Case C-192/15, Rease – secretly spied on, medical data leaked, and left unprotected by the Dutch regulator

Can the Dutch Data Protection Agency exert any control over companies based in the UK and the USA which conduct covert surveillance on Dutch territory? And in the event of an individual’s data processing law rights under Dutch law being breached, what is to be done where the internal rules of the Dutch Data Protection Agency mean that the Agency will never ever act on a complaint coming from an individual?

Mr Rease worked in the United States of America (USA). He became ill but qualified for an occupational sickness benefit. This was paid by an insurance company based in the USA. In 2005, Mr Rease moved to the Dutch city of Amsterdam.

In 2008, the insurance company arranged for Mr Rease to be secretly filmed. Nor was he the only one who was going to be snooped on: his partner was too. The surveillance lasted four days and was carried out by a company that was based in the UK.

The British company made secret films of the personal life of Mr Rease, and of his partner. The company also wrote a report that gathered together the many pieces of data captured on the films, and drew conclusions from what had been observed. This mass of data was given to the insurance company based in the USA.

Two years later, in 2010, the American insurance company organised yet more secret surveillance. Again, it was not only Mr Rease who was secretly spied upon; his partner was too. Again, the secret snooping took place over a period of four days. Again, data about the private lives of the couple was amassed, and a report was written for the American insurance company. This data too was stored in the USA.

There were however two distinct differences with the secret snooping this time. First, it had been done by a company based in Holland. Second, their report also included photographs of the couple plus photographs of the front door to the flat where the couple lived.

The reaction of the American insurance company differed too: it wanted yet more information. Consequently, it decided to instruct a different company based in the UK. That company was to obtain, amongst other things, medical data. Contact was subsequently made with the relevant Dutch hospital, and a doctor working there duly leaked the medical data!

At the end of 2010, the American insurance company stopped paying the sickness benefit.

At the Dutch Data Protection Agency
Mr Rease and his partner felt that their rights under Dutch law had been violated. Under Dutch law, each of them had a right to have been told about the processing of their data. Under Dutch law, the doctor at the Dutch hospital should not have leaked the information to the UK company let alone forwarded this to the company in the USA. Consequently, the couple asked the Dutch Data Protection Agency [the College bescherming persoonsgegevens] to apply and enforce Dutch law.

They also requested the Agency to look into the Dutch company’s involvement in sending their personal data to the company in the USA.

The Agency turned down both of the couple’s requests. In essence, it informed them that it had no jurisdiction over the companies that were based in the UK for those companies were subject to English law. Nor did it have jurisdiction over the insurance company based in the USA.

The Agency admitted to having jurisdiction over the leaking of the medical data by the doctor working at the Dutch hospital to the English company, and to having jurisdiction over the Dutch company.

However, the Agency would do nothing. There were no indications to suspect the Dutch doctor of having seriously infringed data protection law, nor were the infringements of a structural nature. Equally, there was no evidence to suggest that the Dutch company was engaging in the surveillance of private individuals so again there was no serious infringement of data protection law, nor were any infringements of a structural nature. Accordingly, any enforcement of Dutch data protection law against either the doctor or the Dutch company ‘would have made little effective difference’. And under the Agency’s own rules for determining when the Agency would intervene and act, the Agency was justified in refusing to act upon the couple’s request.

The Agency’s response did not satisfy Mr Rease and his partner. They realised that under the Agency’s rules the Agency would never ever act on the basis of a complaint coming from an individual, and would never ever protect an individual’s rights to privacy and data protection. Consequently, the couple decided to go through the internal appeals procedure organised by the Dutch Data Protection Agency. Although the Dutch Agency subsequently modified its legal position ever so slightly, the men still felt that the Agency was wrong as a matter of law and therefore brought an appeal before the Amsterdam District Court. The court found in part for the couple but also for the Agency. The matter was appealed once more, this time to the Dutch Council of State – the highest Dutch court for administrative law matters.

At the Dutch Council of State
The Dutch Council of State turned to the applicable EU legislation, Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ [1995] L281/31).

Whether the Dutch Agency had jurisdiction depended on the actor concerned. Namely, the Dutch Agency had jurisdiction in respect of data processing by the Dutch hospital, and the Dutch investigation company.

However, when it came to the UK companies Article 28(6) of the Directive applied and this meant that the UK authority was competent for data processing occurring in or from the territory of that Member State.

The Council of State also took the view that, in respect of the storing of the data by the Dutch and UK companies, that data had been transferred to the American insurance company’s computer systems in the USA. Again, this aspect of the case did not fall within the Dutch Agency’s jurisdiction because this processing had not occurred on Dutch territory.

