Keywords: data protection – privacy – right to be forgotten – right of access – data commissioners.
In a short time (from Spring 2014 to Autumn 2015) the Court of Justice of the European Union has issued ten decisions providing for the authoritative interpretation of the EU legislation in the field of personal data processing. At the same time, it has issued several other judgments, which clarify the relationship between data processing and other legal procedures.
This is the list, in a chronological order:
1. Judgment of 8 April 2014, joint cases C-293/12, C-594/12, Digital Rights Ireland and Seitlinger v. Austrian Minister for Communications, Marine and Natural Resources
2. Judgment of 13 May 2014, case C-131/12, Google Spain, Google Inc. v. Agencia Española de Protección de Datos (AEPD), Mario Costeja González
3. Judgment of 19 June 2014, case C-683/13, Pharmacontinente-Saúde e Higiene SA v. Autoridade Para As Condições do Trabalho [Portugal]
4. Judgment of 17 July 2014, joint cases C-141/12, C-372/12, Y.S. v. Minister voor Immigratie, Integratie en Asiel [Netherlands]
5. Judgment of 2 December 2014, case C-212/12, Ryneš v. Úřad pro ochranu osobních údajů [Czech Republic]
6. Judgment of 6 April 2015, joint cases from C-446/12 to C-449/12, Willems v. Burgemeester van Nuth [Netherlands]
7. Judgment of 16 July 2015, case C-580/13, Coty Germany GmbH v. Stadtsparkasse Magdeburg
8. Judgment of 1 October 2015, case C-201/14, Bara v. Președintele Casei Naționale de Asigurări de Sănătate [Romania]
9. Judgment of 1 October 2015, case C-230/14, Weltimmo s. r. o. v. Nemzeti Adatvédelmi és Információszabadság Hatóság [Hungary]
10. Judgment of 6 October 2015, case C-362/14, Schrems v. Data Protection Commissioner [Ireland]
The previous decisions are all preliminary rulings in the form of judgments, except for  which is an order of the Court. There are also two ECJ appellate decisions worth mentioning:
11. Judgment of 2 October 2014, case C-127/13 P, Strack v. Commission
12. Judgment of 16 July 2015, case C-615/13 P, ClientEarth e PAN Europe v. EFSA
One should make a few preliminary remarks: the first is that the cases submitted come from all over Europe (Czech Republic, Germany, Hungary, Ireland, Netherlands, Romania, Spain). This points out that there is a growing uncertainty in the application of Directive 1995/46 and the connected legislation. The second is that the ECJ has accelerated its decision-making procedure: the last judgments delivered came from cases submitted to the Court not more than a year before.
One can attempt to group the decisions into specific topics.
a) The most important ones are, surely, the Digital Rights Ireland and the Schrems decisions by which the CJEU has declared invalid Directive 2006/24/EC on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks; and the Commission Decision 2000/520/EC on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce. In both judgments the paramount provisions which have been considered violated by the Directive and the Decision are Arts 7 and 8 of the Charter of Fundamental Rights of the European Union (Charter).
b) Jurisdiction over data processors. The landmark case is obviously Google Spain where the ECJ – with a significant departure from its precedents – stated that “that processing of personal data is carried out in the context of the activities of an establishment of the controller on the territory of a Member State (...) when the operator of a search engine sets up in a Member State a branch or subsidiary which is intended to promote and sell advertising space offered by that engine and which orientates its activity towards the inhabitants of that Member State”.
In Weltimmo it has applied this principle to infra-community transfers of data stating that “the application of the law on the protection of personal data of a Member State other than the Member State in which the controller with respect to the processing of those data is registered, [is permitted] in so far as that controller exercises, through stable arrangements in the territory of that Member State, a real and effective activity – even a minimal one – in the context of which that processing is carried out”. In order to verify such “real and effective activity” one should “take account of the fact (i) that the activity of the controller in respect of that processing, in the context of which that processing takes place, consists of the running of property dealing websites concerning properties situated in the territory of that Member State and written in that Member State’s language and that it is, as a consequence, mainly or entirely directed at that Member State, and (ii) that that controller has a representative in that Member State, who is responsible for recovering the debts resulting from that activity and for representing the controller in the administrative and judicial proceedings relating to the processing of the data concerned. By contrast, the issue of the nationality of the persons concerned by such data processing is irrelevant”.
c) What is “personal data”. In Minister voor Immigratie, Integratie en Asiel the Court stated that “the data relating to an applicant for a residence permit contained in an administrative document, such as the ‘minute’ at issue in the main proceedings, setting out the grounds that the case officer puts forward in support of the draft decision which he is responsible for drawing up in the context of the procedure prior to the adoption of a decision concerning the application for such a permit and, where relevant, the data in the legal analysis contained in that document, are ‘personal data’ within the meaning of that provision, whereas, by contrast, that analysis cannot in itself be so classified”.
