Privacy and Search Engines like Google: Opinion of Art. 29 Working Party

The Working Party set up pursuant to Article 29 of Directive 95/46/EC on data protection has issued an interesting opinion on the privacy issues raised by search engines like Google or Yahoo.

You can find the opinion ("WP 148") here.

Part of the executive summary reads as follows:

"In this Opinion the Working Party identifies a clear set of responsibilities under the Data Protection Directive (95/46/EC) for search engine providers as controllers of user data. As providers of content data (i.e. the index of search results), European data protection law also applies to search engines in specific situations, for example if they offer a caching service or specialise in building profiles of individuals. The primary objective throughout the Opinion is to strike a balance between the legitimate business needs of the search engine providers and the protection of the personal data of internet users.

This Opinion addresses the definition of search engines, the kinds of data processed in the provision of search services, the legal framework, purposes/grounds for legitimate processing, the obligation to inform data subjects, and the rights of data subjects.

A key conclusion of this Opinion is that the Data Protection Directive generally applies to the processing of personal data by search engines, even when their headquarters are outside the EEA, and that the onus is on search engines in this position to clarify their role in the EEA and the scope of their responsibilities under the Directive. The Data Retention Directive (2006/24/EC) is clearly highlighted as not applicable to search engine providers."

The conclusion that Directive 95/46/EC applies to the processing of personal data by search engines outside the EU needs looking at more closely and is likely to be controversial.

File Sharing, Kazaa, Intellectual Property Rights and Privacy: Case C-275/06

The Court of Justice has handed down an interesting judgment in Case C-275/06 Promusicae v. Telefónica on the balance to be struck between privacy and the effective protection of intellectual property rights to prevent peer-to-peer musical file transfers.

It goes like this. In the blue corner you have several EC Directives protecting intellectual property rights, like Directive 2000/31/EC on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market, Directive 2001/29/EC on the harmonization of certain aspects of copyright and related rights in the information society, and Directive 2004/48/EC on the enforcement of intellectual property rights. In the red corner you have Directive 2002/58 concerning the processing of personal data and the protection of privacy in the electronic communications sector. And in the middle you have folks using Kazaa on the internet, access to which is provided by an internet service provider like Telefónica in Spain.

Promusicae, a Spanish organization of producers and publishers of musical and audiovisual recordings, applied to the Spanish courts for an order that Telefónica should disclose the identities and physical addresses of people whom it provided with internet access services, and who were allegedly using the KaZaA file exchange program to share musical and audiovisual files. It sought disclosure of that information to be able to bring civil proceedings against the persons concerned.

Under Spanish law the communication of the data sought by Promusicae was permitted only in a criminal investigation or for the purpose of safeguarding public security and national defence. What Promusicae wanted to commence were clearly civil, not criminal proceedings. Thus, the question was referred to the Court of Justice whether EC law requires member States to lay down, in order to ensure effective protection of copyright, an obligation to communicate personal data in the context of civil proceedings.

The Court held that EC law as it currently stands does not require member States to render mandatory the disclosure of the sort of information requested by Promusicae to commence civil proceedings to protect intellectual rights.

As a result, the file sharers can have their data protected in Spain and it won't be disclosed to the likes of Promusicae to commence civil proceedings against them.

The question is therefore whether Spain could change its law to render disclosure of the personal data sought obligatory in the context of commencing civil proceedings.

The Court held that EC law does not preclude the mandatory disclosure of such information. But when member States introduce legislation to render such disclosure mandatory, the Court held that they must, when transposing the directives on intellectual property and the protection of personal data, rely on an interpretation of those directives which allows a fair balance to be struck between the various fundamental rights protected by the EC legal order. Further, when implementing the measures transposing those directives, the authorities and courts of the Member States must not only interpret their national law in a manner consistent with the directives but also make sure that they do not rely on an interpretation of them which would be in conflict with those fundamental rights or with the other general principles of Community law, such as the principle of proportionality (see Case C-101/01 Lindqvist, paragraph 87, and Case C-305/05 Ordre des barreaux francophones et germanophones and Others, paragraph 28 - a case we noted here).

A close reading of the Court's judgment and of the Advocate General's Opinion shows a divergence of view on whether disclosure of such personal data could ever be made mandatory in the context of civil proceedings.

