Dear readers,

On May 25, the General Data Protection Regulation (GDPR) will celebrate its fourth birthday. In the past four years, the opinions of the data protection supervisory authorities, among others, have helped to make the abstract-general requirements of the GDPR more concrete and to simplify the practical implementation of data protection measures. In order to keep you up to date in this regard, we will continue to report on current events in data protection law in this month's data protection newsletter, for example, on the current positioning of the supervisory authorities with regard to Facebook fan pages. In the focus topic, we provide information on data processing based on legitimate interests.

For feedback on this newsletter or questions related to the newsletter topics, please email us at datenschutz@brandi.net. You can also find the other contact details on our homepage.

Dr. Sebastian Meyer and the BRANDI data protection team

Topic of the month: Data processing based on legitimate interests

The processing of personal data within the scope of the General Data Protection Regulation (GDPR) is subject to a "prohibition with reservation of permission": it is prohibited unless it is exceptionally permitted on the basis of a legal authorization. Accordingly, such a legal authorization, a legal basis, is required to determine the lawfulness of a processing of personal data.

The main legal bases are enumerated in Article 6 of the GDPR. They include processing on the basis of a legitimate interest pursuant to Article 6(1)(1)(f) of the GDPR, the prerequisites and specifics of which are outlined below.

To the complete main topic

ECJ: Consumer protection associations' right to bring collective actions

Following a request for a preliminary ruling by the German Federal Court of Justice (Bundesgerichtshof, BGH), the European Court of Justice (ECJ) has ruled that consumer protection associations may bring collective actions based on data protection violations (ECJ, judgment of April 28, 2022 - Ref. C-319/20).

The decision is based on an action for an injunction filed by the Federation of German Consumer Organisations (vzbv) against Meta Platforms Ireland. Meta Platforms Ireland is the entity responsible for processing personal data of Facebook users in the EU. The Facebook social network also includes a so-called "App Center", through which users can access free third-party games. When the user accesses certain games, a notice appears stating that the use of the application allows the game provider to collect a number of personal data and entitles it to publish information on behalf of that user. By using the Application, the User agrees to the Game Provider's Terms and Conditions and Privacy Policy. In addition, for a particular game, the user is informed that the application may publish photos and other information on his behalf. The vzbv considered these notices in the app center to be unfair.

Since the BGH had doubts about the admissibility of the vzbv's action, and in particular about its authority to bring the action, the case was referred to the ECJ. In its ruling, the ECJ states that although the GDPR has in principle completely harmonized national laws on the protection of personal data, Article 80(2) of the GDPR nevertheless gives the member states discretionary powers with regard to implementation. On this basis, Member States could therefore provide for associational actions without mandate in the area of data protection infringements in their national law. However, the relevant legislation should not violate the content and objectives of the GDPR.

In order for an institution, organization or association to have standing, it must meet the criteria listed in Article 80(1) of the GDPR. This could include an association for the protection of consumer interests that pursues an objective in the public interest, such as ensuring the rights and freedoms of data subjects in their capacity as consumers. The body could bring an action by association, independently of a mandate given to it, only if it considered that the rights of an individual had been infringed as a result of the processing of his or her personal data. However, it is not necessary to identify in advance the specific individual affected by the alleged data protection breach. Rather, the designation of a category or group of persons affected by such processing was sufficient. Bringing the action was not conditional on the existence of a concrete infringement of a person's rights either; here, the possibility of an impairment was sufficient. The ECJ also pointed out that the infringement of a provision on the protection of personal data could at the same time entail the infringement of provisions on consumer protection or unfair commercial practices.

(Johanna Schmale)

ECJ on data retention

The ECJ has ruled that EU law precludes the general and indiscriminate retention of traffic and location data relating to electronic communications for the purpose of combatting serious crime. A national court cannot set a time limit on the effects of an invalidation of national legislation providing for such retention (ECJ, judgment of April 5, 2022 – Ref. C-140/20, see also the ECJ press release).