In Pharmacontinente-Saúde e Higiene SA the Court stated that “un registre du temps de travail [...] qui comporte l’indication, pour chaque travailleur, des heures de début et de fin du travail ainsi que des interruptions ou des pauses correspondantes, relève de la notion de ‘données à caractère personnel’, au sens de cette disposition [the Directive]".
d) What are “purely private data”. In Ryneš the Court stated that “the operation of a camera system, as a result of which a video recording of people is stored on a continuous recording device such as a hard disk drive, installed by an individual on his family home for the purposes of protecting the property, health and life of the home owners, but which also monitors a public space, does not amount to the processing of data in the course of a purely personal or household activity, for the purposes of that provision [the Directive]”.
e) What falls under the notion of ‘”data processing”. Considering that Directive 1995/46 was drafted in a pre-Internet age, one can easily understand the doubts raised by new digital technologies as to what should be considered as “data processing”. The Google Spain decision states that “the activity of a search engine consisting in finding information published or placed on the internet by third parties, indexing it automatically, storing it temporarily and, finally, making it available to internet users according to a particular order of preference must be classified as ‘processing of personal data’ within the meaning of Article 2(b) [of the Directive] when that information contains personal data”; and that “the operator of the search engine must be regarded as the ‘controller’ in respect of that processing, within the meaning of Article 2(d) [of the Directive]”.
f) Rights granted and remedies available. The Google Spain decision is famous also because it recognized the so-called ‘right to be forgotten’: “In order to comply with the rights laid down in those provisions [of the Directive] and in so far as the conditions laid down by those provisions are in fact satisfied, the operator of a search engine [may be] obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful”. In order to verify if such conditions exist “it should inter alia be examined whether the data subject has a right that the information in question relating to him personally should, at this point in time, no longer be linked to his name by a list of results displayed following a search made on the basis of his name, without it being necessary in order to find such a right that the inclusion of the information in question in that list causes prejudice to the data subject. As the data subject may, in the light of his fundamental rights under Articles 7 and 8 of the Charter, request that the information in question no longer be made available to the general public on account of its inclusion in such a list of results, those rights override, as a rule, not only the economic interest of the operator of the search engine but also the interest of the general public in having access to that information upon a search relating to the data subject’s name. However, that would not be the case if it appeared, for particular reasons, such as the role played by the data subject in public life, that the interference with his fundamental rights is justified by the preponderant interest of the general public in having, on account of its inclusion in the list of results, access to the information in question”.
In Bara the CJEU stated that the Directive precludes “national measures (…) which allow a public administrative body of a Member State to transfer personal data to another public administrative body and their subsequent processing, without the data subjects having been informed of that transfer or processing”.
In Minister voor Immigratie, Integratie en Asiel the Court of justice while stating that “an applicant for a residence permit has a right of access to all personal data concerning him which are processed by the national administrative authorities within the meaning of Article 2(b) of that directive [1995/46]”. Adding, however, that “for that right to be complied with, it is sufficient that the applicant be in possession of a full summary of those data in an intelligible form, that is to say a form which allows that applicant to become aware of those data and to check that they are accurate and processed in compliance with that directive, so that he may, where relevant, exercise the rights conferred on him by that directive”.
In Willems the Court stated that “does not require the Member States to guarantee, in their legislation, that biometric data collected and stored in accordance with that regulation will not be collected, processed and used for purposes other than the issue of the passport or travel document, since that is not a matter which falls within the scope of that regulation.
g) Balance between protection of personal data and right of access. In ClientEarth e PAN Europe the Court stated that “no automatic priority can be conferred on the objective of transparency over the right to protection of personal data”. However “exceptions to the right of access to documents held by the institutions must be interpreted strictly, a requirement which entails that it must be established that there is a risk of a specific and actual adverse effect on the interest protected”. Therefore “the authority concerned must assess whether the disclosure requested might have a specific and actual adverse effect on the interest protected”.
In Coty Germany (where the parties were both private entities) the Court stated that Directive 2004/48/EC on the enforcement of intellectual property rights “must be interpreted as precluding a national provision, such as that at issue in the main proceedings, which allows, in an unlimited and unconditional manner, a banking institution to invoke banking secrecy in order to refuse to provide (...) information concerning the name and address of an account holder”.
h) Powers of national data protection authorities. In Pharmacontinente-Saúde e Higiene SA the Court stated that the relevant EU provisions “ne s’opposent pas à une réglementation nationale, telle que celle en cause au principal, qui impose à l’employeur l’obligation de mettre à la disposition de l’autorité nationale compétente en matière de surveillance des conditions de travail le registre du temps de travail afin d’en permettre la consultation immédiate, pour autant que cette obligation est nécessaire aux fins de l’exercice par cette autorité de ses missions de surveillance de l’application de la réglementation en matière de conditions de travail, notamment en ce qui concerne le temps de travail”. And that it is upon the national judge to decide if “l’obligation, pour l’employeur, de fournir à l’autorité nationale compétente en matière de surveillance des conditions de travail un accès au registre du temps de travail de façon à en permettre la consultation immédiate peut être considérée comme nécessaire aux fins de l’exercice par cette autorité de sa mission de surveillance, en contribuant à une application plus efficace de la réglementation en matière de conditions de travail, notamment en ce qui concerne le temps de travail”.
In Weltimmo the ECJ stated that a “supervisory authority will be able to exercise the effective powers of intervention conferred on it (...) only within the territory of its own Member State. Accordingly, it cannot impose penalties on the basis of the law of that Member State on the controller with respect to the processing of those data who is not established in that territory, but should request the supervisory authority within the Member State whose law is applicable to act”.
* Full Professor of Comparative Law, University of Roma Tre, firstname.lastname@example.org.