Analysis of Privacy and Data Protection: The Breyer Case
VerifiedAdded on 2020/05/28
|19
|5131
|47
Report
AI Summary
This report provides a comprehensive analysis of the Breyer case, focusing on privacy and data protection within the framework of European law. The report begins with an introduction to the European Data Protection Directive (DPD) and the General Data Protection Regulation (GDPR), highlighting their objectives and the importance of safeguarding individual rights. It then explores the development of the data protection legal framework, including the European Convention on Human Rights (ECHR) and Convention 108. The core of the report is a critical analysis of the Breyer case (C-582/14), which addresses the definition of personal data in relation to dynamic IP addresses. The case examines whether a website publisher can consider a visitor's dynamic IP address as personal data, particularly when the internet access provider can link the IP to a specific individual. The report discusses the CJEU's judgment, the German Telemedia Act, and the concept of legitimate interests under Article 7(f) of the Directive. The analysis includes an examination of the legal arguments, the differing approaches to defining personal data (objective vs. relative), and the implications of the CJEU's decision. The report concludes by summarizing the key findings and their significance for data protection law.
Running head: PRIVACY AND DATA PROTECTION
Privacy and Data Protection
Name of the Student
Name of the University
Author Note
Privacy and Data Protection
Name of the Student
Name of the University
Author Note
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
1PRIVACY AND DATA PROTECTION
Table of Contents
Introduction......................................................................................................................................2
Development of Data protection legal framework..........................................................................2
Judgment in case C-582/14: Patrick Breyer v Bundesrepublik Deutschland..................................4
Critical analysis of Breyer case.......................................................................................................5
Conclusion.....................................................................................................................................12
Reference list.................................................................................................................................14
Table of Contents
Introduction......................................................................................................................................2
Development of Data protection legal framework..........................................................................2
Judgment in case C-582/14: Patrick Breyer v Bundesrepublik Deutschland..................................4
Critical analysis of Breyer case.......................................................................................................5
Conclusion.....................................................................................................................................12
Reference list.................................................................................................................................14
2PRIVACY AND DATA PROTECTION
Introduction
The European Data Protection Directive (DPD) 95/46/EC and the General Data
Protection Regulation (GDPR) has been enforced with the sole objective to encourage
consistent free circulation of personal data while safeguarding the individual rights of the
concerned persons (Reidenberg 2014). A high level of shield is ensured to the extent that unless
third countries guarantees a sufficient level of protection, data transfer shall not be allowed
outside EU/EEA as stipulated under Article 25 of the DPD. Such ‘adequacy’ level shall be
determined based on all such circumstances that are associated with data transfer operations
including international agreements, domestic laws and the ‘rule of law’ that is in force in the
concerned third country as stated under Article 25 (2) DPD.
This paper critically analyses the judgment made in the Breyer’s case by Court of Justice
of the European Union (CJEU). The case deals with question whether the dynamic IP address
of a website visitor amounts to personal data for website publisher when the internet access
provider can secure a name to that IP address (Danezis et al. 2015). It further deals with the
question whether the data protection provisions under the German Telemedia Act is consistent
with the EU law, given that it precludes a justification based in legitimate interests provided
stipulated in Article 7(f) of the Directive.
Development of Data protection legal framework
In the context of derogation to privacy rights, the concept of legal grounds and legality
for processing, which includes legitimate interests, have developed into a separate requirement
for data protection.
Introduction
The European Data Protection Directive (DPD) 95/46/EC and the General Data
Protection Regulation (GDPR) has been enforced with the sole objective to encourage
consistent free circulation of personal data while safeguarding the individual rights of the
concerned persons (Reidenberg 2014). A high level of shield is ensured to the extent that unless
third countries guarantees a sufficient level of protection, data transfer shall not be allowed
outside EU/EEA as stipulated under Article 25 of the DPD. Such ‘adequacy’ level shall be
determined based on all such circumstances that are associated with data transfer operations
including international agreements, domestic laws and the ‘rule of law’ that is in force in the
concerned third country as stated under Article 25 (2) DPD.
