Cases Update June/July 2018

June 16, 2018

Facebook Fan Pages

In Case C-210/16 Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v
Wirtschaftsakademie Schleswig-Holstein GmbH
, the Court of Justice of the
European Union has held that the administrator of a fan page on Facebook is
jointly responsible with Facebook for the processing of data of visitors to the
page. It goes on to determine a jurisdictional question and rules that the data
protection authority of the Member State in which the administrator has its
seat may, under the (now repealed) Data Protection Directive (Directive
95/46/EC), act both against the administrator and against the Facebook
subsidiary established in that Member State.

Facts

The German company Wirtschaftsakademie
Schleswig-Holstein offered educational services inter alia by means of a ‘fan
page’ hosted on Facebook. The CJEU used the term ‘fan page’ to cover user
accounts that can be set up on Facebook by individuals or businesses, where the
author of the fan page, after registering with Facebook, can use the platform
designed by Facebook to introduce himself to the users of that social network
and to persons visiting the fan page, and to post any kind of communication in
the media and opinion market.

Administrators of fan pages, such as
Wirtschaftsakademie, can obtain anonymous statistical data on visitors to the
fan pages via a function called ‘Facebook Insights’ which Facebook makes
available to them free of charge under non-negotiable conditions of use. The
data is collected by means of evidence files (‘cookies’), each containing a
unique user code, which are active for two years and are stored by Facebook on
the hard disk of the computer or on another device of visitors to the fan page.
The user code, which can be matched with the connection data of users
registered on Facebook, is collected and processed when the fan pages are
opened.

In 2011, the relevant supervisory authority,
Unabhängiges Landeszentrum für Datenschutz SchleswigHolstein, ordered
Wirtschaftsakademie to deactivate its fan page. According to the Unabhängiges
Landeszentrum, neither Wirtschaftsakademie nor Facebook informed visitors to
the fan page that Facebook, by means of cookies, collected personal data
concerning them and then processed the data.

Wirtschaftsakademie brought an action against that
decision, arguing that the processing of personal data by Facebook could not be
attributed to it, and that it had not commissioned Facebook to process data
that it controlled or was able to influence. Wirtschaftsakademie concluded that
the Unabhängiges Landeszentrum should have acted directly against Facebook
instead of against it.

The Bundesverwaltungsgericht (Federal
Administrative Court, Germany) referred the issue to the CJEU

Judgment

The CJEU observed that it was not disputed that the
American company Facebook and, for the EU, its Irish subsidiary Facebook
Ireland must be regarded as ‘controllers’ responsible for processing the
personal data of Facebook users and persons visiting the fan pages hosted on
Facebook. Those companies primarily determine the purposes and means of
processing that data. The Court went on to find that an administrator such as
Wirtschaftsakademie must be regarded as a controller jointly responsible,
within the EU, with Facebook Ireland for the processing of that data.

Such an administrator takes part in the
determination of the purposes and means of processing the personal data of the
visitors to its fan page. In particular, the Court notes that the administrator
of the fan page can ask for demographic data (in anonymised form) – and thereby
request the processing of that data – and geographical data, telling the fan
page administrator where to make special offers and organise events and more
generally enabling it to target the information it offers.

According to the Court, the fact that an
administrator of a fan page uses the platform provided by Facebook in order to
benefit from the associated services cannot exempt it from compliance with its
obligations concerning the protection of personal data.

On jurisdiction, the Court found that the
Unabhängiges Landeszentrum is competent, for the purpose of ensuring compliance
in German territory with the rules on the protection of personal data, to
exercise with respect not only to Wirtschaftsakademie but also to Facebook
Ireland all the powers conferred on it under the national provisions
transposing the Data Protection Directive.

Where an undertaking established outside the EU
(such as the American company Facebook) has several establishments in different
Member States, the supervisory authority of a Member State is entitled to
exercise the powers conferred on it by the Data Protection Directive with
respect to an establishment of that undertaking in the territory of that Member
State even if, as a result of the division of tasks within the group, first,
that establishment (in the present case, Facebook Germany) is responsible
solely for the sale of advertising space and other marketing activities in the
territory of the Member State concerned and, second, exclusive responsibility
for collecting and processing personal data belongs, for the entire territory
of the EU, to an establishment situated in another Member State (in this case,
Facebook Ireland).

Data Retention Judgment

In R
(National Council for Civil Liberties (Liberty)) v Secretary of State for the
Home Department
[2018] EWHC 975
(Admin)
, the Divisional Court was concerned only with one aspect of a wider
claim by Liberty, namely the compatibility of the IPA 2016, part
4 with EU law
. Like the Court of Appeal judgment in Watson, it is a slightly unsatisfactory
case because consideration is being given to provisions that are in the process
of being amended because they are widely acknowledged to be too widely drawn.