The decision is based on a case in which the defendant was sentenced to life imprisonment for the murder of a woman in Ireland in March 2015. In the appeal against his conviction before the Court of Appeal in Ireland, the defendant accused the court of first instance, among other things, of having wrongly admitted traffic and location data in connection with telephone calls as evidence. In the further course of the proceedings, the Supreme Court of Ireland made a reference for a preliminary ruling concerning the requirements of EU law in the area of the retention of the aforementioned data for the purpose of combating serious crime, as well as concerning the necessary guarantees in the area of access to these data. He also expressed doubts as to the scope and temporal effect of any invalidation regarding a 2011 Irish law that regulated the storage of and access to such data. The law had been enacted to implement Directive 2006/24/EC on data retention, which, however, the ECJ had later declared invalid (ECJ, judgment of April 8, 2014 in Joined Cases C-293/12 and C-594/12).

In its new judgment, the ECJ ruled that European Union law precludes national legislation that provides for the preventive general and indiscriminate retention of traffic and location data relating to electronic communications for the purpose of combatting serious crime.

Data retention could only be considered under certain conditions. Specifically, in order to combat serious crime and prevent serious threats to public security, Union law would allow legislation to provide for:

1. targeted retention of traffic and location data on the basis of categories of data subjects or by means of a geographical criterion;

2. general and indiscriminate retention of IP addresses, assigned to the source of a connection;

3. general and indiscriminate retention of data relating to the identity of users of electronic communications; or

4. immediate backup of traffic and location data available to providers of electronic communications services.

The processing of requests for access to data retained by providers of electronic communications services, made by the police in the context of the investigation and prosecution of serious crimes, could not be assigned by national legislation to a police officer in a centralized manner in conformity with Union law.

In a case in which a national court is obligated, on grounds of incompatibility with the ePrivacy Directive, to invalidate national legislation that requires the operators of electronic communications services to retain traffic and location data in a general and indiscriminate manner, the court cannot, in accordance with European Union law, limit the temporal effects of that invalidation. However, according to the principle of procedural autonomy of the Member States, the admissibility of the evidence obtained by such retention is in principle subject to national law.

In its ruling, the ECJ thus confirmed its established case law regarding data retention.

(Johanna Schmale)

BGH: Right of access to the origin of data

The BGH has ruled that the right to information under Article 15 of the GDPR may also include the name of a whistleblower who passed on information about the data subject (BGH, judgment of February 22, 2022 – Ref. VI ZR 14 /21).

In the case underlying the decision, a landlady demanded out of court that a tenant carry out an inspection of his apartment due to complaints about strong odor nuisance and vermin in the stairwell. The tenant then demanded that the landlady provide information about, among other things, which person had complained about him.

In the opinion of the BGH, the right to information about the person who provided the information could not be denied in the present case on the grounds that the information was contrary to his interests worthy of protection. It is true that the right to information pursuant to Article 15(1)(g) of the GDPR is not unconditional, but may be restricted by the rights and freedoms of other persons. Whether a right to information exists must be determined by weighing the interests of the party entitled to information and the whistleblower. In favor of the tenant entitled to information, the significance, weight and purpose of the right to information about the origin of the data should be taken into account. The data subject should be aware of the processing of the data concerning him and be able to verify its lawfulness and accuracy. In particular, the right of access should enable the data subject to request from the controller, for example, the rectification or erasure of his or her data. The obligation of the controller pursuant to Article 15(1)(g) of the GDPR, in the case of processing of personal data, to also provide the data subject with all available information about the origin of the data, should also enable the data subject to assert possible rights against the person or entity from whom the (possibly inaccurate or wrongfully disclosed) data originate.

In the present case, it cannot be assumed that the interests of the whistleblower prevail. In order to assert possible rights against the whistleblower, the plaintiff needs to know from whom the information originated. Since the statements "strong odor nuisance and vermin in the stairwell" with the establishment of the reference to the plaintiff's apartment were allegations damaging to the tenant's reputation, a claim against the whistleblower for the omission of the allegation was at least obvious in the case of an assumed untruthfulness of this allegation. The refusal to provide information could also not be based on the interest of the defendant property management in the proper and effective performance of its duties, in particular the maintenance of order and peace in the house community.

