Data Protection Directive

Background

On 22 November 2017, the Court of Justice of the European Union (“CJEU”) gave judgment in a case taken by the not-for-profit company, Digital Rights Ireland Limited (“DRIL”). DRIL sought an annulment of the European Commission’s Privacy Shield decision. This decision states that the US ensures an adequate level of protection for personal data transferred from the EU to companies in the US under the EU-US Privacy Shield (the “Contested Decision”).

The CJEU ruled that DRIL’s annulment request was inadmissible for two reasons; (1) it cannot show that it is sufficiently affected by the Contested Decision to bring proceedings in its own name; and (2) a lack of standing to bring proceedings in the name of its members, supporters and the general public.

In this case, the DRIL acted as the applicant and the European Commission was the defendant.

Admissibility of the action brought by DRIL in its own name

DRIL presented three arguments to demonstrate the admissibility of the action brought in its own name.

Argument 1: DRIL argued that, given that it possesses a mobile phone and a computer, its own personal data is liable to be transferred to the US pursuant to the Contested Decision. The CJEU rejected this argument. The CJEU ruled that in its capacity as a legal person, DRIL does not possess personal data. The Data Protection Directive only provides for the protection of personal data of natural persons, not legal entities.

Continue Reading CJEU rules Digital Rights Ireland’s Privacy Shield invalidation action inadmissible

On 27 September 2017, the European Court of Justice (“ECJ”) handed down its preliminary ruling to the Supreme Court of the Slovak Republic (“Supreme Court”) regarding the interpretation of “a task carried out in the public interest” as a legitimate basis for processing personal data under Article 7(e) of the Data Protection Directive (95/46/EC) (“Directive”) (Puskar v Finance Directorate of the Slovak Republic, Case C-73/16, 27 September 2017).

The ECJ ruling also considered: (i) an individual’s right to an effective remedy before a court, and (ii) the admissibility of evidence obtained unlawfully, under Article 47 of the Charter of Fundamental Rights of the European Union. In this blog, however, we will look at the ECJ’s interpretation of Article 7(e) of the Directive.

Background

The request for a preliminary ruling of the ECJ was made by the Supreme Court following a dispute between Mr. Puškár and the Slovakian tax authorities.

Mr. Puškár sought a decision to prevent the tax authorities from including his personal information in a confidential list of so-called ‘front-men,’ prepared by the tax authorities for the purpose of collecting taxes and combatting fraud (“Contested List”), and to delete any reference to him in such lists. ‘Front-men’ are individuals who purport to act as ‘fronts’ in company director roles. Mr. Puškár argued that the Contested List was drawn up without a legal basis and that his personal data was processed without his consent.

The Supreme Court referred several questions to the ECJ, including whether the provisions of Article 7(e) of the Directive permits a Member State to process personal data (i.e. creating the Contested List) for the purpose of collecting tax and combatting tax fraud without the consent of the individuals concerned.
Continue Reading European Court of Justice provides guidance on “tasks carried out in the public interest.”

In June, the Attorney General (“AG”) of the Court of Justice of the European Union (“CJEU”) issued his opinion (English translation pending) in the case of Verein für Konsumenteninformation v Amazon EU Sàrl (Case C-191/15). The opinion makes potentially important observations about which law should apply to the processing of personal data under the Data

Following adoption by the EU Council of the draft General Data Protection Regulation (the ‘draft Regulation’) in June, the Article 29 Working Party has published an opinion based on draft proposals set out by the various EU institutions, and which is likely to be referred to during the trilogue negotiations currently underway.

The opinion follows publication of the Council’s general approach and sets out a common position taken by the Working Party on the various key topics within the draft Regulation, including the definitions, scope of application, main principles, data subjects’ rights, power of authorities and governance model.

The Working Party are keen to ensure that this new regulatory framework does not lower the existing levels of data protection currently, nor undermine the existing data protection principles provided for within the Data Protection Directive.

Continue Reading Article 29 Working Party publishes opinion on draft Data Protection Regulation