'The Pathway to Google Spain': Orla Lynskey
Duration: 17 mins 1 sec
Share this media item:
Embed this media item:
Embed this media item:
About this item
| Description: |
Dr Orla Lynskey, London School of Economics delivers the third lecture from the "The Pathway to Google Spain" section of the "EU Internet Regulation After Google Spain" conference.
This conference was held at the Faculty of Law, University of Cambridge on 27 March 2015, and brought together leading experts on Data Protection and Privacy from around the World. The conference was held with the support of the Centre for European Legal Studies (CELS). This entry provides an audio source for iTunes U. |
|---|
| Created: | 2015-04-15 10:05 |
|---|---|
| Collection: | EU Internet Regulation After Google Spain: Conference 2015 MOVED |
| Publisher: | University of Cambridge |
| Copyright: | Orla Lynskey, Mr D.J. Bates |
| Language: | eng (English) |
Transcript
Transcript:
Good morning. Thanks to Dr Erdos for inviting me and for organizing this conference, and it's a real pleasure to be back at Cambridge for the day.
I've been asked this morning to talk about the jurisprudence of the Court of Justice in the lead up to, or as a background to, the Google Spain case. There's been remarkably little case law in front of the Court of Justice dealing with data protection issues, despite the fact that we’ve had the Data Protection Directive for almost two decades. But rather than going case by case through the jurisprudence, which might be a little dry for the morning slot, what I’ve instead tried to do is to demonstrate that the case law prior to Google Spain is entirely consistent with the Court's findings in the Google Spain judgment. And I say this for three reasons. So I guess the subtext here is the reasons why we should have seen Google Spain coming, and I think that's for three reasons.
So first of all, the Court has continuously insisted upon the broad scope of application of the data protection rules. And that’s something that is reflected in the Google Spain judgment, and you see that through, for instance, the broad scope of territorial application, which the Court gives to the Data Protection Directive in that case, where it says that Google search engine processing is in the context of the advertising activities of its Spanish subsidiary. So broad scope of territorial application there, something which the Advocate General was in agreement with. But then also you see this broad scope of application is affected in other ways, which I'll go on to talk about.
The second point, which I think is quite evident, is that, despite a slow start, the Court is now placing increasing emphasis on the EU Charter and in particular, on the EU Charter’s rights to data protection and to privacy. So, unlike other international instruments, the EU Charter includes both a right to privacy in Article 7 and a right to data protection in Article 8. The Court has been quite forthcoming now in emphasizing the effectiveness of those rights.
And then the third point I think we could adduce in order to support the Google Spain finding, for good or for bad, is that the Court at present seems to be quite emboldened. It has taken several judgments, which illustrate in my opinion that it is not entirely concerned about the political fallout that will follow from its decisions. So I’ll elaborate on these three points now.
So first of all, if we take the broad scope of application of the data protection rules, here I think you can see that the Directive has a broad personal scope in terms of how we define who is a data subject, and also as we saw in Google Spain, who is a data controller. So in that case, the Advocate General had argued that in order to be viewed as a data controller —so an entity, a company which would be responsible and or have obligations pursuant to the data protection rules — there should be a knowledge that the company concerned is processing as a company, could also be a local authority, the entity concerned. There should be a knowledge that there is processing of personal data. Now, a literal interpretation of the Directive doesn't include that knowledge criterion, and actually the Court rejected the idea that a data controller has to have knowledge that they are processing personal data in order to have obligations pursuant to the Directive. Google here might have been quite a particular case but I think if you look to the kind of broader issue the application of data protection rules that’s actually quite sensible finding. Because in the absence of that finding, companies could plead ignorance of the fact that they are processing personal data in order to escape obligations pursuant to the data protection rules. But you see there that the Court is defensive of the broad personal application of the data protection rules.
You also see broad material scope of the rules. So here data processing is pretty much anything that you could do with personal data, and personal data is any information relating to an identified or identifiable person. Jeff has just spoken about identifiability and the issue of public and private in the context of things like anonymization, but I think it's important to highlight here that that definition of personal data goes beyond the type of data that might be covered by the Article 8 ECHR right to privacy. It's a very broad definition.
