Case C-498/16, Schrems – a Facebook consumer or simply in the business of privacy?

This case concerns a person with a Facebook account. He uses it not only to exchange private photographs and chat with about 250 friends but also for publicity purposes. The legal issue is whether this latter activity stops him from qualifying as a ‘consumer’. The definition matters because if he is a consumer, then he and several thousand other Austrians who are aggrieved at Facebook’s use of their personal data will be able to sue in the Austrian courts.

Continue reading

Case C-698/15, Davis – did the CJEU in Digital Rights Ireland intend to lay down mandatory requirements of EU law?

In 2006, the EU’s ‘data retention’ Directive 2006/24/EC required telecoms companies to store data traffic. In its Digital Rights Ireland judgment of 2014, the CJEU annulled the Directive because the Directive was incompatible with the EU Charter. Six national courts have subsequently declared their national data retention laws to be invalid. However, in other Member States legal uncertainty surrounds what the CJEU actually decided and the legal effects that flow from it. In that context, a Swedish court has already made a preliminary reference to the CJEU. Now, the Court of Appeal of England and Wales has decided to make its own preliminary reference.

Continue reading

Case C-398/15, Manni – data in public registers should be subject to the Google right to be forgotten

Details about Mr Manni were incorporated in a public register. Data in the register was subsequently processed and used for other purposes by a commercial company. The question in this case is whether Mr Manni can require the administrators of the register to respect his right to privacy in accordance with the CJEU’s ‘right to be forgotten’ Google judgment.

Continue reading

Case C-191/15, Verein für Konsumenteninformation – Amazon’s unfair online forum shopping

In the tiny Grand Duchy of Luxembourg is a tiny branch of the corporate king, Amazon. It subjects its customers to buying their goods under Luxembourg law. Is that fair? And what happens to Amazon’s choice of law after it is has been forced through the latticed-meshes of six pieces of EU legislation which determine the applicable national law?

Continue reading

Case C-203/15, Tele2 Sverige – Swedish data retention despite Digital Rights Ireland

Telecoms companies were legally required to store data traffic until the CJEU’s judgment in Digital Rights Ireland. The CJEU annulled the EU’s Data Retention Directive for being incompatible with the EU Charter. Nevertheless, Swedish telecoms companies are still being required to store data. The legal basis for this is an earlier EU Directive, which had been amended by the Data Retention Directive. Is this regulatory approach compatible with the EU Charter?

Continue reading

Case C-192/15, Rease – secretly spied on, medical data leaked, and left unprotected by the Dutch regulator

Can the Dutch Data Protection Agency exert any control over companies based in the UK and the USA which conduct covert surveillance on Dutch territory? And in the event of an individual’s data processing law rights under Dutch law being breached, what is to be done where the internal rules of the Dutch Data Protection Agency mean that the Agency will never ever act on a complaint coming from an individual?

Continue reading

Case A-1/15, The Canada-EU ‘PNR’ Agreement – contrary to the EU Charter?

Canada and the EU have negotiated a new Passenger Name Record Agreement. A plank of the Agreement involves the transfer and processing of data. The European Parliament is asking the CJEU for a legal opinion on the compatibility of that Agreement with the EU Charter.

Continue reading

Case C-582/14, Breyer – seeing the logs from the trees in privacy law

Behind a website, there may be a log. This can record which pages have been viewed, when, and by which dynamic IP address. The legal question is whether this is a processing of ‘personal data’ under the EU’s ‘data processing’ Directive 95/46/EC?

Continue reading

Case C-230/14, Weltimmo – regulatory competence over websites

If a Slovakian company runs a website that advertises Hungarian homes for sale, and Hungarian residents submit their personal data to the company’s website server, then in the event of the Slovakian company breaching data protection laws, does the Hungarian Data Protection Authority retain any regulatory competence to ensure that Hungarian data protection law is complied with? Or should the Hungarian Authority simply have requested its Slovakian counterpart to take action against the Slovakian company?

Continue reading