Recent case-law on privacy issues and their surroundings.

Cherry-picking some of the most interesting decisions.


Courts, both on a national and on an international level, are increasingly asked to deal with problems related to the protection or the proper handling of personal data. The General Data Protection Regulation (GDPR), by now in force for a bit more than 18 months, has certainly contributed to raising awareness about how an individual's personal information is used (and frequently abused) by companies and by their service providers. Hence, more and more issues end up in front of the Courts and an increasing number of judgements deal with this kind of issue.

Over the last months, several decisions have kept privacy experts and scholars busy with the analysis of the judges' findings. I would like to share a short list of the most popular ones, dealing with the right to be forgotten (and its balance against the equally fundamental right to freedom of information), cookie use, consent issues and provider liability.

The Right to be forgotten

In my previous post I reported on a decision of the Grand Chamber of the Court of Justice of the European Union (CJEU) (reference is to the Google Spain case, C-131/12) and its potential impact on the business of online platforms, in particular on search engines. In said post, I also mentioned another case, pending in front of the CJEU and involving additional aspects relating to the so-called Right to be forgotten.

Google vs. Commission nationale de l'informatique et des libertés (CNIL) and others (case no. C-507/17)

This case originated from a dispute between Google and the CNIL about a formal notice served by the French Data Protection Commission's President. The notice ordered Google, when a natural person is entitled to the removal of all listed results of a specific name search, to extend such outcome to all of the search engine's domain name extensions.

In the course of such dispute the French Highest Administrative Court felt that the resolution of the case needed clarification from the CJEU on the following questions:

- whether the right to de-referencing, as established in the CJEU's Google Spain decision, should be interpreted as meaning that a search engine operator is required, when granting a request for de-referencing, to deploy the de-referencing to all of the domain names used by its search engine so that the links at issue no longer appear, irrespective of the place from where the search initiated on the basis of the requester's name is conducted, and even if it is conducted from a place outside the territorial scope of Directive [95/46/EC] of 24 October 1995?

- if not, whether such right is to be understood as meaning that a search engine operator is required, when granting a request for de-referencing, only to remove the links at issue from the results displayed following a search conducted on the basis of the requester's name on the domain name corresponding to the State in which the request is deemed to have been made or, more generally, on the domain names distinguished by the national extensions used by that search engine for all of the Member States of the European Union?

- finally, whether such right implies that a search engine operator is required, when granting a request for de-referencing, to remove the results at issue, by using the ‘geo-blocking’ technique, from searches conducted on the basis of the requester's name from an IP address deemed to be located in the State of residence of the person benefiting from the ‘right to de-referencing’, or even, more generally, from an IP address deemed to be located in one of the Member States subject to Directive [95/46/EC] of 24 October 1995, regardless of the domain name used by the internet user conducting the search?

On September 24, 2019 the Grand Chamber of the CJEU delivered its decision. On the premise that Directive no. 95/46 was applicable at the date of the submitted request for clarification, while EU Regulation no. 2016/679 became applicable as of May 25, 2018, the Court stated that it would examine the referred questions in the light of both that Directive and that Regulation (paragraphs 40-41), and considered that:

- while according to articles 12 and 14 of the 1995 Directive and now to article 17 of the 2016 Regulation, a data subject is entitled to a specific right to erasure (also qualified as right to be forgotten), the right to protection of personal data is not an absolute one, but must take into account its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality .. especially as the balance between the right to privacy and the protection of personal data, on the one hand, and the freedom of information of internet users, on the other, is likely to vary significantly around the world (paragraph 60), and

stated that:

- under Regulation 2016/679 (art. 17), a data subject has the right to obtain from a controller the erasure of personal data concerning him or her without undue delay .. (paragraph 47), with the controller bearing a corresponding obligation to perform such erasure without delay, provided the grounds laid down in the Regulation occur and provided the right of freedom and of information to internet users is granted,

- subsequently, both the Directive and the Regulation .. permit data subjects to assert their right to de-referencing against a search engine operator who has one or more establishments in the territory of the Union in the context of activities involving the processing of personal data concerning those data subjects, regardless of whether that processing takes place in the Union or not (paragraph 48),

- added (paragraph 49) that in earlier case-law it had been affirmed that the processing of personal data is carried out in the context of the activities of an establishment of the controller on the territory of a Member State when the operator of a search engine sets up in a Member State a branch or subsidiary which is intended to promote and sell advertising space offered by that search engine and which orientates its activity towards the inhabitants of that Member State (judgment of 13 May 2014, Google Spain and Google, C-131/12, EU:C:2014:317, paragraph 60),

- specifically, with respect to the case at stake, it appeared .. from the information provided in the order for reference, first, that Google's establishment in French territory carries on, inter alia, commercial and advertising activities, which are inextricably linked to the processing of personal data carried out for the purposes of operating the search engine concerned, and, second, that that search engine must, in view of, inter alia, the existence of gateways between its various national versions, be regarded as carrying out a single act of personal data processing. The referring court considers that, in those circumstances, that act of processing is carried out within the framework of Google's establishment in French territory. It thus appears that such a situation falls within the territorial scope of Directive 95/46 and Regulation 2016/679 (paragraph 52),

