BVwG - W108 2274731-1/11E
| BVwG - W108 2274731-1/11E | |
|---|---|
 | |
| Court: | BVwG (Austria) |
| Jurisdiction: | Austria |
| Relevant Law: | Article 58(2) GDPR |
| Decided: | 28.01.2025 |
| Published: | 31.01.2025 |
| Parties: | Clearview AI |
| National Case Number/Name: | W108 2274731-1/11E |
| European Case Law Identifier: | |
| Appeal from: | DSB (Austria) 2022-0.277.156 |
| Appeal to: | |
| Original Language(s): | German |
| Original Source: | GDPRhub (in German) |
| Initial Contributor: | ao |
A court held that the DPA should reconsider its decision dismissing an application to ban Clearview AI’s processing of personal data. The court found that although there is no subjective right to such a ban, the appropriate assessment of the factual circumstances would have revealed that it was the only appropriate measure.
English Summary
Facts
On the 27 May 2021 noyb filed a complaint against Clearview AI, here the controller, with the Austrian DPA (Datenschutzbehörde – DSB). Clearview AI is a company which provides a facial recognition platform allowing users to compare photos of people with images of them found online.
noyb brought forward that the controller could not rely on a legal basis for the processing of personal data of the represented data subject. More importantly, noyb requested for the data processing activities of the controller to be banned by the DPA under Article 58(2)(f) GDPR.
The DSB found that the controller had violated the GDPR (see DSB (Austria) - 2022-0.277.156). However, the DSB decided that the erasure of the personal data was an appropriate measure under Article 58 GDPR and that the additional prohibition therefore would not be necessary.
noyb appealed the dismissal of the prohibition request to the Federal Administrative Court of Austria (Bundesverwaltungsgericht – BVwG).
noyb’s argument
noyb stated that the mere confirmation of a violation did not provide adequate legal protection from future unlawful data processing. noyb explained that even if the controller deleted the data subject’s personal information, it was likely that the controller would again process the data subject’s pictures as its business model is based on finding pictures of people online and processing them.
Further, noyb argued that the data subject did have a subjective right to a prohibition on the processing as it was the only effective option available. The controller continuously scans the internet for pictures so if the data subject’s pictures were deleted it would only be a matter of time until they would be processed again.
Additionally, a subjective right to an injunction was necessary as otherwise data subjects would have to bring a separate action for an injunction. This would put data subjects at a disadvantage particularly in regard to the cost of bringing such an action.
noyb therefore applied for the BVwG to either prohibit the controller from processing the data or to remit the matter to the DSB.
Holding
The BVwG brought forward that C-768/21 showed that DPAs can choose which measure under Article 58(2) GDPR to apply as long as the chosen measure guarantees the adherence to the GDPR. The court stated that this is further detailed in Recitals 7 and 10 as meaning that an equal level of protection must be guaranteed through the chosen measure.
The BVwG concluded that DPAs are therefore obliged to take appropriate actions which will guarantee the GDPR protections. This meant that there is no subjective right and therefore no basis for the application made by noyb for an injunction.
However, the BVwG criticized that the DSB simply disregarded the application as there is no provision for a subjective right to a prohibition on processing without delving into the factual circumstances. The BVwG declared that this omitted the need to assess whether a different measure under Article 58(2) GDPR would have been more appropriate. It further highlighted that the DSB hadn’t properly explained why it assessed erasure to be a more appropriate measure rather than a prohibition on future processing.
The BVwG assessed that the controller willingly accepts violating the GDPR as part of its business model. It highlighted that the controller’s activities had been subject of several injunctions throughout the EU. It clarified that only a prohibition on the processing would undermine future unlawful processing and none of the other options under Article 58(2) GDPR would suffice.
As the BVwG declared that the DSB had inadequately analysed the factual circumstances in its determination, the case was remitted to the DSB.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
