Tag: ECJ

Unwanted Email Advertising: Trivial Damage or Significant Data Protection Violation?

IPlens

In a case concerning damages for unwanted email advertising as a data protection violation, the Federal Constitutional Court in Germany (BVerfG) recently ruled, that the European Court of Justice (ECJ) has to decide on the interpretation of the prerequisites and scope of Art. 82 (1) GDPR. It has to be clarified how Art. 82 (1) GDPR is to be interpreted against the background of Recital 146. In other words, under which conditions the article would grant a claim for monetary compensation.              

The plaintiff, a German lawyer, had received one (!) unintentional advertising email and sued for injunctive relief, access to the stored data and damages of at least 500 €. Whilst the District Court of Goslar (September 7, 2019 – Case No. 28 C 7/19) upheld the claim for injunctive relief and access, it refused to award immaterial damages. The judges claimed that these were not evident. Hence, the threshold for a monetary compensation for a violation of personality rights had not been exceeded. In response, the plaintiff decided to file a constitutional complaint, arguing that the decision of the District Court violated his right to the lawful judge of Article 101 (1) sentence 2 of the German Basic Law (GG). He claimed that the District Court had wrongly refrained from submitting the question of the threshold for GDPR damage claims to the ECJ for a preliminary ruling.            

In the ruling of the BVerfG, the judges now emphasized that the claim for damages under Art. 82 GDPR may not be denied just because of a minor or trivial loss. The Federal Constitutional Court underlined in fact, that the District Court would have had to make a preliminary reference to the ECJ beforehand. Hence, the plaintiff’s right to the lawful judge according to Article 101 (1) sentence 2 of the German Basic Law (GG) had been violated: the District Court did not comply with the obligation to refer the matter to the ECJ by way of preliminary ruling proceedings pursuant to Article 267 (3) of the Treaty on the Functioning of the European Union (TFEU). The District Court disregarded this obligation by interpreting European Union law itself.                

The court in Goslar must now decide anew and it can be assumed that the judges will refer the questions to the ECJ. It is to be hoped, that the European judges will define a de minimis threshold for damages due to data protection violations. At the same time, clarification of all underlying issues is not expected. However, general principles of high practical relevance can be laid down, already discussed in literature and case law.

Dario Haux

German Federal Constitutional Court, Decision of the 2nd Chamber of the First Senate, January 14th 2021, 1 BvR 2853/19 -, 1–24

Right to be forgotten: the first Italian decision after Google Spain

IPlensLeave a comment

By its judgment of 3 December 2015 (full text here), the Court of Rome issued the first decision of an Italian court dealing with the so called “right to be forgotten” after the ECJ leading case of 13 May 2014, C- 131/12, Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Costeja Mario González.

The applicant, a lawyer, sued Google, asking the de-listing of 14 links resulting from a list of results displayed following a search made on the basis of his name, on the assumption of the existence of a right to be forgotten. He argued that the links were referring to a court case dating back to the years 2012/2013 and dealing with an alleged fraud in which he was involved (but never condemned) with some representatives of the clergy and other subjects linked to the criminal organization known as “Banda della Magliana”. As a consequence, the lawyer called for the monetary compensation due to the illegal treatment of its personal data.

The Court of Rome dismissed the plaintiff’s request on the assumption that the disclosed personal data were both recent and of public interest.

The Court based its decision on the principles recently recognized by the Court of Justice in Google Spain (and already accepted by Italian previous case law, cfr. Cass. Civ. Sec. III, 05-04-2012, n. 5525).

In this case the ECJ ruled that the data subject may, in the light of his fundamental rights under Articles 7 and 8 of the EU Charter of Fundamental Rights (and in application of Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46/EC), request that the personal data in question no longer be made available to the general public by its inclusion in such a list of results. However, inasmuch as the removal of links from the list of results could, depending on the information at issue, have effects upon the legitimate interest of internet users potentially interested in having access to that information, “a fair balance should be sought in particular between that interest and the data subject’s fundamental rights under Articles 7 and 8 of the Charter” (par. 81).

