Case Law Flashcards

1
Q

Invalidated the Commission’s decision that Safe Harbor was an adequate framework to legitimize data transfer to the US.

ECJ held that Safe Harbor Program was invalid; this led to development of the Privacy Shield Framework

A

Schrems I

2
Q

Declared invalid the Privacy Shield Framework
ECJ stated that EC Decision 2010/87 on Standard Contractual Clauses (SCCs) for the transfer of personal data from EU Controllers to Processors in 3rd Countries was valid but subject to a case-by-case assessment

A

Schrems II

3
Q

ECJ held that “right to be forgotten” required search engine to delete certain data from search results.
An established entity cannot avoid application of the GDPR by having a non-EU established entity conduct the processing on its behalf
Two factors to be considered: 1) the relationship between the non-established entity and the established entity and 2) whether revenue-raising activities are inextricably linked to the processing of personal data
Search engines will be controllers of personal data of those making searches

A

Google Spain (2012)

4
Q

o ECJ held that the phrase “establishment” is a flexible concept
o The term “establishment” is a flexible concept that cannot be avoided through legal formalism
o No single factor is dispositive in determining whether an entity is “established”
o It found that in order to determine whether a company/data controller has an establishment (within the meaning of Directive 95/46) in a Member State other than the one it is registered in, one must consider (i) the degree of stability of the arrangements and (ii) the effective exercise of activities in that other Member State. These must be assessed with particular regard to the specific nature of the economic activities and the provision of services concerned. It stated that this test is particularly applicable to exclusively web-based companies.

A

Weltimmo
(2015)

5
Q

ECJ held that notice must be provided to individuals before public administrative bodies may transfer data between each other

A

ANAF (Bara)

6
Q

o ECJ held that the ePrivacy Directive prohibits the general and indiscriminate retention of data

o That the ePrivacy Directive prohibits the general and indiscriminate retention of data, even if this is permitted under national legislation for the purposes of fighting crime.

o The ECJ held that national legislation establishing general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication (mass surveillance of electronic communications) for the purpose of fighting crime violated the right to privacy and the right to data protection of the Charter of Fundamental Rights of the European Union. The Court further reasoned that access of the competent national authorities to the retained data must be restricted to fighting serious crime, with prior review by a court or an independent administrative authority, and the concerned data had to be retained within the EU

A

Tele2 and Watson

7
Q

Restricting access to a personal file violated Article 8 of the ECHR

A

Gaskin v. United Kingdom

8
Q

Placing obstacles in the way of an applicant seeking access to their secret personal file violates Article 8

A

Haralambie v. Romania

9
Q

Automated processing of personal data by the police for purposes of maintaining a sex offender registry does not violate Article 8

A

B.B. v. France; Gardel v. France; and M.B. v. France

10
Q

The indiscriminate and open-ended collection of criminal record data very likely does not comply with Article 8 in the absence of appropriate safeguards

A

M.M. v. United Kingdom

11
Q

Monitoring an employee’s email at work violates Article 8 if there is no legal basis permitting monitoring

A

Copland v. United Kingdom

12
Q

o Bulk interception of communications violated Arts. 8 and 10 of ECHR
o Found that the bulk interception of communications and storage of such communications under the Regulation of Investigatory Powers Act of 2000 (RIPA) violated the European Convention on Human Rights

A

Big Brother Watch v. United Kingdom

13
Q

ECJ held that a dynamic IP address was personal data on the facts of that case

A

Breyer v. Germany

14
Q

o Joint controllers in the collaboration and transmission of data even though Fashion ID didn’t have access to the data collected, because it exerted a decisive influence over the plug-in (like button).
o ECJ held that a website operator that embedded a Facebook social plugin on its website qualified as a joint controller along with Facebook
o But court also held that operator was not liable for subsequent processing operations undertaken by Facebook after the initial collection of data
o Most processing by users of the social media platform will qualify for the “household use” exception to avoid application of the GDPR

A

Fashion ID case

15
Q

o Simply having a website accessible throughout the E.U. is not sufficient to create an “establishment”
o Determination requires an assessment of
(1) “the degree of stability of the arrangements” and
(2) “the effective exercise of activities in the Member State in question”

A

Verein für Konsumenteninformation v. Amazon EU Sarl
(2016)

16
Q

Offering goods or services looks at the manifestation of intent to establish commercial relations with consumers in the E.U.; no one factor is dispositive in analysis

A

Pammer and Heller Cases (2010)

17
Q

Publication of personal data on a personal website did not fall within exemption (under the Directive) because it was publicly accessible on the internet

ECJ decided that merely accessing a website via a server based in the E.U. did not constitute a transfer to the third country where the website was accessed

A

Lindqvist v. Åklagarkammaren i Jönköping
(2003)

