CJEU

 

  1. The CJEU “Right to be Forgotten” Ruling.  In May 2014, the Court of Justice of the European Union (CJEU) delivered an important judgement in a referral from Spain’s National High Court involving Google, a Spanish national, and the Spanish data protection authority (Case C-131/12).  The CJEU’s decision re-interpreted European data protection law to include a so-called “right to be forgotten” that enabled individuals to request search engines to block links that appear on searches of their names if the links go to information that is incomplete, inaccurate, irrelevant, or otherwise damaging to an individual’s privacy.  (This right is limited in the case of public figures, however.)  The decision also found that Google was subject to European data protection law because it operated subsidiaries in Europe whose business was to raise advertising revenues in relation to the search engine’s data processing activities.  The decision triggered an immediate tidal wave of tens of thousands of requests to Google and other search engines that continues to raise controversies to this day.
  1. CJEU strikes down the Data Retention Directive as invalid. In April 2014, the CJEU took the rare step of annulling the controversial Data Retention Directive, which mandated the systematic (“bulk”) retention of communications metadata by telecommunications companies in the EU, for potential access by law enforcement authorities (see our blog post here).  The Court criticised the Directive’s indiscriminate targeting of suspects and non-suspects alike, and the law’s general lack of safeguards, finding that it amounted to an “interference with the fundamental rights of practically the entire European population” contrary to Articles 7 and 8 of the Charter of Fundamental Rights of the EU.  The Directive’s invalidation raised questions about the continuing validity of the national laws that had implemented the Directive throughout the EU.  In the UK, this lead to the accelerated adoption of substitute legislation, the Data Retention and Investigatory Powers Act 2014 (“DRIPA”), and its implementing regulations.
    Continue Reading Top 10 International Privacy Developments of 2014

By Fredericka Argent

Last week, the Court of Justice of the European Union (CJEU) ruled that owners of home surveillance cameras could be breaching the EU Data Protection Directive 95/46/EU (the Directive), when those cameras are used to monitor public spaces.  The ruling was made following a request from the Nejvyšší správní soud (The Supreme Administrative Court of the Czech Republic) for interpretive guidance.

According to the facts, Mr Ryneš, from the Czech Republic, had set up a camera to monitor the footpath outside of his home in response to a series of break-ins that he and his family had suffered.  One of the suspects of a break-in was subsequently caught on camera, and the video recording was used as evidence in the criminal proceedings that followed.  However, the suspect separately made a complaint to the Czech Data Protection Office that the surveillance system used by Mr Ryneš was unlawful.  The Czech Data Protection Office agreed. Mr Ryneš then brought an action challenging that decision, which was appealed to the Czech Supreme Court.
Continue Reading The EU’s Highest Court Rules That The EU’s Data Protection Directive Applies To Home Security Surveillance Cameras

On November 25, 2014, the Article 29 Working Party agreed guidelines for data protection authorities seeking to apply the Court of Justice of the European Union (CJEU) ruling reached earlier this year against Google, which has become known as the right to be forgotten or “RTBF” ruling.  The full guidelines have not yet been published, but the Working Party has now released a short statement that already addresses some important issues.

The Working Party guidelines are not legally binding, but will influence enforcement decisions made by Europe’s data protection authorities.

These clarifications are written for data protection authorities, but will also help Google and other search engines understand the requirements set out in the CJEU judgment in better detail; we’ll provide more information in a later blog post when the full guidance is released.Continue Reading Article 29 Working Party Agrees Right to Be Forgotten Guidance Following May 2014 CJEU Ruling Against Google

By Jacqueline Clover

The Court of Justice of the European Union (‘CJEU’) has ruled that an analysis produced by an administrative agency to inform and support the agency’s formal decisions (‘legal analysis’) is not of itself “personal data” as defined under Directive 95/46/EC (the ‘EU Data Protection Directive’).  This is the case even where the legal analysis contains information that is clearly “personal data”, such as an individual’s name, date of birth, nationality and gender.  The ruling of 17 July 2014 in Joined Cases C-141/12 and C-372/12 YS v. Minister voor Immigratie, Integratie en Asiel, and Minister voor Immigratie, Integratie en Asiel v. M, S, is available here.

It is an important decision for two reasons.  First, it clarifies the boundaries of what constitutes “personal data” under EU law. And, second, it clarifies that a data subject’s right of access under the EU Data Protection Directive does not necessarily require access to the actual records containing personal data. In some cases, a full summary of the personal data in an intelligible form suffices.Continue Reading EU Court of Justice clarifies the definition of personal data and scope of access requests