Case C-210/16 – Wirtschaftsakademie Schleswig-Holstein
The case arose around a dispute between the data protection authority of Schleswig Holstein (Unabhängiges Landeszentrum für Datenschutz Schleswig Holstein, ULD) and the Wirtschaftsakademie Schleswig-Holstein GmbH (Wirtschaftsakademie), a private-law company operating in the field of education. The ULD ordered Wirtschaftsakademie to deactivate its fan page on Facebook, on the grounds that neither Wirtschaftsakademie nor Facebook notified visitors that a cookie was dropped on their devices, nor that this data would subsequently be processed, during the time when the case was ongoing.
Wirtschaftsakademie then issued a complaint against the decision arguing that it is not the responsible entity (i.e. ‘controller’) for the processing of the data by Facebook, or the cookies which were placed by Facebook. The ULD dismissed this complaint and argued that using Facebook to host its fan page meant that it made an active and deliberate contribution to the collection by Facebook of personal data, relating to visitors to the fan page, and that Wirtschaftsakademie profited from this by means of the anonymous statistics Facebook provided to it.
This kicked off the legal battle in the German administrative judicial system – with Wirtschaftsakademie bringing an action against the ULD in the Administrative Court – which ruled in its favour. The ULD appealed until the case reached the highest instance. The Federal Administrative Court then stayed proceedings and referred the case to the CJEU for a preliminary ruling to understand, inter alia, what the term ‘controller’ should be interpreted as.
The Court’s Judgment
The CJEU looked at several aspects of the relationship between Wirtschaftsakademie and Facebook - the goal was to determine whether they are able to decide on the means and purposes of data processing by choosing to put their fan page on Facebook, as opposed to other solutions. In this regard, the CJEU stated that the term ‘controller’ must be interpreted broadly in order to ensure the goals of data protection law can be adequately met.
While the CJEU found that the Wirtschaftsakademie wasn’t able to exercise any influence over the terms of their contractual relationship with Facebook, it did argue that the choice of creating a fan-page on Facebook provides an opportunity for the latter to collect personal data of Wirtschaftsakademie’s followers, by leading potential non-Facebook users to the site and allowing Facebook to place a cookie on their devices.
Furthermore, as the administrator of the page, the Wirtschaftsakademie was able to use Facebook’s filters to see usage statistics for categories of visitors to the page. The CJEU considered that the use of those filters again creates a reason for Facebook to collect personal data about visitors in order to enable this categorisation for the feature which Wirtschaftsakademie uses. Even though the information presented through these filters is not personal data, they allow Wirtschaftsakademie to target users based on their age, gender, relationship status and other categories - i.e. by promoting certain articles to specific segments of their user base.
These findings, combined with the CJEU’s insistence that the term ‘controller’ has to be interpreted broadly, meant that Wirtschaftsakademie must be considered a joint controller with Facebook, as they do have a part to play in the means and purposes of processing personal data. A key factor in this finding is that non-Facebook users could be brought to the Facebook fan-page of Wirtschaftsakademie, which may otherwise not have been within Facebook’s sphere of influence.
Implications of the Judgment
The judgment could be used to make a strong argument that targeted advertising implies joint controllership of advertisers with the platforms or other ad tech providers which help them target their ads to users. Following the CJEU’s logic, if an advertiser uses any service which collects data about users in order to target advertising to them, the advertiser makes a contribution to the processing of personal data because they make use of the tool for which the data was collected.
In general, the judgment also makes two important points for an ecosystem which is so interconnected; first, that the concept of a ‘controller’ will be defined very broadly by the CJEU in order to ensure a high level of protection for personal data, and secondly that joint controllership does not imply equal controllership.
The first point implies broad application of ‘controllership’ – using the argumentation that the CJEU employs here, it may be possible to define many organisations as joint controllers, and this judgment might have ‘opened the floodgates’ to many far-reaching interpretations of the definition. However, the second point may serve as a safeguard to that wide interpretation, to establish that joint controllers may still be able to limit their individual responsibility by choosing to interact very carefully with its other joint controllers.
Case C-40/17 - FashionID
On 29 July 2019, the CJEU handed down a judgment in Case C-40/17, Fashion ID. The judgment touched on issues relating to consent in situations where there may be multiple controllers; in that sense it built upon the previous judgment handed out in Case C‑210/16, Wirtschaftsakademie in 2018, when the court interpreted that the definition of ‘controller’ needs to be interpreted broadly.
The facts of the case centre around the online retailer ‘Fashion ID’, and it’s inclusion of a Facebook ‘Like’-button plugin on it’s website. A consumer organisation, Verbraucherzentrale NRW, criticised Fashion ID for the use of this ‘Like’ button as its inclusion on their website means that personal data is collected and transferred to Facebook without getting consent and providing transparency. The CJEU confirms that transmission of personal data from the website to Facebook occurs regardless of whether the user is a Facebook member or not, and regardless of whether they have clicked on the ‘Like’ button.
In defending against that claim, Fashion ID asserted that it was not a controller as it had no influence either over the data transmitted by the visitor’s browser from its website or over whether and how Facebook makes use of the data transmitted through the ‘Like’ button.
The Court’s Judgment
The CJEU found that by embedding Facebooks ‘Like’ button, Fashion ID made it possible for Facebook to obtain personal data of visitors to its website. This echoes the judgment in the Wirtschaftsakademie case [link to page] where, by creating an opportunity for another data controller to collect personal data, the website itself also becomes a joint controller.
However, the CJEU noted that Fashion ID was capable of deciding (together with Facebook) only how and for which purposes the personal data of it’s site visitors is passed onto Facebook; not what happens to the personal data after that point. Therefore, it can be considered a joint controller only with respect to the collection and transmission of data to Facebook but not for any further processing actions undertaken by Facebook once that data has been transmitted to Facebook.
Answering another question from the referring Court, the CJEU also touches on the question of which party is responsible for requesting consent for the collection and transmission of personal data in a situation as described in the case. The CJEU here reasons that it must be the operator of the website (the first party) that gets consent on behalf of the provider of the social plugin (the third party), because it is the visitor entering the website that triggers the collection and transmission of the personal data.
That consent only relates to the processing activities that the website operator has control over, however - i.e. the collection of and transmission of information. Consent for other processing purposes needs to be given to the provider of the social plugin, in this case Facebook.
Implications of the Judgment
While the present case concerned Facebook’s ‘Like’ button, the CJEU attempted to interpret the facts of the case in a technologically neutral manner - meaning that the ruling applies to situations where a website operator embeds “a social plugin causing the browser of a visitor to that website to request content from the provider of that plugin and, to that end, to transmit to that provider the personal data of the visitor”.
Some might interpret this as being analogous to digital advertising banner placements - which technically could similarly be defined as content that is requested by the website operator from a third party through an ad server. Moreover, in the sense that this ruling affects how the definition of ‘controllers’ is to be interpreted, it could be reasonably argued that in any case where a website operator helps other organisations collect data about site visitors (i.e. by allowing vendors to place cookies on their page), they are inherently considered joint controllers because they make it possible for those third parties to collect information there.
The bottom line is that this judgment more or less confirms that publishers are joint controllers with their ad tech and data partners. As a result of this, they are also in charge of gaining consent on behalf of third parties when it comes to allowing the collection and disclosure of personal data on their website by those third parties.
Case C‑673/17 - Planet49
On 1 October 2019, the CJEU ruled on the question of consent for cookies under the ePrivacy Directive (Directive 2002/58/EC) and the GDPR (Regulation (EU) 2016/679) in Case C-673/17, Planet49. The judgment covered some topics which are of relevance to online advertising, such as which actions could be considered as ‘active’ behaviour to signify consent, and whether advertising identifiers can be considered personal data.
Planet49 GmbH organised a promotional lottery online. In order to take part, internet users had to enter their postal code, and subsequently provide their name and address. Alongside the input fields there were two text boxes accompanied by a checkbox.