This paper critically analyses the judgment made in the Breyer’s case by Court of Justice
of the European Union (CJEU). The case deals with question whether the dynamic IP address
of a website visitor amounts to personal data for website publisher when the internet access
provider can secure a name to that IP address (Danezis et al. 2015). It further deals with the
question whether the data protection provisions under the German Telemedia Act is consistent
with the EU law, given that it precludes a justification based in legitimate interests provided
stipulated in Article 7(f) of the Directive.
Development of Data protection legal framework
In the context of derogation to privacy rights, the concept of legal grounds and legality
for processing, which includes legitimate interests, have developed into a separate requirement
for data protection.
⊘ This is a preview!⊘
Do you want full access?
Subscribe today to unlock all pages.
Trusted by 1+ million students worldwide
3PRIVACY AND DATA PROTECTION
European Convention on Human Rights (ECHR)
In 1950, the ECHR incorporated the Right to Privacy under article 8 to ensure that the
family life, home and private life of a person is respected. It prevents intrusion with the privacy
right unless such intrusion amounts to a necessity in an autonomous society and is in accordance
with the law. Such intrusion is conducted to satisfy certain form of compelling and particularly
listed public interests.
The right to privacy stipulated under Article 8 ECHR usually ensures that private life is
safeguarded and any interference with privacy is subjected to justification. This article aims at
safeguarding the private life of persons except under justifiable and stringently defined
circumstances. In case of an intrusion with the privacy of a person, it is crucial to establish a
legal foundation and identify the legal purpose of such interference. This is important to
determine whether such interference with privacy was necessary and justified. Roosendaal and
Wright (2017) states that this approach adopted by the ECHR signifies that it does not set out
any particular list if legal grounds but it simply emphasizes on the necessity of a statutory basis
and the conditions that such legal basis is required to fulfill.
Convention 108
The Council of Europe’s Convention 108 that was signed in 1981 established the need to
protect personal data as a different concept altogether. McGeveran (2016) believes that the
fundamental idea behind the evolution of such concept did not imply that processing of personal
data shall always be perceived as ‘interference with privacy’ instead it was perceived as a
concept that safeguards the fundamental rights and freedoms. In regards to the right of such
persons to privacy, processing of personal data shall be permitted only when certain conditions
European Convention on Human Rights (ECHR)
In 1950, the ECHR incorporated the Right to Privacy under article 8 to ensure that the
family life, home and private life of a person is respected. It prevents intrusion with the privacy
right unless such intrusion amounts to a necessity in an autonomous society and is in accordance
with the law. Such intrusion is conducted to satisfy certain form of compelling and particularly
listed public interests.
The right to privacy stipulated under Article 8 ECHR usually ensures that private life is
safeguarded and any interference with privacy is subjected to justification. This article aims at
safeguarding the private life of persons except under justifiable and stringently defined
circumstances. In case of an intrusion with the privacy of a person, it is crucial to establish a
legal foundation and identify the legal purpose of such interference. This is important to
determine whether such interference with privacy was necessary and justified. Roosendaal and
Wright (2017) states that this approach adopted by the ECHR signifies that it does not set out
any particular list if legal grounds but it simply emphasizes on the necessity of a statutory basis
and the conditions that such legal basis is required to fulfill.
Convention 108
The Council of Europe’s Convention 108 that was signed in 1981 established the need to
protect personal data as a different concept altogether. McGeveran (2016) believes that the
fundamental idea behind the evolution of such concept did not imply that processing of personal
data shall always be perceived as ‘interference with privacy’ instead it was perceived as a
concept that safeguards the fundamental rights and freedoms. In regards to the right of such
persons to privacy, processing of personal data shall be permitted only when certain conditions
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
4PRIVACY AND DATA PROTECTION
are fulfilled. Jonason (2017) argues that the Convention 108 did not provide any legal grounds
for processing personal data even after establishing fundamental principles for data protection
law under Article 5. The provision requires that automatic processing of personal data shall be
obtained and processed lawfully and in a fairly manner.
