Oral Disclosure of Personal Data: To GDPR or not to GDPR? 

Here’s a pub quiz question for you, “Can a Data Controller circumvent the requirements of data protection law by disclosing personal data verbally rather than in writing?” The answer was “Yes” under the old Data Protection Act 1998.
In Scott v LGBT Foundation Ltd [2020] WLR 62, the High Court rejected a claim that the LGBT Foundation had breached, amongst other things, the claimant’s data protection rights by disclosing information about him to a GP. The court held that the 1998 Act did not apply to purely verbal communications.

Nowadays though, the answer to the above question is no; the oral disclosure of personal data amounts to “processing” as defined by Article 4(2) of the GDPR.
So said the Court of Justice of the European Union (CJEU), on 7th March 2024, in a preliminary ruling in the Endemol Shine Finland

The subject of the ruling is a television company which makes a number of reality TV shows in Finland. It had been organising a competition, and was seeking information from the District Court of South Savo about possible criminal proceedings involving one of the competition participants. It requested the District Court to disclose the information orally rather than in writing. The District Court refused the request on the basis that there was no legitimate reason for processing the criminal offence data under Finnish law, implementing Article 10 of the GDPR.
On appeal Endemol Shine Finland argued that the GDPR did not apply as the oral disclosure of the information would not constitute processing of personal data under the GDPR. 

Article 4(2) GDPR defines “processing” as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means”. On the face of it, this covers oral processing. However, Article 2 states that GDPR applies to processing of personal data “wholly or partly by automated means”, and processing by non-automated means which “forms or is intended to form part of a filing system.” Article 4(6) GDPR defines “filing system” broadly, covering “any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis”. 

The Finnish Court of Appeal requested a preliminary ruling from the CJEU on the meaning of Article 4(2) and whether the particular processing in this case came within the material scope of the GDPR under Article 2. The CJEU held the concept of processing in Article 4(2) of the GDPR necessarily covered the oral disclosure of personal data. It said the wording of the Article made it apparent that the EU legislature intended to give the concept of processing a broad scope. The court pointed out that the GDPR’s objective was “to ensure a high level of protection of the fundamental rights and freedoms of natural persons” and that “circumventing the application of that regulation by disclosing personal data orally rather than in writing would be manifestly incompatible with that objective”.

The CJEU went on to consider whether the oral processing of the data would fall within the material scope of the GDPR under Article 2. It held that it was clear from the request for a preliminary ruling that the personal data sought from the District Court of South Savo is contained in “a court’s register of persons” which appeared to be a filing system within the meaning of Article 4(6), and therefore fell within the scope of the GDPR. 

UK Data Controllers should note the wording of Article 4 and Article 2 of the UK GDPR is the same as in the EU GDPR. So whilst this ruling from the CJEU is not binding on UK courts, it would be wise to assume that picking up the phone and making an oral disclosure of personal data will not allow the UK GDPR to be circumvented.   

This and other GDPR developments will be discussed by Robert Bateman in our forthcoming GDPR Update workshop. We have also just launched our new workshop, Understanding GDPR Accountability and Conducting Data Protection Audits. 


The role of the Court of Justice of the European Union (CJEU) post Brexit


By Susan Wolf

In our previous Blog, we examined the European Union (Withdrawal) Act 2018 and explained that the GDPR, EIR and PECR will remain on the domestic statute book post Brexit. In other words they will continue to be legally binding after the date that the UK leaves the European Union in March 2019.

In this blog we briefly examine the role of the Court of Justice of the EU (or CJEU) post Brexit. We explain how, despite leaving the EU, the interpretive rulings of the CJEU in relation to the following legislation will continue to have relevance for UK organisations and practitioners:

  • The GDPR 2016
  • The Law Enforcement Directive 2016/680
  • The Directive on Public Access to Environmental Information 2003/4
  • The Privacy and Electronic Communications Directive 2002/58

Preliminary Rulings of the CJEU

Any national court or tribunal of a Member State has the right to request a ‘preliminary ruling’ from the CJEU, where it considers that a ruling is ‘necessary’ to enable it to give judgment in a case involving the interpretation of EU law.  The CJEU has jurisdiction to interpret EU Law, but it does not rule on the outcome of a case. This task falls to the national court that has requested the ruling. However, the national court is bound to follow the interpretive ruling, which is binding. The ruling is also authoritative and must be followed by the courts and tribunals of all the Member States.

For example in East Sussex County Council v the ICO (2013), the First Tier  (Information Rights) Tribunal requested a ruling from the CJEU on the meaning of the ‘reasonable charges’ for the supply of environmental information.  Quite clearly, the CJEU’s interpretation has had major implications for public authorities subject to the EIR 2004, particularly those providing property search information. But the interpretation given by the CJEU is also binding on public authorities throughout the EU.

The purpose of the procedure is to ensure that EU Law is interpreted ‘uniformly.’ This is particularly important given that the EU currently comprises 28 Member States and has 24 official languages and each country has a different and unique legal tradition and culture.

A Red Line not to be crossed

The role of the Court of Justice, post Brexit, has been one of the controversial aspects of the Brexit negotiations, with the Prime Minister Theresa May suggesting that its continued jurisdiction was a ‘red line’ not to be crossed. In fact the position is more complex and nuanced.

Under the terms of the EU Withdrawal Act 2018, the UK national courts and tribunals, including the First Tier (Information Rights) Tribunal, will no longer be allowed to refer questions about the interpretation of EU law to the Court of Justice. However, in the interest of certainty, these previous rulings, in so far as they relate to retained EU law provisions, are still to be regarded as binding. Therefore, any questions as to the meaning of EU retained law will be determined by the UK courts by reference to the CJEU’s case law as it exists on the day the UK leaves the EU. For example, the CJEU’s ruling on the interpretation of the Privacy and Electronic Communications Directive in a German case (Deutsche Telekom AG v Bundesrepublik Deutschland (2011)) continues to be binding on the UK courts.

The Supreme Court

The position is different for the Supreme Court  (or High Court of Justiciary in Scotland). Under the EU (Withdrawal) Act both the English and Scottish highest courts can depart from any retained EU case law if it appears ‘right to do so’. In deciding whether to do this the court must apply the same test as it would apply in deciding whether to depart from its own case law. In practice, this power is exercised rarely and there is no reason to suggest that the Supreme Court will seek to depart from any existing CJEU rulings, at least in the immediate future.

What about future CJEU rulings?

There can be no doubt that the GDPR and the Law Enforcement Directive 2016 will raise significant questions of interpretation in the future. Inevitably the CJEU will soon be faced with preliminary ruling requests on key questions, such as the interpretation of the ‘right to be forgotten’ in the GDPR. However, given the time it takes to obtain a preliminary ruling (often over a year), it will be some time before the Court is able to cast some light on these new provisions.

As one might expect, the EU Withdrawal Act makes it clear that the domestic national courts and tribunals are no longer bound by any principles laid down, or any decisions made by the CJEU on or after the date of exiting the EU. This comes as no surprise. However, what is perhaps less well known is that the national courts and tribunals may have regard to post Brexit rulings if the national court ‘considers it appropriate to do so’. Of course, it remains to be seen how willing the national courts will be to ‘follow’ any future rulings. However, it would be prudent to suggest that information rights/data protection practitioners and lawyers should still pay close attention to future CJEU rulings on the interpretation of EU information rights and data protection laws, post March 2019.

(Future CJEU preliminary rulings will be posted on the Act Now Blog).
