Tag Archives: EU data protection law

Brief case-law companion for the GDPR professional

This collection of quotes from relevant case-law has been compiled with the purpose of being useful to all those working with EU data protection law. The majority of the selected findings are part of a “Countdown to the GDPR” I conducted on social media, one month before the Regulation became applicable, under #KnowYourCaseLaw. This exercise was prompted by a couple of reasons.

First, data protection in the EU is much older and wider than the General Data Protection Regulation (GDPR) and it has already invited the highest Courts in Europe to weigh in on the protection of this right. Knowing what those Courts have said is essential.

Second, data protection law in the EU is not only a matter of pure EU law, but also a matter of protecting human rights following the legal framework of the Council of Europe (starting with Article 8 of the European Convention on Human Rights – ‘ECHR’). The interplay between these two legal regimes is very important, given that the EU recognizes fundamental rights protected by the ECHR as general principles of EU law – see Article 6(3) TEU.

Finally, knowing relevant case-law makes the difference between a good privacy professional and a great one.

What to expect

This is not a comprehensive collection of case-law and it does not provide background for the cases it addresses. The Handbook of data protection law, edition 2018, is a great resource if this is what you are looking for.

This is a collection of specific findings of the Court of Justice of the EU (CJEU), the European Court of Human Rights (ECtHR) and one bonus finding of the German Constitutional Court. There are certainly other interesting findings that have not been included here (how about an “Encyclopedia of interesting findings” for the next project?). The ones that have been included provide insight into specific issues, such as the definition of personal data, what constitutes data related to health, what it means to consent freely or what type of interference with fundamental rights profiling is. Readers will even find a quote from a concurring opinion of an ECtHR judge that is prescient, to say the least.

Enjoy the read!

Brief Case-Law Companion for the GDPR Professional

Section 4. Innovative thinking: Article 8(2) + Article 52(1) = conditions for justification of interference with Article 8(1) Charter

(Section 4 of the Analysis of the AG Opinion in the “PNR Canada” Case: unlocking an “unprecedented and delicate” matter)

After establishing that the EU-Canada PNR Agreement allows for a particularly serious interference with the rights to respect for private life and to the protection of personal data, the AG goes on to analyze whether this interference is justified.

First, he establishes that neither of the two rights “is an absolute prerogative” (§181), meaning that their exercise can be limited. The AG recalls “that limitations may be placed on the exercise of rights such as those enshrined in Article 7 and Article 8(1) of the Charter, provided that those limitations are provided for by law, that they respect the essence of those rights and that, subject to the principle of proportionality, they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others” (§182).

Again, just like in §170, the AG refers only to limitations of the first paragraph of Article 8. Moreover, he specifies in the following paragraph that “Article 8(2) of the Charter permits the processing of personal data ‘for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law’” (§183). He follows this only by stating that “with regard to one of the conditions set out in Article 8(2) of the Charter … the agreement envisaged does not seek to base the processing of the PNR data communicated to the Canadian competent authority on the consent of the air passengers” (§184).

This is why paragraph 188 comes as a surprise, because, after finding the essence of the two rights is not touched (see below), the AG states that “It is therefore necessary to ascertain whether the other conditions of justification provided for in Article 8(2) of the Charter and those laid down in Article 52(1) thereof, which, moreover, overlap in part, are satisfied” (§188).  

To my knowledge, this is the first time an Advocate General, or the Court for that matter, refers to the second paragraph of Article 8 of the Charter as prescribing “conditions for justification” of interferences with the right to the protection of personal data and equates them with those laid down in Article 52(1) of the Charter.

Such a hypothesis is not without merit from the outset, but it would need a more in-depth justification than simply stating a couple of paragraphs above that Article 8(2) of the Charter allows processing of data only for specified purposes and if it is based on consent or has another legitimate basis laid down by law. For instance, if indeed we were to consider that any processing of personal data constitutes an interference with Article 8 (this finding by the Court in DRI has some faults worthy of academic attention, but for the moment we have to work with it), then it would make sense to see the conditions for having a lawful basis for processing as being conditions for justifying the “interference” with the right to the protection of personal data.

