European Data Protection Cases You Should Know About
If you’re taking the CIPP/E or just interested in how European and EU data protection law has developed, here are some important cases you should be aware of. They cover topics including:
- The application of the European Convention on Human Rights Article 8 Right to Privacy
- Jurisdiction of UK/EU courts
- The extra-territorial application of EU data protection laws
- Dynamic IP address as personal data
- Conflicts between national laws and human rights, particularly in the context of data retention and surveillance
- And, of course, Max Schrems and the two data transfer cases bearing his name.
European Convention on Human Rights (ECHR) Article 8
Halford v United Kingdom (1997)
Alison Halford, senior police officer, alleged that her employer, Merseyside Police, intercepted her private telephone calls made from her office, particularly during her legal disputes with her employer. Based on evidence provided as part of the case, it was clear that the interception of calls had taken place.
The European Court of Human Rights held in favour of Halford, finding that the interception of her private phone calls violated her Article 8 right to privacy. The court noted that Halford had a reasonable expectation of privacy in her workplace, and no other legislation allowed the interception of workplace communications by public authorities.
Von Hannover v Germany (2004)
Princess Caroline of Monaco (Caroline von Hannover) appealed a decision of German courts that allowed the publication of photographs depicting her private life, alleging those photos infringed her right to privacy under ECHR Article 8.
The European Court of Human Rights ruled in favour of Princess Caroline, finding that the publication of the photographs violated her right to privacy. The court emphasized that the right to privacy extends to all aspects of a person’s life, even for public figures, and the public’s interest in knowing about the private lives of public figures must be balanced against their right to privacy. The court held that the German courts had failed to strike a fair balance between these competing interests.
Copland v United Kingdom (2007)
Lynette Copland claimed that her employer monitored her phone calls, emails and internet usage without her knowledge or consent, in breach of her rights under ECHR Article 8. Her employer had no clear policy on workplace monitoring.
The European Court of Human Rights held in favour of Copland, finding that the monitoring constituted a violation of Article 8. The court held that individuals have a reasonable expectation of privacy in the workplace, and any interference with this right must be in accordance with the law and necessary in a democratic society.
MM v United Kingdom (2012)
MM challenged the retention and disclosure of her criminal record information in the United Kingdom. She had been cautioned for child abduction in 2000, and this caution remained on her criminal record. MM argued that the continued retention and disclosure of this information as part of criminal records checks for job applications damaged her chances of employment and were an infringement of her right to privacy. The issue was whether the UK’s system for retaining and disclosing criminal record information, including cautions, was compatible with MM’s right to privacy under Article 8 of the ECHR.
The European Court of Human Rights ruled in favour of MM, finding that the UK’s system interfered with her right to privacy under Article 8. The court accepted that the retention and disclosure of criminal records pursued legitimate aims such as protecting vulnerable individuals and enabling employers to assess the suitability of job applicants. However, the court found that the UK system did not strike a fair balance between the public interest and the individual’s right to privacy. The system lacked flexibility and did not allow for a case-by-case assessment of whether disclosure of the specific information was necessary.
Mosley v The United Kingdom (2011)
Max Mosley, a well-known UK figure, was involved in a fight with the News of the World, which published an article and video alleging he took part in a sadomasochistic orgy. Mosley argued his privacy was violated and he should have received prior notification (required under UK law). The News of the World relied on the right to freedom of expression versus breach of Mr Mosley’s ECHR Article 8 right to privacy.
The European Court of Human Rights ruled against Mr Mosley saying that the absence of notice did not violate Article 8. The court emphasised the importance of freedom of expression under Article 10 of the ECHR and determined that requiring pre-notification could have a chilling effect on journalistic freedom. However, the court acknowledged the need for effective legal remedies post-publication for individuals whose privacy is infringed.
This case highlights the tension between the right to privacy and the right to freedom of expression.