So we have this very broad scope of application of the data protection rules, and as I just said, unlike the right to privacy in certain contexts, this will always apply to material in the public domain. This is irrespective of whether the information is publicly available or not. This broad scope of application has been defended by the Court, in its case law. So it’s very protective of the Directive’s scope of application. So I’ve just indicated a couple of cases here but in a case like Schwartz, what was concerned with was the fingerprinting data of a German national who was obliged to provide this fingerprint data in order to obtain a passport from his local authority, in, well, through the German government at home, and he objected to this on the grounds that it was unnecessary data processing. The Court recognized without hesitation that this type of data, which would also benefit from the right to privacy, constitutes personal data in the context of the Directive.
A more complicated case, you might say, is Bavarian Lager. And there you had a query about access to minutes of a meeting between industry representatives and European Commission officials. The Commission was refusing to grant access to the minutes of this meeting on the grounds that the names of the industry representatives constituted personal data. Between the Court of First Instance at the time, the Advocate General and the Court of Justice—there was a dispute about whether or not those industry representative names could benefit from the right to privacy because although there’s right to privacy in the workplace, here it doesn't seem to sit very well with the reasonable expectation of privacy, given that the access was sought under transparency regulations at the EU level and equally, with the rationale for privacy in the workplace, which is to allow individuals to develop relations. And clearly, the whole aim of transparency legislation is to prevent cosy relationships between Commissioner officials and industry representatives. So this might not have been covered by the right to privacy but it clearly fell within scope of the right to data protection, and of data protection legislation. So you can see again a broad scope.
Then, I think the most recent notable case on this is a case from last December, where the Court was asked to consider whether or not the exception to the scope of the data protection rules, which is an exception for personal data which are processed for purely personal or household purposes, could be applied to the case of Mr. Rynes. Mr. Rynes was an individual who had installed a form of closed-circuit TV outside of his front door because his family home had been subject to numerous attacks in the past. So this camera was installed for personal security purposes, and it captured the pathway up to his front door but it also captured part of the public path outside of his front door. This camera happened to capture some footage relating to an attack on his house. The footage was brought forward to be used in the proceedings against the perpetrators, and the question was raised as to whether or not that footage could be used because Mr. Rynes hadn’t received prior authorization for the processing, and hadn’t complied with his obligations as a data controller. So was the capture of this footage compatible with data protection law? He argued that the processing in this instance was for purely personal or household reasons. The footage wasn't automatically recorded over itself; it wasn’t retained. He didn't have a way to examine the footage remotely on a phone or anything else. And yet the Court found that that, in this instance, the footage was not purely personal because it captured a public pavement. So you see there, that that is a remarkably narrow interpretation of the purely household and personal processing exception in order to preserve the broad scope of application of the rules.
But in that case, the Court kind of was at pains to emphasize that just because you fall within the scope of the data protection rules doesn't mean that the processing is unlawful; rather, at that point, once you're within the fold of the rules, there is a system of checks and balances which determines whether or not the processing can be lawful in that particular circumstance. So you have a very strong indication from the Court there that Mr. Rynes would have been able to justify this processing, and that it would have been adequate.
So we have the broad scope of application, which is reflected in Google Spain. We also have an increased emphasis on the effectiveness of the EU Charter rights. So, I would argue that in the early years, prior to the Charter acquiring binding force or becoming a justiciable instrument in 2009, there was an initial reluctance on the Court to point to the Charter right to privacy in order to justify its actions in any given case. I think this kind of narrow interpretation of the Directive is particularly visible in a case like Satamedia . So in that case you an issue about whether or not data on high earners — so those who were earning over 100,000 Euro a year — could be disseminated via text message by a private company. There, the private company had pleaded that this dissemination could benefit from the Directive’s exemption for processing for journalistic purposes. So the argument was the text message dissemination is journalistic, and therefore can fall outside the scope of the data protection rules. And there the Court interpreted that journalistic purposes exception really broadly, so it said that it applies to the disclosure of information, ideas, or opinions to the public.
Fast forward to last year and you can see that clearly the definition of journalistic purposes has changed significantly when it comes to the Google Spain case. So we have seen, I believe, a change in a change in tack when it comes to what could benefit from this exemption for journalistic purposes.