18
Q

o Use of CCTV at home was not purely personal where it captured a portion of a public footpath
o ECJ held that the at-home use of a CCTV system was not purely personal where it also captured a portion of a public footpath. Therefore, in the absence of a lawful basis to process, individuals using at-home surveillance systems should ensure that only their purely private property is subject to surveillance.

o The EDPB has called for this exception, in the context of video recording and otherwise, to be construed narrowly. Whether this exception applies to the use of video recording devices on private premises should be decided on a case-by-case basis, looking at the situation holistically

A

Rynes v. Úřad pro ochranu osobních údajů
(2014)

19
Q

ECJ held that personal telephone conversations conducted on an employer’s phone while at work fell within the scope of private life protected by Article 8 of the ECHR

A

Halford v. U.K.: European Court of Human Rights

20
Q

o Data Retention Directive was invalidated
o Even though the Data Retention Directive was invalidated, member states may still impose retention obligations under Article 15(1) of the ePrivacy Directive
o Retention obligation must be “necessary, appropriate and proportionate” to the needs of a democratic society
o The ePrivacy Directive requires electronic service providers to keep communications and traffic data confidential; wiretapping is prohibited
o Traffic data must be erased or anonymized when no longer needed for purposes of transmission, except for billing, marketing, fraud detection, and similar services

A

Digital Rights Ireland case

21
Q

Antovic and Mirkovic v. Montenegro

A

ECHR held (in a 4-3 split) that the use of video surveillance in a lecture hall violated the professors’ right to a private life – importance of determining the proportionality of video recording

22
Q

Employees were terminated after being caught on camera stealing items. According to the court, a proportionality analysis should consider what information is disclosed about the video surveillance, the extent of the monitoring, the justification for the monitoring, whether alternative means are available to accomplish the same goals, and any potential consequences of the monitoring. The court noted that while the lack of disclosure in this case made video surveillance unlawful, there are interests that could weigh in favor of not providing complete information related to video surveillance.

A

Lopez Ribalda and Others v. Spain

23
Q

o Confirmed that pre-checked box was inadequate consent; consent under the ePrivacy Directive is the same as under the GDPR; Art. 5(3) applies to the use of all cookies; and users must be informed of the duration of cookies and if third parties will have access
o Consent for the use of cookies requires affirmative opt-in consent; the use of a pre-checked checkbox authorizing the use of cookies is an inadequate form of consent.

o Consent for purposes of the ePrivacy Directive is the same as consent as defined under the GDPR.

o Article 5(3) of the ePrivacy Directive applies to the use of all cookies and similar technologies, regardless of whether the cookies constitute personal data or contain personal data.

o The ePrivacy Directive requires that users be informed about the duration of cookies and whether any third parties will have access to those cookies.

A

Planet49 Case

24
Q

The ECJ held that a user’s IP address is personal data

A

Scarlet Extended SA v. SABAM

25
Q

o other parties may be joint controllers (e.g., “targeters”)
o “While the mere fact of making use of a social network such as Facebook does not make a Facebook user a controller jointly responsible for the processing of personal data by that network, it must be stated, on the other hand, that the administrator of a fan page hosted on Facebook, by creating such a page, gives Facebook the opportunity to place cookies on the computer or other device of a person visiting its fan page, whether or not that person has a Facebook account.”
o So, the fan page holder was a controller because it set processing parameters that influenced or contributed to the purposes and manner of Facebook’s processing.
o “In particular, the administrator of the fan page can ask for — and thereby request the processing of — demographic data relating to its target audience, including trends in terms of age, sex, relationship and occupation, information on the lifestyles and centers of interest of the target audience and information on the purchases and online purchasing habits of visitors to its page, the categories of goods and services that appeal the most, and geographical data which tell the fan page administrator where to make special offers and where to organize events, and more generally enable it to target best the information it offers.”
o In any event, the fact that the fan page holder had no access to the personal data Facebook obtained did not preclude it from being a data controller (para 38). The definition of ‘data controller’ in Directive 95/46/EC does not talk about access to personal data.

A

Facebook Fan Case

26
Q

o Negotiated to replace Privacy Shield Framework; an adequacy decision was finalized July 10, 2023.

o Under the Trans-Atlantic Data Privacy Framework, binding safeguards will be put in place to limit access to data by U.S. intelligence agencies to only that which is necessary and proportionate to protect national security. U.S. intelligence agencies will have to adopt appropriate procedures to effect this. Additionally, European citizens will have access to a redress system, including a new Data Protection Review Court, to handle claims of improper access by U.S. intelligence authorities. American companies seeking to rely on the Trans-Atlantic Data Privacy Framework will have to self-certify compliance through the U.S. Department of Commerce

A

Trans-Atlantic Data Privacy Framework