Example Case Summaries

Here are a few case summaries for recent CJEU cases that came out of my ChatGPT prompt.

01-SIU-2018 Own Volition Inquiry – CCTV Schemes Authorized Under Section 38(3)(a) of Garda Síochána Act 2005


Facts of the Case:

The Data Protection Commission (DPC) conducted an own-volition inquiry into the use of CCTV schemes authorized under Section 38(3)(a) of the Garda Síochána Act 2005 by An Garda Síochána (AGS). The inquiry was initiated to ensure compliance with relevant data protection laws and to establish accountability measures for the collection and processing of personal data through surveillance technologies. The inquiry focused on the operational deployment of surveillance technologies, including CCTV live feeds, recording systems, and Automatic Number Plate Recognition (ANPR) technology.

Summary of the Court’s Issues Raised and Conclusions:

The inquiry raised several issues regarding governance, privacy, accountability, and data protection compliance. Key findings include:

  1. Governance and Oversight: There were no restrictions on bringing personal recording devices into CCTV monitoring rooms, and there was excessive access to these rooms. There was also a lack of auditing of access logs and record-keeping regarding downloads of footage.
  2. Privacy and Accountability: Inadequate signage and general transparency were noted, with insufficient information provided to the public about the CCTV operations and the identity of the data controller.
  3. Absence of Written Contracts: There were no written contracts between AGS and third-party data processors who maintained and serviced the CCTV systems.
  4. Use of ANPR Cameras: The use of ANPR cameras was found to be more intrusive than standard CCTV cameras, and there was a lack of appropriate data protection policies and impact assessments for their use.

The DPC concluded that AGS infringed upon several provisions of the Data Protection Act 2018, including sections related to the general obligations of the controller, security of automated processing, |data protection by design and default, storage limitation, and data logging.

DPC’s Ruling:

The DPC ordered AGS to bring its processing operations into compliance with the Data Protection Act 2018 by implementing specific measures. These include assessing risks, updating technical and organizational measures, implementing a comprehensive training program, designing standardized signage, and establishing written contracts with data processors. A temporary ban on the processing of ANPR data was imposed until compliance with the required measures was demonstrated. Additionally, the DPC issued a reprimand to AGS for the infringements identified.

Relevant Citations/Cases:

The decision references the following:

  1. General Data Protection Regulation (GDPR), specifically Article 2(2)(d), which excludes processing by competent authorities for law enforcement purposes from the GDPR’s scope.
  2. Law Enforcement Directive (EU 2016/680), which provides specific rules for the protection of personal data processed by competent authorities for law enforcement purposes.
  3. CJEU judgment in Volker and Schecke (Combined Cases C-92/09 and C-93/09), which established the principle of proportionality in data protection, requiring measures to be appropriate and not go beyond what is necessary to achieve their objective.

JS v EDPS, CJEU -T-200-21

Facts of the Case:

JS, a former temporary staff member of the Single Resolution Board (SRB), resigned on September 30, 2019. Subsequently, JS requested from the SRB a copy of all his personal data stored there and asked for the erasure of his personal data, objecting to its processing and requesting restriction of processing. The SRB refused, citing legal obligations to retain the data under EU Staff Regulations. JS lodged a complaint with the European Data Protection Supervisor (EDPS), which was rejected. JS then requested a review of the decision, which was also denied by the EDPS. JS brought the case before the General Court seeking annulment of the EDPS’s decisions and compensation for alleged damages.

Summary of the Court’s Issues Raised and Conclusions:

The Court examined whether the EDPS was correct in rejecting JS’s complaint and request for review. The key issues were:

The Court concluded that:

Court’s Ruling:

The General Court dismissed the action in its entirety, ordering JS to pay the costs.

Relevant Citations/Cases:

  • Regulation (EU) 2018/1725: The regulation concerning the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices, and agencies.
  • Staff Regulations of Officials of the European Union: The regulations cited for the legal obligation to retain personal data.
  • Charter of Fundamental Rights of the European Union: Referred to for the fundamental rights to the protection of personal data and the principle of proportionality.
  • Transtec v Commission, T-616/15, EU:T:2018:399: Cited for the conditions required for the European Union to incur non-contractual liability under the second paragraph of Article 340 TFEU.

Mircom International Content Management & Consulting (M.I.C.M.) Limited, C-597/19

Facts of the Case:

Mircom International Content Management & Consulting (M.I.C.M.) Limited, a company incorporated under Cypriot law, holds rights over a large number of pornographic films. M.I.C.M. brought an action against Telenet BVBA, a Belgian company providing Internet access services, seeking the identification data of Telenet customers whose Internet connections were allegedly used to share films from M.I.C.M.’s catalogue on a peer-to-peer network using the BitTorrent protocol. The identification was based on IP addresses collected by a specialized company on behalf of M.I.C.M.

