By Orla Lynskey
Data protection policy, in particular the right to protection of personal data in Article 8 of the EU Charter, has remained firmly within the EU law limelight in recent years. This right played a key role in seminal judgments of the CJEU such as Schecke and Eifert, where for the first time a provision of secondary legislation was annulled for incompatibility with the Charter, and in Digital Rights Ireland (discussed earlier on this blog), where for the first time an entire Directive was annulled on the same grounds. Furthermore, in Google Spain (considered here) this fledgling right was ostensibly given precedence over the more established right to freedom of expression in certain circumstances, leading to a media furore on both sides of the Atlantic. 2015 was no different in this regard, as much attention focused on the Court’s judgment in Schrems (discussed here), which invalidated the 15-year-old Safe Harbor data sharing agreement between the EU and the US, and on the culmination of four years of negotiation on the new Proposed General Data Protection Regulation in December.
For good or for bad, the EU data protection juggernaut appears unstoppable, leaving in its wake legal instruments that do not meet its strict standards. Yet, in the shadows of these well-documented events, other noteworthy developments occurred. 2015 also saw the Dutch referring court withdraw its preliminary reference in Rease and Wullems, thereby regrettably removing the opportunity for the CJEU to pronounce upon the margin of discretion of national Data Protection Authorities (DPAs) when adopting a de minimis approach to their enforcement strategy to the detriment of individual or small group complainants. The Court did, however, deliver a number of largely overlooked yet significant data protection judgments in 2015. This contribution will focus on two significant cases which the CJEU delivered in the first week of October, immediately prior to the Schrems judgment, in Bara and Weltimmo. These preliminary references allowed the Court to clarify the interpretation of obligations and exemptions under the Data Protection Directive, as well as the Directive’s enforcement in online situations.
Bara: data transfers and the right to information of data subjects
Bara provided the Court with the opportunity to elaborate on the right to information of individuals (data subjects) prior to and following the transfer of their personal data between public authorities. In that case, a national tax administration agency had transferred data relating to the declared income of self-employed individuals to the national health insurance fund. This transfer of data had occurred without the consent or knowledge of the relevant individuals and for purposes other than those for which the data had initially been communicated to the tax agency. Furthermore, the Romanian law permitting transfers of specified data from public bodies to the health insurance funds did not explicitly provide for the transfer of data relating to income.
Three of the four questions referred to the Court were declared inadmissible, as they bore no relation to the object of the dispute. The fourth question also reflected a misunderstanding of the data protection rules. The referring court asked the CJEU to consider whether personal data could be processed by authorities other than those to which it was addressed where such operations give rise retroactively to financial loss. As ‘financial loss’ is of no relevance to the legality of personal data processing operations, the CJEU rephrased the question it was asked. It considered whether the provisions of the 1995 Data Protection Directive (hereafter: the Directive) preclude national measures which allow data transfers between public bodies and subsequent data processing without informing the data subject of the transfer and processing. Of particular relevance were Articles 10 and 11 of the Directive, which set out the right to information of the data subject, and Article 13, which limits the application of this right in certain circumstances.
Having established that the transfer constituted personal data processing, the Court acknowledged that in order to be lawful the data transfer required a legal basis (pursuant to Article 7 of the Directive) and had to comply with the data protection safeguards in Article 6 of the Directive. However, it did not assess whether these conditions were fulfilled in this scenario. This is surprising as the processing could not be lawful if it did not comply with Articles 6 and 7, and it is unclear from the facts whether the data transfer complied with the Article 6(1)(b) principle of purpose limitation. This principle provides that personal data must be collected for ‘specified, explicit and legitimate purposes and not further processed in a way incompatible with these purposes’. It is unclear whether processing personal data for the purpose of identifying who should contribute to public health insurance is ‘incompatible’ with the processing of personal data provided for tax purposes. The opinion of the CJEU on this question would have lent greater clarity to the concept of ‘purpose limitation’ in EU data protection law.
The Court opted instead to assess the compatibility of the data transfer between public authorities with the rights to information of the data subject (Articles 10 and 11) and to consider whether an exemption to these rights applied pursuant to Article 13. The Court highlighted that, pursuant to Article 10, the data subject is explicitly entitled to information regarding the ‘recipients or categories of recipients of the data’ if this information is necessary to ‘guarantee fair processing of the data’. The Court stated that this fair processing requirement, laid down in Article 6, applies to all personal data processing and, in turn, affects the data subject’s right of access and to rectify personal data. The Court therefore concluded that the Article 6 ‘fairness’ safeguard requires a public administrative body to inform data subjects of the transfer of their data to another public administrative body for further processing. The Romanian authorities did not satisfy this requirement, as the Romanian law did not provide for the transfer of data on income to the health insurance funds. The domestic law was therefore insufficient to comply with the requirements of Article 10. Similar reasoning was applied in the Article 11 context.