The Advocate General in paragraphs 84 to 86 of her opinion came to the conclusion that Directive 2002/58 does not allow member States to render mandatory disclosure of personal data in the context of civil proceedings brought to protect the rights of others. She pointed out that Article 15(1) of Directive 2002/58 set out two types of bases for exceptions, namely, on the one hand, in the first four alternatives, national security (that is, State security), defense, public security, and the prevention, investigation, detection and prosecution of criminal offenses and, on the other, in the fifth alternative, unauthorized use of the electronic communication system. In addition, Article 15(1) of Directive 2002/58 refers to Article 13(1) of Directive 95/46, which contains further grounds of exception. The question was what exactly did that reference to Article 13(1) of Directive 95/46 mean. She noted that Article 13(1)(g) of Directive 95/46 allows the communication of personal data for the protection of the rights and freedoms of others. Unlike the grounds of exception in Article 13(1) of Directive 95/46, this ground is not expressly listed in Article 15(1) of Directive 2002/58.
Viewed in isolation, that could be understood as a reference to all the grounds of exception under Article 13(1) of Directive 95/46. However, that is contradicted, she opined, by the fact that Article 15(1) of Directive 2002/58 itself mentions grounds of exception which are intended to allow a restriction ‘in accordance with Article 13(1) of Directive 95/46’. Those grounds correspond only in part to the grounds in Article 13(1) of Directive 95/46 and do not include the exception for the rights of others, mentioned under (g). Consequently, the grounds mentioned in Article 13(1) of Directive 95/46 are applicable in the electronic communications sector only in so far as they are expressly included in Article 15(1) of Directive 2002/58. As the protection of the rights and freedoms of others was clearly omitted from the list in Article 15(1) of Directive 2002/58, the reference to Article 13(1) of Directive 95/46 could not incorporate it indirectly.

The Court of Justice took the opposite view in its judgment. It held in paragraph 53 of its judgment:

"It is clear, however, that Article 15(1) of Directive 2002/58 ends the list of the above exceptions with an express reference to Article 13(1) of Directive 95/46. That provision also authorises the Member States to adopt legislative measures to restrict the obligation of confidentiality of personal data where that restriction is necessary inter alia for the protection of the rights and freedoms of others. As they do not specify the rights and freedoms concerned, those provisions of Article 15(1) of Directive 2002/58 must be interpreted as expressing the Community legislature’s intention not to exclude from their scope the protection of the right to property or situations in which authors seek to obtain that protection in civil proceedings."

Transparency and Privacy: Case T-194/04

There's an obvious tension between transparency and privacy. Now the Court of First Instance has stepped right into the fight and sided categorically with transparency. In its recent judgment in Case T-194/04 The Bavarian Lager Co. Ltd. v. Commission the Court of First Instance renders almost nugatory the protection afforded by Regulation 45/2001 on the protection of individuals with regard to the processing of personal data by the EC institutions.

The story goes like this. The Commission commenced Article 226 EC proceedings against the United Kingdom because of some legislation in force at the time that restricted the import of foreign beer. The Commission, with a view to finding a satisfactory solution to the case, organized a meeting with British government officials and trade representatives. Ultimately, a solution was reached and the case closed. But then, an importer of German beer wanted to know the names of the individuals who attended the meeting. For what purpose you may well ask. The Commission asked the individuals concerned whether they agreed to have their names revealed. Five of those attendees, no doubt fearing retribution or harassment by the importer, refused to have their identity revealed. The Ombudsman got involved and handed down a scathing report denouncing the Commission for not revealing the identity of those who had refused to have their names disclosed, claiming they had no right to privacy. The Article 29 Working Party then handed down a report in response (but the Court of First Instance pays scant attention to that inconvenient truth). The German importer made a request for the minutes of the meeting with the names of attendees included under Regulation 1049/2001 (the public access to documents regulation). The Commission refused to disclose the names invoking data protection and the terms of Regulation 45/2001. The importer then challenged the Commission's refusal before the Court of First Instance.

The Court of First Instance annulled the Commission's refusal. The judgment must be read to be believed.

The Court held that the list of participants in the minutes contained personal data, since the persons who participated at that meeting could be identified there. Notwithstanding the fact that it was personal data, it was not protected by Regulation 45/2001 because the mere fact that a document contains such data does not necessarily mean that the privacy or integrity of the persons concerned is affected, even though professional activities are not in principle excluded from the concept of "private life".

It also held that the privacy and integrity of a person is not compromised even if personal data relating to that person is revealed. As a consequence, any objection by such a person to disclosure of the personal data cannot prevent disclosure under Regulation 1049/2001.

What was quite extraordinary was the way in which the European Data Protection Supervisor intervened to plead that the very regulation that established his office did not apply, referring to his "paper" on public access to documents and data protection.

Damages for Breach of Data Protection Regulation by OLAF: T-259/03

The Commission's anti-fraud office, OLAF, has a reputation for carrying out investigations in a manner unworthy of a public authority in a modern, liberal, democratic society. For an example of its modus operandi, see our post here.

In a discreet judgment, the Court of First Instance has found the Commission liable in damages for egregious breaches of Regulation 45/2001 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data. In its judgment in Case T-259/03 Kalliopi Nikolaou v. Commission, the Court of First Instance ordered the Commission to pay €3 000 (US$4,165.65) in compensation because OLAF leaked information about its investigation and published derogatory statements about Ms. Nikolaou which, although they did not name her expressly, were such that she could be identified personally.

Ms. Nikolaou had originally claimed €900 000 (US$ 1,249,559) in damages. The Court of First Instance finally awarded a very low amount because it found that the other instances of illegal conduct by OLAF had not actually caused the loss and damage claimed.

This is the first judgment awarding damages for a breach of Regulation 45/2001. It is a shame that it is only available in Greek and French in summary form. The Court published a press release in French which gives much more information than the judgment.

New EU/USA PNR agreement published

The new agreement between the USA and the EU about the transfer of Passenger Name Record data by air carriers to the US Department of Homeland Security has been published.

You can find the agreement itself here. Council Decision 2007/551/CFSP/JHA on the signing of the agreement is available here.

This new agreement - that applies provisionally from the date of signing (July 26th 2007) - replaces the agreement concluded on October 19th 2006 which expired on July 31st 2007 at the latest. (See also Council Decision 2006/729/CFSP/JHA). It is intended to be a long-term arrangement between the two parties that should set this matter to rest.

For previous posts on the matter, see here, here, here and here (there may have been others too, but that is enough for now).

EDPS Opinion on the Combating Terrorism Initiative

A short while ago, fifteen member States took an initiative with a view to adopting a Council Decision on stepping up cross-border cooperation, particularly in combating terrorism and cross-border crime.

The European Data Protection Supervisor has now issued an interesting and detailed opinion on that initiative. He does not appear opposed to the idea of cooperation between member States in combating terrorism and takes note of the "unique nature" of the initiative. Nevertheless, he makes a certain number of criticisms of the text and proposes some changes to reinforce the protection of personal data.

Worth reading.

SWIFT, the US Department of the Treasury, the Terrorist Finance Tracking Program and Privacy

As a follow-up to our post of February 5th, 2007 on the SWIFT issue, the US Department of the Treasury and the European Union have exchanged letters about the practical safeguards and controls on the use of personal data under the Treasury Department's Terrorist Finance Tracking Program.

The Treasury Department letter is available here. It makes clear that the Treasury Department will allow an "eminent European" to oversee that EU-originating data is properly protected.

The working of the Terrorist Finance Tracking Program and the actual safeguards and controls of data are described in this document here.

The EU response is available here.

Interestingly, the French Government issued a statement on the matter authorizing the Council Presidency to sign the draft response above.

The Council issued a handy press release on the matter, available here.

Ombudsman and EDPS conclude agreement, non-aggression pact

The European Ombudsman and the European Data Protection Supervisor have concluded a "memorandum of understanding" that has been published recently.

The idea behind this agreement is to avoid the duplication of procedures should the same complaint be received by both. The Ombudsman undertakes to consult the EDPS on the interpretation of Regulation 45/2001 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data if a difficult point comes up in a pending complaint. Interestingly, the memorandum makes clear that in principle breaches of Regulation 45/2001 are for the EDPS to look into whereas refusals to give access to documents under Regulation 1049/2001 on public access to European Parliament, Council and Commission documents are for the Ombudsman.

The potential for conflict between the EDPS and the Ombudsman is great as this opinion dated May 17th 2001 of the Data Protection Working Party (Article 29 Working Party) on the Ombudsman's Special Report to the European Parliament following complaint 713/98IJH shows. In those documents, the Article 29 Working Party and the Ombudsman took diametrically opposite views as to whether the identity and addresses of persons who had attended meetings with the Commission services were protected personal data.

Rather disingenuously, the memorandum of understanding makes no mention of that particular spat. A case of maladministration, perhaps?

Privacy, SWIFT and the EDPS

The European Data Protection Supervisor ("EDPS") has made public an interesting opinion on the SWIFT case.

SWIFT is a communication system based in Belgium that enables banks and other financial institutions to exchange data. Back in June 2006 the press alleged that the US had set up a secret terrorist finance tracking system. As a consequence, questions were raised on compliance with European data protection legislation and in particular with Directive 95/46. According to the EDPS press statement, complaints were lodged with data protection authorities all over Europe. SWIFT itself took issue with the presentation of some of the facts in the press, as its own statements on compliance make clear. SWIFT also issued a legal rebuttal of the Belgian Privacy Commission findings on the case.

The EDPS opinion on the SWIFT case concentrates on the role and responsibility of the European Central Bank ("ECB"). The opinion finds that the ECB had failed to discharge its supervisory role properly and shares blame for a large scale breach of European privacy legislation.

The Data Protection Working Party, constituted under Article 29 of Directive 95/46/EC, issued its own Opinion on November 22nd 2006.

Article on the Data Retention Directive

Professor Francesca Bignami has published a thoughtful and informative article entitled "Protecting Privacy against the Police in the European Union: The Data Retention Directive".

You can download it here.

The abstract reads:

This paper examines a recent twist in EU data protection law. In the 1990s, the European Union was still primarily a market-creating organization and data protection in the European Union was aimed at rights abuses by market actors. Since the terrorist attacks of New York, Madrid, and London, however, cooperation on fighting crime has accelerated. Now, the challenge for the European Union is to protect privacy in its emerging system of criminal justice. This paper analyzes the first EU law to address data privacy in crime-fighting—the Data Retention Directive. Based on a detailed examination of the Directive’s legislative history, the paper finds that privacy—as guaranteed under Article 8 of the European Convention on Human Rights and the Council of Europe’s Convention on Data Protection—was adequately protected in the Directive. This positive experience can serve as guidance for guaranteeing other fundamental rights in the rapidly expanding area of EU cooperation on criminal matters.

Highly recommended!

For a previous post on the Data Retention Directive, see here.