EU Data Protection Directive
Bodil Lindqvist v Åklagarkammaren i Jönköping (2003)
Bodil Lindqvist, a Swedish citizen, created a website that included personal data about her colleagues including their names, details about one worker’s foot injury, and the work situations of others. The website was created using a ‘non-public’ URL (it was 2003!). Mrs Lindqvist did not obtain any consent to the disclosure of information about her colleagues. She asserted that the website was created for her personal or domestic use.
The Court of Justice of the EU (CJEU) ruled that Mrs Lindqvist’s actions constituted “processing of personal data” under the EU Data Protection Directive and, because the information was accessible by the public (even though that would be difficult), she could not rely on the exclusion for personal or domestic use.
The court also held that the fact that the information was on the internet (and accessible from overseas) did not mean that there was a transfer to a third country.
This case clarified the scope of the EU Data Protection Directive regarding the processing of personal data and the notion of data transfers to third countries via the internet. It underscored the requirement for consent in processing personal data.
Google Spain v AEPD and Mario Costeja Gonzalez
This case established the “right to be forgotten” (which was then included as a specific data subject right in the GDPR). Mario Costeja Gonzalez requested that Google remove a link to a newspaper article about a real estate auction related to his social security debts from Google’s search results.
The CJEU ruled that individuals have the right to request the removal of personal data from search engines if the information is no longer relevant or excessive.
Weltimmo Case (2015)
Weltimmo was a company registered in Slovakia (a non-EU country) operating a real estate website targeting people in Hungary (an EU member state). Weltimmo was accused of breaching Hungarian data protection laws by failing to delete the personal data of advertisers who requested their data to be removed. The Hungarian Data Protection Authority fined Weltimmo, but the company argued that Hungarian law did not apply to it as it was registered in Slovakia, and did not have any physical presence in Hungary (even though its site was advertising Hungarian real estate for sale to Hungarians).
The CJEU ruled that the EU Data Protection Directive applies to a company if it processes personal data in the context of the activities of an establishment in the territory of a member state. The court found that Weltimmo had an establishment in Hungary because it pursued real and effective activities there, such as providing services in Hungarian and having a representative in Hungary. Therefore, Hungarian data protection laws applied to Weltimmo’s activities.
The case clarified that a company’s data processing activities are subject to the data protection laws of the member state where it has an establishment, defined by real and effective activity, regardless of where the company is legally registered. The decision reinforced the broad applicability of EU data protection laws, emphasising that organisations targeting users in a specific member state must comply with that state’s data protection regulations, even if the organisation is not established within the EU.
Vidal-Hall v Google Inc (2015)
Vidal-Hall, Robert Hann, and Marc Bradshaw brought a case against Google Inc. alleging that Google unlawfully collected and used their personal data without consent by circumventing the privacy settings in Apple’s Safari browser, in breach of the UK Data Protection Act 1998 (DPA 1998). They sought damages for distress caused by the invasion of their privacy.
Issues considered in the case included:
- Whether misuse of private information is a tort that can be actionable without proof of financial/economic loss or harm
- Whether claimants could seek compensation for distress alone under the DPA 1998 without demonstrating financial loss; and
- Whether the UK courts had jurisdiction to hear the case against Google, a US-based company.
In its decision, the UK Court of Appeal recognised that:
- misuse of private information is a distinct tort that can be pursued outside of the DPA 1998 and without establishing economic loss;
- under the DPA 1998, claimants could seek damages for distress alone, without the need for financial/economic loss, which was a significant departure from previous decisions that required a demonstration of financial loss to claim damages for distress; and
- UK courts had jurisdiction to hear the case because of Google’s activities in tracking and profiling users in the UK.
Patrick Breyer v Bundesrepublik Deutschland (2016)
Patrick Breyer challenged the Federal Republic of Germany over the retention of dynamic IP addresses of websites he visited. Mr Breyer argued that storing these IP addresses, which can be linked to individuals when combined with additional information held by internet service providers (ISPs), violated his right to privacy and data protection under EU law.