Moreover, a separate analysis of whether the conditions in Article 8(2) are satisfied does not follow. The AG merely states in §189 that the conditions from Article 52(1) for the interference to be provided for by law and to meet objectives of general interest are equivalent to the “expression used in Article 8(2)” – having a “legitimate basis” – and that they are “manifestly satisfied” (§189).

As for the essence of the two rights, the AG recalls that neither of the parties argued before the Court that the interference harms the essence of the two fundamental rights (§185).

With regard to the essence of Article 7, he further explains that “the nature of the PNR data forming the subject matter of the agreement envisaged does not permit any precise conclusions to be drawn as regards the essence of the private life of the persons concerned. The data in question continues to be limited to the pattern of air travel between Canada and the Union” (§186). The AG also refers in this context to the “masking” and gradual “depersonalization” of the data as guarantees to preserve private life (§186).

With regard to the essence of Article 8, the AG mentions that “under Article 9 of the agreement envisaged, Canada is required, in particular, to ‘ensure compliance verification and the protection, security, confidentiality and integrity of the data’, and also to implement ‘regulatory, procedural or technical measures to protect PNR data against accidental, unlawful or unauthorised access, processing or loss’. In addition, any breach of data security must be amenable to effective and dissuasive corrective measures which might include sanctions” (§187). Unfortunately, the AG does not expand on the concept of the essence of the right to the protection of personal data and does not depart from what the Court indicated in Digital Rights Ireland at §40, restricting the essence of Article 8 mainly to the presence of data security measures.

Concluding that the essence of the two rights is not touched upon, the AG further analyzes the proportionality and the necessity of the interference.

Accessing content of emails – the 2nd Californian Gmail case. A summary and some post scriptum thoughts

Yesterday I stumbled upon the ‘Order denying the motion to dismiss as to the merits of plaintiff’s claims’, issued by the US District Court – Northern District of California on 12 August 2016 in the case of Matera v. Google.  The order allows the trial against Google to move forward.

This is the second case brought before the Californian Court alleging that Google’s practice of scanning the content of emails sent through its Gmail service violates US wiretap laws. The first try was not successful because the plaintiffs could not constitute a ‘class’ (there’s a short history of the first case recalled in the Order). What’s interesting is that most of the findings in this Order are in fact re-statements of findings from the previous case. And with this case moving forward for now, there’s a chance we’ll see a real assessment of the facts of the case and an actual Court decision in the end.

Now, the plaintiff seeks to represent non-Gmail users ‘who have never established an email account with Google, and who have sent emails to or received emails from individuals with Google email accounts’.

‘Google allegedly intercepted the emails for the dual purposes of (1) providing advertisements targeted to the email’s recipient or sender, and (2) creating user profiles to advance Google’s profit interests.’

According to the plaintiff, Google utilizes the user profiles ‘for purposes of selling to paying customers, and sending to the profiled communicants, targeted advertising based upon analysis of these profiles’ (p. 3).

Google defends itself by stating, among other things, that this practice is a part of their ‘ordinary course of business’ and therefore it falls under an exception of the Wiretap Law that allows them to look at the content of communications.

I read the Order with the mind of an EU data protection lawyer who was part of the team assessing the EU-US Privacy Shield for the Article 29 Working Party, and this is a list of findings that caught my eye:

  1. The Court found it plausible that the use of data to target ads is not ‘routine and legitimate commercial behaviour’ that is part of Google’s ordinary course of business, so it’s not exempted under the Wiretap Act.
  • The Court reiterated that it stands by the findings in Gmail I, according to which ‘the ordinary course of business exception protected electronic communication service providers from liability where the interceptions facilitated or were incidental to provision of the electronic communication service at issue’ (p. 11).
  • In other words, the Court concluded that there ‘must be some nexus between the need to engage in the alleged interception and the provider’s ultimate business, that is, the ability to provide the underlying service or good’ (p. 12).
  • Otherwise, the Court explained, ‘an electronic communication service provider could claim that any activity routinely undertaken for a business purpose is within the ordinary course of business, no matter how unrelated the activity is to the provision of the electronic communication service’ (p. 15).
  • The Court further restated an argument of Chief Judge Hamilton from a previous case, who noted that ‘it is untenable for electronic communication service providers to ‘self-define’ the scope of their exemption from Wiretap Act liability’.
  • Google used the following argument: ‘the alleged interception of email enables Google to provide targeted advertising, which in turn generates the revenue necessary for Google to provide Gmail. Google further contends that “the use of data to target ads is routine and legitimate commercial behavior”’ (p. 24).
  • The Court in fact found that, because Google ceased intercepting and analysing the contents of emails transmitted via Google Apps for Education, ‘Google is able to provide the Gmail service to at least some users without intercepting, scanning and analyzing the content of email for advertising purposes’ (p. 24).

  2. Google claims that California’s Invasion of Privacy Act does not apply to email and does not apply to new technologies in general. The Court is ‘unpersuaded’ by these claims and follows the California Supreme Court’s philosophy according to which, when faced with two possible interpretations of CIPA, the CSC construes CIPA ‘in accordance with the interpretation that provides the greatest privacy protection’.

  • Section 631 of the California Penal Code creates liability for any individual who ‘reads, or attempts to read or to learn the contents or meaning of any message, report or communication while the same is in transit or passing over any wire, line or cable, or is being sent from or received at any place within this state’.
  • There is also a Section 630, according to which:

The Legislature hereby declares that advances in science and technology have led to the development of new devices and techniques for the purpose of eavesdropping upon private communications and that the invasion of privacy resulting from the continual and increasing use of such devices and techniques has created a serious threat to the free exercise of personal liberties and cannot be tolerated in a free and civilized society.

The Legislature by this chapter intends to protect the right of privacy of the people of this state.

  • The Court refers to the California Supreme Court’s findings in Flanagan v. Flanagan that ‘In enacting [CIPA], the Legislature declared in broad terms its intent to protect the right of privacy of the people of this state from what it perceived as a serious threat to the free exercise of personal liberties that cannot be tolerated in a free and civilized society. This philosophy appears to lie at the heart of virtually all the decisions construing [CIPA]’ (p. 33). (Flanagan v. Flanagan, 27 Cal. 4th 766, 775 (2002)).
  • Replying to Google’s claim that CIPA cannot refer to emails, as emails did not exist at the time CIPA was adopted, the Court quotes again the California Supreme Court, which regularly reads statutes to apply to new technologies where such a reading would not conflict with the statutory scheme (p. 34, 35):

“Fidelity to legislative intent does not ‘make it impossible to apply a legal text to technologies that did not exist when the text was created. . . . Drafters of every era know that technological advances will proceed apace and that the rules they create will one day apply to all sorts of circumstances they could not possibly envision.” (Apple Inc. v. Superior Court, 56 Cal. 4th 128, 137 (2013))

  • Finally, the Court refers to two other courts in its district that already decided to apply Section 631 of CIPA to ‘electronic communications similar to email’ (re Facebook Internet Tracking Litig., 140 F. Supp. 3d at 936 – holding that section 631 applies to “electronic communications”; Campbell, 77 F. Supp. 3d at 848 – finding that plaintiffs stated a claim under section 631 when defendant allegedly intercepted online Facebook messages). (p. 37).

Some post scriptum thoughts:

When the Court says there must be a ‘nexus between the need to engage in the alleged interception and the provider’s ultimate business, that is, the ability to provide the underlying service or good’ for the interception of the content of the communications to be lawful, it is almost as if the Court were saying that the interception must be ‘strictly necessary’ for the ordinary course of business.

If we were to transpose this case into the realm of EU law, we may not even get to consider whether the interception (which amounts to an interference) is strictly necessary or not to achieve a purpose ‘allowed’ by the applicable law. The main question to answer would be: ‘does accessing all the content of emails and profiling all the users for marketing purposes touch the essence of the fundamental right to private life and that of the fundamental right to data protection?’.

There are very good chances the answer would be ‘yes’…