The first text explained that the user, by clicking the checkbox, indicated their consent to sponsors and ‘partners’ of Planet49 contacting the user about offers - in simple terms, the user was asked to consent to receiving direct marketing by those companies. This first text was not accompanied by a pre-selected checkbox.
The second text indicated the user’s consent to the use of a web analytics service being used which placed cookies. Those cookies would be used by Planet49 to ‘evaluate’ surfing and use behaviour on websites of advertising partners’ - enabling interest-based advertising. The checkbox accompanying this text was pre-selected (pre-ticked), and participation in the lottery was only possible if at least the first checkbox had been selected.
The German Federation of Consumer Organisations brought an action against Planet49 for this, asserting that these declarations of consent did not satisfy the requirements of the law in place at the time. The Case was appealed numerous times, before the German Federal Court of Justice referred the question to the CJEU as this issue depends on the interpretation of the ePrivacy Directive’s cookie provision as well as the definition of consent under the GDPR (and previously, the data protection directive).
The Court’s Judgment
First the CJEU clarifies that the German Federal Court of Justice had noted that the cookies described by Planet49 contain an identifying number, linked to the registration data of the user (name and address). Such linking means that the collection of this data by means of cookies constitutes processing of personal data, which was also confirmed by Planet49. Hereby, the CJEU confirms that consent is required in this situation.
In discussing whether a pre-ticked checkbox can be considered a valid method of providing consent, the CJEU considers that ‘only active behaviour on the part of the data subject’ can signify consent, leading the CJEU to conclude that it is impossible in practice to objectively ascertain whether a user gives consent by ‘ not deselecting a pre-ticked checkbox’.
While Planet49 considered that the act of choosing to participate in the promotional lottery indicated the user took an action signifying consent,the CJEU did not consider that this would satisfy the requirement for consent to be specific. In other words, consent has to be given specifically to the use of advertising cookies, rather than being considered as part of consenting (or choosing) to take part in a lottery.
Implications of the Judgment
In this case the CJEU provided clarity on the definition of personal data and on what constitutes an affirmative action signifying consent. For the former, the CJEU formally acknowledged the interpretation that cookie identifiers, tied to personal information about users such as browning history and identifiers, constitute personal data. This is clearly relevant to our industry as it confirms that most data gathering techniques used in the industry fall within the scope of the GDPR.
Additionally, the CJEU’s discussion of what constitutes an affirmative action is helpful in understanding how consent can be given validly in an online context. Essentially, by describing that there must be a way to objectively ascertain that consent has been given specifically to a particular data processing purpose, we know that consent must be indicated through an observable and recordable action in close proximity to the text which describes what the user is consenting to.
For Germany specifically, this judgment has had a bigger impact. In the German Federal Court of Justice’s final ruling on the Planet49 case, they have now confirmed that Section 15(3) TMG should be read as requiring an opt-in - in line with the requirements of the GDPR and with the application of the cookie consent requirement of the ePrivacy Directive as implemented in other EU Member States.
While the GDPR already clearly states that ‘pre-ticked’ boxes can never constitute valid consent, the German legal situation was somewhat more complicated. There is a general consent requirement for placing cookies in the ePrivacy Directive, which was to be transposed into national law in all the EU Member States. However, in Germany’s implementation law, the Telemediagesetz (TMG), Section 15 (3) provided that cookies could be placed for tracking purposes as long as an opt-out was provided. This was effectively overturned by the CJEU, and subsequently confirmed by the German Federal Court of Justice on May 28th, 2020.
Case C-311/18 - Schrems II
In a request for a preliminary ruling by the Irish High Court, the CJEU found that the level of protection of personal data provided by US law cannot be considered to be essentially equivalent to that provided by the GDPR, due to the latitude given to US public authorities to engage in disproportionate collection and processing of EU citizens’ personal data, notably in the context of a certain surveillance programmes, and because US law does not provide EU citizens with access to adequate redress.