Directive 95/46/EC
When the Directive was adopted in 1995, the Directive was built based on the previous
data protection instruments including Convention 108. The directive sets out additional
requirements that are not mentioned in the Convention 108 where such additional requirements
include six legal grounds stipulated under Article 7 of the Directive 95/46/EC.
Judgment in case C-582/14: Patrick Breyer v Bundesrepublik Deutschland
An Internet Protocol address (IP address) is a series of binary numbers that are allocated
to computers or smart phones enabling it to identify and access the electronic communications
network. The IP address is passed on to the server on which the web page that has been accessed
is stored. A dynamic IP address of a website visitor is defined as a part of personal data for a
website publisher. The publisher obtains the statutory means to recognize the visitor with the of
additional information that is available to the internet access provider.
According to Post (2017), European data protection law as in the form of 2016
Regulation and the 1995 Directive qualifies as instances of good and effective law. It sets out
the minimum standards that are applicable to every situation and provides huge number of
voluntary choices. Although the data protection laws are flexible and adaptable, Spiekermann et
al (2015) assert that European data protection laws lack detailed standards. Majority of its
provisions create broad principles but fails to implement such standards in details. In regards to
are fulfilled. Jonason (2017) argues that the Convention 108 did not provide any legal grounds
for processing personal data even after establishing fundamental principles for data protection
law under Article 5. The provision requires that automatic processing of personal data shall be
obtained and processed lawfully and in a fairly manner.
Directive 95/46/EC
When the Directive was adopted in 1995, the Directive was built based on the previous
data protection instruments including Convention 108. The directive sets out additional
requirements that are not mentioned in the Convention 108 where such additional requirements
include six legal grounds stipulated under Article 7 of the Directive 95/46/EC.
Judgment in case C-582/14: Patrick Breyer v Bundesrepublik Deutschland
An Internet Protocol address (IP address) is a series of binary numbers that are allocated
to computers or smart phones enabling it to identify and access the electronic communications
network. The IP address is passed on to the server on which the web page that has been accessed
is stored. A dynamic IP address of a website visitor is defined as a part of personal data for a
website publisher. The publisher obtains the statutory means to recognize the visitor with the of
additional information that is available to the internet access provider.
According to Post (2017), European data protection law as in the form of 2016
Regulation and the 1995 Directive qualifies as instances of good and effective law. It sets out
the minimum standards that are applicable to every situation and provides huge number of
voluntary choices. Although the data protection laws are flexible and adaptable, Spiekermann et
al (2015) assert that European data protection laws lack detailed standards. Majority of its
provisions create broad principles but fails to implement such standards in details. In regards to
5PRIVACY AND DATA PROTECTION
sensitive data provisions, there is no standard provision that is even close to veto to certain
processing activities. The protection of personal data has been identified as fundamental right in
the EU Charter 2000 but the terminology used in the provisions fails to forbid the idea of
dealing with personal information. In the 2015 Schrems case, the CJEU invalidated the decision
of the European Commission 2000 regarding ‘adequacy’ of the EU-US Safe Harbor (SH) rules
ad permitted data transfers from EU to the US for commercial purposes. The regarded the
decision as invalid on the ground of ‘equivalence’ between the extent of protection prevailing in
a third world country and the European data protection system. As per Article 7 of the Directive
stipulates six circumstances under which the processing of personal data can be considered as
lawful.
However, Article 7(f) of the Directive provides a flexible ground that is repeated in the
GDPR. Article 7(f) is the last ground that provides circumstances where dealing out of personal
data is considered legal. However, along with the other reason, the ground under article 7(f) of
the Directive is not as restrictive as the other grounds. The provision permits data processing
without any legal basis or consent, based only on the legal interests of the controller except
where fundamental rights and interests of the data subject supersedes such legal interests. The
privacy logic stipulated under Article 8 of the European Convention on Human Rights
(ECHR) insists to construe the exceptions to rights restrictively and insists to provide a legal
basis provided for proportionality testing and by law. There is a need to trim Article 7(f) of
Directive to bring justice to the fundamental rights status that is accorded to data protection.
sensitive data provisions, there is no standard provision that is even close to veto to certain
processing activities. The protection of personal data has been identified as fundamental right in
the EU Charter 2000 but the terminology used in the provisions fails to forbid the idea of
dealing with personal information. In the 2015 Schrems case, the CJEU invalidated the decision
of the European Commission 2000 regarding ‘adequacy’ of the EU-US Safe Harbor (SH) rules
ad permitted data transfers from EU to the US for commercial purposes. The regarded the
decision as invalid on the ground of ‘equivalence’ between the extent of protection prevailing in
a third world country and the European data protection system. As per Article 7 of the Directive
stipulates six circumstances under which the processing of personal data can be considered as
lawful.
