On 6 October 2022, the Advocate General (Campos Sánchez-Bordona) issued his opinion in UI v Österreichische Post AG on the interpretation of the rules on civil liability under the GDPR.

He concluded that a data subject must have suffered harm in order to claim compensation, and that breach of the GDPR alone was not sufficient. There is also a distinction to be drawn between mere upset (which does not give rise to a right to compensation) and non-material damage (which does).

Continue Reading ‘Mere upset’ insufficient for compensation under the GDPR

The European Data Protection Board (EDPB) adopted final Recommendations on Supplementary Measures (Recommendations) for data transfers to third countries, published in response to the CJEU ruling in Schrems II. The Recommendations contain a six-step methodology to assess transfers of personal data from the EEA to those countries outside the EEA that have not been approved by the European Commission as providing adequacy. The Recommendations also contain various supplementary measures that can be used if the transfer tools an organisation has selected do not provide a level of protection equivalent to that offered under the GDPR and to individuals’ rights and freedoms under the EU Charter of Fundamental Rights. The Recommendations contain practical guidance where there is “problematic legislation” in an importing country such that public and governmental authorities would be able to access individuals’ personal data.

The EDPB published draft recommendations for public consultation in November 2020. There are some key changes between the draft and the final Recommendations. The final draft places a particular focus on the specific circumstances of the transfer in the data transfer assessment. It also calls on organisations to review not only the laws but also the practices of a third country’s public authorities regarding surveillance measures. The final Recommendations also emphasise that use of the GDPR derogations is meant to be an exception to the rule barring transfers of personal data from the EEA to third countries not otherwise deemed adequate.

The Recommendations emphasize that it is the obligation of both data exporters and data importers to ensure the level of protection set by EU law when they transfer data to third countries. To comply with the accountability principle under the GDPR, controllers or processors acting as data exporters must ensure that data importers collaborate with them in ensuring that protection travels with the data, and that they jointly monitor whether the measures taken are effective in achieving that aim.
Continue Reading EDPB adopts final recommendations on Supplementary Measures nearly a year after the CJEU’s Schrems II ruling

On March 12, 2021, the French Council of State (Conseil d’Etat), the highest French administrative court, handed down a ruling (ordonnance des référés) allowing Doctolib, a company in charge of booking COVID-19 vaccination appointments, to rely on a U.S.-based health data host.

In the present case, the servers of Doctolib – whose platform had been entrusted by the French government with booking COVID-19 vaccinations – were hosted by the Luxembourg subsidiary of AWS, a U.S. company. The data hosted by AWS was stored in data centers located in the European Union (specifically, in France and Germany).

The French government’s decision to use a platform hosted by the subsidiary of a U.S.-based company raised significant concerns among French associations and trade unions because of the Schrems II decision rendered by the Court of Justice of the European Union (CJEU July 16, 2020, Case C-311/18, Data Protection Commissioner v. Facebook Ireland Ltd. and Maximilian Schrems), which shed light on the risks that U.S. surveillance laws might pose to data subjects in the event of access requests by U.S. agencies.
Continue Reading Aftermath of Schrems II decision in France: The French Council of State provides significant clarification on the U.S. based data host to provide services in the French health care sector

On 11 November 2020, the Court of Justice of the European Union (CJEU) in Orange România SA v Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) (Case C-61/19) delivered its preliminary ruling on the issue of valid consent under the General Data Protection Regulation 2016/679/EU (GDPR) and Directive 95/46/EC. You can read the judgment here.

The CJEU held that a printed contract for mobile telecommunication services containing a clause stating that the customer has consented to the collection and storage of their identity documents does not constitute valid consent where the box referring to that clause has been pre-ticked by the data controller before the contract was signed.

The case follows up on the previous ruling in Planet49 (Case C-673/17) on which we commented last year here and here.

Continue Reading CJEU delivers judgment on conditions for valid consent in an offline context

Today, the Advocate General Henrik Saugmandsgaard Øe (AG) published his opinion on a case brought by privacy rights activist, Max Schrems (C-311/18, Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems) (Schrems II). The case concerns the validity of the standard contractual clauses (SCCs). The Court of Justice of the European Union (CJEU) press release can be found here, and the AG’s opinion here.

The General Data Protection Regulation (GDPR) provides that personal data may be transferred to a third country if that country ensures an adequate level of data protection. SCCs are one of several mechanisms approved by the European Commission for personal data transfers to countries not found to offer adequate protection for personal data. If the SCCs were invalidated, thousands of businesses would have to review their data transfer arrangements.

Below, we take a look at the AG opinion.
Continue Reading Advocate General gives opinion on Schrems II: an early Christmas present?

“The internet’s not written in pencil, it’s written in ink.”

Advocate General (AG) Szpunar commenced his opinion dated 4 June 2019 in Case C-18/18 (Opinion, available here) with the above quote from the movie The Social Network. In the Opinion, the AG analysed the substantive scope of injunctions, in particular whether social network providers “may be required to delete, with the help of a metaphorical ink eraser, certain content placed online by users of that platform”, as well as their territorial scope.

I. Background
An Austrian politician applied to the Vienna Commercial Court (Austria) for an injunction requiring a social network provider to cease the publication of a – in her view – defamatory comment about her. A user of the social network shared an article from a news website on their personal page on the network, whereupon the social network generated a ‘thumbnail’ of that post, containing the title, a brief summary of the article and a photograph of the politician. The user also published a disparaging comment about the politician alongside the post (Content in Question). Any user of the social network was able to access the Content in Question.

The Vienna Commercial Court issued the requested injunction and ordered the social network provider to delete and to stop disseminating the Content in Question. Subsequently, the social network provider disabled access to the content in Austria, but not for other countries. After the Vienna Higher Regional Court upheld the injunction, the case was brought to the Austrian Supreme Court. The Austrian Supreme Court referred to the Court of Justice of the European Union (CJEU) the questions of whether the injunction can be extended (i) worldwide, and (ii) to statements with identical wording and/or equivalent content. The Austrian Supreme Court ultimately asked the CJEU to interpret the Directive on electronic commerce (eCommerce Directive) in this context.

Continue Reading Advocate General’s opinion on social networks’ obligations on (worldwide) deletion of illegal content

On 7 August 2018, the Court of Justice of the European Union (“CJEU”) released another judgment (surprisingly its first copyright judgment of 2018) on the interpretation of the right of communication to the public (case no. C-161/17 – “Judgment”). The CJEU held that the unauthorised re-posting of copyright protected works may constitute an act of communication to the public under Article 3(1) of Directive 2001/29/EC (InfoSoc Directive).

Facts

The fact pattern was very specific. A copyright protected photograph of the city of Cordoba was uploaded to an online travel portal with the consent of the photographer. The photo was freely accessible without any restrictive measures preventing it from being downloaded. A student downloaded the photograph and used it for a written assignment, which was then uploaded to the school’s website.

The photographer brought the underlying main proceedings before the German courts claiming copyright infringement. The German Federal Court of Justice (Bundesgerichtshof) referred the case to the CJEU and asked whether the posting on one website of a photograph that has been previously published without restriction and with the consent of the right holder on another website qualifies as communication to the public.

Opinion of the Advocate General

The Advocate General Sánchez-Bordona (“AG”) took the view that the use of the photograph in this case does not infringe the right of communication to the public. He argued that both the school’s website and the online travel portal addressed the same general internet public. Considering that the original upload was accessible without technical restrictions or a copyright notice, the AG concluded that internet users could assume the right holder does not object to further uploads of the work.

The AG suggested a ‘notice and takedown’ procedure in which right holders have to actively opt out of the use of protected works by means of downloading and uploading.

Continue Reading CJEU decides on re-posting of protected content

Background

On 22 November 2017, the Court of Justice of the European Union (“CJEU”) gave judgment in a case taken by the not-for-profit company, Digital Rights Ireland Limited (“DRIL”). DRIL sought an annulment of the European Commission’s Privacy Shield decision. This decision states that the US ensures an adequate level of protection for personal data transferred from the EU to companies in the US under the EU-US Privacy Shield (the “Contested Decision”).

The CJEU ruled that DRIL’s annulment request was inadmissible for two reasons: (1) it cannot show that it is sufficiently affected by the Contested Decision to bring proceedings in its own name; and (2) it lacks standing to bring proceedings in the name of its members, supporters and the general public.

In this case, DRIL acted as the applicant and the European Commission was the defendant.

Admissibility of the action brought by DRIL in its own name

DRIL presented three arguments to demonstrate the admissibility of the action brought in its own name.

Argument 1: DRIL argued that, given that it possesses a mobile phone and a computer, its own personal data is liable to be transferred to the US pursuant to the Contested Decision. The CJEU rejected this argument. The CJEU ruled that in its capacity as a legal person, DRIL does not possess personal data. The Data Protection Directive only provides for the protection of personal data of natural persons, not legal entities.

Continue Reading CJEU rules Digital Rights Ireland’s Privacy Shield invalidation action inadmissible

The Summer 2017 Edition of the quarterly IT & Privacy Newsletter by Reed Smith Germany has just been released.

We cover the German GDPR Implementation Act, new case law on processing on the basis of legitimate interests, marketing consent, and provider liability, as well as the paper on Google Analytics by the Hamburg data protection