The key issues were whether:
- Dynamic IP addresses constitute “personal data” under the EU Data Protection Directive; and
- Websites can retain such data without the explicit consent of the user, given that IP addresses alone do not directly identify individuals but can potentially do so when combined with other information.
The CJEU decided that dynamic IP addresses are considered personal information if the website operator has the legal means to access additional information from the ISP that together would identify an individual. IP addresses can be personal data if there is a realistic possibility of combining them with other data to identify an individual.
The CJEU also decided that ISPs can rely on legitimate interests to retain dynamic IP addresses, such as ensuring the proper functioning and security of the website (provided this is balanced against the rights and freedoms of the individual). To do this, data controllers would have to demonstrate that their data retention practices are necessary and proportionate to achieve their legitimate interests.
EU GDPR
Soriano v Forensic News LLC (2021)
Mr Soriano, a British businessman, brought a case against Forensic News LLC, an American news website, and its journalists. The case alleged that a number of articles published on the website were defamatory and involved the processing of Mr Soriano’s personal data in breach of the GDPR. The main issue was a jurisdictional one: did the GDPR apply to Forensic News, a US company? The High Court of England and Wales found that the GDPR did apply because Forensic News was targeting UK readers, which brought it within the scope of the GDPR. The decision confirmed that EU courts could assert jurisdiction over foreign entities like Forensic News when their activities are directed at people in the EU and involve the processing of personal data.
Fashion ID Case (2019)
Fashion ID, a German online clothing retailer, embedded a Facebook “Like” button on its website. This integration resulted in the automatic transmission of personal data (such as the user’s IP address and browser string) to Facebook when users visited Fashion ID’s website, regardless of whether they interacted with the button or had a Facebook account. Verbraucherzentrale NRW, a German consumer protection organization, brought a case against Fashion ID, arguing this breached EU data protection laws.
One of the questions raised was whether Fashion ID could be considered a joint data controller with Facebook in relation to the collection and processing of personal data through the “Like” button.
The Court of Justice of the EU determined that Fashion ID and Facebook were joint controllers. This joint responsibility covered the stages of data collection and transmission but did not extend to the subsequent processing of data by Facebook. Fashion ID enabled Facebook to obtain the personal data of visitors to its website and thus played a role in determining the purposes and means of processing.
Lloyd v Google LLC (2021)
Richard Lloyd brought a representative action against Google LLC on behalf of over 4 million iPhone users in England and Wales. The claim centred on Google’s alleged unlawful tracking of users’ internet activity through Safari, Apple’s default web browser, between 2011 and 2012.
Lloyd argued that Google bypassed Safari’s default privacy settings to collect personal data without users’ consent, in breach of the Data Protection Act 1998 (DPA 1998).
Issues for consideration included:
- whether a representative action (a form of collective redress) could be brought on behalf of a large group of individuals without their explicit consent or involvement; and
- whether individuals could claim damages for the “loss of control” over their personal data without needing to prove specific financial loss or distress.
The UK Supreme Court ruled in favour of Google, reversing the Court of Appeal decision that had allowed the case to proceed. The Supreme Court held that:
- The representative action could not proceed because the members of the represented class did not have the “same interest” as required by Rule 19.6 of the Civil Procedure Rules. The court emphasized that there were significant differences in the circumstances of each individual user, including variations in how they were affected by the alleged data breach; and
- Damages required proof of material damage (e.g. some sort of financial loss). Losing control of data without evidence of any specific harm was insufficient to claim compensation.
The ruling underscored the challenges of bringing collective actions for data protection breaches in the UK. To meet the “same interest” requirement, claimants must demonstrate that all affected individuals share identical circumstances regarding the alleged harm. Claimants seeking compensation for data protection breaches must show evidence of specific harm, such as financial loss or emotional distress, resulting from the breach. General assertions of “loss of control” over personal data are insufficient for claims under the DPA 1998. The decision has significant implications for future data protection claims, particularly regarding collective actions. It limits the scope for individuals to claim damages for data breaches without concrete evidence of harm.