Finally, I think in addition to that change in tack, there’s perhaps in the Court's case-law, an indifference to the disconnect between law [and] it’s maybe a bit harsh to call it reality, but certainly technological developments, and that, you know is one of the big criticisms of the Google Spain case. That's also a criticism of the Lindqvist case where the Court seemed to have kind of mixed feelings about how the Directive should apply to the Internet. So on the one hand it held that the act of a pensioner who was uploading data to a charitable web site for personal purposes, as part of her data processing course, could be criminally prosecuted for that action because it was personal data processing, because she uploaded information on her colleagues to the Internet. But on the other hand it stopped short of saying that she should have been responsible for international data transfers. So you can see that the Courts have kind of struggled to apply this old Directive to new circumstances.
Finally, I think you see, at the moment, a stronger Court, particularly when it comes to fundamental rights. This is perhaps because of, as I said, the introduction of the Charter, the Charter’s acquisition of binding force in 2009. But that was very visible in last year's judgment in Digital Rights Ireland. The Court, for the first time, struck down an entire piece of legislation on the basis that it was not compatible with the EU Charter rights. In so doing, it ignored the Advocate General's request that that the judgment have a temporal limitation, which would allow Member States to put in place arrangements for data retention while a new Directive would be enacted. So it ignored that.
But equally, I think if you look at something like Opinion 2/2013 , which is where the Court was asked to assess the illegality of the European Union's accession agreement to the ECHR, with EU law. It found that that accession agreement to the ECHR was incompatible with EU law. In an incredibly kind of complicated judgment - which I think could be narrowly read - it effectively said that by signing up to the ECHR as the agreement stands, it would be circumventing things like the preliminary reference procedure before the Court. So again, clearly a case where it wasn’t too concerned about the political implications of its findings.
Then finally, this week before the Court of Justice, we had the hearing in the Schrems case, which was a preliminary reference from the Irish High Court, where the compatibility of the Safe Harbor Principles — so, allowing data transfers between the EU and the US — was challenged on the basis that those principles, which were adopted in the year 2000, no longer reflected a situation where adequate protection was being offered to EU citizens when their data are transferred to the US, as a result of the Snowden revelations. There, I believe, from everything I’ve read and heard about the proceedings, they were quite lively, and that the Commission was left more or less (I think I can say this) on the back foot, in arguing that in order to effectively protect fundamental rights, individuals should possibly not sign up to Facebook.
So, what it remains to be seen, and what will happen with that judgment—the opinion of the Advocate General is due on the 24th of June—but I would say, based on what we've seen so far, the ingredients would indicate that Schrems has a good chance of succeeding in that case.
I've been asked this morning to talk about the jurisprudence of the Court of Justice in the lead up to, or as a background to, the Google Spain case. There's been remarkably little case law in front of the Court of Justice dealing with data protection issues, despite the fact that we’ve had the Data Protection Directive for almost two decades. But rather than going case by case through the jurisprudence, which might be a little dry for the morning slot, what I’ve instead tried to do is to demonstrate that the case law prior to Google Spain is entirely consistent with the Court's findings in the Google Spain judgment. And I say this for three reasons. So I guess the subtext here is the reasons why we should have seen Google Spain coming, and I think that's for three reasons.
So first of all, the Court has continuously insisted upon the broad scope of application of the data protection rules. And that’s something that is reflected in the Google Spain judgment, and you see that through, for instance, the broad scope of territorial application, which the Court gives to the Data Protection Directive in that case, where it says that Google search engine processing is in the context of the advertising activities of its Spanish subsidiary. So broad scope of territorial application there, something which the Advocate General was in agreement with. But then also you see this broad scope of application is affected in other ways, which I'll go on to talk about.
The second point, which I think is quite evident, is that, despite a slow start, the Court is now placing increasing emphasis on the EU Charter and in particular, on the EU Charter’s rights to data protection and to privacy. So, unlike other international instruments, the EU Charter includes both a right to privacy in Article 7 and a right to data protection in Article 8. The Court has been quite forthcoming now in emphasizing the effectiveness of those rights.
