GDPR Articles With Commentary & EU Case Laws - Adv. Prashant Mali (bill gates book recommendations .TXT) 📗
- Author: Adv. Prashant Mali
Book online «GDPR Articles With Commentary & EU Case Laws - Adv. Prashant Mali (bill gates book recommendations .TXT) 📗». Author Adv. Prashant Mali
under CAP) and Regulation 259/2008 (requiring publication exclusively on the internet). The applicants filed an action in national court to prevent publication of data relating to them.
Question referred: Whether provisions requiring publication of this data on the Internet are valid and consistent with data protection requirements.
Legal persons: Legal persons can claim protection of Articles 7 and 8 of the CFR only insofar as the official title of the legal person identifies one or more natural persons. Here, the name of the legal person directly identifies the natural persons who are its partners.
Consent: The legislation at issue does not seek to base the personal data processing for which it provides on consent of the beneficiaries concerned. Rather, it provides that they are to be informed. Thus, processing is not based on their consent. Therefore, it is necessary to analyse whether interference is justified under Article 52(1) of the CFR.
Articles 7/8 CFR: The validity of legislation requiring publication must be assessed in light of provisions of the CFR, including Article 8. However, CFR Article 52(1) accepts that limitations may be imposed on rights under the CFR, as long as they are provided by law, respect the essence of those rights and are proportionate (necessary and genuinely meet objectives of general interest recognised by the EU or the need to protect the rights and freedoms of others.) Further, CFR Article 52(3) states that for rights in the CFR which correspond to rights in the ECHR, the meaning and scope shall be same as that given in the ECHR.
Publication on the website of data naming beneficiaries and amounts they receive constitutes interference with private life under Article 7 of the CFR. It is irrelevant that the data concerns activities of a professional nature, as under Article 8 ECHR, the CFR has held that no principle justifies exclusion of activities of a professional nature from the notion of private life.
Publication must a) be provided by law, b) respect the essence of the rights and freedoms in Articles 7 and 8 of the CFR, and c) be proportionate (necessary and genuinely meet the objectives of general interest recognised by the EU or the need to protect the rights and freedoms of others). Here, publication is lawful since it is specifically provided for by the Regulation. It meets the general interest requirement because publication is intended to enhance transparency regarding use of CAP funds and sound financial management. Regarding proportionality, it is necessary to analyse whether the EU balanced its interest in guaranteeing transparency and ensuring the best use of public funds with the rights of beneficiaries to privacy and data protection. Derogations to data protection are allowed only insofar as they are strictly necessary.
For natural persons, there is nothing to show that lawmakers made an effort to strike a balance. No automatic priority can be conferred on the objective of transparency over data protection, even if important economic interests are at stake. Thus, the lawmaker exceeded the limits, which the proportionality principle imposes.
Publication of the data in question with respect to the complainant legal person does not go beyond limits imposed by the proportionality principle. The seriousness of the breach manifests itself in different ways for legal persons versus natural persons. It would impose an unreasonable administrative burden on the competent national authorities if they were obliged to examine, before the data are published for each legal person who is a beneficiary, whether the name of that person identifies natural persons. Thus, the legislation requiring publication is valid with respect to the legal persons.
CASE C-70/10, SCARLET EXTENDED SA V. SOCIETE BELGE DES AUTEURS, COMPOSITEURS ET EDITEURS SCRL (SABAM), 24.11.2011 (“SCARLET”)
Reference for a preliminary ruling by the cour d’appel de Bruxelles (Belgium). SABAM, a management company representing authors, composers and editors of musical works, brought proceedings in the Belgian court against Scarlet, an internet service provider (ISP), to take measures to bring an end to copyright infringements committed by Scarlet's customers. Scarlet had been ordered by the Belgian court of first instance to install a system for filtering electronic communications which use file-sharing software (“peer-to-peer”), with a view to preventing file sharing which infringes copyright. Scarlet appealed. The court of appeal referred the question for preliminary ruling.
Question referred: Whether EU Directives on electronic commerce in the internal market, intellectual property rights and data protection, read together and construed in the light of the requirements stemming from the protection of the applicable fundamental rights, must be construed as precluding an injunction on an ISP to introduce such a filtering system.
Definition of personal data: ISP addresses are protected personal data because they allow the concerned users to be precisely identified.
Necessity/proportionality: The contested filtering system may infringe the right to protection of personal data of the ISP's customers, as it would involve a systematic analysis of all content and the collection and identification of the users' IP address from which unlawful content on the network is sent.
Balancing fundamental rights: The injunction to install the contested filtering system did not respect the requirement that a fair balance be struck between, on the one hand, the protection of the intellectual property right enjoyed by copyright holders, and, on the other hand, that of the freedom to conduct business, the right to protection of personal data and the freedom to receive or impart information.
CASE C-461/10, BONNIER AUDIO AB ET AL. V. PERFECT COMMUNICATION SWEDEN, 19.4.2012 (“BONNIER”)
Reference for a preliminary ruling by the Högsta domstolen (Sweden). The applicants, which are publishing companies that hold copyrights to 27 audiobooks, brought proceedings in the Swedish court for copyright infringement by means of a file transfer protocol (FTP) server which allows file sharing and data transfer via the internet. The applicants applied to the Swedish court for an order for the disclosure of the name and address of the person using the IP address from which the files were sent. EPhone, the ISP, challenged the application, alleging that it violated the Data Retention Directive.