However, Article 7(f) of the Directive provides a flexible ground that is repeated in the
GDPR. Article 7(f) is the last ground that provides circumstances where dealing out of personal
data is considered legal. However, along with the other reason, the ground under article 7(f) of
the Directive is not as restrictive as the other grounds. The provision permits data processing
without any legal basis or consent, based only on the legal interests of the controller except
where fundamental rights and interests of the data subject supersedes such legal interests. The
privacy logic stipulated under Article 8 of the European Convention on Human Rights
(ECHR) insists to construe the exceptions to rights restrictively and insists to provide a legal
basis provided for proportionality testing and by law. There is a need to trim Article 7(f) of
Directive to bring justice to the fundamental rights status that is accorded to data protection.
⊘ This is a preview!⊘
Do you want full access?
Subscribe today to unlock all pages.
Trusted by 1+ million students worldwide
6PRIVACY AND DATA PROTECTION
Critical analysis of Breyer case
The Breyer case primarily deals with the definition of personal data and secondly, it is
concerned about clarifying this fundamental concept in the context of European Data Protection
laws. According to Geyer (2016), the CJEU already held that collection of IP addresses can be
considered as personal data when the same is done by the Internet service providers like Scarlet
in Case C-70/10 Scarlet Extended v Sabam [2011] ECLI:EU: C:2011:771, Legislative
Framework.
As per the facts of the case, the Federal Republic of Germany deals with websites, this
enables it to record the IP addresses of the website visitors. Patrick Breyer initiated legal
proceedings against the Federal Republic of Germany for not ceasing obtaining IP addresses,
when it was not technically necessary to store IP addresses of websites visitors on cyber security
grounds. This case was referred to the CJEU by the German Federal Court of Justice to decide
two questions in issue. Firstly, whether the dynamic IP addresses of website visitors amounts to
personal data for the operators of the websites within the meaning of Article 2 (a) of the
Directive 95/46/EC for the public authority owner of that page where the Internet Service
provider has additional knowledge that is required to classify the data subject.
Secondly, the question was if there was any specific provision under German Telemedia
Act relating to data protection is consistent with the EU laws on data protection, where such
provision excludes the justification provided under Article 7(f) of the Directive that is based on
legitimate interests. It seeks to ascertain whether Article 7(f) of the Directive 95/46/EC excludes
national legislation that permits the use of the personal data of the user without his consent.
However, it permits only to the extent necessary to charge and make it possible for the particular
Critical analysis of Breyer case
The Breyer case primarily deals with the definition of personal data and secondly, it is
concerned about clarifying this fundamental concept in the context of European Data Protection
laws. According to Geyer (2016), the CJEU already held that collection of IP addresses can be
considered as personal data when the same is done by the Internet service providers like Scarlet
in Case C-70/10 Scarlet Extended v Sabam [2011] ECLI:EU: C:2011:771, Legislative
Framework.
As per the facts of the case, the Federal Republic of Germany deals with websites, this
enables it to record the IP addresses of the website visitors. Patrick Breyer initiated legal
proceedings against the Federal Republic of Germany for not ceasing obtaining IP addresses,
when it was not technically necessary to store IP addresses of websites visitors on cyber security
grounds. This case was referred to the CJEU by the German Federal Court of Justice to decide
two questions in issue. Firstly, whether the dynamic IP addresses of website visitors amounts to
personal data for the operators of the websites within the meaning of Article 2 (a) of the
Directive 95/46/EC for the public authority owner of that page where the Internet Service
provider has additional knowledge that is required to classify the data subject.