And then the third point I think we could adduce in order to support the Google Spain finding, for good or for bad, is that the Court at present seems to be quite emboldened. It has taken several judgments, which illustrate in my opinion that it is not entirely concerned about the political fallout that will follow from its decisions. So I’ll elaborate on these three points now.
So first of all, if we take the broad scope of application of the data protection rules, here I think you can see that the Directive has a broad personal scope in terms of how we define who is a data subject, and also as we saw in Google Spain, who is a data controller. So in that case, the Advocate General had argued that in order to be viewed as a data controller —so an entity, a company which would be responsible and or have obligations pursuant to the data protection rules — there should be a knowledge that the company concerned is processing as a company, could also be a local authority, the entity concerned. There should be a knowledge that there is processing of personal data. Now, a literal interpretation of the Directive doesn't include that knowledge criterion, and actually the Court rejected the idea that a data controller has to have knowledge that they are processing personal data in order to have obligations pursuant to the Directive. Google here might have been quite a particular case but I think if you look to the kind of broader issue the application of data protection rules that’s actually quite sensible finding. Because in the absence of that finding, companies could plead ignorance of the fact that they are processing personal data in order to escape obligations pursuant to the data protection rules. But you see there that the Court is defensive of the broad personal application of the data protection rules.
You also see broad material scope of the rules. So here data processing is pretty much anything that you could do with personal data, and personal data is any information relating to an identified or identifiable person. Jeff has just spoken about identifiability and the issue of public and private in the context of things like anonymization, but I think it's important to highlight here that that definition of personal data goes beyond the type of data that might be covered by the Article 8 ECHR right to privacy. It's a very broad definition.
So we have this very broad scope of application of the data protection rules, and as I just said, unlike the right to privacy in certain contexts, this will always apply to material in the public domain. This is irrespective of whether the information is publicly available or not. This broad scope of application has been defended by the Court, in its case law. So it’s very protective of the Directive’s scope of application. So I’ve just indicated a couple of cases here but in a case like Schwartz, what was concerned with was the fingerprinting data of a German national who was obliged to provide this fingerprint data in order to obtain a passport from his local authority, in, well, through the German government at home, and he objected to this on the grounds that it was unnecessary data processing. The Court recognized without hesitation that this type of data, which would also benefit from the right to privacy, constitutes personal data in the context of the Directive.
A more complicated case, you might say, is Bavarian Lager. And there you had a query about access to minutes of a meeting between industry representatives and European Commission officials. The Commission was refusing to grant access to the minutes of this meeting on the grounds that the names of the industry representatives constituted personal data. Between the Court of First Instance at the time, the Advocate General and the Court of Justice—there was a dispute about whether or not those industry representative names could benefit from the right to privacy because although there’s right to privacy in the workplace, here it doesn't seem to sit very well with the reasonable expectation of privacy, given that the access was sought under transparency regulations at the EU level and equally, with the rationale for privacy in the workplace, which is to allow individuals to develop relations. And clearly, the whole aim of transparency legislation is to prevent cosy relationships between Commissioner officials and industry representatives. So this might not have been covered by the right to privacy but it clearly fell within scope of the right to data protection, and of data protection legislation. So you can see again a broad scope.
Then, I think the most recent notable case on this is a case from last December, where the Court was asked to consider whether or not the exception to the scope of the data protection rules, which is an exception for personal data which are processed for purely personal or household purposes, could be applied to the case of Mr. Rynes. Mr. Rynes was an individual who had installed a form of closed-circuit TV outside of his front door because his family home had been subject to numerous attacks in the past. So this camera was installed for personal security purposes, and it captured the pathway up to his front door but it also captured part of the public path outside of his front door. This camera happened to capture some footage relating to an attack on his house. The footage was brought forward to be used in the proceedings against the perpetrators, and the question was raised as to whether or not that footage could be used because Mr. Rynes hadn’t received prior authorization for the processing, and hadn’t complied with his obligations as a data controller. So was the capture of this footage compatible with data protection law? He argued that the processing in this instance was for purely personal or household reasons. The footage wasn't automatically recorded over itself; it wasn’t retained. He didn't have a way to examine the footage remotely on a phone or anything else. And yet the Court found that that, in this instance, the footage was not purely personal because it captured a public pavement. So you see there, that that is a remarkably narrow interpretation of the purely household and personal processing exception in order to preserve the broad scope of application of the rules.