Part 4 was brought
into force (in part) on 30 December 2016 and substantially re-enacts the ill-fated
Data Retention and Investigatory Powers Act 2014 (DRIPA).
Doubts about
the compatibility of part 4 arise from judgments of the CJEU in Digital Rights Ireland (Case
C-293/12)
and Tele2
Sverige AB v Post-och telestyrelsen
(Case C-203/15)
, which rolled over
into the Court of Appeal judgment in Secretary
of State for the Home Department v Watson MP & Ors
[2018] EWCA Civ 70.
By the time of the Court of Appeal judgment, the doubts had turned to
certainties.

Liberty sought an ‘order of
disapplication’ in respect of Part 4 insofar as it is incompatible with EU law
or is undefended but submitted that the order of disapplication should be
suspended until 31 July 2018 to give the Government and Parliament a reasonable
opportunity to introduce legislation which is compatible with EU law.
On 7 July 2017 the government conceded that part 4 is, in its current
form, inconsistent with the requirements of EU law in two respects
and
commenced a process of consultation with a view to making amendments.

The particular focus was the power given to the
Secretary of State by the IPA 2016, s 87(1) to issue ‘retention notices’ to
telecommunications operators requiring the retention of data. The power relates
to retention and not access to such data. 
It is also important to note that, although the power affects a wide
range of private information to do with communications, it does not concern the
content of such communications, such as emails or text messages.

The Court’s final conclusion, having resisted a
number of applications from Liberty for it to disapply or refer various aspects
of part 4 on wider grounds, was as follows (at [186]-[187]):

this claim for judicial review succeeds in part,
because Part 4 of the Investigatory Powers Act 2016 is incompatible with
fundamental rights in EU law in that in the area of criminal justice:

(1)  access
to retained data is not limited to the purpose of combating ‘serious crime’;
and

(2)  access
to retained data is not subject to prior review by a court or an independent
administrative body.

We have concluded that the legislation must be
amended within a reasonable time and that a reasonable time would be 1 November
2018, which is just over 6 months from the date of this judgment.  We have also concluded that the appropriate
remedy is a declaration to reflect our judgment.

Software Lock and Injunction Refusal

In Blade Motor
Group Ltd v Reynolds & Reynolds Ltd

[2018] EWHC 497 (Ch)
, the claimant (Blade)
made an application for an injunction to require the defendant (R&R) to
provide access to its business software, until the trial of the main action.

The parties
had made a series of agreements which had led to the supply of the software and
which R&R claimed could not be terminated until 2019. Blade sought to
migrate to an alternative supplier in 2016; Blade wrote to R&R
explaining that it required the continued support of R&R during a period of
transition
. Following correspondence, R&R wrote to Blade
to say that it would be suspending performance of its obligations on 26 June
2017 unless payments of sums allegedly due (over £40k) were made.
R&R
then applied a remote lock which prevented Blade from being able to log on to
the system and accessing data in a readable form.

The
injunction was sought on the basis of the irreparable harm being caused to
Blade’s business.
Blade
also, perhaps optimistically, sought rectification of the agreement so as to
remove the obligation not to terminate it before 2019 on the grounds of
mistake.

Mr David Stone (sitting as a Judge of the
Chancery Division) approached the application
for an interim
injunction using the well-known test laid down in American Cyanamid Co
v Ethicom Ltd
[1975] AC 396.Mr Stone was not convinced that damages would not provide an adequate remedy in
the event that Blade made out its primary case on the agreement (about which he
was clearly sceptical). Moreover, applying the balance of convenience test and
rejecting the application, perhaps influenced by his doubts about Blade’s main
case, Mr Stone rejected the idea that granting the injunction was a return to
the status quo, took account of the delay in bringing the claim and weighed the
fact that it was open to Blade to pay the money claimed and reclaim any
overpayment.

Human Rights Judgment on Accessing IP Address
Information

According to the European Court of Human Rights,
police accessing subscriber information associated with a dynamic IP address
needed a court order

In a Chamber judgment from the European Court of
Human Rights, Benedik v Slovenia (application no.
62357/14), it has been held, by six votes to one, that there had been a
violation of Article 8 (right to respect for private and family life) of the
ECHR where the Slovenian police failed to obtain a court order to access
subscriber information associated with a dynamic IP address recorded by the
Swiss law-enforcement authorities during their monitoring of users of a certain
file-sharing network. This led to the applicant being identified after he had
shared files over the network, including child pornography.

The Court found in particular that the legal
provision used by the police to obtain the subscriber information associated
with the dynamic IP address had not met the Convention standard of being ‘in
accordance with the law’. The provision had lacked clarity, offered virtually
no protection from arbitrary interference, had no safeguards against abuse and
no independent supervision of the police powers involved. It stated that a
finding of a violation of Mr Benedik’s rights under the Convention was
sufficient just satisfaction for any non-pecuniary damage.

Advocate General’s Opinion on Disclosure of
Metadata

In Case C-207/16 Ministerio Fiscal, Advocate General Saugmandsgaard Øe has given an
Opinion to the CJEU which proposes that the Court should find that even
criminal offences that are not particularly serious may justify disclosure of
basic electronic communications metadata, provided such disclosure does not
seriously undermine the right to privacy.