PONT Data&Privacy
NautaDutilh Case law overview November

January 2, 2025

Case law - Summaries

NautaDutilh

Our partner NautaDutilh provides a case law overview on a regular basis, each time also discussing a number of cases in more detail. Further down this page, under "Case law summary", you will find an overview of relevant privacy case law from the months of September and October. Below, Danique Knibbeler and Siebe Been, Privacy & Data Protection attorneys at NautaDutilh, highlight two interesting cases. Happy reading!


ECJ EU, 4 October 2024, C-446/21, ECLI:EU:C:2024:834 (Schrems v. Meta)

Background

The case concerns the processing of sensitive personal data by Meta Platforms Ireland Limited (formerly Facebook Ireland Limited). Maximilian Schrems is suing the company for allegedly unlawfully processing his personal data, including data about his sexual orientation and political views. These data are used for personalized advertisements without his explicit consent. The case revolves around the interpretation of several articles of the GDPR (referred to throughout this overview by its Dutch abbreviation, AVG), in particular on purpose limitation, data minimization and the processing of special categories of personal data such as sexual orientation and political beliefs. The Court must assess whether these processing operations are lawful without the user's explicit consent.

Questions referred for a preliminary ruling

  1. Should Article 6(1)(a) and (b) AVG be interpreted to mean that the legality of contractual provisions for personalized advertisements must be assessed according to Article 6(1)(a) AVG, read with Article 7 AVG, and cannot be replaced by Article 6(1)(b) AVG?
  2. Does Article 5(1)(c) AVG allow all personal data obtained by a platform such as Facebook to be aggregated, analyzed and processed for targeted advertising without time limitation and without distinction of data type?
  3. Does the ban on processing special categories of personal data in Article 9(1) AVG also cover data that may lead to the filtering of special categories such as political opinions or sexual orientation, even if the controller itself does not distinguish between these types of data?
  4. Does Article 5(1)(b) AVG, read with Article 9(2)(e) AVG, allow a statement about a person's sexual orientation during a public panel discussion to lead to processing of other sexual orientation data for personalized advertisements?

Answer

The first question was withdrawn by the referring court following the judgment in another case (C-252/21, Meta Platforms and Others), so it no longer required an answer. The third question was likewise withdrawn following the judgment in that same case.

In answer to the second question, the Court held that Article 5(1)(c) AVG must be interpreted to mean that the principle of data minimization precludes all personal data obtained by a controller such as the operator of an online social networking platform (whether from the data subject or from third parties, and whether collected on or off that platform) from being aggregated, analyzed and processed for targeted advertising without temporal limitation and without distinction as to type of data.

In answer to the fourth question, the Court held that Article 9(2)(e) AVG must be interpreted to mean that the fact that a person made a statement about his or her sexual orientation during a public panel discussion does not authorize the operator of an online social networking platform to process other data relating to that person's sexual orientation. This also applies to data obtained through third-party partner websites and apps. The mere fact that a person has publicly shared information about his or her sexual orientation does not permit the collection, aggregation and analysis of other related data for personalized advertising on that basis.

ECJ EU, 26 September 2024, C-768/21, ECLI:EU:C:2024:785 (TR v. Land Hessen)

Background

Sparkasse, a public institution that also provides banking services (the data controller), reported a data breach under Article 33 AVG to the HBDI, the supervisory authority in Hesse, Germany. An employee had accessed the personal data of customer TR (the data subject) several times without authorization. The controller considered that this breach was unlikely to pose a high risk to the data subject because of the disciplinary measures taken and other precautions. It therefore did not inform the data subject under Article 34 AVG. However, the data subject became aware by chance that his personal data had been unlawfully accessed and filed a complaint with the HBDI about the failure to notify him of the breach. The HBDI held that there was no breach of Article 34 AVG because the controller's risk assessment was not manifestly incorrect. No corrective action was taken against Sparkasse. The data subject then appealed to the Administrative Court, requesting that action be taken against Sparkasse.

Question referred for a preliminary ruling

Should Article 57(1)(a) and (f), Article 58(2)(a) to (j) in conjunction with Article 77(1) AVG be interpreted as meaning that the supervisory authority is always obliged to act in accordance with Article 58(2) AVG when it establishes that a data processing operation violates the rights of the data subject?

Answer

When interpreting provisions of Union law, their wording, context and objectives must be taken into account. National supervisory authorities are responsible for monitoring compliance with the rules on the protection of personal data (Article 8(3) Charter, Articles 51(1) and 57(1)(a) AVG). Article 57(1)(f) AVG requires complaints to be handled in accordance with Article 77(1) AVG. Article 58(1) AVG grants supervisory authorities broad investigative powers. Where a violation is found, they must respond appropriately to remedy the shortcoming, and any action taken must be appropriate, necessary and proportionate. Article 58(2) AVG gives supervisory authorities discretion in choosing the appropriate means to remedy a violation. As regards administrative fines, Article 83(2) AVG provides that whether a fine is imposed depends on the circumstances of each case and that a fine may be imposed in addition to, or instead of, other measures. Supervisory authorities must consider factors such as the nature, gravity and duration of the violation. Neither Article 58(2) AVG nor Article 83 AVG obliges supervisory authorities always to impose corrective measures or fines upon finding a violation; this is mandatory only where it is appropriate, necessary and proportionate.

In the present case, Sparkasse informed the HBDI of an employee's unauthorized access to personal data and indicated that it had taken disciplinary action. The HBDI decided not to impose corrective measures or fines under Article 58(2) AVG. It is for the referring court to determine whether the HBDI acted diligently within its discretion.


Case law summary

Relevant privacy case law from the months of September and October, grouped by theme and listed in chronological order within each theme.

Data subjects' rights

Under the AVG, an administrative body must provide all requested information when responding to an access request. If the administrative body states that a document is not (or is no longer) in its possession, it is up to the requester to prove otherwise. Redacting data (blacking it out) is permitted, provided it does not interfere with the rights of the data subject.

An administrative body satisfies an access request when it provides the requested personal data that are under its control. Data not covered by the request, or held by another administrative body, need not be provided.

A former employee has no right of access to the employer's request for advice to a third party, nor to the resulting opinion on an employment dispute addressed to the court. The right of access may be limited to protect the rights and freedoms of others (including the controller) pursuant to Art. 23(1)(i) AVG and Art. 41(1)(i) UAVG.

An objection under Art. 21 AVG and erasure requests under Art. 17 AVG were rejected. The registrations in the incident register and the IVR are lawful; the bank has a legitimate interest under Art. 6(1)(f) AVG, which it sufficiently explained, since the registrations serve to protect the integrity of the financial sector. No arguments were put forward as to why the eight-year registration period under the PIFI Protocol would be disproportionate, so the registration period was not reduced.

The rectification request under Art. 16 AVG was rejected: the right to rectification can only be invoked where personal data are inaccurate or incomplete and that inaccuracy can be objectively established. The right is not intended to correct opinions, research results, impressions and conclusions, nor does it extend to supplementing documents.

The court ruled that a "hit" in the bank's Transaction Monitoring System was not an automated decision under Art. 22 AVG, so the bank did not have to disclose the underlying logic (Art. 15(1)(h) AVG): after the "hit", an investigation by employees took place, which involved human intervention. The access request was refused on the basis of Art. 41(1)(d) UAVG because the bank's interest in complying with its Wwft obligations outweighed the applicant's interest. The individual already had access to his payment transactions and knew that a payment transaction had prompted the investigation, which the court considered sufficient explanation.

The court ruled that police assistance tasks fall under the Wpg because they cannot easily be distinguished from other police tasks; the line between enforcement and assistance is vague and the two may overlap. As a result, the data subject cannot request access under the AVG.

AVG principles

Art. 6(1)(f) AVG should be interpreted to mean that a commercial interest can be a legitimate interest, but only if the second and third steps of the test are also met: only those personal data may be processed that are strictly necessary to pursue the legitimate interest, and the interests, fundamental freedoms and fundamental rights of the data subject must not outweigh that legitimate interest in light of all relevant circumstances. Art. 6(1)(f) AVG does not require such an interest to be determined by law, but it does require that the interest invoked be legitimate.

The principle of data minimization under Art. 5(1)(c) AVG precludes unrestricted processing of personal data for targeted advertising. In addition, Art. 9(2)(e) AVG does not allow a social media platform operator to process other data about a person's sexual orientation.

The mere fact that a partner is not personally liable and is liable only up to the small amount of his contribution is not automatically sufficient to conclude that he has a legitimate interest in obtaining information about all partners with indirect holdings. Such data processing must be objectively indispensable for the performance of the contract (Art. 6(1)(b) AVG) or strictly necessary for legitimate interests, in which case alternatives must be considered (Art. 6(1)(f) AVG).

Damage

Plaintiffs must prove both the existence of damage (material or immaterial) and a causal connection to the breach. An apology may suffice as compensation for immaterial damage if it fully compensates for that damage. The attitude and motivation of the controller (e.g., good intentions or a positive attitude) cannot reduce compensation; only the extent of the damage caused by the breach is relevant. A short loss of control over personal data can cause immaterial damage if such damage is proven.

An opinion of a supervisory authority under Art. 58(3)(b) AVG does not exempt a controller from liability under Art. 82(2) AVG. That article provides for a fault-based liability regime in which the burden of proof lies not with the person who suffered the damage but with the controller, which must prove that it is in no way responsible for the event giving rise to the damage in order to be exempted from liability. Opinions of a supervisory authority fall under its advisory powers and have no legal effect; Recital 143 AVG confirms that the right to an effective remedy does not cover non-binding measures such as supervisory authority opinions or recommendations.

Varia

The fine imposed on the police for failing to conduct a DPIA stands. The court did not accept COVID-19 as force majeure justifying the failure, because the police did have time to conduct a pre-DPIA, which showed that there was also time and resources to conduct a full DPIA. The court therefore found no untenable situation justifying the failure to conduct the DPIA.

Chapter VIII AVG does not prevent national law from allowing competitors to bring civil actions for data protection violations. In addition, data that customers enter when ordering pharmacy-only medication online, such as their name, delivery address and product details, constitute health data. This applies even if no prescription is required and regardless of whether the medication is for the user or for another person.

National rules may allow authorities to access data on a mobile phone for the purposes of criminal proceedings, provided they define the offences concerned precisely, respect the principle of proportionality and require prior judicial review. Data subjects should be informed as soon as possible.

Supervisory authorities are not always required to impose corrective measures or fines for a breach, provided such measures would not be appropriate, necessary or proportionate.