Whilst “it should be held that those rights override, as a rule, not only the economic interest of the operator of the search engine but also the interest of the general public in finding that information upon a search relating to the data subject’s name”, the Court also recognised the existence of an exception to this general rule when “for particular reasons, such as the role played by the data subject in public life […], the interference with [the] fundamental rights [of the data subject] is justified by the preponderant interest of the general public in having, on account of [the] inclusion [of the information] in the list of results, access to the information in question” (par. 97).

The Article 29 Data Protection Working Party (hereinafter only “WP”) in its Guidelines on the implementation of the ECJ Judgement on Google Spain, adopted on 26 November 2014 for the purpose of establishing a list of common criteria to be used by European data protection authorities to evaluate whether data protection law has been complied with, stated that “no single criterion is, in itself, determinative”.

However among these criteria there are both whether the data are temporally relevant and not  excessive (i.e. closely related to the data’s age) and whether the data subject play a role in public life (s.c. public figures criterion).

With reference to the second criterion, even if it is not possible to establish with certainty the type of role in public life an individual must have to justify public access to information about them via a search result, the WP pointed out that “by way of illustration, politicians, senior public officials, business-people and members of the (regulated) professions can usually be considered to fulfil a role in public life”.

Under this test, the Court of Rome rejected the plaintiff’s request on the assumption that the treated personal data were both recent and of public interest and denied that the data subject had a right that the information relating to him should, at this point in time, no longer be linked to his name.

The decision can be welcomed to the extent it shows the benefits of the process of EU harmonization realized by means of the interpretative ruling of the ECJ and of the WP on the right to prevent indexing of personal data published on third parties’ web pages.

The judgement, in any case, works in the direction to limit the scope of application of the right to consign personal data to oblivion, since it affirms that the “public figure role” can be recognized not only to politicians and public officials but also to the large class of “business-people”, belonging to regulated professional orders.

Jacopo Ciani

Court of Rome, 3 December 2015, No. 23771, Dott.ssa Damiana Colla

Topographic maps as databases: CJEU

IPlens1 Comment

The CJEU ruled that topographic maps may fall within database protection under Directive 96/9 (full text here). The dispute concerned the use by Verlag Esterbauer, an Austrian travel books publisher, of certain topographic maps published by the Land of Bavaria. In particular, Verlag Esterbauer scanned the maps and extracted the underlying geographic data with a graphics programme to produce and market its own maps dedicated to walkers and cyclists.

According to the Court, the concept of “database” must be interpreted widely, as collections of works and/or other data, in any form, without technical or material restrictions, therefore applying also to analog databases. Indeed, the Court stressed the “functional” nature of database protection and its aim at fostering investment in data processing systems.

The main requirement of a database under Art. 1(2) of Directive 96/9 is the existence of “independent materials”, i.e. separable without affecting their value. Independent materials can also consist of combination of pieces of information, if they have autonomous informative value after being extracted. This may be the case of geographical information (e.g., “geographical coordinates point” plus “the numbered code used by the map producer to designate a unique feature, such as a church”), as long as the extraction of such data from the map does not affect their autonomous value. Under the broad definition of database, this autonomous value shall be assessed vis-à-vis the degree of interest of third parties to the extracted material, irrespective of the fact that such value might diminish after the extraction.

The Court found that in the captioned case: (i) Verlag Esterbauer made an autonomous commercial use of the information extracted from the Land of Bavaria’s maps, and (ii) it provided its customers relevant geographical information. Thus, such geographical information constitutes “independent material” from a database.

It seems all too evident that the Court, in line with its settled case-law (see our comments on the Ryanair case here), keeps broadening the notion of database under Directive 96/9 with the aim of further protecting investments in the information market.

Francesco Banterle

CJEU, 29 October 2015, Case C-490/14, Freistaat Bayern v Verlag Esterbauer GmbH

ECJ: the Owner of an Online Database not Protected by Copyright or Sui Generis Right May Limit its Use by Contract

IPlens2 Comments

On January 15, 2015 the Court of Justice of the European Union (ECJ), in Ryanair Ltd v PR Aviation BV, C-30/14, handed down a decision concerning the interpretation of Directive 96/9/EC on the legal protection of databases (full text here). The case concerned the unauthorized extraction of flight data (so called ‘screen scraping’) from Ryanair’s website by the PR Aviation, which operates a price comparison website where users can also book a flight on payment of commissions. Access to Ryanair’s website requires acceptance of the air company’s T&Cs, by ticking a box, which prohibit unauthorized ‘screen scraping’ practices.

