This case concerns a person with a Facebook account. He uses it not only to exchange private photographs and chat with about 250 friends but also for publicity purposes. The legal issue is whether this latter activity stops him from qualifying as a ‘consumer’. The definition matters because if he is a consumer, then he and several thousand other Austrians who are aggrieved at Facebook’s use of their personal data will be able to sue in the Austrian courts.
Continue readingCategory Archives: Privacy and data processing
Case C-207/16, Ministerio Fiscal – Digital Rights Ireland robs Spanish police of telephone data request
If data retention powers are designed to combat serious crime such as terrorism, then can they be used to investigate a relatively minor offence such as robbery?
Continue readingCase C-698/15, Davis – did the CJEU in Digital Rights Ireland intend to lay down mandatory requirements of EU law?
In 2006, the EU’s ‘data retention’ Directive 2006/24/EC required telecoms companies to store data traffic. In its Digital Rights Ireland judgment of 2014, the CJEU annulled the Directive because the Directive was incompatible with the EU Charter. Six national courts have subsequently declared their national data retention laws to be invalid. However, in other Member States legal uncertainty surrounds what the CJEU actually decided and the legal effects that flow from it. In that context, a Swedish court has already made a preliminary reference to the CJEU. Now, the Court of Appeal of England and Wales has decided to make its own preliminary reference.
Continue readingCase C-424/15, Ormaetxea Garai – dismissed so unfairly as to query the independence of regulators
Many of Spain’s national regulators have been merged into one mega regulator. People formerly running those regulators have been made redundant even with retroactive effect. Is retroactive dismissal contrary to the general principles of EU law? And since people have been removed from their jobs prior to the end of their fixed-term contracts, is this not contrary to EU law’s requirement that national regulators be completely independent, as per the EU’s ‘communications networks’ Directive 2002/21/EC?
Continue readingCase C-398/15, Manni – data in public registers should be subject to the Google right to be forgotten
Details about Mr Manni were incorporated in a public register. Data in the register was subsequently processed and used for other purposes by a commercial company. The question in this case is whether Mr Manni can require the administrators of the register to respect his right to privacy in accordance with the CJEU’s ‘right to be forgotten’ Google judgment.
Continue readingCase C-191/15, Verein für Konsumenteninformation – Amazon’s unfair online forum shopping
In the tiny Grand Duchy of Luxembourg is a tiny branch of the corporate king, Amazon. It subjects its customers to buying their goods under Luxembourg law. Is that fair? And what happens to Amazon’s choice of law after it is has been forced through the latticed-meshes of six pieces of EU legislation which determine the applicable national law?
Continue readingCase C-203/15, Tele2 Sverige – Swedish data retention despite Digital Rights Ireland
Telecoms companies were legally required to store data traffic until the CJEU’s judgment in Digital Rights Ireland. The CJEU annulled the EU’s Data Retention Directive for being incompatible with the EU Charter. Nevertheless, Swedish telecoms companies are still being required to store data. The legal basis for this is an earlier EU Directive, which had been amended by the Data Retention Directive. Is this regulatory approach compatible with the EU Charter?
Continue readingCase C-192/15, Rease – secretly spied on, medical data leaked, and left unprotected by the Dutch regulator
Can the Dutch Data Protection Agency exert any control over companies based in the UK and the USA which conduct covert surveillance on Dutch territory? And in the event of an individual’s data processing law rights under Dutch law being breached, what is to be done where the internal rules of the Dutch Data Protection Agency mean that the Agency will never ever act on a complaint coming from an individual?
Continue readingCase A-1/15, The Canada-EU ‘PNR’ Agreement – contrary to the EU Charter?
Canada and the EU have negotiated a new Passenger Name Record Agreement. A plank of the Agreement involves the transfer and processing of data. The European Parliament is asking the CJEU for a legal opinion on the compatibility of that Agreement with the EU Charter.
Continue readingCase C-582/14, Breyer – seeing the logs from the trees in privacy law
Behind a website, there may be a log. This can record which pages have been viewed, when, and by which dynamic IP address. The legal question is whether this is a processing of ‘personal data’ under the EU’s ‘data processing’ Directive 95/46/EC?
Continue reading