The Court did not challenge the validity of Commission Decision 2010/87/EU on standard contractual clauses (SCCs) for the transfer of personal data to processors established in third countries. But the ruling highlights the degree to which such clauses cannot be used as a substitute for the Privacy Shield, since they create binding obligations only on the contracting parties, and not on the US Government (or any other third country government), and can therefore do nothing to mitigate the flaws in the Privacy Shield.
The provisions in the judgement relating to SCCs leave companies in a situation of uncertainty as to whether they have any practical means of ensuring that data transfers to the US comply with EU law. The ruling also puts DPAs under significant pressure to make assessments about law and practice in third countries that they will likely struggle to make, and may prompt large numbers of requests for suspensions of transfers that DPAs will either need to accede to or substantiate rejections of.
The judgment follows the CJEU’s annulment of the Commission’s Safe Harbour Decision in 2015 in case C-362/14, decided in the context of an earlier request for a preliminary ruling by the Irish High Court. Following the CJEU’s ruling on Safe Harbour, Max Schrems submitted a new complaint to the Irish Data Protection Commissioner challenging the legality of data transfers based on SCCs, on the basis that such clauses could also not ensure adequate protection of EU citizens’ personal data and suffered from the same inherent flaws as the Safe Harbour arrangement. The Irish Data Protection Commissioner was sympathetic to Schrems’s assessment and brought an action before the Irish High Court seeking to have that Court refer a question on the validity of the SCC Decision to the CJEU. In the event, the High Court referred a total of eleven questions to the CJEU. The detailed questions may be read in the English version of the judgment here.
The Court’s Judgment
In its decision, the CJEU found that the Privacy Shield Decision is incompatible with the requirements of Article 45(1) of the GDPR, read in light of Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union, and is therefore invalid.
On the other hand, the Court’s examination of the SCC Decision has, in its own words “disclosed nothing to affect the validity of that decision”, as far as it goes. However, data controllers seeking to leverage SCCs going forward will need to make their own assessment of whether those SCCs, potentially with additional provisions inserted, can in and of themselves ensure an adequate level of data protection. If they cannot, then the data transfers must be suspended or stopped.
In addition, the mere fact that personal data transferred for commercial purposes by an economic operator established in an EU Member State to another economic operator established in a third country may incidentally be the object of collection and processing by a public authority for the purposes of public safety, defence, or national security does not mean that such transfers fall outside the scope of the GDPR.
In the absence of a Commission adequacy decision pursuant to Article 45 GDPR, DPAs are required to suspend or prohibit a transfer of data to a third country covered by SCCs if, in their judgment, the SCCs are not, or cannot be, complied with in that third country and the protection of the data required under Articles 45 and 46 GDPR and by the Charter, cannot be ensured by other means, where the controller or a processor has not itself suspended or put an end to the transfer.
Finally, the annulment of the Privacy Shield Decision does not leave a legal vacuum, since the GDPR’s Article 49 prescribes other conditions under which transfers of personal data to third countries not covered by an adequacy decision (e.g. explicit consent of the data subject or performance of a contract).
Implications of the judgment on data transfers to the US
This judgment has several far-reaching implications. First and foremost, data transfers to the US based on the current SCCs are now vulnerable to challenges, and DPAs will have to act on requests for suspensions or prohibitions of such transfers going forward if there are complaints against specific companies.
Additional contractual commitments may be added to existing SCCs, but as those of necessity are not capable of having binding effect on the US government, they will likely be incapable of ensuring that data transfers to the US are in compliance with the GDPR. This is because they are powerless to prevent indiscriminate collection and processing of EU citizens’ personal data by the US intelligence agencies or of providing sufficient means of redress if personal data is processed illegally.
The European Data Protection Board (EDPB) has confirmed that it is “looking further into what these supplementary measures could consist of and will provide more guidance” in due course (see FAQ document issued by the EDPB on 23rd July here.
