The European Data Protection Supervisor (the “EDPS”) recently published an overview of European data protection and privacy case law from 2015 and a summary of pending cases before the Court of Justice of the European Union and the European Court of Human Rights. While the Schrems case and its impact on transatlantic data flows received the most media attention, several other noteworthy cases were decided in 2015, including the following:
The Ryneš case1 - This involved consideration of the scope of the ‘household exemption’. Processing of personal data in the course of a “purely personal or household activity” falls outside the scope of data protection law under Article 3(2) of Data Protection Directive. This case involved the use of a CCTV system in a family home to record the entrance to the home and the public space outside. The CJEU held that the household exemption must be construed narrowly and that where domestic video surveillance covers a public space, even partially, and is directed outwards, it cannot be considered to fall within Article 3(2) since this does not constitute purely personal or household activity. This decision may result in individuals and businesses who assume certain activities are outside the scope of European data protection law being surprised to find that the opposite is the case.
The Bara case2 - The CJEU held that Articles 10, 11 and 13 of the Data Protection Directive preclude the transfer of personal data between public bodies for further processing, in circumstances where the data subjects have not been informed of the transfer and such further processing. Public authorities who are accustomed to sharing personal data with other public authorities based on legislative powers or functions should consider their current practices in light of this decision.
The Weltimmo Case3 - This focussed on the concept of ‘establishment’ of a data controller for the purpose of determining applicability of European data protection law. The CJEU held that a person or entity will be considered to be ‘established’ in an EU State if it meets the criteria set out in the Data Protection Directive, which should be construed purposively as providing that ‘establishment’ may arise where a data controller exercises a ‘real and effective activity’ in the Member State, even if it is minimal. This is particularly relevant to e-commerce businesses, as minimal activities or operational presence in any EU Member State may bring that business within the scope of its local data protection law regime.
The EDPS has also highlighted on-going cases before the CJEU and European Court of Human Rights of particular interest. Notable cases to watch include:
- an Austrian case involving Amazon4 , in which the CJEU has been asked to decide whether an e-commerce business established in one Member State must comply with local data protection laws in other Member States to which its commercial activities are directed;
- a referral from the UK Court of Appeal5 where the CJEU will consider the validity of UK’s Data Retention and Investigatory Powers Act in light of its previous decision on the Data Retention Directive in the Digital Rights Ireland Case; and
- a Slovenian case before the European Court of Human Rights6 regarding whether the disclosure of an IP address to police without a court order is a breach of the right to privacy.