Secondly, the question was if there was any specific provision under German Telemedia
Act relating to data protection is consistent with the EU laws on data protection, where such
provision excludes the justification provided under Article 7(f) of the Directive that is based on
legitimate interests. It seeks to ascertain whether Article 7(f) of the Directive 95/46/EC excludes
national legislation that permits the use of the personal data of the user without his consent.
However, it permits only to the extent necessary to charge and make it possible for the particular
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
7PRIVACY AND DATA PROTECTION
use of the telemedium by the concerned user under which the purpose of ensuring the general
functioning of the telemedium does not justify the data use after using the telemedium.
In regards to the first question in issue that deals with whether ‘personal data’ includes
dynamic IP address, the German government, on behalf of the Federal Republic of Germany
contradicted with the plaintiff’s contention that IP addresses are subjected to the legal
requirements of German data protection laws as it qualifies as persona data. The court upheld the
contention of the plaintiff stating that a dynamic IP address amounts to personal data when the
operator has statutory means to identify the visitor using the extra information that the operator
receives from the internet service provider of the visitor.
However, Geyer (2016) argues that although the court had addressed the first question in
issue directly but CJEU had only determined for the internet service providers that the IP
addresses qualify as personal data as was provided in the judgment of ‘Scarlet Extended’ case.
CJEU did not determine whether IP addresses are considered personal data for the online media
service providers as well other than the internet service providers. However, Post (2017) asserts
that the referring court was uncertain about the fact whether a dynamic IP address amounts to
personal data for the Internet Service provider where the communication company offering
network access deal with the additional data, when combined with the address, to identify the
person accessing the web page, operated by the former.
According to the Federal Justice of German, Breyer’s IP address does not permit the
website publisher to recognize Breyer directly and the website publisher can identify Breyer only
if the internet service provider reveals the information about Breyer’s identity to the website
publisher. The Federal Justice of Germany uses ‘objective and a relative’ approach, referring to
use of the telemedium by the concerned user under which the purpose of ensuring the general
functioning of the telemedium does not justify the data use after using the telemedium.
In regards to the first question in issue that deals with whether ‘personal data’ includes
dynamic IP address, the German government, on behalf of the Federal Republic of Germany
contradicted with the plaintiff’s contention that IP addresses are subjected to the legal
requirements of German data protection laws as it qualifies as persona data. The court upheld the
contention of the plaintiff stating that a dynamic IP address amounts to personal data when the
operator has statutory means to identify the visitor using the extra information that the operator
receives from the internet service provider of the visitor.
However, Geyer (2016) argues that although the court had addressed the first question in
issue directly but CJEU had only determined for the internet service providers that the IP
addresses qualify as personal data as was provided in the judgment of ‘Scarlet Extended’ case.
CJEU did not determine whether IP addresses are considered personal data for the online media
service providers as well other than the internet service providers. However, Post (2017) asserts
that the referring court was uncertain about the fact whether a dynamic IP address amounts to
personal data for the Internet Service provider where the communication company offering
network access deal with the additional data, when combined with the address, to identify the
person accessing the web page, operated by the former.
According to the Federal Justice of German, Breyer’s IP address does not permit the
website publisher to recognize Breyer directly and the website publisher can identify Breyer only
if the internet service provider reveals the information about Breyer’s identity to the website
publisher. The Federal Justice of Germany uses ‘objective and a relative’ approach, referring to
8PRIVACY AND DATA PROTECTION
legal scholarship in Germany, in order to determine whether IP addresses should be considered
as personal data. Kaczorowska-Ireland (2016) asserts that there is an academic disagreement on
the use of different approaches to determine whether personal data includes IP addresses.
As per the objective approach, the IP addresses used through the website that were at
issues in this case, may be considered as personal data even if a third party that is, the internet
service provider of Breyer, is only capable of identifying the data subject. On the contrary, the
use of relative approach determines that IP address would form a part of personal data for the
internet access provider of Breyer and not for the website publisher. CJEU states that as per the
definition of personal data under the Data Protection Directive, personal data refers to any
information linked to an identifiable or identified data subject or natural person. An identifiable
person is a person who is subjected to identification directly or indirectly. Therefore, based on
such assumptions, the court stated that the dynamic IP address of Breyer is not regarded as
information that is associated with an ‘identified’ person for the website publisher. This is
because the IP address does not directly disclose the identity of the natural person owning the
computer from which the website was accessed or any other person who might have operated
that computer.
