Cases

Question 1

ECJ agreed in Papasavvas case

Answer 1

Indirect payment / remuneration was enough to make the E-Commerce Directive applicable

(e.g. from paid ads)

Question 2

Gaskin v. United Kingdom

Answer 2

Restricting access to a personal file violated Article 8 of the ECHR

European Court of Human Rights

Protects the right to private life, family life, home, and correspondence.

Question 3

Haralambie v. Romania

Answer 3

Placing obstacles in the way of an applicant seeking access to their secret personal file violates Article 8

European Court of Human Rights

Question 4

B.B. v. France; Gardel v. France; and M.B. v. France

Answer 4

Automated processing of personal data by the police for purposes of maintaining a sex offender registry does NOT violate Article 8

European Court of Human Rights

Question 5

M.M. v. United Kingdom

Answer 5

The indiscriminate and open-ended collection of criminal record data very likely does violate Article 8 of the ECHR in the absence of appropriate safeguards

European Court of Human Rights

Question 6

Copland v. United Kingdom

Answer 6

Monitoring an employee’s email at work violates Article 8 if there is no legal basis permitting monitoring

European Court of Human Rights

Question 7

Big Brothers Watch v. United Kingdom

Answer 7

Bulk interception of communication violated Art. 8 & 10 of ECHR

Art. 10 Free Expression

Question 8

Schrems I and II

Answer 8

In both cases, ECJ held certain adequacy findings were invalid

Question 9

Google Spain SL v. Agencia Espanola de Proteccion de Datos (AEPD)

Answer 9

1. ECJ held that the “right to be forgotten” required search engines to delete certain data from search results.
2. Google Spain Case (2012) CJEU: Established entity cannot avoid application of the GDPR by having a non-E.U. established entity conduct the processing on its behalf
   Two factors should be considered: (1) the relationship between non-established entity and its local establishment; and (2) whether the revenue-raising activities are “inextricably linked” to the processing of personal data

Question 10

Weltimmo s.r.o. v. Nemzeti Adatvedelmi es Információszabadság Hatóság (NAIH)

Answer 10

ECJ held that the phrase “establishment” is a flexible concept that cannot be avoided through legal formalism, such as incorporating an entity in another juristiction.

Question 11

ANAF (Bara)

Answer 11

ECJ held that notice must be provided to individuals before public administrative bodies may transfer between each other.

In this case, the ECJ looked to the fact that Weltimmo’s website was directed toward Hungarian clients, that Weltimmo maintained a representative in Hungary, that Weltimmo had a bank account in Hungary, and that Weltimmo had a mailing address in Hungary.15 Based on these facts, the court found that Weltimmo was “established” in Hungary.16 But, the ECJ refused to consider the nationality of the data subject as an important factor in its territorial scope analysis.17

Question 12

Tele2 and Watson

Answer 12

ECJ held that the ePrivacy Directive PROHIBITS the general and indiscriminate retention of data.

Question 13

Lindqvist v. Åklagarkammaren i Jönköping (2003)

Answer 13

Publication of personal data on a personal website did not fall within exemption (under the Directive) because it was publicly accessible on the internet

Question 14

Rynes v. Úřad pro ochranu osobních údajů (2014)

Answer 14

Use of CCTV at home was not purely personal where it captured a portion of a public footpath

Question 15

Planet49 Case

Answer 15

Confirmed that pre-checked box was inadequate consent; consent under the ePrivacy Directive is the same as under the GDPR; Art. 5(3) applies to the use of all cookies; and users must be informed of the duration of cookies and if third parties will have access

Question 16

Verein für Konsumenteninformation vs. Amazon EU Sarl (2016)

Answer 16

Simply having a website accessible throughout the E.U. is NOT sufficient to create an “establishment”

Question 17

Antovic and Mircovic vs. Montenegro

Answer 17

ECHR held that the use of video surveillance in a lecture hall VIOLATED the professors’ rights to a private life.

Question 18

Scarlet Extended SA vs. SABAM

Answer 18

ECJ held that a users’ IP address IS personal data

Question 19

Breyer vs. Germany

Answer 19

ECJ rejected the argument that dynamic IP addresses are not personal data

Question 20

Halford vs. U.K.

Answer 20

ECHR held that personal telephone conventions conducted on an employer’s phone while at work fell within the scope of private life protected by Art. 8 of the ECHR.

Question 21

Fashion ID GmbH & Co. KG vs. Verbraucherzentrale NRW eV.

Answer 21

ECJ held that a website operator that embedded a Facebook social plugin on its website qualified as a joint controller along with Facebook

Question 22

Rechnungshof case?

Answer 22

That certain parts of the Data Protection Directive were “directly applicable” on their own force and effect.

In the Rechnungshof case, the European Court of Justice held that Articles 6(1)(c) and 7(c) and (e) of the Data Protection Directive were “directly applicable, in that they may be relied on by an individual before the national courts to oust the application of rules of national law which are contrary to those provisions.”

Question 23

Digital Rights Ireland, Ltd. case - ECJ

Answer 23

Data Retention Directive being struck down as invalid, the proportionality principle is of upmost importance.

Question 24

Facebook Fan Page case
(a/k/a the Wirtschaftsakademie case)

Answer 24

Administrator of a Facebook fan page is a joint controller for purposes of data protection law.

In what is commonly referred to as the “Facebook Fan Page” case (a/k/a the Wirtschaftsakademie case), the European Court of Justice held that an entity that created and administered a fan page on the Facebook social networking application was a joint controller alongside Facebook itself. The court relied upon several factors to reach this decision. Among them: (1) The processing “enable[d] the fan page administrator to obtain statistics produced by Facebook from the visits to the page, for the purposes of managing the promotion of its activity, making it aware, for example, of the profile of the visitors who like its fan page or use its applications”; (2) Creating the fan page “gives Facebook the opportunity to place cookies on the computer or other device of a person visiting its fan page, whether or not that person has a Facebook account”; (3) “[T]he creation of a fan page on Facebook involves the definition of parameters by the administrator . . . which has an influence on the processing of personal data for the purpose of producing statistics based on visits to the fan page”; (4) “[T]he administrator of the fan page can ask for – and thereby request the processing of – demographic data relating to its target audience . . . and more generally enable it to target best the information it offers.” And the fact that this data was transmitted to the administrator in anonymized form was irrelevant.