Details about Mr Manni were incorporated in a public register. Data in the register was subsequently processed and used for other purposes by a commercial company. The question in this case is whether Mr Manni can require the administrators of the register to respect his right to privacy in accordance with the CJEU’s ‘right to be forgotten’ Google judgment.
Mr Manni ran a company. In accordance with Italian law, his company was listed in the commercial register that was administered by the local chamber of commerce. His company subsequently failed. The fact that the company had gone into liquidation was also recorded in the register. In 1995, his company was removed from the register.
The problem is that data included in that particular commercial register is permanent. That is to say, there is no ‘weed-out time’ (when data is automatically deleted after a set period).
Mr Manni claims to have suffered harm from the fact that third party companies have been professionally processing the data contained in the commercial register, and subsequently distributing it. Accordingly, Mr Manni requested the chamber of commerce which runs the register to either delete the old data or in some way anonymise it.
Litigation ensued and the dispute ended up at the Italian Court of Cassation. However, that court was faced with the fact that law relating to the enforceability of Mr Manni’s request was unclear.
On the one hand, there is the CJEU’s C-131/12, ‘Google‘ judgment on the ‘right to be forgotten’. The CJEU’s judgment interprets the EU’s data processing Directive 95/46 (OJ  L281/31). The relevant Articles of the data processing Directive are 6 and 7, and they provide:
PRINCIPLES RELATING TO DATA QUALITY
1. Member States shall provide that personal data must be:
(a) processed fairly and lawfully;
(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards;
(c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.
2. It shall be for the controller to ensure that paragraph 1 is complied with.
CRITERIA FOR MAKING DATA PROCESSING LEGITIMATE
Member States shall provide that personal data may be processed only if:
(a) the data subject has unambiguously given his consent; or
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or
(c) processing is necessary for compliance with a legal obligation to which the controller is subject; or
(d) processing is necessary in order to protect the vital interests of the data subject; or
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1 (1).
On the other hand, there is the EU’s ‘corporate disclosure requirements’ Directive 68/151/EEC, as later amended by 2003/58/EC (OJ  L221/13). (The original Directive is known as the ‘First Council Directive 68/151/EEC on co-ordination of safeguards which, for the protection of the interests of members and others, are required by Member States of companies within the meaning of the second paragraph of Article 58 of the Treaty, with a view to making such safeguards equivalent throughout the Community’.)
The relevant Articles are: 2, 3, 3a and 4. However, the main difficulty for the Italian Court is Article 3, which provides:
1. In each Member State, a file shall be opened in a central register, commercial register or companies register, for each of the companies registered therein.
2. All documents and particulars which must be disclosed pursuant to Article 2 shall be kept in the file, or entered in the register; the subject matter of the entries in the register must in every case appear in the file.
Member States shall ensure that, by 1 January 2007, the filing by companies, as well as by other persons and bodies required to make or assist in making notifications, of all documents and particulars which must be disclosed pursuant to Article 2 will be possible by electronic means. In addition, Member States may require all, or certain categories of, companies to file all, or certain types of, such documents and particulars by electronic means.
All documents and particulars referred to in Article 2 which are filed as from 1 January 2007 at the latest, whether by paper means or by electronic means, must be kept in the file, or entered in the register, in electronic form. To this end, Member States shall ensure that all such documents and particulars which are filed by paper means as from 1 January 2007 at the latest are converted by the register to electronic form.
The documents and particulars referred to in Article 2 that have been filed by paper means up to 31 December 2006 shall not be required to be converted automatically into electronic form by the register. Member States shall nevertheless ensure that they are converted into electronic form by the register upon receipt of an application for disclosure by electronic means submitted in accordance with the rules adopted to give effect to paragraph 3.
3. A copy of the whole or any part of the documents or particulars referred to in Article 2 must be obtainable on application. As from 1 January 2007 at the latest, applications may be submitted to the register by paper means or by electronic means as the applicant chooses.