Nevertheless the Dutch Council of State could not resolve the dispute. It was unclear to the Council of State whether the Dutch Agency enjoyed jurisdiction by dint of the fact that the first UK company had processed the couple’s data on Dutch territory.

The answer to that question turned on two issues: who was the controller responsible for the processing of the data, and how Article 4(1)(a) and (c) of the Directive must be applied.

Article 2 of Directive 95/46 states that ‘[f]or the purposes of this Directive:

(d) “controller” shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law;’

Article 4 of Directive 95/46, entitled ‘National law applicable’, provides:

1. Each Member State shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where:
(a) the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable;
(b) the controller is not established on the Member State’s territory, but in a place where its national law applies by virtue of international public law;
(c) the controller is not established on Community territory and, for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State, unless such equipment is used only for purposes of transit through the territory of the Community.

Applied here, the Dutch Council of State was minded to find that the US company was the data controller and the other companies (and the doctor at the Dutch hospital) were data processors, as defined in Article 2 and Article 2(d) and (e) of the Directive. However, since the US company had no subsidiaries in the EU, Article 4(a) of the Directive did not apply.

Could there be jurisdiction on the basis of Article 4(c) since the UK companies had used ‘automated equipment’ in Holland? In that context, the Council of State recalled the reasoning of the CJEU’s Grand Chamber judgment in Google Spain Case C-131/12, ECLI:EU:C:2014:317:

53 Furthermore, in the light of the objective of Directive 95/46 of ensuring effective and complete protection of the fundamental rights and freedoms of natural persons, and in particular their right to privacy, with respect to the processing of personal data, those words cannot be interpreted restrictively (see, by analogy, Case C‑324/09 L’Oréal and Others EU:C:2011:474, paragraphs 62 and 63).

54 It is to be noted in this context that it is clear in particular from recitals 18 to 20 in the preamble to Directive 95/46 and Article 4 thereof that the European Union legislature sought to prevent individuals from being deprived of the protection guaranteed by the directive and that protection from being circumvented, by prescribing a particularly broad territorial scope.

55 In the light of that objective of Directive 95/46 and of the wording of Article 4(1)(a), it must be held that the processing of personal data for the purposes of the service of a search engine such as Google Search, which is operated by an undertaking that has its seat in a third State but has an establishment in a Member State, is carried out ‘in the context of the activities’ of that establishment if the latter is intended to promote and sell, in that Member State, advertising space offered by the search engine which serves to make the service offered by that engine profitable.

56 In such circumstances, the activities of the operator of the search engine and those of its establishment situated in the Member State concerned are inextricably linked since the activities relating to the advertising space constitute the means of rendering the search engine at issue economically profitable and that engine is, at the same time, the means enabling those activities to be performed.

57 As has been stated in paragraphs 26 to 28 of the present judgment, the very display of personal data on a search results page constitutes processing of such data. Since that display of results is accompanied, on the same page, by the display of advertising linked to the search terms, it is clear that the processing of personal data in question is carried out in the context of the commercial and advertising activity of the controller’s establishment on the territory of a Member State, in this instance Spanish territory.

58 That being so, it cannot be accepted that the processing of personal data carried out for the purposes of the operation of the search engine should escape the obligations and guarantees laid down by Directive 95/46, which would compromise the directive’s effectiveness and the effective and complete protection of the fundamental rights and freedoms of natural persons which the directive seeks to ensure (see, by analogy, L’Oréal and Others EU:C:2011:474, paragraphs 62 and 63), in particular their right to privacy, with respect to the processing of personal data, a right to which the directive accords special importance as is confirmed in particular by Article 1(1) thereof and recitals 2 and 10 in its preamble (see, to this effect, Joined Cases C‑465/00, C‑138/01 and C‑139/01 Österreichischer Rundfunk and Others EU:C:2003:294, paragraph 70; Case C‑553/07 Rijkeboer EU:C:2009:293, paragraph 47; and Case C‑473/12 IPI EU:C:2013:715, paragraph 28 and the case-law cited).

59 Since the first of the three conditions listed by the referring court suffices by itself for it to be concluded that an establishment such as Google Spain satisfies the criterion laid down in Article 4(1)(a) of Directive 95/46, it is unnecessary to examine the other two conditions.

The Council of State also took into consideration an opinion of the Article 29 working group, in which there was a definition of ‘automated equipment’. The group’s definition would seem to cover the situation in which both cameras and other materials had been used to make notes and observations. That could give the Agency jurisdiction. However, the CJEU had not yet ruled on such a situation and so the Council of State would ask a question on this point.

A second issue concerned the Dutch Council of State, namely, the Agency’s priorities when it came to enforcement and the effective protection of an individual’s rights.