(Koops (2014) argues that the court while determining whether IP addresses amounts to
personal data did not expressly abstained from using the ‘absolute/objective’ approach. It pointed
out that the concept of ‘personal data’ must be assessed using the relative/subjective approach.
However, in order to address the question whether the IP address amounts to personal data, the
court stated that it is not sufficient that only a third party may recognize the individual that has
information about the data. The additional data possessed by the third party holds is necessary to
recognize an individual is relevant if the possibility to merge this data provides a means that is
legal scholarship in Germany, in order to determine whether IP addresses should be considered
as personal data. Kaczorowska-Ireland (2016) asserts that there is an academic disagreement on
the use of different approaches to determine whether personal data includes IP addresses.
As per the objective approach, the IP addresses used through the website that were at
issues in this case, may be considered as personal data even if a third party that is, the internet
service provider of Breyer, is only capable of identifying the data subject. On the contrary, the
use of relative approach determines that IP address would form a part of personal data for the
internet access provider of Breyer and not for the website publisher. CJEU states that as per the
definition of personal data under the Data Protection Directive, personal data refers to any
information linked to an identifiable or identified data subject or natural person. An identifiable
person is a person who is subjected to identification directly or indirectly. Therefore, based on
such assumptions, the court stated that the dynamic IP address of Breyer is not regarded as
information that is associated with an ‘identified’ person for the website publisher. This is
because the IP address does not directly disclose the identity of the natural person owning the
computer from which the website was accessed or any other person who might have operated
that computer.
(Koops (2014) argues that the court while determining whether IP addresses amounts to
personal data did not expressly abstained from using the ‘absolute/objective’ approach. It pointed
out that the concept of ‘personal data’ must be assessed using the relative/subjective approach.
However, in order to address the question whether the IP address amounts to personal data, the
court stated that it is not sufficient that only a third party may recognize the individual that has
information about the data. The additional data possessed by the third party holds is necessary to
recognize an individual is relevant if the possibility to merge this data provides a means that is
⊘ This is a preview!⊘
Do you want full access?
Subscribe today to unlock all pages.
Trusted by 1+ million students worldwide
9PRIVACY AND DATA PROTECTION
likely reasonable to be used to recognize the individual. This requires that the recognition of the
data subject is practically and statutorily possible for such party. In other words, it considers the
party holding the data, which, in this case, the internet service provider and the existing means
that are available for recognizing the individual by combining the same with the knowledge held
by the third party.
In regards to the second question, that the court decided was related to the interpretation
of Article 7(f) of the Data Protection Directive which is also known as the balancing provision.
Cini (2016) asserts that as per the Telemedia law in Germany, the provisions stringent when it
comes to storing of IP addresses. This is because the legal provisions permit website publishers
to store IP addresses only if the visitor of the website has obtained consent to store the IP address
or when such storage is made for ensuring proper functioning of the website or billing purposes.
According to Howorth (2014), the Data Protection Directive sets out another legal provision that
permits processing of personal data if the processing is done as per the requirements stipulated in
the directive. One of such requirements is that processing of personal data must be done on legal
basis. Article 7 of the Directive 95/46/C lays down six legal bases that data processing should
comply with in which Article 7(f) is considered as the balancing provision.
In answering to this question, CJEU highlights the points it mentioned in the judgment it
made in ASNEF [2011] that dealt with the balancing provision Article 7(f) of the Directive. In
ASNEF, the CJEU held that Article 7 of the Directive provides restrictive and exhaustive
grounds under which data processing can regarded as legal. Further, the Member States are also
prohibited from amending the scope of six principles that are stipulated under Article 7 of the
Directive.
likely reasonable to be used to recognize the individual. This requires that the recognition of the
data subject is practically and statutorily possible for such party. In other words, it considers the
party holding the data, which, in this case, the internet service provider and the existing means
that are available for recognizing the individual by combining the same with the knowledge held
by the third party.
