NautaDutilh periodically compiles an overview of relevant privacy case law. First, three notable cases are highlighted. Below that is an overview of relevant privacy judgments from January and February, listed by ruling date.
Background
In April 2023, the State announced two tenders for standard software. With both tenders, the State aims to conclude framework agreements with resellers who will supply software licenses from different vendors to participants at their own expense and risk.
SoftwareOne submitted offers on both tenders, but also filed a complaint with the Committee of Procurement Experts (CvAE) about the mandatory signing of a processor agreement and the unlimited liability in the agreements with the vendors. The CvAE upheld the complaint.
SoftwareOne then asked the State to withdraw the procedures and, if necessary, retender. The State replied that the contracts would be awarded to the other three parties, that SoftwareOne had finished fourth and lost on price, and that it saw no reason to withdraw the tender procedures.
Legal framework
The crux of the dispute in both cases is whether the way the contract risk was allocated in the tenders is proportionate under Article 1.10(1) of the Procurement Act and the Guide to Proportionality.
The interim relief judge provisionally ruled that the terms contested by SoftwareOne violated Rule 3.9A of the Guide to Proportionality. SoftwareOne made it plausible that a reseller cannot control the risk of non-compliance with a processor agreement if the reseller has no access to the personal data and the vendor processes the participant's personal data. SoftwareOne pointed out that in that case the reseller itself does not process personal data, has no actual involvement in the processing, has no access to the software and services on which the personal data are stored, and has no access to the personal data processed with the software (by the participant). The reseller therefore has no control or influence over (i) how the participant uses its right of use and (ii) how the personal data are processed at the vendor, and thus no control over compliance with the processor agreement.
Rule 3.9A of the Guide to Proportionality further states that a risk should be placed with the party best able to control it. Since the reseller has no access to the personal data and they are processed exclusively by the vendor, the State (and the participants) must be regarded as the party best placed to control that risk. The interim relief judge adopts the CvAE's opinion that the State deviates from Rule 3.9D of the Guide to Proportionality without proper justification: the reseller bears unlimited liability for personal data breaches, a risk the reseller cannot control. The interim relief judge therefore considers the conditions that the reseller must enter into a processor agreement and that it bears unlimited liability disproportionate. As a result, the award decisions cannot stand.
Background
Blauw is a market research company that processes large amounts of personal data. Nebu is a software development company focused on facilitating market research and data collection. Blauw has used Nebu's services since 2013, and in 2018 the parties signed a processor agreement drafted by Blauw. On March 10 and 11, 2023, a security incident occurred at Nebu that may have involved Blauw's data. According to Blauw, Nebu's security measures, such as multi-factor authentication (MFA) and data separation, fell short. Blauw argues that Nebu is liable for the damage suffered and claims (i) damages and (ii) rescission of the agreement for breach of contract. Nebu argues that it acted appropriately and that the measures in place at the time of the incident were in line with the accepted standard.
Legal framework
The Blauw processor agreement required Nebu to take appropriate technical and organizational measures to secure its services and to review and improve them regularly. Blauw argues that Nebu failed to comply because it had not implemented MFA, which, according to Blauw, was "common practice" at the time and would have reduced the chance of a successful attack by 99%. Blauw also accuses Nebu of failing to segregate customer data and of reporting the attack too late.
Nebu disputes this, arguing that several products without MFA were on the market at the time of the attack and that the relevant legislation did not mandate MFA. Moreover, MFA would not have prevented the attack. Nebu also points to the multi-tenant environment agreed with Blauw, in which different customers used the same environment for data storage, which Nebu says was common.
The court considers that these issues must be clarified first. Only then can it be determined whether Nebu breached its contractual obligations and/or duty of care. That clarity requires the input of an independent expert, and the court therefore submits the following questions to an expert:
1. What was common industry practice in early 2023 for a diligent service provider/(sub)processor within the meaning of the AVG in the Dutch market when it comes to securing personal data, in particular data separation and MFA, or a combination of both? Does it make a difference that the (sub)processor's customer conducts market research in which large amounts of personal data of natural persons (including medical data) are stored and processed? To what extent was there a common practice?
2. a. If in this case both MFA and data separation had been implemented in accordance with the practice referred to in question 1, what would the probability have been that the incident occurred? Would the impact of the incident on the personal data of which Blauw was a processor have been different from the impact in the situation that actually occurred? If so, in what respect?
b. What would your answer be if only MFA or only data separation had been implemented in accordance with the standard in question 1?
3. Given the state of the art and market practice in early 2023, could the incident have been detected earlier than March 11, 2023 at 8:30 a.m.? Would it have been possible and meaningful to notify Blauw of the incident earlier than March 11, 2023 at 10:51 a.m.? Could Nebu have given Blauw more or different information at 10:51 a.m. on March 11, 2023 than it did at that time? If not, why not? If so, what?