Questions referred: (1) Whether Directove 2006/24 precludes the application of a national provision which permits an internet service provider in civil proceedings, in order to identify a particular subscriber, to be ordered to give a copyright holder or its representative information on the subscriber to whom the internet service provider provided a specific IP address, which it is claimed was used in the infringement; (2) whether the answer to the first question is affected by the fact that the Member State has not implemented Directive 2006/24.
Scope of Directive 2006/24: Directive 2006/24 deals exclusively with the handling and retention of data generated by electronic communication service providers for the purpose of the investigation, detection, and prosecution of serious crime and their communication to competent national authorities. Thus, a national provision transposing the EU intellectual property directive, which permits an ISP in civil proceedings to be ordered to give a copyright holder information on the subscriber to whom the ISP provided an IP address allegedly used in an infringement, is outside the scope of Directive 2006/24 and therefore not precluded by that Directive. It is irrelevant that the Member State concerned has not yet transposed Directive 2006/24.
Definition of processing: Communication of the name and address sought by applicants constitutes processing of personal data.
Scope of Directive 2002/58: The communication of the name and address in question falls within the scope of Directive 2002/58 (and within the scope of Directive 2004/48, dealing with copyright).
Balancing fundamental rights: The national legislation in question requires, for an order for disclosure of the data in question to be made, that there be clear evidence of an infringement of an intellectual property right, that the information can be regarded as facilitating the investigation into a copyright infringement and that the reasons for the measure outweigh the potential harm to the person affected. Thus, it enables the national court seized of an application for an order for disclosure of personal data to weigh the conflicting interests involved, and thereby in principle ensures a fair balance between protection of intellectual property rights and protection of personal data.
JOINED CASES C-468/10 AND C-469/10, ASOCIACION NACIONAL DE ESTABLECIMIENTOS FINANCIEROS DE CREDITO (ASNEF) AND FEDERACION DE COMERCIO ELECTRONICO Y MARKETING DIRECTO (FECEMD) V. ADMINISTRACION DEL ESTADO, 24.11.2011 (“ASNEF”)
Reference for a preliminary ruling by the Tribunal Supremo of Spain. The applicants in national proceedings challenged the validity of Royal Decree 1720/2007 implementing Organic Law 15/1999. These national rules provide that, in the absence of the interested party's consent, and to allow processing of his personal data that is necessary to pursue a legitimate interest of the controller or recipients, it is necessary not only that the fundamental rights and freedoms of the data subject should not be prejudiced, but also that the data should appear in public sources. These requirements go beyond the provisions of Article 7(f) of Directive 95/46.
Questions referred: Whether a Member State can add new principles relating to the lawfulness of processing of personal data to those specified in Article 7 of Directive 95/46 or impose additional requirements that have the effect of amending the scope of one of the six principles provided for in Article 7; Whether Article 7(f) has direct effect.
Transposition/harmonisation: Harmonisation of national laws is not limited to minimal harmonisation but harmonisation which is generally complete. Directive 95/46 is intended to ensure free movement of personal data while guaranteeing a high level of protection for the rights and interests of data subjects, equivalent in all Member States. Consequently, Article 7 of Directive 95/45 sets out an exhaustive and restrictive list of cases in which the processing of personal data can be regarded as lawful. That interpretation is corroborated by the term “may be processed only if”, which demonstrates the exhaustive and restrictive nature of the list appearing in that Article. Thus, the Member States cannot add new principles relating to the lawfulness of processing or impose additional requirements.
Article 5 authorises Member States to specify the conditions under which the processing of personal data is lawful, within the limits of Article 7, inter alia. That margin of discretion can be used only in accordance with the objective pursued by the Directive of maintaining a balance between the free movement of personal data and the protection of private life. A distinction must be made between national measures that provide for additional requirements amending the scope of a principle referred to in Article 7 (precluded) and national measures which provide for a mere clarification of one of those principles (allowed). Thus, Article 7(f) precludes any national rules which, in the absence of the data subject’s consent, impose requirements that are additional to the two cumulative conditions set out in that Article.
Balancing fundamental rights: The second condition of Article 7(f) (the interests of the controller or recipients must not be overridden by the fundamental rights and freedoms of the data subject) necessitates a balancing of the opposing rights and
interests concerned, which depends on the individual circumstances of the particular case. In relation to the balancing, it is possible to take into consideration the fact that the seriousness of the infringement of the data subject’s fundamental rights resulting from that processing can vary depending on whether or not the data in question already appear in public sources. The processing of data appearing in non-public sources necessarily implies that information relating to the data subject’s private life will thereafter be known by the data controller and recipients, which is a more serious infringement of the data subject’s rights enshrined in Articles 7 and 8 of the Charter of Fundamental Rights, and must be properly taken into account in the balancing. However, it is no longer a precision within the meaning of Article 5 if national rules exclude the possibility of processing certain categories of personal data by definitively prescribing the result of the balancing thereby not allowing a different result by virtue of the particular circumstances of an individual case.
Direct applicability: Whenever the provisions of a Directive appear to be
Comments (0)