In regards to the second question, that the court decided was related to the interpretation
of Article 7(f) of the Data Protection Directive which is also known as the balancing provision.
Cini (2016) asserts that as per the Telemedia law in Germany, the provisions stringent when it
comes to storing of IP addresses. This is because the legal provisions permit website publishers
to store IP addresses only if the visitor of the website has obtained consent to store the IP address
or when such storage is made for ensuring proper functioning of the website or billing purposes.
According to Howorth (2014), the Data Protection Directive sets out another legal provision that
permits processing of personal data if the processing is done as per the requirements stipulated in
the directive. One of such requirements is that processing of personal data must be done on legal
basis. Article 7 of the Directive 95/46/C lays down six legal bases that data processing should
comply with in which Article 7(f) is considered as the balancing provision.
In answering to this question, CJEU highlights the points it mentioned in the judgment it
made in ASNEF [2011] that dealt with the balancing provision Article 7(f) of the Directive. In
ASNEF, the CJEU held that Article 7 of the Directive provides restrictive and exhaustive
grounds under which data processing can regarded as legal. Further, the Member States are also
prohibited from amending the scope of six principles that are stipulated under Article 7 of the
Directive.
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
10PRIVACY AND DATA PROTECTION
The CJEU held that as per Article 7(f) of the Data Protection Directive prevents the
Member states from not including the processing of certain categories of personal data without
permitting the opposed interests and rights at issue strike a balance between each other in any
particular case. The provision of Telemedia law is more constraining than the balancing
provision of Article 7(f). Therefore, to answer the question raised in Breyer’s case, the CJEU
held that Article 7(f) of the Data Protection Directive should be construed as one that precludes
the legislation of Member State under which an online media service provider may collect and
use personal data in relation to the user of such service without the user’s consent. This would
take place despite the objective of the service provider would be to ensure general operability of
such services and justifying the use of such data after consulting with the websites.
According to Koops and Leenes (2014), it can be said that Article 7(f) of the Directive
stipulates that the legitimate interests of the controller must be balanced against the fundamental
rights and freedoms of the data subject. The result of such balancing test shall significantly
determine if Article 7(f) of the Directive provides a legal ground for processing data. Zuiderwijk
and Janssen (2014) argue that it is an intricate assessment to conduct the balancing test as it
requires assessment of number of factors. Firstly, it is important to assess what constitutes the
legitimate interest that is pursued by the controller to whom data are disclosed. Secondly, it is
required to examine what constitutes ‘fundamental rights and freedoms or interests’ of the data
subject.
Reid (2017) asserts that the first five grounds stipulated under Article 7(f) is dependent
on the consent of data subject, legal obligation and contractual arrangement or other identified
grounds that are considered as legitimate. The processing of data subject on these five grounds is
considered as a ‘priori legitimate grounds’ hence, it is subjected to compliance with other
The CJEU held that as per Article 7(f) of the Data Protection Directive prevents the
Member states from not including the processing of certain categories of personal data without
permitting the opposed interests and rights at issue strike a balance between each other in any
particular case. The provision of Telemedia law is more constraining than the balancing
provision of Article 7(f). Therefore, to answer the question raised in Breyer’s case, the CJEU
held that Article 7(f) of the Data Protection Directive should be construed as one that precludes
the legislation of Member State under which an online media service provider may collect and
use personal data in relation to the user of such service without the user’s consent. This would
take place despite the objective of the service provider would be to ensure general operability of
such services and justifying the use of such data after consulting with the websites.
According to Koops and Leenes (2014), it can be said that Article 7(f) of the Directive
stipulates that the legitimate interests of the controller must be balanced against the fundamental
rights and freedoms of the data subject. The result of such balancing test shall significantly
determine if Article 7(f) of the Directive provides a legal ground for processing data. Zuiderwijk
and Janssen (2014) argue that it is an intricate assessment to conduct the balancing test as it
requires assessment of number of factors. Firstly, it is important to assess what constitutes the
legitimate interest that is pursued by the controller to whom data are disclosed. Secondly, it is
required to examine what constitutes ‘fundamental rights and freedoms or interests’ of the data
subject.