4. Was Nebu's determination on March 24, 2023, after internal investigation, that the incident had resulted in a personal data breach made within a reasonable time for a diligent service provider in the circumstances of early 2023?
5. Are there any other points you would like to raise that you think the court should take note of?
Background
By judgment of June 7, 2024, the preliminary injunction court ordered LinkedIn, Microsoft Ireland, Microsoft Corporation and Xandr (LinkedIn et al.) to cease placing or reading tracking cookies on the defendant's device. After the judgment, the defendant had LinkedIn et al.'s compliance with it investigated. The expert's report concluded that LinkedIn et al. had placed tracking cookies on the defendant's computer on the two dates investigated. The defendant then served notice on each of the parties that a penalty payment of 25,000 euros had been forfeited for violating the injunction, and subsequently levied executory attachments. LinkedIn et al. seek an order requiring the defendant to lift the attachments.
Legal framework
According to LinkedIn et al., only the cookies named in the judgment may no longer be placed. The court disagrees: the cookies named in the judgment are examples of tracking cookies, but the injunction covers tracking cookies and any other cookies requiring consent. LinkedIn et al.'s narrower reading is therefore incorrect, as it would allow them to continue violating the AVG and the Telecommunications Act.
LinkedIn et al. next argue that they took steps to prevent cookies from being read or placed without the defendant's consent. However, they have given no explanation at all of how this was supposedly done, which could have been expected of them; the argument is too thin. LinkedIn et al. further state that their own investigation, unlike the defendant's, found no violations. The court notes that this investigation was not conducted by an independent third party and that it predates the defendant's investigations.
The court does not follow LinkedIn et al.'s argument that the defendant is cherry-picking. The point that there are websites on which no cookies were detected is difficult to take seriously: the fact that things sometimes go right does not undo the times they go wrong, the court says. Moreover, the defendant's investigation explains in detail why the cookies found qualify as tracking cookies and are therefore neither proportionate nor necessary. For example, the cookies expire only after 6 or 12 months, which allows LinkedIn et al. to collect detailed data about users. LinkedIn et al. have put forward little of substance against this reasoning.
The court finds it proven that LinkedIn et al. violated the injunction by placing the tracking cookies. LinkedIn and Microsoft Ireland have each forfeited a penalty payment of 25,000 euros. The penalties claimed from Microsoft Corporation and Xandr are lifted, since the judgment was not served on them until after the dates on which compliance was verified; nothing shows that they failed to comply with the injunction.
Rb. North Netherlands Jan. 7, 2025, ECLI:NL:RBNNE:2025:187: The case concerns a father's request for his son's data. According to the court, this falls within the private sphere of father and son, since it concerns the son's personal data, and it is therefore an AVG request rather than a Woo request. The court then rules that the son is 16 years old and therefore, under Art. 8(1) AVG and Art. 5(1) UAVG, decides for himself whether the data are shared. The argument that the son's consent is not needed because the father has custody of him is incorrect. Since the son has refused, the requested documents cannot be sent to the father.
Rb. Midden-Nederland Jan. 8, 2025, ECLI:NL:RBMNE:2025:91: The plaintiffs' appeal against the failure to decide in time on their request to remove BSN numbers from the civil service table is inadmissible. The plaintiffs wanted the minister to decide on their application. Since the minister has since decided, the plaintiffs no longer have an interest in a ruling on the appeal against the late decision.
General Court EU Jan. 8, 2025, ECLI:EU:T:2025:4: Bindl asked the General Court to annul transfers of his personal data to third countries without an adequate level of protection and claimed compensation for non-material damage. The General Court ruled that the transfer of personal data to the U.S. without adequate safeguards violated Article 46 AVG and awarded Bindl €400 in compensation for non-material damage.
CJEU Jan. 9, 2025, ECLI:EU:C:2025:2: The Court ruled that a transport company's mandatory collection of forms of address (Mr/Ms) for commercial communications violates the AVG. It is not necessary for the performance of a contract and cannot be justified by a legitimate interest, as customers' rights outweigh that interest, particularly because of the risk of discrimination. The right to object under Art. 21 AVG plays no role in assessing the lawfulness of processing based on legitimate interest (Art. 6(1)(f) AVG), because Art. 21 AVG presupposes lawful processing.
Rb. North Netherlands Jan. 9, 2025, ECLI:NL:RBNN:2025:83: The court ruled that the AP rightly concluded that a woman who live-streamed camera images of bridges and a harbor in a Frisian village, for advertising and tourism purposes among others, could not rely on legitimate interest. The live images also showed houses and residents in public areas. Residents do not expect their personal data to be processed through a live stream, and despite warning signs passers-by are not always aware of it. The processing is not lawful, transparent or fair, and the woman's stated interests do not outweigh those of the residents.
