Case C-498/16, Schrems – a Facebook consumer or simply in the business of privacy?

This case concerns a person with a Facebook account. He uses it not only to exchange private photographs and chat with about 250 friends but also for publicity purposes. The legal issue is whether this latter activity stops him from qualifying as a ‘consumer’. The definition matters because if he is a consumer, then he and several thousand other Austrians who are aggrieved at Facebook’s use of their personal data will be able to sue in the Austrian courts.

Continue reading

Case C-434/15, Asociación Profesional Élite Taxi – Uber’s new software destroys the old order of labour

Traditionally, people wanting to be driven from A to B could hail a cab on the street. Subsequently, cabs could be hailed by telephoning for one. Now it is possible to use a smartphone to organise an ‘electronic hail’. However, if the smartphone uses Uber’s software, then the car that comes to pick them up will not be a licensed taxi. The question is: can Uber’s new software destroy the old order of labour that governs the life of a taxi-driver, a legal order characterised by the state-licensing of taxi cabs?

Continue reading

Case C-191/15, Verein für Konsumenteninformation – Amazon’s unfair online forum shopping

In the tiny Grand Duchy of Luxembourg is a tiny branch of the corporate king, Amazon. It subjects its customers to buying their goods under Luxembourg law. Is that fair? And what happens to Amazon’s choice of law after it is has been forced through the latticed-meshes of six pieces of EU legislation which determine the applicable national law?

Continue reading

Case C-192/15, Rease – secretly spied on, medical data leaked, and left unprotected by the Dutch regulator

Can the Dutch Data Protection Agency exert any control over companies based in the UK and the USA which conduct covert surveillance on Dutch territory? And in the event of an individual’s data processing law rights under Dutch law being breached, what is to be done where the internal rules of the Dutch Data Protection Agency mean that the Agency will never ever act on a complaint coming from an individual?

Continue reading

Case A-1/15, The Canada-EU ‘PNR’ Agreement – contrary to the EU Charter?

Canada and the EU have negotiated a new Passenger Name Record Agreement. A plank of the Agreement involves the transfer and processing of data. The European Parliament is asking the CJEU for a legal opinion on the compatibility of that Agreement with the EU Charter.

Continue reading

Case C-72/15, Rosneft – challenging the EU’s sectoral sanctions against Russia

Russian activities in Ukraine have prompted the EU to adopt a package of sanctions aimed at various Russians and Russian companies. These sanctions have been enshrined in various pieces of EU legislation and implemented by the EU Member States in their national laws. These sanctions are affecting an oil company which is part-owned by a British oil company ‘BP’, and part-owned by a Russian oil company that belongs to the State of Russia. To begin with, the company is challenging the legality of the UK’s implementing legislation. However, the validity of the EU’s legislation is also at stake. Does the CJEU have jurisdiction to rule on the validity of a Decision adopted pursuant to the EU’s Common Foreign and Security Policy? And if so, then does the drafting of the EU’s legislation satisfy the requirements of legal certainty and foreseeability in circumstances where that legislation forms the basis of criminal penalties?

Continue reading

Case C-547/14, Philip Morris Brands – the Second Tobacco Products Directive is invalid

Is the EU’s Second Tobacco Products Directive 2014/40/EU invalid?

Continue reading

Case C-484/14, McFadden – a mere conduit?

If a person offers non-password-protected access to the Internet, and an unknown user passes a piece of copyright-infringing music over that Internet connection, then can the person offering the Internet access be absolved of legal liability on the basis that he is but a ‘mere conduit’ under the EU’s ‘E-Commerce’ Directive 2000/31/EC?

Continue reading

Case C-230/14, Weltimmo – regulatory competence over websites

If a Slovakian company runs a website that advertises Hungarian homes for sale, and Hungarian residents submit their personal data to the company’s website server, then in the event of the Slovakian company breaching data protection laws, does the Hungarian Data Protection Authority retain any regulatory competence to ensure that Hungarian data protection law is complied with? Or should the Hungarian Authority simply have requested its Slovakian counterpart to take action against the Slovakian company?

Continue reading

Case C-362/14, Schrems – does a ‘safe harbour’ shelter states that deprive EU citizens of their EU Charter rights?

If the EU Commission deems a non-EU state to be a ‘safe harbour’ for the purposes of data processing, then personal data about EU citizens can be sent to companies in that non-EU state. This is not new. For example, in 2000 the EU Commission had decided that the USA was a ‘safe harbour’. However, in 2013 Edward Snowden made a series of revelations concerning the USA’s blanket interception of Internet and telecoms systems. These revelations have generated a question of EU law. Namely, can an EU Member State’s national data protection regulator now disregard the EU Commission’s finding that the USA is a ‘safe harbour’, and do so on the basis that the USA’s laws and practices do not adequately protect and respect an EU citizen’s EU Charter rights to privacy and data protection?

Continue reading