- neither the Directive nor the Regulation contains provisions allowing EU laws to be applied beyond the territory of Member States (paragraph 62), hence .. currently there is no obligation for a search engine operator, who grants a request for de-referencing made by a data subject, as the case may be, following an injunction from a supervisory or judicial authority of a Member State, to carry out such a de-referencing on all versions of its search engine (paragraph 64),

- as to the.. question whether .. a de-referencing is to be carried out on the versions of the search engine corresponding to the Member States or only on the version of that search engine corresponding to the Member State of residence of the person benefiting from the de-referencing .. to ensure a consistent and high level of protection throughout the European Union and to remove the obstacles to flows of personal data within the Union, the answer was that the de-referencing in question is, in principle, supposed to be carried out in respect of all the Member States (paragraph 66).

One wonders whether concerns about a potentially too extensive interpretation of the principle mentioned above induced the Court to stake out its statement by pointing out that .. the interest of the public in accessing information may, even within the Union, vary from one Member State to another, meaning that the result of weighing up that interest, on the one hand, and a data subject's rights to privacy and the protection of personal data, on the other, is not necessarily the same for all the Member States, especially since, .. it is for the Member States, in particular as regards processing undertaken solely for journalistic purposes or for the purpose of artistic or literary expression, to provide for the exemptions and derogations necessary to reconcile those rights with, inter alia, the freedom of information (paragraph 67). Hence, the Court's recommendation that .. for cross-border processing .. the various national supervisory authorities concerned must cooperate .. in order to reach a consensus and a single decision which is binding on all those authorities and with which the controller must ensure compliance as regards processing activities in the context of all its establishments in the Union. Moreover, Article 61(1) of Regulation 2016/679 obliges the supervisory authorities, in particular, to provide each other with relevant information and mutual assistance in order to implement and to apply that regulation in a consistent manner throughout the Union, while .. the urgency procedure provided for in Article 66 of Regulation 2016/679 permits the immediate adoption, in exceptional circumstances, where a supervisory authority concerned considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects, of provisional measures intended to produce legal effects on its own territory with a specified period of validity which is not to exceed three months (paragraph 68).

Finally, the decision closes by stating that:

- the regulatory framework in force .. provides the national supervisory authorities with the instruments and mechanisms necessary to reconcile a data subject's rights to privacy and the protection of personal data with the interest of the whole public throughout the Member States in accessing the information in question and, accordingly, to be able to adopt, where appropriate, a de-referencing decision which covers all searches conducted from the territory of the Union on the basis of that data subject's name (paragraph 69),

- .. it is for the search engine operator to take, if necessary, .. Those measures must themselves meet all the legal requirements and have the effect of preventing or, at the very least, seriously discouraging internet users in the Member States from gaining access to the links in question using a search conducted on the basis of that data subject's name .. (paragraph 70),

- it is the task of the referring (national) Court to assess whether the measures adopted by a search engine are capable of meeting the requirements mentioned above (paragraph 71), and

- by summarizing its view on the submitted questions through the following announcement: .. where a search engine operator grants a request for de-referencing pursuant to those provisions, that operator is not required to carry out that de-referencing on all versions of its search engine, but on the versions of that search engine corresponding to all the Member States, using, where necessary, measures which, while meeting the legal requirements, effectively prevent or, at the very least, seriously discourage an internet user conducting a search from one of the Member States on the basis of a data subject's name from gaining access, via the list of results displayed following that search, to the links which are the subject of that request.

Some personal thoughts on this decision.

I am afraid that this decision will not be capable of meeting the high expectations of all interested stakeholders, seeking a uniform standard and clear guidance on the issues at stake. The CJEU's indications appear to give (and to skim off) a little bit to all interested parties.

Search engines and online platform owners will certainly be happy to learn that they do not bear a global (i.e. worldwide) obligation to automatically comply with de-referencing orders from a national judicial or regulatory authority by extending them to all versions of their search engines. They will, however, need to get prepared to apply such national order throughout all Member States of the European Union.

It is not difficult to imagine that such stakeholders (as well as companies doing business on an international level) will be less happy with the arguments which induced the Court to affirm the competence of the national DPA (i.e. the French CNIL), as this could easily result in a coup de grâce to the one-stop-shop principle[i]. Privacy Advocates and Consumer Protection Associations may also look at this aspect, obviously from a different perspective, with mixed feelings.

The fact that it is up to the search engine to put into place measures, sufficient .. to ensure the effective protection of the data subject's fundamental rights and capable .. of preventing or, at the very least, seriously discouraging internet users in the Member States from gaining access to the links .. leading to banned references, together with the assignment to the national Courts of the task of assessing .. whether the measures adopted by a search engine are capable of meeting the protection requirements, will unavoidably imply a range of differing outcomes, hardly in line with the (harmonizing) aims of Regulation 2016/679.

