In recent months, the EU Court of Justice (“CJEU”) handed down several key judgments touching on privacy, which we will discuss below.
Eva Glawischnig-Piesczek v Facebook Ireland (C-18/18, 3 October 2019)
This case revolved around the following matter. A Facebook user posted on his personal page a message commenting on an Austrian politician, also publishing a photo of and an article about her. The Handelsgericht Wien directed Facebook Ireland to cease and desist from publishing and/or disseminating the message or any identical or similar messages.
The Austrian Supreme Court judged, however, that in relation to messages with identical wording and/or having equivalent content of which Facebook is not aware, the order should only extend to messages of which Facebook is aware, eliminating the need for Facebook to seek out all messages. The Supreme Court also referred the following question to the CJEU for a preliminary ruling: Does Article 15(1) of Directive 2000/31 (on electronic commerce), which does not impose upon providers such as Facebook Ireland a general obligation to monitor the information they store or transmit, preclude the imposition of an order (worldwide or in the relevant Member State or even in respect of the relevant user) to remove the illegal information?
The CJEU concluded that Article 15(1) must be interpreted as meaning that it does not preclude Member States from:
- ordering host providers to remove information they store, the content of which is identical to the content of information that was previously declared to be unlawful; and
- ordering host providers to remove information they store, the content of which is equivalent to the content of information that was previously declared to be unlawful, provided that the monitoring of and search for the information concerned are limited to information conveying a message the content of which remains essentially unchanged compared with the content which gave rise to the finding of illegality.
Article 15(1) of Directive 2000/31 does not preclude Member States from ordering host providers to remove information or block access to that information worldwide.
This judgment has clear overlaps with the protection of personal privacy. After all, online statements can be declared to be unlawful for unlawfully infringing a person's privacy. Although this judgment does not open up any new rights for natural persons, it does demonstrate that Directive 2000/31 does not preclude any court injunction ordering removal of a publication.
Verbraucherzentrale Bundesverband eV v Planet49 GmbH (C-673/17, 1 October 2019)
Planet49 organised an online lottery. Internet users wishing to take part in the lottery were required to enter contact details. In addition, there were two checkboxes relating to direct marketing and cookies, the second one of which was preselected. The Verbraucherzentrale brought an action for an injunction, as this way of collecting consent did not satisfy the requirements of German law.
The highest German court thereupon referred questions to the CJEU for a preliminary ruling, asking whether this method of seeking consent was valid within the meaning of the e-Privacy Directive and the Personal Data Protection Directive, and within the meaning of the GDPR. The court also asked whether, for the purposes of answering said questions, it makes a difference whether the information stored or accessed constitutes personal data. In addition, the court sought clarification on the type of information the service provider needs to give whenever cookies are placed.
The CJEU judged as follows:
- For consent to be considered valid, it must be the result of active behaviour on the part of the user. This is not the case when this user is required to deselect a preselected tick in a checkbox in order to refuse consent.
- The above applies likewise when no personal data are processed but “regular” data are.
- Providers of services are required to provide users with information about the duration of the operation of the cookies and whether third parties are given access to the cookies.
Given how the GDPR works, this judgment does not appear to yield any new information.
Google v CNIL (C-136/17, 24 September 2019)
This judgment revolves around the question whether Google, when receiving a request to dereference links in the list of results displayed by Google's search engine, is required to dereference such links worldwide or whether this obligation is to be restricted to the territory of the EU Member States. The result was that Google is not obliged to accede to a request for de-referencing of links globally.
The case was brought by CNIL, which had demanded that Google remove from the list of search results those links displayed in response to searches against the names of the data subjects. In the end, the French Conseil d’État referred questions to the CJEU for a preliminary ruling on whether the operator of a search engine (Google), having responded positively to a request to de-reference links, is required to de-reference these links.
The CJEU ruled that Article 12(b) and Article 14(1)(a) of Directive 96/46/EC and Article 17(1) GDPR must be interpreted as meaning that, in order to comply with the rights laid down in those provisions, the operator of a search engine acceding to a request to remove links is not obliged to remove these links from the list of results displayed by all versions of its search engine but only from those versions specific to the relevant Member State. If necessary, measures are to be taken that satisfy the legal requirements and actually make it possible to stop, or at the very least strongly discourage, internet users in one of the Member States conducting a search against the name of a data subject from having access, through the list of results displayed following the search, to the links to which the request for de-referencing relates.
The CJEU added the observation that in the current situation EU law does not provide for the obligation (following acceding to a request to dereference links) to actually remove the links from all versions of the search engine concerned, but does not prohibit such action either. The consequence is that supervisory authorities or courts of Member States are still authorised, in light of national standards for the protection of fundamental rights, to strike a balance between the data subject's right to privacy and the protection of personal data, on the one hand, and the fundamental right to freedom of information, on the other hand, and, having struck this balance, to order the operator of a search engine to remove links from all versions of its search engine.
Legal advice or more information
If you wish to know what your organisation should do to comply with the GDPR, then simply contact Martin Hemmer.
Authors of this blog: Sophie Hendriks and Dick Poerink.