The explicit consent and contract exceptions under Article 49 may be relevant alternatives to SCCs, although they are intended to apply under exceptional circumstances. The use of explicit consent is conditional on the consent being specific – that is, specific for a particular data transfer or set of transfers – and informed, e.g. users must be made aware of the specific risks resulting from the fact that data will be transferred to a country that does not provide adequate protection and that no adequate safeguards aimed at providing protection for the data are being implemented (see EDPB guidance from 2018 here).
Other GDPR Case Law
The Breyer case pre-dates the GDPR by a number of years but it is an important milestone case in understanding how far the definition of personal data was always intended to reach under European data protection law. The question before the Court was whether an IP address can be considered personal data, even where only a third party (an internet service provider, or ISP) holds additional information with which to identify the person behind the IP address.
The CJEU concluded that although a website operator (in this case, the German Federal government) might not be able to identify a person directly from their dynamic IP address, the IP address still constitutes information about an identifiable natural person, and is therefore personal data. This applies where the data subject’s ISP holds additional information with which the data subject can be identified, and where there are reasonable means at the disposal of the website operator with which they can obtain that additional information.
In this case, the Federal Government could make use of legal means to obtain the additional information, as they held onto the IP addresses of visitors for reasons of cybersecurity. As a result, if any suspicious activity or even a cyber attack was detected from a certain IP address they would seek to obtain information about the identity of the person behind that IP address - therefore proving that it is possible and practical for the website operator to obtain this information.
Even outside of the specific use-case of IP addresses, this also opens up a lot more types of data to fit within the definition of personal data. Information that, in and of itself doesn’t identify a person, but that could be combined with other information by a third party, would now be considered personal data when the controller holding the original information is practically and legally able to obtain the additional information from a third party.
In this case, the Finnish Supreme Administrative court referred questions for the CJEU around the concept of controllership related to a religious organisation. In order, the questions were 1) whether religious organisations are exempt as acting under either government authority or as personal use, 2) whether the simple collection of data by Jehovah’s Witnesses about which houses were or were not religious is considered a filing system, and by 3) and 4) whether a religious community can be considered a Controller.
The court essentially answered: 1) no, 2) yes, 3 and 4) yes. Even though the Jehovah’s Witnesses Community doesn’t “order” people to preach door-to-door and collect information about the people living in those houses, it’s encouraged by the Community, and such collection helps the objectives of the Community. This is despite the fact that the members of the community may not have access to the data (as a whole - only that which they submit).
On the question of whether something is processed manually (i.e. not by electronic means) the CJEU clarifies that you can consider something a filing system within the meaning of data protection law when it enables the easy retrieval of a particular piece of personal information.
JOINT CASES: Google v CNIL: Case C‑136/17, Case C-507/17
C-136/17 - clarifying certain aspects of the right to be forgotten; in particular when it can sometimes be justified not to erase personal data, and explaining where the right to freedom of information must be balanced against protection of personal data and privacy.
C-507/17 was about whether Google had to obey the de-referencing request for ALL of its domains (globally). The CJEU said that there’s a limit to the application of the law here to those domains that are intended for use by the EU, and it cannot apply or require that beyond this test. Google still should take reasonable measures within the law to effectively prevent or at the very least discourage internet users conducting a search within Europe from finding any articles/pages related to the data subject who has asked for de-referencing.
Case C‑708/18, TK v Asociata de Proprietari bloc M5A-ScaraA - on legitimate interest
This case concerned the complaint of TK, who owned an apartment in a building managed by M5A (association of co-owners), which placed security cameras in parts of the building due to vandalism and several thefts and burglaries taking place; the idea was to monitor who entered and left the building. TK felt this violated data protection law, the association of co-owners argued it was in their LI, which the CJEU agreed with.
The only really interesting and applicable part of this case is that it references previous case law on the legitimate interest legal basis, and notes some things with which to test; namely, proportionality is examined in terms of which methods could have been (and indeed in this case, were) used to achieve the same goal of preventing burglaries and thefts.