As from a date to be chosen by each Member State, which shall be no later than 1 January 2007, copies as referred to in the first subparagraph must be obtainable from the register by paper means or by electronic means as the applicant chooses. This shall apply in the case of all documents and particulars, irrespective of whether they were filed before or after the chosen date. However, Member States may decide that all, or certain types of, documents and particulars filed by paper means on or before a date which may not be later than 31 December 2006 shall not be obtainable from the register by electronic means if a specified period has elapsed between the date of filing and the date of the application submitted to the register. Such specified period may not be less than 10 years.
The price of obtaining a copy of the whole or any part of the documents or particulars referred to in Article 2, whether by paper means or by electronic means, shall not exceed the administrative cost thereof.
Paper copies supplied shall be certified as ‘true copies’, unless the applicant dispenses with such certification. Electronic copies supplied shall not be certified as ‘true copies’, unless the applicant explicitly requests such a certification.
Member States shall take the necessary measures to ensure that certification of electronic copies guarantees both the authenticity of their origin and the integrity of their contents, by means at least of an advanced electronic signature within the meaning of Article 2(2) of Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures
4. Disclosure of the documents and particulars referred to in paragraph 2 shall be effected by publication in the national gazette appointed for that purpose by the Member State, either of the full text or of a partial text, or by means of a reference to the document which has been deposited in the file or entered in the register. The national gazette appointed for that purpose may be kept in electronic form.
Member States may decide to replace publication in the national gazette with equally effective means, which shall entail at least the use of a system whereby the information disclosed can be accessed in chronological order through a central electronic platform.
5. The documents and particulars may be relied on by the company as against third parties only after they have been disclosed in accordance with paragraph 4, unless the company proves that the third parties had knowledge thereof.
However, with regard to transactions taking place before the 16th day following the disclosure, the documents and particulars shall not be relied on as against third parties who prove that it was impossible for them to have had knowledge thereof.
6. Member States shall take the necessary measures to avoid any discrepancy between what is disclosed in accordance with paragraph 4 and what appears in the register or file.
However, in cases of discrepancy, the text disclosed in accordance with paragraph 4 may not be relied on as against third parties; such third parties may nevertheless rely thereon, unless the company proves that they had knowledge of the texts deposited in the file or entered in the register.
7. Third parties may, moreover, always rely on any documents and particulars in respect of which the disclosure formalities have not yet been completed, save where non-disclosure causes them not to have effect.
8. For the purposes of this Article, ‘by electronic means’ shall mean that the information is sent initially and received at its destination by means of electronic equipment for the processing (including digital compression) and storage of data, and entirely transmitted, conveyed and received in a manner to be determined by Member States by wire, by radio, by optical means or by other electromagnetic means.
The First Council Directive was recently interpreted by Advocate General Jääskinen in C-138/11 Compass-Datenbank GmbH. The case was all about the data of the companies register that was stored inside a database. The Advocate General said:
48. The storage of data on the undertakings register, on the basis of a legal obligation to do so, is an activity undertaken in the general interest of legal certainty. The legal subjects referred to in Article 2 of the FBG are obliged to provide the information mentioned in Article 3 of the FBG in order to comply with the requirements of registration provided under Articles 4, 5, 6 and 7. They are also required to communicate without delay any changes to information that has already been registered (see Article 10 of the FBG). The Austrian State can impose administrative sanctions in order to ensure that the information that requires declaration is communicated in its entirety in a timely fashion (Article 24 of the FBG). This is relevant because the vesting of rights and powers of coercion which derogate from ordinary law is an established indicator of the exercise of public powers.
Advocate General Jääskinen also went on to discuss ‘Allowing inspection of the undertakings register’, and said:
51. This activity too is unquestionably a public function. It is evident that public registers such as the undertakings register cannot fulfil their essential purpose, namely the creation of legal certainty through transparent availability of legally reliable information, unless access to them is provided to everybody.