The Joint Chambers of the Italian Highest Civil Court (Corte di Cassazione) offer their view.

In my earlier post I also reported that the Italian Highest Civil Court had been called upon several times to deal with the problem of how a correct balance between the right to be forgotten and the right to offer (and receive) information could be achieved.

In November 2018 the Third Chamber of the High Court:

- acknowledged that its preceding case-law referred entirely to the no longer effective statute law provisions implementing Directive no. 46 of 1995,

- considered that a correct balance between the right to be forgotten and that to freedom of information had a direct impact on how democracy is to be understood in a modern society, which, on one hand, finds a crucial pillar in freedom of expression and pluralism of information and, on the other hand, cannot renounce the protection of an individual's personality in its various expressions,

- felt that a correct balance could be struck only if clear and consistent reference criteria were identified and made available for assessing whether, and how, such goal could be achieved.

Hence, the issue was referred through a temporary decision to the Joint Chambers of the Court[ii] in order to achieve such consistent reference criteria with respect to the legal framework currently in force (i.e. Regulation 2016/679).

On July 22, 2019 the Court made known its decision (Joint Chambers no. 19681/2019) on the submitted issues.

In such decision, the Court:

- found that the so-called right to be forgotten essentially covered three (different) cases: (a) the position of an individual objecting to a repeated publication of information relating to facts previously diffused on legitimate grounds, when a significant period of time has passed between the two moments of publication, (b) the situation where information, available online and published years ago, is re-used (and re-published) to be put in an actual context, and finally (c) the position such as the one dealt with in the CJEU's Google Spain decision, where an individual exercises his/her right to erasure,

- reminded that its function was not to elaborate general and theoretical principles on legal issues but to offer harmonized decision criteria, applicable and relating to a specific case or legal problem (though presenting an overall validity with respect to identical or similar issues),

- hence clarified that it would deal exclusively with the case mentioned in point (a) above (i.e. when information of public interest, uncontested at the time of its first publication, is diffused again after an extensive period),

- went on to explain that the right to inform covered the publication of information of public interest as well as cases in which an earlier publication is repeated, enriched with additional, new elements, capable of rendering the combination between old facts and new elements in itself as relevant to the public,

- affirmed that such right had to be distinguished from that to report about historical facts, also relevant but distinct and different, as the latter allowed the description of facts and events (when renowned and of public interest) as well as individuals (when famous or in public positions), inserted into a specific historical context (in short, the difference is identical to that between news and history),

- it followed that a report about past events, situations and individuals had to refrain from making specific reference to identified (ordinary) people, when there is no actual relevance and current interest in identifying them by name and in describing their actions,

- additionally, explained that the editorial choices of a newspaper or magazine (e.g. to report about a series of major crimes that occurred in a certain area over an, even extensive, period) were clearly covered by the freedom of press principle; however, a court was certainly entitled to assess whether, when dredging up the past and re-publishing ancient facts, there is or is not a qualified interest in making specific reference to identified individuals,

- stated that the right to inform did not automatically include the right to make public again personal information allowing an individual's identification,

- reminded that the ethical rules governing journalists' professional behavior also supported such conclusion, as they required journalists to respect an individual's personal identity and to refrain from making reference to facts of the past, save the case such reference is essential for the information's completeness, as well as to evaluate, when revealing again (after a substantial time had elapsed) the personal details of a convicted person, the impact of such republication on the individual's family and on the process of his social reintegration,

- finally, found that in the case brought to its attention, an improper application of the principles mentioned above had been made, hence the contested second instance decision was overturned.

Google vs. CNIL and others (case no. C-136/17).

For the sake of completeness, I would like to mention that on the same day (September 24, 2019) the CJEU's Grand Chamber delivered another decision on issues similar to those dealt with in the initial section of this post. To my knowledge, such decision, though containing some interesting findings, did not receive the hype previously assigned to the other Google vs. CNIL judgement.

This case also originated in France, where several individuals had approached the CNIL for a de-referencing order to be issued against Google with respect to search results involving their names and containing statements they considered as disparaging. When the CNIL dismissed such request, the applicants brought the issue in front of the Conseil d’État (French Council of State, an Administrative Court), which found that the definition of the case required a preliminary ruling of the CJEU on the meaning of the provisions laid down in Directive 95/46.

Specifically, the referring Court sought clarification on the following aspects:

Question 1:

- Whether the provisions of the Directive's Article 8, paragraphs 1 and 5[iii], had to be understood as requiring the operator of a search engine, in its role as a processing controller, to grant as a matter of course the requests for de-referencing in relation to links to web pages concerning such data?

