Recent CJEU case law on personal data protection

The Court of Justice of the EU (CJEU) has issued several judgements concerning personal data protection. In several aspects, some of them diverge from the current approach of the Office of Personal Data Protection and from previous CJEU case law.

In one of its rulings, the CJEU commented on a practice of Planet49, a German company that had been using a pre-ticked checkbox to obtain user consent with its online advertising lottery. The CJEU found such consent insufficient, as it was neither freely given, specific, explicit, informed, nor an active expression of the user’s will.

The CJEU’s conclusion is not at all surprising, considering the wording of the GDPR and e-Privacy directive. The Czech Act on Electronic Communication, however, stipulates that users do not have to give consent to cookies as long as they are given an option to express their dissent (an ‘opt-out’ regime). The act is therefore contrary to EU law; as a result of the incorrect implementation of the respective EU Directive. The Office of Personal Data Protection is currently preparing an update to its recommendation on how to use cookies correctly.

In another decision, the CJEU followed up on its ground-breaking judgment of 2014 whereby it had granted users ‘the right to be forgotten’. The court now relativised this right, stating that it has to be assessed in light of the proportionality principle and weighted against other fundamental rights, including the right to free access to information. The court held that Google did not have to remove data on persons that requested so from all language versions of its search engine; it shall suffice to do so on domains belonging to EU member states.  Yet, according to the CJEU, Google should use measures to prevent or at least discourage users from EU member states from using non-EU versions of the search engine.

Another crucial CJEU verdict concerned the interpretation of the EU Directive on Electronic Commerce. Under Article 15 of the directive, providers of information society services (e.g. also webhosting providers such as Facebook) have no general obligation to monitor the content they store. However, in its decision the CJEU stated that the directive does not preclude a court of a member state from ordering a host provider to remove stored information whose content is identical or equal to the content of information that had previously been declared unlawful. Surprisingly, the CJEU also added that such court orders may have a worldwide effect.

If you are interested in the above decision, you may read more about them in our blog: www.kpmglegal.cz/blog.