Making the matter more unclear still, was a passage in the CJEU’s judgment in Case C-112/00 Schmidberger. Now the aspect of that judgment which was relevant to Mr Manni was that the CJEU had discussed fundamental rights and the principle of proportionality. In that context, the CJEU had reasoned:
80. Thus, unlike other fundamental rights enshrined in that Convention, such as the right to life or the prohibition of torture and inhuman or degrading treatment or punishment, which admit of no restriction, neither the freedom of expression nor the freedom of assembly guaranteed by the ECHR appears to be absolute but must be viewed in relation to its social purpose. Consequently, the exercise of those rights may be restricted, provided that the restrictions in fact correspond to objectives of general interest and do not, taking account of the aim of the restrictions, constitute disproportionate and unacceptable interference, impairing the very substance of the rights guaranteed (see, to that effect, Case C-62/90 Commission v Germany  ECR I-2575, paragraph 23, and Case C-404/92 P X v Commission  ECR I-4737, paragraph 18).
Hence, the key point to emerge from the Schmidberger judgment was to determine the social function of the data. Applied here, the function of the data seemed to be to ensure that creditors could bring a claims against people.
However, Judge Forte did not know what the correct interpretation of EU law should be and therefore decided to make a preliminary reference to the CJEU.
In essence, he wants to know whether data that is capable of identifying a person, and which – per Article 6(e) of the EU’s data processing Directive 95/46 – can be stored no longer than is necessary for realising the purpose for which it was initially gathered, has priority over, or indeed precludes, the obligation to set up a commercial register under the EU’s First Directive 68/151, when that obligation was intended to protect third party interests, and which requires that anyone should be able to see the personal data recorded in that register without temporal limitation.
He also wanted to know if – contrary to the rule that the data published in the commercial register and which is permanently stored and should be able to be consulted by everyone – the publication requirement in Article 3 of the First Directive could be interpreted as being limited in time and that data should only be made available to a limited group of people, that group being determined by the administrator of the data in accordance with the particular circumstances of an individual case.
The Curia website has yet to publish the official translation of the questions.
The supply of data for one purpose and whether it can be used for another purpose is at stake in Bara. The CJEU is due to hand down its judgment very soon.
Other passages of the CJEU’s ‘right to be forgotten’ Google judgment are at stake in a preliminary ruling from the Dutch Council of State; see further, Rease.
Update – 23 September 2015
Readers interested in the commercialisation of data in public registers and the CJEU’s data processing judgment in Case C-73/07, Tietosuojavaltuutettu v Satakunnan Markkinapörssi Oy and Satamedia might be interested in my review of that judgment; see further, ‘Satamedia and the Single European Audiovisual Area’ (2009) European Intellectual Property Review 527-533.
Update – 26 October 2015
The official translation of the questions asked has been published in today’s Official Journal (C354/15), and reads:
1) Must the principle of keeping personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed, laid down in Article 6(e) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, […] implemented by Legislative Decree No 196 of 30 June 2003, take precedence over and, therefore, preclude the system of disclosure through the commercial registers provided for by the First Council Directive 68/151/EC of 9 March 1968, […] and by national law in Article 2188 of the Civil Code and Article 8 of Law No 580 of 29 December 1993, in so far as it is a requirement of that system that anyone may, at any time, obtain the data relating to individuals in those registers?
2) Consequently, is it permissible under Article 3 of the First Council Directive 68/151/EC of 9 March 1968 [on coordination of safeguards which, for the protection of the interests of members and others, are required by Member States of companies, within the meaning of the second paragraph of Article 58 of the Treaty, with a view to making such safeguards equivalent throughout the Community], by way of derogation from [the principles] that there should be no time limit and that anyone may consult the data published in the companies register, for the data no longer to be subject to ‘disclosure’, in both those regards, but to be available for only a limited period and only to certain recipients, on the basis of an assessment case by case by the data manager?
Update – 3 April 2016
The issue of when a data controller can disclose information to a third party is at stake in a recent reference from a Latvian court; see further, Case C-13/16, Rīgas satiksme – our police data request is necessary for our legitimate interest.
Update – 20 May 2016
The Second Chamber is due to hear Manni on 15 June 2016.
Update – 12 August 2016
The Opinion of Advocate General Bot is due to be given to the Second Chamber on 8 September 2016.
Update – 3 February 2017
The judgment of the Second Chamber is due on 9 March 2017.