GDPR court decisions still only a trickle: there might be a deluge yet

Court decisions relating to privacy since GDPR came into force have not exactly been pouring out. But some key decisions have been made. Right now, it feels like regulators are waging a phoney war – it won’t last.

“You haven’t seen anything yet” Nicola McKilligan Regan, one of the leading experts on privacy regulations in the UK, told GDPR Report on the eve of the regulation coming into force.

Well, since then, we have seen more than nothing, but is there anything to startle the world?

The ECJ – The European Court of Justice – has made some important decisions.

On June 5th, it did decide, for example, that administrators of fan pages on Facebook were jointly responsible, along with Facebook, for the processing of data related to visitors to the site. This particular case began when Wirtschaftsakademie Schleswig-Holstein (a training academy), appealed against a decision in 2011 by the state of Schleswig Holstein to deactivate its Facebook page because Facebook was able to collect data on visitors via a cookie. Wirtschaftsakademie argued that it was not responsible for Facebook’s data processing. Not only did the court decide that Wirtschaftsakademie has joint responsibility for data collected, this even applied when one of the parties involved does not have full access to the data. In this case, Facebook only supplied anonymous data to Wirtschaftsakademie on traffic to its site, even so, the court decided that the academy had joint responsibility for the non anonymous data processed by Facebook. However, the court did decide that joint responsibility does not imply equal responsibility.

The ECJ has also decided that Jehovah’s Witnesses need consent from data subjects to process any information they collect in the course of day-to-day preaching. The presiding judge said: “A religious community, such as the Jehovah’s Witnesses, is a controller, jointly with its members who engage in preaching, for the processing of personal data carried out by the latter in the context of door-to-door preaching.”

The judgement also had important implications regarding joint ownership of data. It stated: “As expressly provided in Article 2(d) of Directive 95/46, the concept of ‘controller’ refers to the natural or legal person who ‘alone or jointly with others determines the purposes and means of the processing of personal data’. Therefore, that concept does not necessarily refer to a single natural or legal person and may concern several actors taking part in that processing, with each of them then being subject to the applicable data protection provisions.”

Meanwhile, Max Schrems has been busy. The Austrian privacy activist formally won an appeal at the ECJ against Facebook. The decision meant that the Safe Harbour agreement between the US and EU did not provide sufficient protection, creating the need to form the Privacy Shield.

Schrems is still pursuing Facebook and the way data is transferred between the EU and US, putting a big question mark over the sustainability of the Privacy Shield. This particular case has not reached the ECJ. The Irish Supreme Court has recently reached a somewhat surprising Judgement to hear Facebook’s appeal. Justice Frank Clarke said: “I am satisfied that this court should proceed on the basis that it is at least arguable that Facebook might be in a position to persuade this court that some or all of the facts under challenge should be reversed.”

Turning to Germany, ICANN – The Internet Corporation for Assigned Names and Numbers – has lost a legal dispute with the German domain registrar to force the inclusion of more detailed information on individuals behind websites.

ICANN publishes WhoIs – a database that can be used by security forces, companies or individuals to check out the name of the owners of a website. The German domain registrar EPGA supplies this information, but ICANN also wanted additional information, in particular, technical and administrative contacts. EPGA said that it was forbidden to do this under GDPR, so ICANN filed a law suit with the Regional Court of Bonn.

The court heard in favour of EPGA. It concluded that details of the “domain holder, which continues to be indisputably collected and stored” is sufficient information required for the purpose that the data is collected.

The court said: ICANN “can only claim loyalty to the contract from [EPAG] to the extent that the contractual agreements are in accordance with applicable law”.

It continued: “[ICANN] has not demonstrated that the storage of other personal data than that of the domain holder, which continues to be indisputably collected and stored, is indispensable for the purposes of [ICANN].”

Explaining further, the court said: “Against the background of the principle of data minimisation, the [court] is unable to see why further data sets are needed in addition to the main person responsible.”

It would be a mistake to assume that the relatively modest level of court activity since May 25th when the GDPR came into force is a sign of things to follow. After all, it takes time to prepare a legal case, and very little time has elapsed since the end of May.

More cases are surely set to follow.

PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.

Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered.