Tallinna Halduskohus - 3-19-579: Difference between revisions

Revision as of 13:01, 31 January 2020

Tallinna Halduskohus - 3-19-579

Court:	CE (France)
Jurisdiction:	France
Relevant Law:	Article 4(11) GDPR Articles 8, 20 and 82 of the French Data Protection Act ePrivacy Directive 2002/58/EC
Decided:	16. 10. 2019
Published:	n/a
Parties:	La Quadrature du Net, Caliopen and CNIL
National Case Number:	3-19-579
European Case Law Identifier:	n/a
Appeal from:	CNIL (France)
Language:	French
Original Source:	CONSEIL D'ETAT (in FR)

22 November 2019, the Tallinn administrative court finds that the AKI (Estonian DPA) must act and issue a decision based on the intent of the submission received, not merely its formal characteristics.

English Summary

Facts

The complainant made a submission to the Estonian DPA, which the DPA interpreted as a request for information and not as a complaint in terms of 77(1) GDPR. The complainant, however, expected the submission to be processed as a GDPR 77(1) complaint.

Dispute

The issue was mainly to know the margin of discretion within which the AKI assesses the complaints submitted and to what extend the administative judge can review it.

Holding

The court found that the complainant's submission to the DPA clearly requested DPA assistance in preventing unlawful use of the complainant's personal data and interpreting it merely as a request for information was not justified. The court emphasized that the intent of a submission must be considered by the DPA and that a more convenient process cannot be selected merely because a complaint is vaguely formulated or the content briefly stated. The court further noted that a complainant does not need to outline which data protection measures they expect the DPA to undertake, nor do they even need to understand what are the measures available to the DPA - rather, the DPA must evaluate the substance of a complaint and decide for itself which measures are appropriate and accompany any refusal to process a complaint with the required justification.

The decision references GDPR 77(1) and Estonian Data Protection Act §28 p 1.

Comment

Share your comment on the decision here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the French original for more details.

to be completed..

@@ Line 1: / Line 1: @@
 {| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"
-!colspan="2"| CE - N° 433069
+! colspan="2" |Tallinna Halduskohus - 3-19-579
 |-
-|colspan="2" style="padding: 20px; background-color:#ffffff;"|[[File:Conseil_D'Etat_photo.png|center|150px]]
+| colspan="2" style="padding: 20px; background-color:#ffffff;" |[[File:Conseil_D'Etat_photo.png|center|150px]]
 |-
-| Court: || [[:Category:CE (France)|CE (France)]] [[Category:CE (France)]]
+|Court:||[[:Category:CE (France)|CE (France)]]
+[[Category:CE (France)]]
 |-
-| Jurisdiction: || [[Data Protection in France|France]] [[Category:France]]
+|Jurisdiction:||[[Data Protection in France|France]]
+[[Category:France]]
 |-
-| Relevant Law: ||
+|Relevant Law:||
+[[Article 4 GDPR#11|Article 4(11) GDPR]]
-[[Article 4 GDPR#11|Article 4(11) GDPR]] [[Category:Article 4(11) GDPR]]
+[[Category:Article 4(11) GDPR]]
 Articles 8, 20 and 82 of the [https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=LEGITEXT000006068624&dateTexte=20190212 French Data Protection Act]
@@ Line 17: / Line 19: @@
 |-
-| Decided: || 16. 10. 2019
+|Decided:||16. 10. 2019
 [[Category:2019]]
 |-
-| Published: || n/a
+|Published:||n/a
 |-
-| Parties: || [https://www.laquadrature.net/en/ La Quadrature du Net], [https://www.caliopen.org/en/ Caliopen] and [https://www.cnil.fr/ CNIL]
+|Parties:||[https://www.laquadrature.net/en/ La Quadrature du Net], [https://www.caliopen.org/en/ Caliopen] and [https://www.cnil.fr/ CNIL]
 |-
-| National Case Number: ||  N°433069
+|National Case Number:||3-19-579
 |-
-| European Case Law Identifier: || n/a
+|European Case Law Identifier:||n/a
 |-
-| Appeal from: ||  [[CNIL (France)]]
+|Appeal from:||[[CNIL (France)]]
 |-
-| Language: || French [[Category:French]]
+|Language:||French
+[[Category:French]]
 |-
-| Original Source: || [https://www.conseil-etat.fr/ressources/decisions-contentieuses/dernieres-decisions-importantes/conseil-d-etat-16-octobre-2019-plan-d-action-de-la-cnil-en-matiere-de-publicite-ciblee CONSEIL D'ETAT (in FR)]
+|Original Source:||[https://www.conseil-etat.fr/ressources/decisions-contentieuses/dernieres-decisions-importantes/conseil-d-etat-16-octobre-2019-plan-d-action-de-la-cnil-en-matiere-de-publicite-ciblee CONSEIL D'ETAT (in FR)]
 |}
-Council of State (''Conseil d'Etat'') confirms the [[CNIL (France)|CNIL]]'s discretion to initiate consultation process to define new practical arrangements for expressing consent in targeted advertisement and to provide stakeholders with a period of adaptation to comply with it.
+November 2019, the Tallinn administrative court finds that the AKI (Estonian DPA) must act and issue a decision based on the intent of the submission received, not merely its formal characteristics.
 ==English Summary==
 ===Facts===
-In July 2018 the [[CNIL (France)|CNIL]] adopted a decision clarifying the new rules on consent for targeted advertisement under GDPR. It initiated a consultation process for the first quarter of 2020 to define the practical arrangements for obtaining consent. It determined a six-month adaptation period.
+The complainant made a submission to the Estonian DPA, which the DPA interpreted as a request for information and not as a complaint in terms of 77(1) GDPR. The complainant, however, expected the submission to be processed as a GDPR 77(1) complaint.
-Two associations requested to annul the decision of [[CNIL (France)|CNIL]] on grounds of excess of power and to instruct it to publish both on its website and on the pages of its press releases of 28 June and 18 July, a reference to the decision of the Conseil d'Etat which should indicate that "continued navigation" does not constitute a valid means of expressing consent for cookies and online tracking devices, while every day of delay would imply a penalty of 500 euros.
 ===Dispute===
-The Council has to assess whether the [[CNIL (France)|CNIL]] had the power to initiate such a process.
+The issue was mainly to know the margin of discretion within which the AKI assesses the complaints submitted and to what extend the administative judge can review it.
-=== Holding===
+===Holding===
-The Council found that the [[CNIL (France)|CNIL]] is an independent administrative authority with wide discretion in the exercise of its missions. In this sense, the CNIL can initiate such an action plan in order to achieve more effective compliance with the data protection law.
+The court found that the complainant's submission to the DPA clearly requested DPA assistance in preventing unlawful use of the complainant's personal data and interpreting it merely as a request for information was not justified. The court emphasized that the intent of a submission must be considered by the DPA and that a more convenient process cannot be selected merely because a complaint is vaguely formulated or the content briefly stated. The court further noted that a complainant does not need to outline which data protection measures they expect the DPA to undertake, nor do they even need to understand what are the measures available to the DPA - rather, the DPA must evaluate the substance of a complaint and decide for itself which measures are appropriate and accompany any refusal to process a complaint with the required justification.
-The Council ruled that the six-month period of tolerance which the CNIL provided the stakeholders in order to fully comply with the rules is legal. Finally, the CNIL’s decision does not prevent the Commission from carrying out controls during the mentioned period and imposing sanctions for serious breaches of the new data protection framework.
+The decision references GDPR 77(1) and Estonian Data Protection Act §28 p 1.
 ==Comment==