Schrems I and II
Schrems v Data Protection Commissioner 2015 (Schrems I)
Max Schrems challenged the European Commission’s finding of the adequacy of the EU-US Safe Harbor program, which allowed for the transfer of personal data from the EU to US organisations that had agreed to be subject to the program.
The CJEU found that the Safe Harbor program did not provide adequate protection for EU citizens’ personal data against US government surveillance and, consequently, that the European Commission’s adequacy decision for the Safe Harbor scheme was invalid. As a consequence of this finding, the EU-US Privacy Shield was developed (to replace the Safe Harbor program).
Data Protection Commissioner v Facebook Ireland Ltd and Schrems 2020 (Schrems II)
Following the invalidation of Safe Harbor in Schrems I, data transfers continued under the new EU-U.S. Privacy Shield and Standard Contractual Clauses (SCCs).
Schrems filed another complaint challenging the adequacy of these mechanisms, particularly focusing on U.S. surveillance laws. The main issue was whether the EU-U.S. Privacy Shield and SCCs provided adequate protection for data transfers to the U.S. in light of U.S. surveillance practices.
The CJEU invalidated the EU-US Privacy Shield, stating that it did not sufficiently protect the data of people in the EU from US surveillance and lacked adequate redress mechanisms (non-US citizens had limited rights to appear in US courts in regard to surveillance matters). However, in response to concerns about how transfers between the EU and the US could continue, the CJEU upheld the validity of SCCs but indicated that, depending on the local laws in the place where the data is being transferred, additional (or supplementary) protections may be required on top of the SCCs.
As a result, data exporters and importers must ensure that the data protection level required by EU law is respected in the jurisdiction where the data is to be exported, potentially requiring supplementary measures to safeguard transferred data. (In practice, a Transfer Impact Assessment is required to consider the laws of the jurisdiction where the data is to be exported and identify whether any supplementary measures are required.)
Other Important Cases
Digital Rights Ireland Ltd v Minister for Communications Marine and Natural Resources (2014)
This case challenged the legality of the EU Data Retention Directive, which required telecommunications companies to retain all metadata created in the use of telecommunications services for law enforcement purposes.
The CJEU found the EU Data Retention Directive to be invalid, citing it as a disproportionate interference with the fundamental rights to privacy and protection of personal data.
Tele2 Sverige and Tom Watson (2016)
These are two cases that both concerned the legality of national data retention laws.
Tele2 Sverige AB challenged a Swedish law requiring telecommunications providers to retain metadata (such as the time and duration of calls, IP addresses, and location data) for law enforcement purposes.
Similarly, Tom Watson and others challenged the UK’s Data Retention and Investigatory Powers Act 2014 (DRIPA), which mandated similar data retention.
The central question was whether these national data retention laws were compatible with EU law, particularly the Charter of Fundamental Rights of the EU and the EU Data Protection Directive.
The Court of Justice of the EU ruled that general and indiscriminate retention of all traffic and location data of all subscribers and registered users is incompatible with EU law. Such blanket retention is considered a severe interference with the fundamental rights to privacy and protection of personal data under Articles 7 and 8 of the Charter of Fundamental Rights of the European Union.
The CJEU established that any data retention regime must be targeted and based on objective criteria. Data retention must be limited to what is strictly necessary and should cover specific categories of data, persons or geographic areas. As well, access to retained data must be restricted and subject to prior review by a court or an independent administrative body.
The CJEU emphasized that any legislation involving data retention must ensure that such measures are strictly necessary for objectives such as combating serious crime, and are proportionate to the aim pursued.