Question 2:

- If so, how some of the exceptions laid down in Directive 95/46[iv] should be interpreted, when they apply to the operator of a search engine, in the light of its specific responsibilities, powers and capabilities? In particular, may such an operator refuse a request for de-referencing, if it establishes that the links at issue lead to content which, although comprising data falling within the categories listed in Article 8(1), is also covered by the exceptions laid down by Article 8(2) of the directive, in particular points (a) and (e)? Similarly, when the links subject to the request for de-referencing lead to processing of personal data carried out solely for journalistic purposes or for those of artistic or literary expression, on which basis do the provisions of Directive 95/46 allow the operator of a search engine to refuse a request for de-referencing?

Question 3 (if question 1 is answered in the negative):

- Which specific requirements of Directive 95/46 must be met by the operator of a search engine, in view of its responsibilities, powers and capabilities?

- When the operator establishes that the web pages at the end of the links subject to the request for dereferencing comprise data whose publication on those pages is unlawful, must the provisions of Directive 95/46 be interpreted as:

requiring the operator of a search engine to remove those links from the list of results displayed following a search made on the basis of the name of the person making the request; or

meaning only that it is to take that factor into consideration in assessing the merits of the request for dereferencing, or

meaning that this factor has no bearing on the assessment it is to make?

- Furthermore, if that factor is not irrelevant, how is the lawfulness of the publication on web pages of the data at issue which stem from processing falling outside the territorial scope of Directive 95/46 and, accordingly, of the national laws implementing it to be assessed?

Question 4 (irrespective of the answer to be given to Question 1):

- Whether or not publication of the personal data on the web page at the end of the link at issue is lawful, must the provisions of Directive 95/46 be interpreted as:

-  requiring the operator of a search engine, when the person making the request establishes that the data in question have become incomplete or inaccurate, or are no longer up to date, to grant the corresponding request for de-referencing;

more specifically, requiring the operator of a search engine, when the person making the request shows that, having regard to the conduct of the legal proceedings, the information relating to an earlier stage of those proceedings is no longer consistent with the current reality of his situation, to de-reference the links to web pages comprising such information?

- must Article 8(5) of Directive 95/46 be interpreted as meaning that information relating to the investigation of an individual or reporting a trial and the resulting conviction and sentencing constitutes data relating to offences and to criminal convictions?

- more generally, does a web page comprising data referring to the convictions of or legal proceedings involving a natural person fall within the ambit of those provisions?

Again, the CJEU declared beforehand that even though the questions submitted concerned the interpretation of Directive 95/46 (no longer in force), it would consider the provisions of EU Regulation 2016/679 “.. to ensure that its answers will in any event be of use to the referring court”.

On the first question the CJEU held that .. the provisions of Article 8(1) and (5) of Directive 95/46 must be interpreted as meaning that the prohibition or restrictions relating to the processing of special categories of personal data apply also, subject to the exceptions provided for by the directive, to the operator of a search engine in the context of his responsibilities, powers and capabilities as the controller of the processing carried out in connection with the activity of the search engine, on the occasion of a verification performed by that operator, under the supervision of the competent national authorities, following a request by the data subject.

On the second question it explained that:

- .. the provisions of Article 8(1) and (5) of Directive 95/46 must be interpreted as meaning that the operator of a search engine is in principle required by those provisions, subject to the exceptions provided for by the directive, to accede to requests for de-referencing in relation to links to web pages containing personal data falling within the special categories referred to by those provisions.

Article 8(2)(e) of Directive 95/46 must be interpreted as meaning that, pursuant to that article, such an operator may refuse to accede to a request for de-referencing if he establishes that the links at issue lead to content comprising personal data falling within the special categories referred to in Article 8(1) but whose processing is covered by the exception in Article 8(2)(e) of the directive, provided that the processing satisfies all the other conditions of lawfulness laid down by the directive, and unless the data subject has the right under Article 14(a) of the directive to object to that processing on compelling legitimate grounds relating to his particular situation.

the provisions of Directive 95/46 must be interpreted as meaning that, where the operator of a search engine has received a request for de-referencing relating to a link to a web page on which personal data falling within the special categories referred to in Article 8(1) or (5) of Directive 95/46 are published, the operator must, on the basis of all the relevant factors of the particular case and taking into account the seriousness of the interference with the data subject's fundamental rights to privacy and protection of personal data laid down in Articles 7 and 8 of the Charter, ascertain, having regard to the reasons of substantial public interest referred to in Article 8(4) of the directive and in compliance with the conditions laid down in that provision, whether the inclusion of that link in the list of results displayed following a search on the basis of the data subject's name is strictly necessary for protecting the freedom of information of internet users potentially interested in accessing that web page by means of such a search, protected by Article 11 of the Charter.

No answer was provided as to question 3, as it was submitted only if Question 1 had received a negative answer.