Summary of the Court’s Issues Raised and Conclusions:

The Court was asked to interpret several EU directives and regulations, including Directive 2001/29/EC on copyright, Directive 2004/48/EC on the enforcement of intellectual property rights, and Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR), in the context of the case.

The key issues raised were:

  1. Whether the act of users downloading and simultaneously uploading pieces of a file on a peer-to-peer network constitutes a ‘communication to the public‘ under Directive 2001/29/EC.
  2. Whether M.I.C.M., as a contractual holder of rights who does not exploit those rights but seeks damages from alleged infringers, can benefit from the enforcement measures under Directive 2004/48/EC.
  3. Whether the systematic registration and processing of IP addresses of a peer-to-peer network’s users by M.I.C.M. and a third party are legitimate under GDPR.
  4. Whether the communication of the names and postal addresses of those users to M.I.C.M. is permissible under GDPR and Directive 2002/58/EC (ePrivacy Directive).

The Court concluded that:

  1. The uploading of pieces of a file by users on a peer-to-peer network does constitute a ‘communication to the public’.
  2. M.I.C.M. can benefit from the enforcement measures under Directive 2004/48/EC, provided that its actions are not abusive.
  3. The systematic registration of IP addresses by M.I.C.M. and a third party is not precluded by GDPR, provided that it is justified, proportionate, and not abusive.
  4. The communication of names and postal addresses to M.I.C.M. is permissible under GDPR and the ePrivacy Directive, subject to the same conditions of being justified, proportionate, and not abusive.

Court’s Ruling:

The Court ruled that:

  1. The uploading of pieces of a file by users on a peer-to-peer network constitutes a ‘communication to the public’ under Article 3(1) and (2) of Directive 2001/29/EC.
  2. M.I.C.M., as a contractual holder of copyright or related rights, can benefit from the enforcement measures under Directive 2004/48/EC, unless it is established that its request is abusive.
  3. The systematic registration of IP addresses by M.I.C.M. and a third party is not precluded by point (f) of the first subparagraph of Article 6(1) of GDPR, provided that it is justified, proportionate, and not abusive.
  4. The communication of names and postal addresses to M.I.C.M. is permissible under GDPR and the ePrivacy Directive, provided that it is based on a national legislative measure that limits the scope of the rules laid down in Articles 5 and 6 of the ePrivacy Directive.

Relevant Citations/Cases:

  • Stichting Brein, C-610/15, EU:C:2017:456: Cited for the concept of ‘communication to the public’ in the context of a peer-to-peer network.
  • Renckhoff, C-161/17, EU:C:2018:634: Cited for the concept of ‘act of communication’.
  • VCAST, C-265/16, EU:C:2017:913: Cited for the concept of ‘act of communication’.
  • VG Bild-Kunst, C-392/19, EU:C:2021:181: Cited for the concept of ‘act of communication’.
  • Stim and SAMI, C-753/18, EU:C:2020:268: Cited for the interpretation of ‘making available to the public’.
  • SNB-REACT, C-521/17, EU:C:2018:639: Cited for the interpretation of persons entitled to apply for the application of measures, procedures, and remedies.
  • NEW WAVE CZ, C-427/15, EU:C:2017:18: Cited for the interpretation of the right of information.
  • Constantin Film Verleih GmbH v. YouTube LLC and Google Inc., C-264/19, EU:C:2020:542: Cited for the interpretation of the right of information.
  • Breyer, C-582/14, EU:C:2016:779: Cited for the definition of personal data.
  • Rīgas satiksme, C-13/16, EU:C:2017:336: Cited for the interpretation of the lawfulness of processing.
  • Probst, C-119/12, EU:C:2012:748: Cited for the interpretation of the lawfulness of processing.
  • La Quadrature du Net and Others, C-511/18, C-512/18 and C-520/18, EU:C:2020:791: Cited for the interpretation of traffic data and the ePrivacy Directive.
  • Ministerio Fiscal, C-207/16, EU:C:2018:788: Cited for the interpretation of the ePrivacy Directive.
  • Coty Germany, C-580/13, EU:C:2015:485: Cited for the interpretation of the ePrivacy Directive.
  • Bonnier Audio and Others, C-461/10, EU:C:2012:219: Cited for the interpretation of the right of information.
  • Prokuratuur (Conditions of access to data relating to electronic communications), C-746/18, EU:C:2021:152: Cited for the interpretation of the right to protection of personal data.
Scroll to Top