Lopez Ribalda v Spain (2019)
The case involved five employees (including Laura López Ribalda) who worked as cashiers at a supermarket in Spain. The employer installed both visible and hidden surveillance cameras in response to suspicions of theft. The visible cameras were aimed to monitor the store, while the hidden cameras were positioned to focus on the checkout area, where the employer believed the thefts were occurring. The employees were not informed about the hidden cameras. Eventually, the hidden cameras captured footage of the employees committing theft, leading to their dismissal.
On appeal, it was held that there was no violation of any Article 8 right to privacy. The Grand Chamber took into account the legitimate aim of the employer (preventing theft), the limited duration of the surveillance, the narrow scope (only targeted areas were monitored), and the fact that a restricted number of people viewed the footage. The Grand Chamber emphasized that national courts had adequately balanced the interests of the employer and the privacy rights of the employees.
The ruling highlighted that:
- covert surveillance by employers can be justified if it pursues a legitimate aim (such as preventing theft) and is proportionate, meaning it is limited in scope and duration and used only when necessary; and
- while prior notification is generally required, exceptions can be made when informing employees would defeat the purpose of the surveillance, provided that the measures are proportionate and subject to adequate safeguards.
Big Brother Watch and Others v United Kingdom (2018 and 2021)
The case involves several privacy and human rights organisations, including Big Brother Watch, challenging the UK’s surveillance practices under the Regulation of Investigatory Powers Act 2000 (RIPA) and the Investigatory Powers Act 2016 (IPA). The applicants argued that the UK’s bulk interception of communications, intelligence sharing with foreign governments, and the acquisition of communications data from service providers violated their rights to privacy and freedom of expression.
Specific issues:
- Bulk interception of communications: whether the UK’s bulk interception regime under RIPA was compatible with the right to privacy under Article 8 and the right to freedom of expression under Article 10 of the European Convention on Human Rights (ECHR).
- Intelligence sharing: whether the UK’s intelligence-sharing arrangements with foreign governments were compatible with Articles 8 and 10 of the ECHR.
- Acquisition of communications data: whether the regime for obtaining communications data from service providers under RIPA was compatible with Articles 8 and 10 of the ECHR.
The European Court of Human Rights (ECtHR) issued rulings on two separate occasions, in 2018 and 2021, addressing different aspects of the case:
2018 Ruling
Bulk interception:
The ECtHR found that the UK’s bulk interception regime violated Article 8 of the ECHR due to insufficient oversight and safeguards. The regime lacked adequate guarantees to prevent abuse and ensure data protection. However, the court did not rule out bulk interception in principle but emphasized the need for robust safeguards and oversight mechanisms.
Intelligence sharing:
The ECtHR found that the UK’s intelligence-sharing practices were not inherently incompatible with the ECHR, but there needed to be sufficient safeguards in place to ensure that the shared data was not misused.
Acquisition of communications data:
The ECtHR found that the UK’s regime for acquiring communications data from service providers violated Article 8 due to the lack of prior review by a court or an independent administrative body.
2021 Ruling
Bulk interception and oversight:
The Grand Chamber of the ECtHR affirmed the 2018 decision, reiterating that while bulk interception is not inherently incompatible with the ECHR, the UK’s regime lacked the necessary safeguards. It emphasized the need for a robust legal framework to ensure effective oversight and prevent abuse.
The case underscored the importance of robust safeguards and independent oversight mechanisms in bulk interception regimes to protect individuals’ privacy rights. It also confirmed that intelligence sharing with foreign governments is permissible under the ECHR if adequate safeguards are in place to protect against misuse.
This case significantly influenced the development of surveillance laws in the UK and other Council of Europe member states, emphasizing the need for robust legal safeguards to protect individual privacy and ensure compliance with human rights standards.
Conclusion
The above are just some of the most relevant decisions that have built up data protection law in Europe, helping define the fundamental purpose and principles and provide much needed direction to both regulators and the regulated community.
Wouldn’t it be great to be in a country with substantial jurisprudence around privacy rights or where, at the very least, the right to privacy had been seriously considered by the courts?