The key provisions here were in Article 28 of the Directive entitled ‘Supervisory authority’. Article 28(3) is worded as follows:

Each authority shall in particular be endowed with:
– investigative powers, such as powers of access to data forming the subject-matter of processing operations and powers to collect all the information necessary for the performance of its supervisory duties,
– effective powers of intervention, such as, for example, that … of ordering the blocking, erasure or destruction of data, of imposing a temporary or definitive ban on processing …

However, the Council of State also considered that Article 22 was relevant here because the individuals could still have gone to court and sought protection via the courts:

Article 22
Without prejudice to any administrative remedy for which provision may be made, inter alia before the supervisory authority referred to in Article 28, prior to referral to the judicial authority, Member States shall provide for the right of every person to a judicial remedy for any breach of the rights guaranteed him by the national law applicable to the processing in question.

Since the Agency’s resources and manpower were limited, and the Agency’s own rules prioritised when the Agency would enforce data protection law, the Dutch Council of State agreed with the Agency’s decision not to do anything. However, the question did arise as to the relationship between the rules limiting the Agency’s interventions and the effective protection of an individual’s rights under Article 28(3) and (4) of the Directive. Again, the CJEU had not yet ruled on this point and so it was appropriate to ask a question about this too.

Questions Referred
My unofficial translation of the questions asked by the Dutch Council of State reads:

1. Where a detective agency based in the EU receives a commission from a data controller, as defined in Article 2 and Article 2(d) of the Directive … from outside the EU to deploy equipment for the processing of personal data on the territory of a Member State, does this fall within the scope of ‘makes use of equipment’ for the purposes of Article 4(1) and Article 4(1)(c) of the Directive?

2. When it comes to enforcing an individual’s rights and protections enshrined in the Directive, and in light of the aim of the Directive, do the Directive, and Articles 28(3) and (4) in particular, permit national authorities to allow the national supervisory authority to set priorities which lead to a situation in which it will not follow up a complaint about the Directive being infringed if that complaint originates from only one individual, or only a small group of individuals?

The Dutch Council of State seems rather deferential to the Dutch Agency’s plea of limited finances justifying a failure to act in an infringement of either an individual’s – or an unspecified ‘small group’ of people’s – fundamental rights to privacy and data protection.

The effect of the Dutch Agency’s policy would seem to send a green light of approval to powerful organisations who would ride roughshod over an individual’s rights – be they hospitals, care homes, schools, or employers.

Nor would such a green light seem to be turned to a red one by the mere possibility that individuals can go to court to enforce their rights. The Dutch Council of State makes no mention of the fact that instructing lawyers to prepare and pursue a case will probably cost an individual a great deal of money upfront. After all, this is a complex area of regulation that is evolving rapidly via difficult case law and policy coming from both the EU and the Council of Europe. The Council of State also does not explain whether, as a matter of right, a person whose privacy and data processing rights have been infringed will be guaranteed a refund of all of their legal costs by the losing party. Therefore, it might be wondered whether it is desirable for the existence of the rights enshrined in the EU Charter to depend on an individual’s ability to pay for an expensive lawyer and costly litigation.

In any event, this reference from the Dutch Council of State is interesting for it flags up a number of issues which have either recently been touched upon in the CJEU’s case law or indeed are the object of proceedings currently pending before it.

That is to say, the CJEU has handed down a judgment on the obligation to inform and the activity of a private detective: IPI, Case C-473/12, ECLI:EU:C:2013:715. In respect of data processing, CCTV and personal activity, there is also the CJEU’s judgment in Ryneš, Case C-212/13, ECLI:EU:C:2014:2428.

The issue of the ‘relevant’ national supervisory authority in the event of an infringement taking place on the territory of another Member State is currently at stake in Case C-230/14, Weltimmo – regulatory competence over websites.

Equally, the issue of the jurisdiction of a Member State’s national supervisory authority over personal data being transferred from the EU to the US is alive in Case C-362/14, Schrems – does a ‘safe harbour’ shelter states that deprive EU citizens of their EU Charter rights?

Furthermore, the processing and transfer of personal data to third states, such as from the EU to Canada or Mexico, may be affected by Case A-1/15, The Canada-EU ‘PNR’ Agreement – contrary to the EU Charter?

And the issue of data obtained for one purpose but used for another in the context of social rights is at stake in Case C-201/14, Bara – giving personal data and consent to processing for just one purpose.

Update – 21 June 2015
There is now a reference from the Austrian Supreme Court which also touches upon the applicable national law when it comes to data processing; see further, Case C-191/15, Verein für Konsumenteninformation – Amazon’s unfair online forum shopping.

Update – 3 March 2016
The Official Journal of the EU dated 29 February 2016 records that by Order of the President of the CJEU, the Rease reference has been removed from the CJEU’s register.