But in that case, the Court kind of was at pains to emphasize that just because you fall within the scope of the data protection rules doesn't mean that the processing is unlawful; rather, at that point, once you're within the fold of the rules, there is a system of checks and balances which determines whether or not the processing can be lawful in that particular circumstance. So you have a very strong indication from the Court there that Mr. Rynes would have been able to justify this processing, and that it would have been adequate.
So we have the broad scope of application, which is reflected in Google Spain. We also have an increased emphasis on the effectiveness of the EU Charter rights. So, I would argue that in the early years, prior to the Charter acquiring binding force or becoming a justiciable instrument in 2009, there was an initial reluctance on the Court to point to the Charter right to privacy in order to justify its actions in any given case. I think this kind of narrow interpretation of the Directive is particularly visible in a case like Satamedia . So in that case you an issue about whether or not data on high earners — so those who were earning over 100,000 Euro a year — could be disseminated via text message by a private company. There, the private company had pleaded that this dissemination could benefit from the Directive’s exemption for processing for journalistic purposes. So the argument was the text message dissemination is journalistic, and therefore can fall outside the scope of the data protection rules. And there the Court interpreted that journalistic purposes exception really broadly, so it said that it applies to the disclosure of information, ideas, or opinions to the public.
Fast forward to last year and you can see that clearly the definition of journalistic purposes has changed significantly when it comes to the Google Spain case. So we have seen, I believe, a change in a change in tack when it comes to what could benefit from this exemption for journalistic purposes.
Finally, I think in addition to that change in tack, there’s perhaps in the Court's case-law, an indifference to the disconnect between law [and] it’s maybe a bit harsh to call it reality, but certainly technological developments, and that, you know is one of the big criticisms of the Google Spain case. That's also a criticism of the Lindqvist case where the Court seemed to have kind of mixed feelings about how the Directive should apply to the Internet. So on the one hand it held that the act of a pensioner who was uploading data to a charitable web site for personal purposes, as part of her data processing course, could be criminally prosecuted for that action because it was personal data processing, because she uploaded information on her colleagues to the Internet. But on the other hand it stopped short of saying that she should have been responsible for international data transfers. So you can see that the Courts have kind of struggled to apply this old Directive to new circumstances.
Finally, I think you see, at the moment, a stronger Court, particularly when it comes to fundamental rights. This is perhaps because of, as I said, the introduction of the Charter, the Charter’s acquisition of binding force in 2009. But that was very visible in last year's judgment in Digital Rights Ireland. The Court, for the first time, struck down an entire piece of legislation on the basis that it was not compatible with the EU Charter rights. In so doing, it ignored the Advocate General's request that that the judgment have a temporal limitation, which would allow Member States to put in place arrangements for data retention while a new Directive would be enacted. So it ignored that.
But equally, I think if you look at something like Opinion 2/2013 , which is where the Court was asked to assess the illegality of the European Union's accession agreement to the ECHR, with EU law. It found that that accession agreement to the ECHR was incompatible with EU law. In an incredibly kind of complicated judgment - which I think could be narrowly read - it effectively said that by signing up to the ECHR as the agreement stands, it would be circumventing things like the preliminary reference procedure before the Court. So again, clearly a case where it wasn’t too concerned about the political implications of its findings.
Then finally, this week before the Court of Justice, we had the hearing in the Schrems case, which was a preliminary reference from the Irish High Court, where the compatibility of the Safe Harbor Principles — so, allowing data transfers between the EU and the US — was challenged on the basis that those principles, which were adopted in the year 2000, no longer reflected a situation where adequate protection was being offered to EU citizens when their data are transferred to the US, as a result of the Snowden revelations. There, I believe, from everything I’ve read and heard about the proceedings, they were quite lively, and that the Commission was left more or less (I think I can say this) on the back foot, in arguing that in order to effectively protect fundamental rights, individuals should possibly not sign up to Facebook.
So, what it remains to be seen, and what will happen with that judgment—the opinion of the Advocate General is due on the 24th of June—but I would say, based on what we've seen so far, the ingredients would indicate that Schrems has a good chance of succeeding in that case.