Reid (2017) asserts that the first five grounds stipulated under Article 7(f) is dependent
on the consent of data subject, legal obligation and contractual arrangement or other identified
grounds that are considered as legitimate. The processing of data subject on these five grounds is
considered as a ‘priori legitimate grounds’ hence, it is subjected to compliance with other
11PRIVACY AND DATA PROTECTION
applicable legal provisions. In other words, it is presumed that there is a balance between various
rights and interests of the data subject and that of the controller taking into account their
compliance with other data protection laws. However, Reid (2017) further states that Article 7(f)
requires a specific test, for cases that are do not qualify the grounds stipulated in Article 7 (a-e)
of the Directive, in particular. This article ensures that beyond the other grounds, any data
processing must establish that it fulfilled the balancing test, taking into consideration the
fundamental rights and interests of the data subject.
In order to determine whether the interest of the controller is legitimate, the interest
should be legitimate otherwise; it would not qualify the threshold stipulated under Article 7(f) of
the Directive. The interest is considered as legitimate until the controller can attain the interest in
a manner that is conformity with the data protection and other relevant laws. For instance,
controllers may have a legal interest to know about the preferences of customers, as it would
help them offer goods and services as per the preferences of the controllers, thus, meeting the
desires and needs of the customers. In this context, Article 7(f) may be considered as an
appropriate legal ground to carry out off-line and on-line activities provided there are appropriate
measures. Nevertheless, this does not imply that the controllers are entitled to monitor the off-
line and on-line activities of their respective customers based on Article 7(f) or combine all the
data that they collected from various sources share them without any workable mechanism to
object or informing them about the same. This would amount to invasion of privacy of customers
resulting in overriding of the controller’s interest and rights of the data subject (Leenes et al.
2017).
Borgesius (2017) states that the Working Party on the Protection of Individuals in
respect of personal data processing that is, set up by Directive 95/46/EC of the European
applicable legal provisions. In other words, it is presumed that there is a balance between various
rights and interests of the data subject and that of the controller taking into account their
compliance with other data protection laws. However, Reid (2017) further states that Article 7(f)
requires a specific test, for cases that are do not qualify the grounds stipulated in Article 7 (a-e)
of the Directive, in particular. This article ensures that beyond the other grounds, any data
processing must establish that it fulfilled the balancing test, taking into consideration the
fundamental rights and interests of the data subject.
In order to determine whether the interest of the controller is legitimate, the interest
should be legitimate otherwise; it would not qualify the threshold stipulated under Article 7(f) of
the Directive. The interest is considered as legitimate until the controller can attain the interest in
a manner that is conformity with the data protection and other relevant laws. For instance,
controllers may have a legal interest to know about the preferences of customers, as it would
help them offer goods and services as per the preferences of the controllers, thus, meeting the
desires and needs of the customers. In this context, Article 7(f) may be considered as an
appropriate legal ground to carry out off-line and on-line activities provided there are appropriate
measures. Nevertheless, this does not imply that the controllers are entitled to monitor the off-
line and on-line activities of their respective customers based on Article 7(f) or combine all the
data that they collected from various sources share them without any workable mechanism to
object or informing them about the same. This would amount to invasion of privacy of customers
resulting in overriding of the controller’s interest and rights of the data subject (Leenes et al.
2017).
Borgesius (2017) states that the Working Party on the Protection of Individuals in
respect of personal data processing that is, set up by Directive 95/46/EC of the European
⊘ This is a preview!⊘
Do you want full access?
Subscribe today to unlock all pages.
Trusted by 1+ million students worldwide
1 out of 19
Related Documents
Your All-in-One AI-Powered Toolkit for Academic Success.
+13062052269
info@desklib.com
Available 24*7 on WhatsApp / Email
![[object Object]](/_next/static/media/star-bottom.7253800d.svg)
Unlock your academic potential
© 2024 | Zucol Services PVT LTD | All rights reserved.