This month’s data protection and privacy update covers an interesting relevant incidence within the Netherlands, discusses an important case that touches upon the subject of conflict of laws in light of the GDPR, and takes another close look at the Privacy Shield.
I Dutch developments
- Vote compasses adjust their methods following warning from the Dutch Data Protection Authority
The Dutch Data Protection Authority (DPA) investigated 24 interactive vote prior to the recent elections that took place in the Netherlands on March 15, 2017. They found that various vote compasses processed sensitive personal data of individuals, such as their religious and political views, without obtaining their prior consent. This is in breach with the Dutch Data Protection Act (DDPA), even if the information is being processed for research and statistics. In order to be compliant, the vote compass would have to provide voters with clear and sufficient information, and the given consent must be specific, as well as given freely. Following the warning given by the DPA, all 24 vote compasses adjusted their methods, and are no longer in breach with the DDPA.
During an earlier investigation, the DPA had found that 14 vote compasses did not use a secured platform. The DPA urged all 14 owners of these platforms to make the necessary changes within one week in order to be compliant with the DDPA. Following this warning, 4 out of the 14 vote compasses were removed. The remaining 10 met the requirements set by the DPA.
II European developments
- The ECJ considers that there is no right to be forgotten in respect of personal data in companies register
On 9 March 2017, the European Court of Justice (ECJ) considered that ‘the right to be forgotten’, as established by the ECJ in ‘Google Spain’ (ECLI:EU:C:2014:317), cannot easily be invoked with regard to companies registers.
In 2007, Mr. Manni, a contractor of a tourist complex in Italy, brought an action against the Lecce Chamber of Commerce. He argued that his properties were not being sold as a direct result of the fact that the companies register showed that he had been the administrator of another company that went bankrupted a few years earlier. The Court of Lecce ordered the Lecce Chamber of Commerce to anonymize the data linking Mr. Manni to the liquidation of the first company. The Court of Cassation in Italy referred to the ECJ for a preliminary ruling with respect to the question of whether the directive on the protection of personal data (Directive 95/46/EC and the directive on disclosure of company documents) precludes any person from accessing, without any time limit, data relating to natural persons set out in the companies register.
The ECJ considered that the right to respect of private life and the right to protection of personal data is guaranteed by the Charter of Fundamental Right of the EU, and acknowledged the possibility that in specific situations, personal data relating to an individual should be limited in companies registries. It however held that the mere fact that Mr. Manni’s properties were not being sold cannot justify a limitation of access by third parties to that data, in particular given the legitimate interest of potential purchasers in availing such information from company registers. It pointed out that that information is essentially the only safeguard third parties have in relation to joint stock companies.
The ECJ considered that given the diversity of limitation periods provided for in various national laws, and the range of legal relations which may continue even after a company’s dissolution, it seems impossible to identify a certain period of time after which the entry of data in the register would no longer be required. It held that it can therefore not be guaranteed that after a certain period of time following the dissolution of a company, natural persons have the right to the erasure of the personal data concerning them.
- Telecommunication companies based in one Member State may be required by law to provide their subscribers’ data to companies based in another Member State
In this recent preliminary ruling, the ECJ held that telecommunication providers based in one Member State may be required by law to provide their subscribers’ data to companies that provide directories and directory enquiry services, but are based in another Member State. According to the ECJ, this is in accordance with the EU’s objective to ensure the availability of good quality services through effective competition and choice throughout the EU. This ruling also discusses the principle of non-discrimination as well as consent. For our readers who would like to learn more about this ruling, a more thorough summary has been provided below:
The European Directory Assistance NV (EDA) is an undertaking that offers directory enquiry services and is incorporated under Belgian law. The EDA requested Tele2 (Netherlands) BV, Ziggo BV and Vodafone Libertel BV, all three undertakings incorporated under the laws of the Netherlands and who provide subscribers with telephone numbers (the Dutch undertakings), to provide EDA with data relating to their subscribers. The Dutch undertakings refused to provide the requested data.
On 18 January 2012, EDA submitted a dispute resolution request to the Autoriteit Consument en Markt (the ACM) (Authority for Consumers and Markets). By its decision of 5 June 2013, the ACM ruled that on grounds of the Besluit universele dienstverlening en eindgebruikersbelangen (Decree on universal service provision and end-user interests) (the Bude), EDA should be granted the requested data. The Bude provides that companies that assign telephone numbers have to meet all reasonable requests to provide the relevant information necessary for directories, and that it shall do so on fair and non-discriminatory terms. It also provides that the companies that assign telephone numbers have to obtain consent from its subscribers, and that this consent is implied when these companies provide the requested relevant information to a third party for directory purposes.
