as Facebook to be aggregated, analyzed and processed for targeted advertising without limitation in time and without distinction as to type of data?
  3. Does the prohibition on processing special categories of personal data in Article 9(1) GDPR also cover data that allow filtering for special categories such as political opinions or sexual orientation, even if the controller itself does not distinguish between these types of data?
  4. Does Article 5(1)(b) GDPR, read with Article 9(2)(e) GDPR, allow a statement about a person's sexual orientation made during a public panel discussion to lead to the processing of other data on sexual orientation for personalized advertisements?

Answer

The first question was withdrawn by the referring court following the judgment in another case (C-252/21, Meta Platforms and Others), so it no longer needed to be answered. The third question was also withdrawn by the referring court following the judgment in the same case (C-252/21, Meta Platforms and Others).

The second question was answered by explaining that Article 5(1)(c) GDPR should be interpreted to mean that the principle of data minimization prevents all personal data obtained by a data controller, such as the operator of an online social networking platform (from the data subject or third parties, and collected both on and off that platform), from being aggregated, analyzed and processed for targeted advertisements without limitation in time and without distinction as to type of data.

The fourth question was answered by explaining that Article 9(2)(e) GDPR should be interpreted to mean that the fact that a person made a statement about his or her sexual orientation during a public panel discussion does not mean that the operator of an online social networking platform may process other data relating to that person's sexual orientation. This also applies to data obtained through third-party partner websites and apps. The mere fact that a person has publicly shared information about his or her sexual orientation does not give permission to collect, aggregate and analyze other related data for personalized advertisements on that basis.

CJEU 26 September 2024, C-768/21, ECLI:EU:C:2024:785 (TR v. Land Hessen)

Background

Sparkasse, a public institution that also provides banking services (data controller), reported a data breach under Article 33 GDPR to the HBDI, the regulator in Hesse, Germany. An employee had accessed the personal data of customer TR (data subject) several times without consent. The controller considered that this breach was unlikely to pose a high risk to the data subject because of disciplinary measures taken and other precautions. Therefore, the controller did not inform the data subject under Article 34 GDPR. However, the data subject became aware by chance that his personal data had been unlawfully accessed and filed a complaint with the HBDI about the failure to inform him of the breach. The HBDI held that there was no breach of Article 34 GDPR because the risk assessment by the controller was not manifestly incorrect. No corrective action was taken against Sparkasse. The data subject then filed an appeal with the Administrative Court requesting action against Sparkasse.

Question referred for a preliminary ruling

Should Article 57(1)(a) and (f) and Article 58(2)(a) to (j), in conjunction with Article 77(1) GDPR, be interpreted as meaning that the supervisory authority is always obliged to act in accordance with Article 58(2) GDPR when it establishes that a data processing operation violates the rights of the data subject?

Answer

When interpreting provisions of Union law, their wording, context and objectives must be taken into account. National supervisory authorities are responsible for monitoring compliance with personal data protection rules (Article 8(3) Charter, Articles 51(1) and 57(1)(a) GDPR). Article 57(1)(f) GDPR requires complaints to be dealt with in accordance with Article 77(1) GDPR. Article 58(1) GDPR grants broad investigative powers to supervisory authorities. When violations occur, they must respond appropriately to remedy the shortcoming found, with any action being appropriate, necessary and proportionate. Article 58(2) GDPR gives supervisory authorities discretion in choosing appropriate means to remedy violations. Regarding administrative fines, Article 83(2) GDPR provides that they depend on the circumstances of each case and may be imposed in addition to or instead of other measures. Supervisory authorities must consider factors such as the nature, severity and duration of violations. Neither Article 58(2) GDPR nor Article 83 GDPR imposes an obligation on supervisory authorities to always impose corrective measures or fines upon finding violations; this is only mandatory if appropriate, necessary and proportionate.

In the present case, Sparkasse informed the HBDI about an employee's unauthorized access to personal data and indicated that it had taken disciplinary action. The HBDI decided to waive corrective measures or fines under Article 58(2) GDPR. It is for the referring court to determine whether the HBDI acted diligently within its discretion.