Finally, the CJEU concluded (on Question 4) that the provisions of Directive 95/46 had to be interpreted as meaning that:

first, information relating to legal proceedings brought against an individual and information relating to an ensuing conviction are data relating to ‘offences’ and ‘criminal convictions’ within the meaning of Article 8(5) of Directive 95/46, and

second, the operator of a search engine is required to accede to a request for de-referencing relating to links to web pages displaying such information, where the information relates to an earlier stage of the legal proceedings in question and, having regard to the progress of the proceedings, no longer corresponds to the current situation, in so far as it is established in the verification of the reasons of substantial public interest referred to in Article 8(4) of Directive 95/46 that, in the light of all the circumstances of the case, the data subject's fundamental rights guaranteed by Articles 7 and 8 of the Charter override the rights of potentially interested internet users protected by Article 11 of the Charter.

Again, on disparaging online posts and jurisdiction issues.

CJEU Third Chamber October 3rd, 2019 – Case C-18/18.

Austrians also take issue with online dissemination of comments they consider harmful to their reputation. A member of the Parliament and spokesperson for a party was not happy with comments posted on a Facebook user’s personal page (publicly accessible), which were considered as insulting and defamatory.

As FB apparently refused to take down the comment, the offended person filed an action before a local first instance court against FB Ireland. In the context of such proceeding the plaintiff sought a temporary injunction to prevent further dissemination of the content in dispute, of content with similar meaning as well as of thumbnail pictures accompanying such content. The Court granted the temporary injunction and FB Ireland disabled access in Austria to the initial offending content.

The case was brought to a Court of Appeals, which confirmed the earlier cease and desist order but specified that as far as allegations with equivalent content were concerned FB had to comply only with respect to those brought to its knowledge.

On such aspect, the case ended up before the Austrian Supreme Court to clarify whether a cease and desist order issued against a host provider operating a social network with a multitude of users may also be extended to statements with identical wording and/or having equivalent content of which the provider is not aware.

To resolve the case, the Austrian Supreme Court sought guidance from the CJEU on the following issues:

“(1) Does Article 15(1) of Directive [2000/31] generally preclude any of the obligations listed below of a host provider which has not expeditiously removed illegal information, specifically not just this illegal information within the meaning of Article 14(1)(a) of [that] directive, but also other identically worded items of information:

– worldwide;

– in the relevant Member State;

– of the relevant user worldwide;

– of the relevant user in the relevant Member State?

(2) In so far as Question 1 is answered in the negative: does this also apply in each case for information with an equivalent meaning?

(3) Does this also apply for information with an equivalent meaning as soon as the operator has become aware of this circumstance?”

The CJEU’s Third Chamber dealt with the submitted questions by finding – as to the legal and factual background of the case - that:

- the host provider may benefit from the liability exemption set in Article 14 of Directive 2000/31, if: (a) it has no knowledge of the illegal activity or information occurring/present on its platform, (b) having achieved knowledge, it takes expeditious action to remove (or to disable access to) such illegal information, being however apparent (from the Directive’s Article 14/3) that the exemption does not prevent “.. national courts or administrative authorities to require the host provider concerned to terminate or prevent an infringement, including by removing the illegal information or by disabling access to it”,

- it followed that “a host provider may be the addressee of injunctions adopted on the basis of the national law of a Member State, even if it satisfies one of the alternate conditions set out in Article 14(1) of Directive 2000/31, that is to say, even in the event that it is not considered to be liable”,

- in the specific case, FB “.. did have knowledge of the illegal information at issue” but “.. did not act expeditiously to remove or to disable access to that information”, which induced the applicant to approach a national court to seek – and obtain – “.. an injunction like the one referred to in Article 18” (of Directive 2000/31).

On such premise the CJEU considered that:

- while the Directive does not impose (nor allow Member States to do so on a national level) on service providers a general obligation to monitor content collected or stored on their platforms nor “to actively seek facts or circumstances indicating illegal activity”, such exemption may not be extended to the monitoring ‘in a specific case’, i.e. when “.. a particular piece of information stored by the host provider .. at the request of a certain user of its social network ..”, was found – after being examined by a national court – to be illegal (paragraph 35),

- in such specific case, a national court, ascertaining the presence of illegal content, must be allowed and enabled to require the host provider “.. to block access to the information stored, the content of which is identical to the content previously declared to be illegal, or to remove that information, irrespective of who requested the storage of that information”, such possibility though not implying a provider’s general obligation to monitor the content stored on its platform nor to actively investigate facts or circumstances revealing illegal activity (paragraph 37),

- however, it followed that a court order to remove - or block access to - illegal content and to information conveying messages with an ‘equivalent meaning’ (but worded in a different way) must contain “.. specific elements which are properly identified in the injunction, such as the name of the person concerned by the infringement determined previously, the circumstances in which that infringement was determined and equivalent content to that which was declared to be illegal. Differences in the wording of that equivalent content, compared with the content, which was declared to be illegal, must not, in any event, be such as to require the host provider concerned to carry out an independent assessment of that content”, (paragraph 45), and

told the referring Austrian Court that:

- according to the premises laid out above, “..the answer to the first and second questions is that Directive 2000/31, in particular Article 15(1), must be interpreted as meaning that it does not preclude a court of a Member State from:

– ordering a host provider to remove information which it stores, the content of which is identical to the content of information, which was previously declared to be unlawful, or to block access to that information, irrespective of who requested the storage of that information,

– ordering a host provider to remove information which it stores, the content of which is equivalent to the content of information which was previously declared to be unlawful, or to block access to that information, provided that the monitoring of and search for the information concerned by such an injunction are limited to information conveying a message the content of which remains essentially unchanged compared with the content which gave rise to the finding of illegality and containing the elements specified in the injunction, and provided that the differences in the wording of that equivalent content, compared with the wording characterising the information which was previously declared to be illegal, are not such as to require the host provider to carry out an independent assessment of that content, and

– ordering a host provider to remove information covered by the injunction or to block access to that information worldwide within the framework of the relevant international law.”

Based on these indications the CJEU did not feel it necessary to consider the referring court’s third question.

Hence, courts in EU Member States can issue a cease and desist order against hosting providers located abroad, but enforcing such an order – especially when a provider is located outside the EU (e.g. in the US) and has no presence within the EU – is an entirely different story.

Mmmmh, Cookies, so sweet but so dangerous! Cookie use and consent/information requirements.

For all those dealing with the protection of personal data, be it under Directive 95/46 or under Regulation 2016/679, consent issues used to be at the core of their concerns. Even though the 2016 Regulation has transformed consent from Mama’s sweetie to just one of the bases/grounds for legal data processing, consent requirements remain a hot topic among privacy experts and scholars.

Specifically, consent issues have become increasingly relevant to companies performing their businesses (or just promoting them) through online platforms and social media. The almost unlimited use of cookies placed, in such context, on the targeted audience’s end devices opens such companies up to a range of legal problems (from illegal data processing to liability issues).

Despite detailed guidelines issued by the Article 29 Working Party (now, the European Data Protection Board - EDPB) as well as by national DPAs, questions related to when and how data subjects’ consent needs to be sought, or to the characteristics of a valid consent, have kept the Courts busy over recent years.

A recent decision: Grand Chamber of the CJEU judgement of October 1st, 2019 (in case C-673/17).

In 2017 the Court of Justice of the European Union (CJEU) got a case referred by a German Federal Court, seeking clarification of the consent and information requirements in relation to the use of cookies.

The case originated from a practice performed by a German company in relation to a promotional lottery: internet users intending to take part in the lottery had to fill out a form containing at its end two pre-checked tick boxes, having them agree, respectively, to:

- receiving information by post, phone, e-mail or SMS about offers from certain sponsors and cooperation partners of the company (the link for details on such partners revealed a list of 57 companies, with an unsubscribe mechanism necessary for each of them to opt out),

- web analytics services being used for them (meaning that after the registration to the lottery, they would accept cookies to evaluate their surfing and use behavior on the websites of advertising partners).

It must be mentioned that participation in the lottery was conditional on leaving at least the first checkbox ticked.

A Consumer protection association took issue with this practice and filed a (partially successful) action before a First Instance Court. However, a Court of Appeal overturned such decision, hence the case ended up in front of the Federal Court, which felt that the resolution of the dispute was not possible without a preliminary ruling from the CJEU on the requirements of a validly expressed consent.

Specifically, the German Federal Court wondered:

Question 1:

- Whether it .. does .. constitute a valid consent if the storage of information, or access to information already stored in users’ terminal equipment, is permitted by way of a pre-checked check box which the user must deselect to refuse his or her consent? and

- whether it does .. make a difference .. when the information stored or accessed constitutes personal data?

- if so (when the information constitutes personal data) whether the mechanism described does result in a valid consent?

Question 2:

- What information does the service provider have to give within the scope of the provision of clear and comprehensive information to the user that has to be undertaken in accordance with Article 5(3) of Directive [2002/58]? and, additionally

- Does this include the duration of the operation of the cookies and the question of whether third parties are given access to the cookies?

On October 1st, 2019 the Grand Chamber of the CJEU published its findings. Again, the Court explained that there were reasons for taking into account the provisions of Regulation 2016/679 and not only those of Directives 95/46 and 2002/58.