The Court’s ruling appears to be based on an overly strict reading of Articles 10 and 11. The wording of Articles 10 and 11 requires further information regarding recipients of personal data to be provided to the data subject ‘in so far as such further information is necessary…to guarantee fair processing’. The Directive also states that in making this assessment, regard should be had to the ‘specific circumstances in which the data are collected’. It appears that this information should be provided only where the failure to do so would be unfair; however, according to the Court’s interpretation, the principle of fairness in Article 6 always requires the provision of this information. This finding is therefore out of line with a literal interpretation of the Directive.
The Court then examined whether Article 13 could exempt the failure to inform the data subjects of the transfer between public authorities. The Court noted that Article 13(e) enables Member States to restrict (amongst others) the Article 10 right when necessary to safeguard ‘an important economic or financial interest of a Member State’ including taxation matters, while Article 13(f) provides such an exemption for ‘monitoring, inspection or regulatory function’ connected with the exercise of such authority. However, the Court emphasised that any such restrictions must be imposed by legislative measures. As the detailed provisions governing the data transfer were laid down in a protocol concluded between the tax authority and health fund, and not in a legislative measure, the Court held that the Article 13 conditions were not fulfilled.
Finally, the Court found that the health insurance fund, which became a data controller once it received the personal data from the tax authorities, did not comply with its information requirements pursuant to Article 11 of the Directive. The health fund could not benefit from the exemption to this information right as no exemptions were set out in Romanian law, as required by the Directive. The Court therefore advised the domestic court that Articles 10, 11 and 13 of the Directive preclude data transfers such as those between the tax agency and the health insurance fund as a result of the failure to provide the data subject with relevant information regarding the data processing.
Weltimmo: determining the applicable law for data processing operations
In Weltimmo the CJEU was asked to consider the compatibility with the Directive of a fine imposed on Weltimmo by the Hungarian Data Protection Authority (DPA). Weltimmo ran a website dealing in Hungarian properties and had its registered office in Slovakia. It advertised properties for free for the first month and charged a monthly fee thereafter. As a result, many advertisers sought to have their advertisements, as well as the personal data processed for these purposes, deleted after one month. Weltimmo failed to delete these advertisements, and the accompanying personal data, when requested and continued to charge these advertisers for its services. When these charges went unpaid, Weltimmo provided the personal data of the advertisers to a debt collection agency. The advertisers therefore complained to the Hungarian DPA, which subsequently fined Weltimmo. Weltimmo challenged this fine before domestic tribunals, and these challenges culminated in the referral of questions regarding the law applicable to the dispute to the CJEU.
The Court was asked, in essence, whether Articles 4(1)(a) and 28(1) of the Directive must be interpreted as permitting the DPA of one Member State to apply its national data protection law to a data controller which is running a website dealing in properties in that Member State but whose company is registered in another Member State. The referring court also sought guidance on the relevance of other factual elements, such as the nationality of the advertisers and the owners of the website, when determining the applicable data protection law.
The CJEU highlighted that Article 4 of the Directive governs the question of the relevant law applicable to legal proceedings, while Article 28 determines the role and powers of the relevant supervisory authority. Article 4(1)(a) grants the Directive a broad territorial scope: a Member State’s law applies where the processing is ‘carried out in the context of the activities of an establishment of the controller’. The Court began by elaborating on the concept of establishment. It noted that ‘establishment’ implies the real and effective exercise of activity through stable arrangements and that the legal form of such an establishment is not the determining factor. The Court highlighted that any real or effective activity – even minimal – could constitute a ‘stable arrangement’. This allowed the Court to conclude that Weltimmo conducted a real and effective activity in Hungary: it ran several websites dealing in Hungarian properties and written in Hungarian. Furthermore, the Court pointed to the fact that Weltimmo had a representative based in Hungary, a Hungarian bank account for the proceeds of its debt collection and a Hungarian post box for its daily affairs. These factors again demonstrated the existence of a Hungarian establishment for the purposes of Article 4(1)(a).
The Court then considered whether the personal data processing was carried out ‘in the context of the activities’ of that establishment. It found that the online publication of the personal data of property owners as well as the use of those data for invoicing constituted processing taking place in the context of the activities pursued by Weltimmo in Hungary. On these grounds, the Court found that the application of Article 4(1)(a) supported the conclusion that Hungarian data protection law applied to the proceedings.
Finally, the Court considered, obiter dicta, whether a DPA could exercise its supervisory and sanctioning powers under Article 28 of the Directive when the law applicable to data processing was the law of another Member State. The Court held that in such circumstances the DPA cannot impose penalties outside its own Member State and must instead request the DPA in the relevant state to exercise its powers.
While Bara and Weltimmo were delivered in the shadows of more newsworthy developments, they are both of significant practical importance. Bara places renewed focus on the rights of data subjects, in particular the right to information, which is often overlooked. Public and private data controllers may need to double-check their compliance strategies following the strict interpretation of the obligations flowing from the Directive in this case. Similarly, Weltimmo marks another blow to attempts by data controllers to locate their data processing operations strategically in order to shelter from the enforcement activities of active DPAs. Both judgments will be drawn from the shadows in due course for these reasons.