Cases Flashcards
ECJ agreed in Papasavvas case
Indirect payment / remuneration was enough to make the E-Commerce Directive applicable
(e.g. from paid ads)
Gaskin v. United Kingdom
Restricting access to a personal file violated Article 8 of the ECHR
European Court of Human Rights
Protects the right to private life, family life, home, and correspondence.
Haralambie v. Romania
Placing obstacles in the way of an applicant seeking access to their secret personal file violates Article 8
European Court of Human Rights
B.B. v. France; Gardel v. France; and M.B. v. France
Automated processing of personal data by the police for purposes of maintaining a sex offender registry does NOT violate Article 8
European Court of Human Rights
M.M. v. United Kingdom
The indiscriminate and open-ended collection of criminal record data very likely does violate Article 8 of the ECHR in the absence of appropriate safeguards
European Court of Human Rights
Copland v. United Kingdom
Monitoring an employee’s email at work violates Article 8 if there is no legal basis permitting monitoring
European Court of Human Rights
Big Brothers Watch v. United Kingdom
Bulk interception of communication violated Art. 8 & 10 of ECHR
Art. 10 Free Expression
Schrems I and II
In both cases, ECJ held certain adequacy findings were invalid
Google Spain SL v. Agencia Espanola de Proteccion de Datos (AEPD)
- ECJ held that the “right to be forgotten” required search engines to delete certain data from search results.
- Google Spain Case (2012) CJEU: Established entity cannot avoid application of the GDPR by having a non-E.U. established entity conduct the processing on its behalf
Two factors should be considered: (1) the relationship between non-established entity and its local establishment; and (2) whether the revenue-raising activities are “inextricably linked” to the processing of personal data
Weltimmo s.r.o. v. Nemzeti Adatvedelmi es Információszabadság Hatóság (NAIH)
ECJ held that the phrase “establishment” is a flexible concept that cannot be avoided through legal formalism, such as incorporating an entity in another juristiction.
ANAF (Bara)
ECJ held that notice must be provided to individuals before public administrative bodies may transfer between each other.
In this case, the ECJ looked to the fact that Weltimmo’s website was directed toward Hungarian clients, that Weltimmo maintained a representative in Hungary, that Weltimmo had a bank account in Hungary, and that Weltimmo had a mailing address in Hungary.15 Based on these facts, the court found that Weltimmo was “established” in Hungary.16 But, the ECJ refused to consider the nationality of the data subject as an important factor in its territorial scope analysis.17
Tele2 and Watson
ECJ held that the ePrivacy Directive PROHIBITS the general and indiscriminate retention of data.
Lindqvist v. Åklagarkammaren i Jönköping (2003)
Publication of personal data on a personal website did not fall within exemption (under the Directive) because it was publicly accessible on the internet
Rynes v. Úřad pro ochranu osobních údajů (2014)
Use of CCTV at home was not purely personal where it captured a portion of a public footpath
Planet49 Case
Confirmed that pre-checked box was inadequate consent; consent under the ePrivacy Directive is the same as under the GDPR; Art. 5(3) applies to the use of all cookies; and users must be informed of the duration of cookies and if third parties will have access
Verein für Konsumenteninformation vs. Amazon EU Sarl (2016)
Simply having a website accessible throughout the E.U. is NOT sufficient to create an “establishment”
Antovic and Mircovic vs. Montenegro
ECHR held that the use of video surveillance in a lecture hall VIOLATED the professors’ rights to a private life.
Scarlet Extended SA vs. SABAM
ECJ held that a users’ IP address IS personal data
Breyer vs. Germany
ECJ rejected the argument that dynamic IP addresses are not personal data
Halford vs. U.K.
ECHR held that personal telephone conventions conducted on an employer’s phone while at work fell within the scope of private life protected by Art. 8 of the ECHR.
Fashion ID GmbH & Co. KG vs. Verbraucherzentrale NRW eV.
ECJ held that a website operator that embedded a Facebook social plugin on its website qualified as a joint controller along with Facebook
Rechnungshof case?
That certain parts of the Data Protection Directive were “directly applicable” on their own force and effect.
In the Rechnungshof case, the European Court of Justice held that Articles 6(1)(c) and 7(c) and (e) of the Data Protection Directive were “directly applicable, in that they may be relied on by an individual before the national courts to oust the application of rules of national law which are contrary to those provisions.”
Digital Rights Ireland, Ltd. case - ECJ
Data Retention Directive being struck down as invalid, the proportionality principle is of upmost importance.
Facebook Fan Page case
(a/k/a the Wirtschaftsakademie case)
Administrator of a Facebook fan page is a joint controller for purposes of data protection law.
In what is commonly referred to as the “Facebook Fan Page” case (a/k/a the Wirtschaftsakademie case), the European Court of Justice held that an entity that created and administered a fan page on the Facebook social networking application was a joint controller alongside Facebook itself. The court relied upon several factors to reach this decision. Among them: (1) The processing “enable[d] the fan page administrator to obtain statistics produced by Facebook from the visits to the page, for the purposes of managing the promotion of its activity, making it aware, for example, of the profile of the visitors who like its fan page or use its applications”; (2) Creating the fan page “gives Facebook the opportunity to place cookies on the computer or other device of a person visiting its fan page, whether or not that person has a Facebook account”; (3) “[T]he creation of a fan page on Facebook involves the definition of parameters by the administrator . . . which has an influence on the processing of personal data for the purpose of producing statistics based on visits to the fan page”; (4) “[T]he administrator of the fan page can ask for – and thereby request the processing of – demographic data relating to its target audience . . . and more generally enable it to target best the information it offers.” And the fact that this data was transmitted to the administrator in anonymized form was irrelevant.