On the submitted issues the Court found that:

- according to Directive 2002/58 .. the storing of information, or gaining access to information already stored, in the terminal equipment of a user is only allowed on condition that the user concerned has given his or her consent, having been provided with clear and comprehensive information about the purposes of the processing (paragraph 46),

- while the Directive does not .. indicate the way in which consent must be given, the expression “given his or her consent” clearly suggests that consent has to be achieved through an action on the part of the user, a conclusion supported by the statement contained in Recital 17, which confirms that .. a user’s consent may be given by any appropriate method enabling a freely given specific and informed indication of the user’s wishes, inclusive by ticking a box when visiting an internet website (paragraph 49),

- the practice in dispute (pre-ticked acceptance box), did not allow .. to ascertain objectively whether a website user had actually given his or her consent to the processing of his or her personal data by not deselecting a pre-ticked checkbox nor .. whether that consent had been informed .., being also unclear whether the user had noticed and read the information relating to such checkbox (paragraph 55),

- hence .. consent .. is not validly constituted if the storage of information, or access to information already stored in a website user’s terminal equipment, is permitted by way of a checkbox pre-ticked by the service provider which the user must deselect to refuse his or her consent (paragraph 57),

- such conclusion had to be considered valid in any case, i.e. irrespective of whether the information stored (or accessed when already stored on a user’s terminal equipment) resulted in personal data or not (as per Directive 95/46 and Regulation 2016/679),

- as to the meaning of the information requirement service providers had to fulfill towards website visitors, when making use of cookies (and specifically with respect to the duration of such use and to the potential access to them by third parties), the provisions of Article 5/3 of Directive 2002/58 implied an obligation to offer clear and comprehensive information, inter alia, about the purposes of the processing (paragraph 73) as well as to ensure that visitors, after having received such information, are able to determine easily the consequences of any consent .. and to .. comprehend the functioning of the cookies employed (paragraph 74),

- while the details of the information requirements set by Articles 10 of Directive 95/46 and 5/3 of Directive 2002/58 do not specifically make reference to the duration of the processing, such reference is now contained in Article 13 of Regulation 2016/679, providing that the controller must, in order to ensure fair and transparent processing, provide the data subject with information relating, inter alia, to the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period (paragraph 78),

- as to third parties’ access to cookies, such indication did also fall under the information requirements set by Article 5/3 of Directive 2002/58.

Hitting the LIKE button all the time on social media. Be careful what you like!

CJEU Second Chamber July 29, 2019 Case C-40/17

During the Summer, this case was one of the most talked about as it involved a practice extremely popular among companies, i.e. using social media to promote their products or services.

It is common knowledge that when you visit a website, the browser will display different content (such as: news, pictures, videos, etc.) originating from various sources and frequently featuring a “like” button. The latter can be embedded (as a plugin) on a website and will be able to create a link from such website to an external platform. As a result of such linking practice, visitors of a company website containing such a plugin get intercepted and have their IP addresses as well as other technical data transferred to the external third-party platform. While visitors have no knowledge about such data transfer, the company hosting the plugin on its website does not know what use the third-party platform will make of the transferred data.

A German online fashion retailer, making use of the practice described above (i.e. embedding a social media “like” button on its website) had to face the objections of a consumer protection association, which approached a first instance court complaining about illegal data use in the absence of proper notice to - and of consent from - the interested individuals. The court, after ascertaining that the association had a proper standing to raise the issue, partially upheld the complaint. The case went, in second instance, to a Regional Court, where the fashion retailer insisted on contesting:

- the association’s standing, by arguing that the remedies provided in Articles from 22 to 24 of Directive 95/46 had to be considered as of personal nature, i.e. as reserved exclusively to the individual whose data had been processed illegally and to the competent supervising authority,

- the first court’s finding that it had to be considered as a controller, arguing that it had no influence either on the data transmitted by visitors’ browsers or on the uses of such data by the (third party) social platform.

These issues remained open when the case reached the Higher Regional Court and led to a referral to the CJEU on the following aspects:

(1) Do the rules in Articles 22, 23 and 24 of Directive [95/46] preclude national legislation which, in addition to the powers of intervention conferred on the data protection authorities and the remedies available to the data subject, grants public service associations the power to take action against the infringer in the event of an infringement in order to safeguard the interests of consumers?

If the answer to the question is negative:

(2) In a case such as the present one, in which someone has embedded a programming code in his website which causes the user’s browser to request content from a third party and, to this end, transmits personal data to the third party, is the person embedding the content the ‘controller’ within the meaning of Article 2(d) of Directive [95/46] if that person is himself unable to influence this data-processing operation?

(3) If Question 2 is answered in the negative: Is Article 2(d) of Directive [95/46] to be interpreted as meaning that it definitively regulates liability and responsibility in such a way that it precludes civil claims against a third party who, although not a ‘controller’, nonetheless creates the cause for the processing operation, without influencing it?

(4) Whose ‘legitimate interests’, in a situation such as the present one, are the decisive ones in the balancing of interests to be undertaken pursuant to Article 7(f) of Directive [95/46]? Is it the interests in embedding third-party content or the interests of the third party?

(5) To whom must the consent to be declared under Articles 7(a) and 2(h) of Directive [95/46] be given in a situation such as that in the present case?

(6) Does the duty to inform under Article 10 of Directive [95/46] also apply in a situation such as that in the present case to the operator of the website who has embedded the content of a third party and thus creates the cause for the processing of personal data by the third party?