As a result, the BGH referred the legal dispute back to the lower court so that it could decide the case anew, taking into account the assessment of the BGH. In general, it should be noted for the transferability of the argumentation that the BGH certainly sees the possibility that the whistleblower's interests in secrecy may also prevail, especially if this is explicitly desired by the whistleblower.

(Johanna Schmale)

Data protection authorities on the data protection compliance of Facebook fan pages

On March 18, 2022, the German Conference of the Independent Federal and State Data Protection Authorities (Data Protection Conference, DSK), published an expert opinion on the conformity of the operation of Facebook fan pages with data protection law. The expert opinion takes into account current case law and the provisions of the new Telecommunications Telemedia Data Protection Act (TTDSG), which came into force on December 1, 2021. In the expert opinion, the DSK comes to the conclusion that no effective legal basis for the processing of personal data is triggered by visiting a fan page on the social network Facebook. In addition, the information requirements under Article 13 of the GDPR are not fulfilled.

Based on the DSK's opinion, the Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI) concludes that fan pages on Facebook must be shut down if the operators cannot prove their compliance with data protection law. It has informed the Senate administrations about the opinion and called on them to deactivate their Facebook fan pages if they cannot fulfill their obligation to provide proof (cf. the BlnBDI press release of April 8, 2022). The BlnBDI justifies the request to deactivate the fan pages with the special responsibility and exemplary function of the Senate administrations as public bodies.

The Brandenburg State Commissioner for Data Protection and for the Right to Inspect Files (LDA) has also informed the highest state authorities under its supervision about the expert opinion (cf. the press release of the LDA of April 6, 2022). In its view, both the operators of the fan pages and Facebook had failed in recent years to ensure compliance with all legal regulations. It would have to assume that the authorities would not be able to prove that the fan pages were operated in compliance with data protection. In the LDA's view, the authorities would be living up to their role model function if they shut down their Facebook presences in this case. In a next step, the LDA announced that it would specifically check which state authorities currently operate Facebook fan pages and work towards deactivating those pages if the page owners cannot prove that they comply with data protection law.

In their approach, the authorities are guided by a resolution of the DSK, which places the focus initially on public authorities and, among other things, works towards having them deactivate their Facebook fan pages if the responsible parties cannot prove their data protection compliance. According to the DSK, the proof would primarily concern the conclusion of a joint responsibility agreement with Facebook, information on data processing for users, the permissibility of storing and subsequently accessing information in the user's terminal equipment, and the permissibility of transferring personal data to the access area of authorities in third countries. However, the expert opinion also forms an important basis for the members of the DSK in their supervisory activities vis-à-vis non-public bodies. In the future, analogous measures are also conceivable here, which is why non-public bodies should review their own use of Facebook fan pages from a data protection perspective as early as possible and follow the further statements of the supervisory authorities as well as any reactions from Facebook.

(Johanna Schmale)

Data Protection Commissioner Baden-Württemberg: Statement on Microsoft 365 in schools

The State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg (LfDI) expects schools to offer pupils alternatives to the cloud service Microsoft 365 for school operations by the summer vacations in 2022 (cf. the press release of the LfDI dated April 25, 2022). As of the coming school year, the use of Microsoft 365 at schools is to be terminated or its data protection-compliant operation is to be clearly demonstrated by the responsible schools.

The LfDI has stated that it plans to approach around 40 schools that use Microsoft 365 or Microsoft Teams shortly, inform them of its legal assessment of the online service, and ask them to commit to a timetable for switching to alternatives. The LfDI also says that it not only advises schools in the search for alternatives, but also works with the Ministry of Education to ensure that they can use alternatives according to their needs.

In the past, the LfDI had already recommended to the Ministry of Education and Cultural Affairs of Baden-Württemberg that they refrain from using Microsoft 365 in schools due to the high data protection risks. The Ministry of Education and Cultural Affairs had previously attempted, as part of a pilot project, to enable the use of Microsoft 365 in schools in a manner that was as compliant with data protection law as possible. However, it is unlikely that the assessment can be generally applied to all cases of Microsoft 365 use, because the supervisory authorities also always consider each case on an individual basis, and school use must be classified as particularly problematic in this respect, if only because of the special requirements applying to the personal data of minors.

(Johanna Schmale)