Following this decision of the ACM, the Dutch undertakings brought an action before the College van Beroep voor het bedrijfsleven (Administrative Court of Appeal for Trade and Industry) and asked whether the above reasoning also applies across EU Member States. To this respect, the Court pointed out that since art. 25(2) of the Universal Service Directive (Directive), which concerns the processing of personal data and the protection of privacy in the telecommunications sector (Directive 2002/22/EC), is transposed into the Bude, the scope and the purpose of art. 25(2) of the Directive requires to be determined in order to address the question. In light of this determination to be made, the Court referred to the ECJ for a preliminary ruling.
On March 17, 2017, the ECJ held that in accordance with art.25(2) of the Directive, telecommunication providers based in one Member State may be required by law to provide their subscribers’ data to companies that provide directories and directory enquiry services, but are based in another Member State.
The ECJ considered that the provision concerns all reasonable requests for the purpose of publicly available directory enquiry services, and that the relevant information should therefore be provided in a non-discriminatory manner. It points out that no distinction is made with regard to whether the request comes from the same Member State as the Member State where the receiver of the request is based. According to the ECJ, this is in accordance with the objective pursued by this Directive, which is to ensure the availability of good quality publicly available services through effective competition and choice throughout the European Union.
With regard to the question relating to the subject of renewed consent, the ECJ held that if the subscriber has been informed by the undertaking that assigned the telephone number of the possibility that their personal data might be passed on to a third-party, and that there telephone number might be published in a public directory, and that if the subscriber consented to this publication, then renewed consent is not required for the passing of the same data to another third-party undertaking, provided it is for the same purpose. In other words, the purpose of the first publication of the subscriber’s personal data to which the subscriber gave its consent is decisive for the purposes of determining the scope of that consent.
In addition to answering the two questions, the ECJ pointed out that telecommunication companies within the European Union operate within a highly harmonized regulatory framework. According to the ECJ, this makes it possible to ensure that the same respect of requirements relating to the protection of subscribers’ personal data is safeguarded throughout the Union.
This judgment is particularly interesting from a data protection perspective as it touches upon the question of how to balance respect for the principle of non-discrimination on one hand, and privacy on the other, particularly within the context of EU Competition Law. Whilst competition provisions of the EU Treaties were more reflected in the GDPR’s predecessor, the EU Data Protection Directive (Directive 95/46/EC), the GDPR does retain the objective of ensuring free movement of personal data within the European Union. This can for example be found in art. 20, which provides for the right to data portability. Whether it assigns enough weight to the objective of effective competition and choice throughout the EU in the eyes of the EU Commission remains to be seen. We do know however that the EU Commission places immense importance upon EU Competition Law, taking into account the various cases it is currently pursuing for example, including three against Google. In light of the case at subject, it will be interesting to see what implications the GDPR will have when courts are faced with the choice of law.
III International developments
- LIBE votes for the Privacy Shield to be considered inadequate
On March 23, 2017, the Members of the European Parliament’s civil liberties, justice and home affairs committee (LIBE) narrowly voted to support a resolution declaring the Privacy Shield to be inadequate. 29 voted in favor of the resolution, 25 against, with one abstention. The resolution, which is still provisional, is expected to be voted on by the European Parliament in full this April.
The Privacy Shield, formally adopted in July 2016 following the invalidation by the ECJ of its predecessor the Safe Harbor, the current trans-border data transfer framework has been under constant criticism.
The resolution points out the following identified shortcomings:
- New U.S. procedures that will allow the NSA to share signal intelligence (SIGNIT) with numerous other agencies without a court order, raises significant concerns with regard to the implications this will have on the Privacy Shield.
- The Privacy Shield remains to be a self-certification scheme, meaning that it still does not apply to all U.S. companies. This voluntary nature of the framework, combined with the fact that many companies that do self-certify use U.S. based arbitrators to do so, raises questions regarding the practical application of the framework. LIBE worries that it will remain to be a cumbersome process for EU citizens to get redress if their data is misused.
- There is still no definition of ‘bulk surveillance’. Thus whilst the Privacy Shield stresses that any form of mass surveillance is in breach of European law, it remains unclear as to what will constitute such a breach, especially considering the details that emerged in October 2016 regarding the software that Yahoo created to scan users’ email at the request of the NSA or FBI.
LIBE has called on the European Commission to thoroughly review the framework during its first annual joint review, which is expected to take place this summer. It has urged the Commission to take into account the shortcomings identified in the resolution during its review. We will of course closely follow the developments concerning the Privacy Shield, and will keep our readers updated on this.
Compliments of Loyens & Loeff – a member of the EACCNY