On the first question the Second Chamber of the CJEU found that:

- while .. no provision of that directive obliges Member States to provide, or expressly empowers them to provide, in their national law that an association can represent a data subject in legal proceedings or commence legal proceedings on its own initiative against the person allegedly responsible for an infringement of the laws protecting personal data (paragraph 47), from such premise it did not .. follow .. that Directive 95/46 precludes national legislation allowing consumer-protection associations to bring or defend legal proceedings against the person allegedly responsible for such an infringement (paragraph 48), as .. the Member States are required, when transposing a directive, to ensure that it is fully effective, but they retain a broad discretion as to the choice of ways and means of ensuring that it is implemented (paragraph 49),

Subsequently, .. the fact that a Member State provides in its national legislation that it is possible for a consumer-protection association to commence legal proceedings against a person who is allegedly responsible for an infringement of the laws protecting personal data in no way undermines the objectives of that protection and, in fact, contributes to the realisation of those objectives (paragraph 51).

On the second question the CJEU:

- recalled its previous case-law on the definition of the concept of controller, which does not necessarily refer to a single entity but may concern several actors taking part in the processing of personal data, leading also to the conclusion that joint liability does not necessarily imply equal responsibility of the various operators engaged in the processing of personal data. On the contrary, those operators may be involved at different stages of that processing of personal data and to different degrees, with the result that the level of liability of each of them must be assessed with regard to all the relevant circumstances of the particular case .. (paragraph 70),

- found that in the specific case joint controlling had occurred, both by the fashion company, which through the plugin on its website had made possible a transfer of visitors’ data to the external platform, as well as by the social media company, which determined the use of such data after the mentioned transfer,

- hence stated that in the submitted case the fashion company, due to its embedding of a social plugin, had to be considered as a controller and could be held liable for illegal processing as far as the collection of website visitors’ data and the disclosure by transmission to the social media company were concerned.

The Second Chamber felt that no answer was necessary on the third question.

On the issue (4th question) whether, in a case like the one at stake, the involved parties (i.e. the fashion retailer or the social media company), and if so which one, could rely on legitimate interest (reference is to article 7 of Directive no. 95/46) [v], the Court clarified that:

- the Directive’s provision .. lays down three cumulative conditions for the processing of personal data to be lawful, namely, first, the pursuit of a legitimate interest by the data controller or by the third party or parties to whom the data are disclosed; second, the need to process personal data for the purposes of the legitimate interests pursued; and third, the condition that the fundamental rights and freedoms of the data subject whose data require protection do not take precedence (paragraph 95),

- where joint processing occurs, each of the controllers had .. to pursue a legitimate interest, within the meaning of Article 7(f) (paragraphs 96 and 97).

Finally, on the questions 5 and 6 (i.e. which of the involved parties had to collect visitors’ consent and whether the obligation of informing visitors about the practice in dispute had to be fulfilled by the website operator), the Court concluded that the requirements of collecting visitors’ consent to the data processing and of informing them about the purposes of collection of such data lie with the operator of the website.

However, such obligation only refers to the processing of data .. of which the operator actually determines the purposes and means (paragraph 102).

Closing remarks.

Regulation 2016/679 intended to introduce clear and harmonized standards for the processing of personal data throughout the European Union. That goal still remains to be achieved, as appears from the number of decisions issued by the CJEU over the last four months (a relatively short period). This is even more so if we consider that the list of decisions reported in this paper is anything but exhaustive. Hence, privacy issues and problems related to them will continue to end up before courts and will keep privacy experts busy, especially once the Supervising and Regulatory Authorities (DPAs) start imposing serious fines for infringement of the GDPR’s provisions.


[i] On the criticalities of the system refer to Lokke Moerel’s excellent article, accessible at

https://iapp.org/news/a/what-happened-to-the-one-stop-shop/

[ii] In the Italian judicial system, the Joint Chambers of the Highest Court (Sezioni Unite della Corte di Cassazione) are assigned with a harmonizing function and are called into play to resolve contradictions or unclarity between decisions of the single Chambers.

[iii] Article 8 of the Directive 95/46 states, in paragraph 1 that Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life and in paragraph 5: Processing of data relating to offences, criminal convictions or security measures may be carried out only under the control of official authority, or if suitable specific safeguards are provided under national law, subject to derogations which may be granted by the Member State under national provisions providing suitable specific safeguards. However, a complete register of criminal convictions may be kept only under the control of official authority.

[iv] Stating that the prohibition of paragraph 1 does not apply where: the data subject has given his explicit consent to the processing of those data, except where the laws of the Member State provide that the prohibition .. may not be lifted by the data subject's giving his consent (Article 8/2/a) and that the processing relates to data which are manifestly made public by the data subject or is necessary for the establishment, exercise or defence of legal claims (Article 8/2/e).

[v] Article 7/1/f of Directive 95/46 considers among others one of the bases for legitimate use of personal data when the .. processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject ...