BVwG - W274 2243175-1: Difference between revisions

From GDPRhub
No edit summary
Line 57: Line 57:
Both data subject and (alleged) controller are natural persons using Facebook. The controller is the admin of several Facebook groups and the data subject had joined one of these groups that dealt with "stress coping". The data subject and the controller engaged in a chat on Facebook, which the controller took screenshots of and disclosed them to the ex-boyfriend of the data subject.
Both data subject and (alleged) controller are natural persons using Facebook. The controller is the admin of several Facebook groups and the data subject had joined one of these groups that dealt with "stress coping". The data subject and the controller engaged in a chat on Facebook, which the controller took screenshots of and disclosed them to the ex-boyfriend of the data subject.


The data subject filed a complaint with the Austrian Data Protection Authority (Datenschutzbehörde - DSB) against the controller, which argued that the GDPR does not apply because the relevant online-activities have not been publicly visible. The DSB interrogated the ex-boyfriend as a witness and then upheld the complaint. It held that the data processing violated § 1 Austrian Data Protection Act (Datenschutzgesetz - DSG) but did not assess the case under the GDPR.
The data subject filed a complaint with the Austrian Data Protection Authority (Datenschutzbehörde - DSB) against the controller, which argued that the GDPR does not apply because the relevant online-activities have not been publicly visible. The DSB interrogated the ex-boyfriend as a witness and then upheld the complaint. It held that the data disclosure violated § 1 Austrian Data Protection Act (Datenschutzgesetz - DSG). However, the DSB did not assess the case under the GDPR.


The controller filed an appeal against this decision with the Federal Administrative Court. (Bundesverwaltungsgericht - BVwG).
The controller filed an appeal against this decision with the Federal Administrative Court. (Bundesverwaltungsgericht - BVwG).


=== Holding ===
=== Holding ===
The BVwG did not issue a decision on the merits of the case but remitted it to the DSB, ordering it to properly establish the facts of the case. It pointed out a variety of omissions and errors by the DSB when establishing the facts of the case. For example, the BVwG held that the DSB failed to assess ''which'' personal data of the data subject have actually been disclosed to the witness (ex-boyfriend of the data subject alleged data recipient) and if the witness already had been in possession of these data before. Furthermore, the DSB had failed to address several relevant questions to the witness, ignored several statements of the controller and ambiguities in the data subject's submissions, failed also to interrogate the data subject and did not explain its consideration of evidence.
The BVwG did not issue a decision on the merits of the case but remitted it to the DSB, ordering it to properly establish the facts of the case. It pointed out a variety of omissions and errors by the DSB when establishing the facts of the case. For example, the BVwG held that the DSB failed to assess ''which'' personal data of the data subject have actually been disclosed to the witness (ex-boyfriend of the data subject alleged data recipient) and if the witness already had been in possession of these data before. Furthermore, the DSB had failed to address several relevant questions to the witness, ignored several statements of the controller and ambiguities in the data subject's submissions, failed to interrogate the data subject and did not explain its consideration of evidence.


On a legal level, the BVwG held that the DSB failed to assess whether the household exemption under Article 2(2)(c) GDPR applied on the case, since the controller is a natural person and the data disclosed stems from a private chat which has only been shared with one other individual. In this regard, the DSB also failed to assess, whether the controller' activity as admin of several Facebook groups was purely personal or - as argued by the data subject - part of the controller's entrepreneurial activities.
On a legal level, the BVwG held that the DSB failed to assess whether the household exemption under Article 2(2)(c) GDPR applied on the case, since the controller is a natural person and the data disclosed stems from a private chat which has only been shared with one other individual. In this regard, the DSB also failed to assess, whether the controller' activity as admin of several Facebook groups was purely personal or - as argued by the data subject - part of the controller's entrepreneurial activities.

Revision as of 16:09, 11 January 2022

BVwG - W274 2243175-1
Courts logo1.png
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 2(2)(c) GDPR
§ 1 Austrian Data Protection Act (Datenschutzgesetz - DSG)
Decided: 06.12.2021
Published: 07.01.2022
Parties: unnknown data subject
unknown controller
Austrian Data Protection Authority (Datenschutzbehörde - DSB)
National Case Number/Name: W274 2243175-1
European Case Law Identifier: ECLI:AT:BVWG:2021:W274.2243175.1.00
Appeal from: DSB
D124.2423
Appeal to: Unknown
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (RIS) (in German)
Initial Contributor: n/a

The Federal Administrative Court (BVwG) remitted a case to the Austrian DPA (DSB) because the DSB had failed to establish the facts of the case properly and to assess whether the household exemption applied.

English Summary

Facts

Both data subject and (alleged) controller are natural persons using Facebook. The controller is the admin of several Facebook groups and the data subject had joined one of these groups that dealt with "stress coping". The data subject and the controller engaged in a chat on Facebook, which the controller took screenshots of and disclosed them to the ex-boyfriend of the data subject.

The data subject filed a complaint with the Austrian Data Protection Authority (Datenschutzbehörde - DSB) against the controller, which argued that the GDPR does not apply because the relevant online-activities have not been publicly visible. The DSB interrogated the ex-boyfriend as a witness and then upheld the complaint. It held that the data disclosure violated § 1 Austrian Data Protection Act (Datenschutzgesetz - DSG). However, the DSB did not assess the case under the GDPR.

The controller filed an appeal against this decision with the Federal Administrative Court. (Bundesverwaltungsgericht - BVwG).

Holding

The BVwG did not issue a decision on the merits of the case but remitted it to the DSB, ordering it to properly establish the facts of the case. It pointed out a variety of omissions and errors by the DSB when establishing the facts of the case. For example, the BVwG held that the DSB failed to assess which personal data of the data subject have actually been disclosed to the witness (ex-boyfriend of the data subject alleged data recipient) and if the witness already had been in possession of these data before. Furthermore, the DSB had failed to address several relevant questions to the witness, ignored several statements of the controller and ambiguities in the data subject's submissions, failed to interrogate the data subject and did not explain its consideration of evidence.

On a legal level, the BVwG held that the DSB failed to assess whether the household exemption under Article 2(2)(c) GDPR applied on the case, since the controller is a natural person and the data disclosed stems from a private chat which has only been shared with one other individual. In this regard, the DSB also failed to assess, whether the controller' activity as admin of several Facebook groups was purely personal or - as argued by the data subject - part of the controller's entrepreneurial activities.

Consequently, the BVwG ordered the DSB to establish the facts of the case properly and to then assess it under the GDPR, taking into account that the household exemption applies.

Comment

The BVwG's decision is in line with it's decision W256 2240235-1 where the BVwG also remitted a case because the DSB has failed to establish the facts of the case properly.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.



court
Federal Administrative Court


Decision date
December 06, 2021


Business number
W274 2243175-1


Saying


W274 2243175-1 / 3E
The Federal Administrative Court, through the judge Mag. Lughofer as chairman and the expert lay judges Prof. KommR Pollirer and Dr. Gogola as observer on the complaint of XXXX, represented by Mag.Philipp MILLER, Heinrichsgasse 4, 1010 Vienna, against the decision of the data protection authority, Barichgasse 40-42, 1030 Vienna, from April 28th, 2021, GZ: D124.2423, Mitbeteiligte XXXX, in closed session the
DECISION:

The complaint is followed up, the decision pursuant to Section 28 (3) VwGVG is revoked and the case is referred back to the data protection authority to supplement the procedure and issue a new decision.

The revision is not permitted in accordance with Art. 133 Para. 4 B-VG.



text
Reason:
 XXXX (hereinafter: Participants, MB) contacted the data protection authority (hereinafter: the authority concerned) by email on April 22nd, 2020 and lodged a complaint against XXXX (hereinafter: the complainant before the Administrative Court, BF ). She stated that the BF was independent and ran various groups on Facebook. The MB itself is also in one of these groups, where it is a matter of dealing with stress properly. The MB had a conversation with the BF and the latter had forwarded the entire chat process to the ex-boyfriend of the MB, who then made her stressful. BF looks after the group as an entrepreneur.
According to the information in the complaint, a "chat history" with the BF and with her ex-boyfriend XXXX is connected.
In fact, there are apparently screenshots of the mobile phone with a message flow between the MB on the one hand and the BF on the other, and a message with a sender “XXXX” on the last sheet.
After the urgency, the BF, represented by a lawyer, expressed itself on October 27, 2020 that it had not forwarded a chat process to anyone. The term “group” is used in the complaint, but a private chat history is presented. This argument is incomprehensible. The MB itself violated the confidentiality of the submitted communication by transmitting pages of private chat history to the authority concerned, from which nothing relevant to the authority could be seen. The BF is not independently active with Facebook. Your internet activities are private and do not fall under the GDPR due to the lack of publicity.
After sending this statement on the party to be heard to the MB, the latter stated by email on December 7th, 2020, "of course the BF has a group".
She submitted a “Screnn from the group”.
The authority in question heard XXXX as a witness on February 18, 2021.
On March 17th, 2021, the MB commented on this protocol by email that the witness XXXX was not telling the truth. The truth is being twisted here on purpose.
With the contested decision, the authority in question upheld the complaint and found that the BF had thereby violated the MB's right to secrecy by illegally disclosing their data to a third party.
The authority concerned made the following factual findings (the names of the parties were adapted):
“The BF founded the“ XXXX ”group on Facebook. The MB became a member of this group at a time that can no longer be determined and has started a chat with the BF. The BF transmitted a chat between itself and the MB to XXXX at an undetectable point in time. "
Legally, the authority in question concluded that the BF's submission that its internet activities did not fall under the GDPR due to the lack of publicity did not apply, since § 1 (1) GDPR grants a comprehensive right to confidentiality of personal data, regardless of the technical and organizational conditions their processing. As stated, the BF had transmitted a chat process that had taken place between itself and the MB to XXXX. Since the processing that is the subject of the proceedings was carried out without the existence of a fundamental encroachment within the meaning of Section 1 (2) DSG, the complaint was to be granted and the violation of the MB's right to secrecy declared.
The BF's complaint against this decision due to "incompetence of the authority concerned, violation of constitutionally guaranteed rights, content unlawfulness, unlawfulness due to the violation of procedural regulations, deficiencies in findings, incorrect legal assessment as well as incorrect evidence and incorrect determination of facts" is directed with the primary application, the decision repeal or change to the effect that it is stated that the BF has not violated the rights of the MB. An oral hearing is also requested.
The authority in question submitted the complaint, including the electronic file, to the BVwG on June 8th, 2021 with reference to the notification with the request to reject the complaint.
The complaint is justified in the sense of the alternative application for annulment:
According to Section 28 (1) VwGVG, the administrative court has to deal with the complaint on the basis of knowledge, unless it is to be rejected or the proceedings are discontinued.
According to Paragraph 2, the administrative court has to decide on the matter itself on complaints according to Art. 130 Paragraph 1 Z. 1 B-VG, if
1. the relevant facts are established or
2. the determination of the relevant facts by the administrative court itself is in the interest of speed or is associated with considerable cost savings.
According to Paragraph 3, the administrative court must decide on the matter itself if the requirements of Paragraph 2 are not met and the authority does not contradict this when submitting the complaint, taking into account the essential simplification or acceleration of the procedure. If the authority has failed to investigate the facts of the matter, the administrative court can set aside the contested decision with a resolution and refer the matter back to the authority for a new decision to be issued. The authority is bound by the legal assessment that the administrative court based its decision on.
According to the case law, the possibility of remittal can only be used in the case of blatant or particularly serious gaps in the investigation, for example if the authority concerned has only taken completely unsuitable investigative steps to determine the relevant facts or has only rudimentarily determined or if specific indications suggest that the administrative authority failed to conduct investigations so that these could then be carried out by the VwG (Fister / Fuchs / Sachs, Verwaltungsgerichtsverfahren² (2018), Section 28 VwGVG, note 13 with further references).
Pursuant to Section 39 (2) AVG, if the administrative regulations do not contain any orders, the authority must proceed ex officio and determine the course of the investigation process while observing the regulations contained in this part. In particular, it can hold an oral hearing ex officio or upon request. In all of these procedural orders, the authority has to be guided by considerations of expediency, speed, simplicity and cost savings.
In accordance with the principle of arbitrary order, the authority has to determine which facts are to be proven (subject of evidence), it has to determine the evidence to be taken and their sequence, carefully exhausting all sources of knowledge available to it and ascertaining all circumstances that arise from the facts offer or prove useful. However, it is not obliged to conduct ex officio investigations that are in all probability superfluous (Hengstschläger / Leeb, AVG § 39, margin no. 20, (as of July 1, 2005, rdb.at).
Pursuant to Section 45 (2) AVG, the authority has to judge, with careful consideration of the results of the investigation, whether a fact can be assumed to be proven or not.
According to Paragraph 3, the parties must be given the opportunity to take note of the result of the taking of evidence and to comment on it.
According to Section 46, everything that is suitable for the question of the relevant facts and that is expedient according to the situation of the individual case can be considered as evidence.
According to § 48 and 51 AVG, both witnesses and participants can be heard, whereby §§ 48 and 49 also apply to the questioning of participants for the purpose of providing evidence.
The authority is obliged to carry out an evidence procedure ex officio in accordance with §§ 45ff AVG in order to determine the complete, legally relevant (authoritative) and true facts (Hengstschläger / Leeb, AVG § 45, Rz. 1 mwN). This is the outflow of the official maxim as well as the principle of material truth.
In its complaint, the BF stated in summary that the witness was initially not confronted with the unbelievability of his statement, which the authorities had apparently assumed, according to which he had “made a mistake”. In addition, the assessment of the evidence was inconclusive in this regard, because there was no justification for why the witness was "not very credible". The witness was also not asked what the sentence held up could mean in the context. There is no explanation as to how and why the “submitted message” of the witness should be related to a chat history.
The submission of the BF that they did not forward a chat history to anyone and that the MB did not provide any evidence for this was tacitly ignored by the authority in question. The MB was wrongly not questioned as a testimony. The authority in question had also not dealt with the allegation that the term “group” was used in the complaint, but that a private chat history was presented. Incidentally, it was not even determined whether personal data had been passed on at all. In this context, the authority in question should also have dealt with the question of whether the data was already known, since apparently the witness was the ex-boyfriend of the MB and in the "course" presented was only talking about everyday things. Dislocated findings by the authorities in question indicated that a chat process that had taken place between the BF and the MB had been transmitted to XXXX, but not what data it contained and whether § 1 DSG was applicable to this data.
Incidentally, the alleged violation of the law could also be before the time of the establishment of the authority concerned, so that the responsibility of the data protection commission at the time existed and the authority concerned was not competent. A procedural error also lies in the fact that the BF was not questioned. The authority in question did not determine how the alleged forwarding should have happened. Furthermore, in the reproduction of the submission, the decision stated that “WhatsApp messages” had been submitted, “Facebook” was mentioned elsewhere, then “groups” again. The relationship and meaning of “WhatsApp”, “Facebook” and “Groups” as well as “Chat” is completely open. In its email of April 22nd, 2020, MB sent screenshots that should be in chronological order. Pages 11 and 12 are a chronology, but not comprehensible, so the course makes no sense. So it says on page 12: “Thank you for forwarding it XXXX”. Why you follow this passage, this message, is incomprehensible. After page 15 of the documents submitted by MB, there is a screenshot with the title "XXXX". From this it could not be deduced who had had a conversation with whom, let alone when.
On the occasion of the complaint, the following must first be stated:
The authority concerned established the very brief facts reported above. Essentially, she assumes that MB has become a member of a “Facebook group”. Furthermore, she had a "chat" with the BF, whereby the BF had transmitted the "chat history" to a third party named.
Legally, the authority in question denied the existence of a permit, in particular without addressing the question of whether a “household exception” within the meaning of Art 2 Paragraph 2 lit c GDPR could exist. In this context, it also remains open whether the membership in a "group" accepted by the authority is related to the chat or its forwarding.
In this context, the BF combats, among other things, the finding that the chat process had been forwarded to this third party and complained in this regard of the failure to question the BF and the MB.
The assessment of the evidence on which the determination that "a chat history" is supposed to have been transmitted is based does not even come close to meeting the criteria resulting from Section 45 (2) AVG:
The authority concerned refers to part of a screenshot submitted by the MB, based on “XXXX”, which in the original reads: “And ned you write to whom, but you! XXXX has forwarded it to me !! "The authority in question questioned XXXX as a witness, but contented itself with the decisive question (page 3 of the protocol) with an apparently unimproved, hardly informative protocol:
“I made a mistake, I didn't mean to continue writing, but to pass on. Ms. "XXXX" asked me whether this XXXX was my ex-girlfriend (Ms. XXXX and XXXX are apparently the same person, namely MB XXXX, note from the court). I don't know whether it was a phone call or a chat message. "
The authorities in question did not question the contradicting statements that the witness made a mistake, that he did not “write on” something but “passed it on” and, on the other hand, he no longer knew whether it was a phone call or a chat message . She also refrained from any questioning of when something was said to have been passed on to the witness. Quite generally, and in particular with regard to the lack of clarity of the witness’s statements, there is also the requirement that the BF should be confronted with the witness’s testimony “XXXX sent it to me”.
Since it is undisputed that a chat process took place between the BF and the MB, only its “forwarding” could possibly be of relevance under data protection law.
In the event that such a forwarding is established, however, it would also be necessary to determine what content the chat history transmitted to the witness should have had. Since a complaint due to a breach of the right to secrecy is relevant, what is essential is what content may have been unlawfully transmitted to a third party. The ruling only mentions “the complainant's data” which are said to have been unlawfully disclosed to a third party. The assessment of the evidence shows that the authority in question apparently assumes that the messages presented correspond to the chat history that was transmitted to XXXX. In fact, in this regard, express statements are required on the basis of a comprehensible evaluation of evidence.
In the case of a justified determination of the forwarding of the chat process or any parts of it, should this be assigned the character of the processing of personal data of the MB, it would finally have to be checked whether Art 2 Paragraph 2 lit c GDPR, the household exception, applies:
According to this provision, the GDPR does not apply to the processing of personal data by natural persons for the exercise of exclusively personal or family activities, so-called household exemption.
This only includes activities that belong exclusively to the private or family life of individuals (Bergauer in Jahnel, commentary on the General Data Protection Regulation, Art. 2 Rz. 21).
Such activities exist when they are carried out without reference to a professional or economic activity, even if they concern or may concern data of other people. For example, the use of social networks and online activities in the context of such activities are mentioned (as above, margin no.22).
The fact that the private use of social networks should generally be excluded from the scope is not convincing and is excessive. Rather, it can be assumed that the household exemption will not apply if personal data is published on the Internet, so that this data is made available to an unlimited number of people. As already stated by the Supreme Court, the exception of Article 2 (2) (c) GDPR is to be interpreted restrictively. A personal or family activity is hostile to the public, which is why, for example, putting online family trees or personal information about other people, be they related or friends, is not covered by the exception (as above, margin no.26).
The exclusively private use of messenger services such as WhatsApp or Skype will therefore be excluded from the scope of the GDPR, provided that it is not associated with the publication of personal data of data subjects. A private posting on the Facebook pin board or via Twitter, which can be accessed without restriction on the Internet and contains personal data of third parties, is subject to the GDPR (as above, RZ 27).
According to the ECJ, processing of personal data only falls under the exception if it is carried out in the exclusively personal or family sphere of the person who processes the data. The exchange of information within an organization (association, community, interest group) is not purely personal. If privacy is left, whether for commercial or non-commercial activity, the law applies (OGH 20.12.20018 6 Ob 131 / 18k).
Examples for the private sector are leisure, vacation, private consumption, sport or entertainment. The key criterion is attributability to the private sector. The use of social networks and online activities are only included if this is restricted to a certain group of users. If photos and videos are made available to a manageable number of friends on a private Facebook page, the household privilege applies (Hotl in Knyrim, DatKomm Art 2 GDPR margin nos. 63, 67, 68, 70, 71 - as of December 1, 2018 - rdb.at) .
The applicability of the household exception in the area of the DSG is controversial:
According to Thiele / Wagner, Section 4 (1) GDPR declares that the GDPR is applicable in addition to the GDPR, without referring to the exceptions in Article 2 (2), (3) and (4) of the GDPR. In principle, the GDPR does not apply in the Austrian legal system for the areas of application mentioned in Art. 2, Paragraphs 2, 3 and 4. However, in the absence of a corresponding catalog of exceptions for the DSG, according to Section 4 this is very applicable for these areas. According to part of the teaching, the budget exception is not transferable to the DSG, which is why this remains applicable (Thiele / Wagner, practical comment on the Data Protection Act § 4 margin nos. 63 and 64).
On the other hand, another part of the teaching, the legal materials and the authorities concerned, as far as can be seen, assume a fundamental applicability of the budget exception also in the scope of the DSG:
In the legal materials on § 4 Paragraph 1 DSG it is stated that processing that is excluded from the scope of the GDPR due to Art. 2 Paragraph 2 lit. c should also not be covered by the DSG (see AB 1761 BlgNr XXV, GP 4 and 8, margin no.29).
Regarding GZ 2021-0.285.169 of May 3, 2021, the authority concerned comes to the result, for example, that if a matter falls within the scope of Article 8 EU-GRC, any constitutional provisions that would offer the same guarantee would remain "dormant in force" and the assessment is based exclusively on the provision of Union law. In the case of the disclosure of sensitive health data via WhatsApp to a third person to be assessed there, it cannot be said that the scope of protection of § 1 DSG goes beyond that of Art 8 EU-GRC, so that § 1 DSG does not apply at all. Even if one were to see an area of application of § 1 DSG, the complaint (there) would not be successful. From the circumstances (further shown there) it can be concluded that the Austrian legislature did not want to extend the scope of protection of the DSG to circumstances that exclusively concern the personal or family area.
A similar legal assessment emerges from the decision GZ 2020-0.204.246 of August 10, 2020, where the household exception was considered inapplicable because tape recordings were made exclusively for potential use in divorce proceedings, so that it cannot be exclusively attributed to the private sector. Although the DSB based the breach of confidentiality on § 1 DSG, the further reasoning only dealt with the DSGVO and the inapplicability of the household exception.
In the further proceedings or a new decision to be issued, the authority concerned will have to deal with these legal circumstances based on the factual findings to be supplemented (see above) and the aspect of the personal or private area (insofar as the findings to be supplemented indicate this) in theirs legal considerations have to be included, especially since data has apparently only been made accessible to a third person. To what extent the fact that the BF operates “Facebook groups” or “as an entrepreneur” has significance for the question to be solved here regarding the data protection relevance of forwarding a chat process to a third person who, according to the previous findings, has no direct connection with a Facebook group of the BF or any entrepreneurial activity of the BF, will not be accessible according to the underlying decision and will have to be legally clarified at the level of the facts.
In any case, the BF shows that the authority concerned neglected essential investigative steps and made only very inadequate determinations with regard to the legal assessment to be carried out:
Even if the applicability of the budgetary privilege is denied, a violation of the right to secrecy on the basis of Section 1 (1) DSG, according to which a claim to secrecy of personal data exists only if there is a legitimate interest in it, would at least require the determination, which specific data was disclosed, on a case-by-case basis, which content of any communication via internet service was disclosed.
In addition, it may be necessary to determine when the chat process and the transmission of its content took place.
It is true that the authorities concerned took an investigative step with the questioning of witness XXXX. Due to the incomplete survey - as shown above - and the failure to survey the BF, this proves to be inadequate or unsuitable.
In addition, as explained above, the findings are so inadequate, and the verdict on the essential point of the data disclosure is completely indefinite, so that a referral back to supplement the investigations and a new decision while establishing the relevant facts is appropriate with regard to procedural economy and cost savings.
On the basis of an additional investigation procedure, the authority concerned will have to base the decision to be issued on a sound assessment of the evidence, taking into account the evidence obtained.
The omission of these at least necessary investigative steps justifies blatant or particularly serious gaps in the investigation within the meaning of the above-mentioned case law on Section 28 (3) VwGVG.
The ruling that the revision is inadmissible is based on the fact that, based on Section 28 VwGVG, individual questions regarding the required extent of the investigative steps and the findings made do not justify revisibility.


European Case Law Identifier
ECLI: AT: BVWG: 2021: W274.2243175.1.00