Ryanair brought proceedings against PR Aviation before Dutch courts for infringement of copyright and sui generis right on its database as well as breach of contract. Upon preliminary ruling requested by the Dutch Supreme Court, the ECJ ruled that the Directive 96/9/EC is not applicable to databases which are not protected either by copyright or by the so-called sui generis database right granted to the maker of the database (whether Ryanair’s website may be entitled to such protection shall be determined by the competent national court).

Therefore, according to the ECJ, mandatory exceptions to restricted acts laid down by Articles 6 and 8 of the Directive (allowing the ‘lawful user’ of the same to use the protected database without the author’s or maker’s consent, in certain cases and if certain conditions are met) do not prevent the database owner from laying down contractual limitations on its use by third parties, while the same contractual limitations are null and void vis-à-vis lawful users of those databases which benefit from copyright and/or sui generis right protections.

While the interpretative principle outlined by the ECJ is actually not very striking (insofar as it is rather clear from the literal text of the Database Directive that the legal regime implemented by it – including the mandatory rights of ‘lawful users’ – only apply to those databases which can be protected with copyright or the sui generis right), it is important to highlight that, according to general principles of contract law, any contractual provisions governing the use of unprotected databases may only be binding on third parties who accepted those provisions (and that, accordingly, should be deemed to be already aware of their content) and, conversely, cannot bind any third parties extraneous to the contractual relationship with the website owner. In the Ryanair case discussed above, the ECJ makes clear that the company that had ‘scraped’ Ryanair’s flight data without authorization had previously accepted Ryanair’s general T&Cs by ticking a box to that effect. What about if ones were to take the disputed flight data not from Ryanair’s website but from the price comparison’s website? In this scenario, Ryanair’s T&Cs, notably the ‘screen scraping’ prohibition, should not be deemed to apply.

Federica De Santis

Court of Justice, 15 January 2015, C-30/, Ryanair Ltd v PR Aviation BV, C-30/14

ECJ: the “supplementary protection certificate” for protein D in Synflorix. A tough interpretation of Regulation (EC) No.469/2009

IPlensLeave a comment

On January 15, 2015, the Court of Justice of the European Union (ECJ), in Arne Forsgren v. Österreichisches Patentamt C-631/13, issued a decision regarding the granting of a Supplementary Protection Certificate (SPC), requested by Arne Forsgren, for Protein D used in Synflorix, a vaccine authorized in European Union to protect from diseases caused by the bacterium S.Pneumoniae (full text here). As per the Regulation (EC) No.469/2009, the SPC covers the cost of research leading to the discovery of new “products” in order to ensure sufficient protection to encourage pharmaceutical research, which plays a decisive role in the continuing improvement in public health. In the present case, the Protein D contained in Synflorix is bond to some polysaccharides as a “carrier” and not associated to any pharmacological effect on its own. Based on the concepts provided in Regulation (EC) No.469/2009, can a SPC be attributed to the Protein D, even if this substance is not considered an active ingredient? The commission rejected the request, based on the interpretation of Regulation (EC) No.469/2009 article 1, lett.b and article 3, lett.a and b. according to which the “carrier” protein could be protected by a SPC. Otherwise, in respect of the article 3, lett.b the SPC protection is granted only if Protein D may be categorised as an “active ingredient” and if this action is covered by the therapeutic indications of the marketing authorization. The decision to provide the SPC protection should be carefully taken: potential misapplications may result in risk to monopolize the market, viceversa the refusal to grant supplementary protection might take the interested company in a disadvantageous position in relation to market competitors.

Grazia Maria Gaspari

Court of Justice, 15 January 2015, C-631/13,  Arne Forsgren v. Österreichisches Patentamt