Rb. Gelderland Jan. 21, 2025, ECLI:NL:RBGEL:2025:277: The court ruled that the claimant was wrongly denied access to her records in the GIR (Municipal Incidents Registration). The municipality had refused access because of the confidentiality of the GIR system and the protection of employees. The court found that the municipality had not sufficiently substantiated why this falls under the data subject protection limitation of Art. 23(1)(i) AVG and Art. 41(1)(i) UAVG. The GIR record could have been provided in a different form, with confidential data hidden, as long as this complied with Art. 15(3) AVG.
Rb. Limburg Jan. 31, 2025, ECLI:NL:RBLIM:2025:778: The claimant objected to the UWV's processing of his personal data, but the objection was rejected. The UWV argued that it has a statutory duty to process data for the policy administration, particularly since the claimant receives pension benefits. The court ruled that the UWV does indeed have a statutory duty that makes this processing necessary. The exception of Art. 17(3)(b) AVG therefore applies and the claimant has no right to erasure of his data.
Rb. Limburg Feb. 4, 2025, ECLI:NL:RBLIM:2025:930: Appeal against the Tax Administration for failure to decide in time on a request for access. The court declared the appeal inadmissible because the appellant no longer had a procedural interest in a ruling on it: the Tax Administration had since decided on his request for access, and there was no other reason to assume a procedural interest.
Rb. The Hague Feb. 5, 2025, ECLI:NL:RBDHA:2025:1138: In the case of former House Speaker Arib v. House of Representatives, the District Court of The Hague ruled that the State had a legitimate interest in processing Arib's personal data. This concerned the interests of civil servants, the creation of a safe working environment and the general public. Arib's interests weighed less heavily because, among other things, they had been taken into account in the processing by considering the nature and sensitivity of the information for Arib's life and by opting for an external investigation.
Rb. North Holland Feb. 11, 2025, ECLI:NL:RBNHO:2025:1087: A director of school umbrella organization SPO argues that SPO should not have been allowed to process her data in the school leaders register without her consent. The court ruled that SPO was allowed to do so on the basis of legitimate interest (Art. 6(1)(f) AVG), because its task is to monitor the quality of school leaders. The balance of interests falls in SPO's favor because the data processed, just her name and school, are less sensitive.
Rb. Amsterdam Feb. 12, 2025, ECLI:NL:RBAMS:2025:885: The plaintiffs claim that Microsoft and Xandr place cookies without consent. Microsoft and Xandr argue that they are not responsible for setting these cookies, as this is done by other website operators. According to the court, Microsoft and Xandr have influence over the placement of the cookies and are therefore in violation of Article 11.7a of the Telecommunications Act. They must stop placing cookies without consent.
Conclusion A-G Feb. 21, 2025, ECLI:NL:PHR:2025:260: ICS's identification method involves asking a customer for proof of identity bearing a passport photograph. The customer is also asked to take and send a selfie, which is used to verify the identity stated on the ID. The verification is performed by a person. The customer argues that this constitutes biometric data (Art. 4(14) AVG). The A-G is of the opinion that merely capturing and storing photographs containing facial images does not constitute processing of biometric data, as that would require specific technical processing, which is lacking here.
CJEU Feb. 27, 2025, ECLI:EU:C:2025:117 (C-203/22): The CJEU ruled that in automated decision-making, including profiling, the data subject has the right under Art. 15(1)(h) AVG to receive understandable information about the underlying logic. If this information contains trade secrets or third parties' personal data, the controller must disclose it to the supervisory authority or court, which weighs the rights and interests involved to determine the scope of the right of access.
Rb. Amsterdam Jan. 15, 2025, ECLI:NL:RBAMS:2025:313: The court rules that the collective claim foundations are admissible in their collective action concerning the lawfulness of Google's processing of personal data. The court finds that both foundations meet the admissibility requirements of Art. 3:305 BW and the WAMCA. The court gives the parties the opportunity to comment on the desired outcome of the proceedings, now that the District Court of Rotterdam in SDBN v. Amazon (ECLI:NL:RBROT:2024:11322) intends to refer preliminary questions. We discussed that ruling in the November-December case law review.
RvS Jan. 29, 2025, ECLI:NL:RVS:2025:321: The applicant's access request was too general and she had failed to specify it, despite the college's request to do so. On appeal she argued that the college knew which data she wanted to see. The court ruled that, given the large amount of data, the college was entitled under recital 63 AVG to request specification, and that it had rightly been held that the college did not need to provide more data.
Rb. Overijssel Feb. 7, 2025, ECLI:NL:RBOVE:2025:691: An employee of a mental health institution was summarily dismissed for accessing the patient file of a former professional football player. The employee challenged the dismissal. The subdistrict court granted her request, ruling that although she had acted culpably, her conduct was not seriously culpable. Relevant here was that she had accessed the file only once and was authorized to do so in the system.