CJEU - C-175/20 - SIA ‘SS’ (Opinion of AG Bobek)

From GDPRhub
CJEU - Opinion of AG Bobek in Case C‑175/20 SIA ‘SS’
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 4(1) GDPR
Article 5(1) GDPR
Article 5(2) GDPR
Article 6(1)(c) GDPR
Article 6(3) GDPR
Decided: 02.09.2021
Parties: SIA 'SS'
Valsts ieņēmumu dienests
Case Number/Name: Opinion of AG Bobek in Case C‑175/20 SIA ‘SS’
European Case Law Identifier: ECLI:EU:C:2021:690
Reference from: Administratīvā apgabaltiesa (Latvia)
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: n/a

English Summary

In the opinion of AG Bobek, data such as phone number and car chassis number must be considered as personal data in the sense of Article 4(1) GDPR when relating to identified or identifiable individuals selling their cars via a specialized website. AG Bobek is also of the opinion that Article 6(1)(c) GDPR and Article 6(3) GDPR do not preclude national rules from laying down, without any limit in time, an obligation for Internet advertising service providers to communicate certain personal data to a tax authority, as long as there is a clear legal basis in national law for such a type of data transfer and the data requested are suitable and necessary for the tax authority to complete its official tasks.

Facts

SIA ‘SS’ (‘the applicant’) is a company specialized in online advertising services. Private individuals may post and advertise various products on the applicant's website (www.ss.com) with a view of selling them. These products may include vehicles such as second-hand cars or motorbikes.

On 28 August 2018, the director of the Latvian Tax Inspection Office (‘the defendant’) sent to the applicant request for information on the basis of Article 15(6) of the Law on taxes and duties. In that request, the defendant asked the applicant to renew the defendant's access to information, and in particular information on (1) the telephone numbers of advertisers ; (2) the chassis numbers of vehicles featured in advertisements published on the applicant’s website, and (3) information on advertisements published in the ‘Motor Vehicles’ section of the website during the period from 14 July to 31 August 2018.

The applicant was asked to send the information electronically, in a format that would allow the data to be filtered and selected. The applicant was also asked to include the following information in the data file: a link to the advertisement, advertisement text, make of vehicle, model, chassis number, price, vendor’s telephone numbers.

Dispute

The applicant lodged an administrative complaint challenging the request for information of the defendant. According to the applicant, the scope of the request for information, which constitutes personal data within the meaning of Article 4(1) of the GDPR, was not justified by the law. The applicant argued in particular that the defendant, in its capacity as controller, did not comply with the principle of proportionality or the principle of minimisation enshrined in Article 5(1) GDPR.

The defendant dismissed the applicant's complaint and upheld the request for information. The dispute escalated before the national courts. In this context, the referring court referred several questions to the CJEU. On 2 September 2021, AG Bobek rendered its opinion in this case.

Holding

AG Bobek first clarified that the GDPR was applicable in the case at hand as far as it concerned the transfer of data relating to car sellers, such as their phone numbers of the chassis numbers of the advertised cars. AG Bobek then focuses on the main legal issue in the case at hand, which is whether the processing operation intended by the defendant can be considered as lawful. In the opinion of AG Bobek, the central question is therefore to assess what would be the legal basis of such processing operations.

AG Bobek first analyses the purpose of such operation and considers it undoubtedly legitimate. In the opinion of AG Bobek indeed, ensuring the proper collection of tax as well as the detection and prevention of tax evasion can certainly fall under the types of legitimate aims and purposes for data processing pursuant to both Article 6(1) and (3) GDPR.

AG Bobek then analyses the scope and duration of the intended processing operation. In order for the principle of data minimisation to be complied with, it is indeed important to limit the processing of personal data to what is relevant and necessary, keeping in mind the purpose to be achieved. In that case, the defendant argued that the amount of information requested can be considered reasonable in so far as the request for communication only includes advertisements published in the ‘Motor Vehicles’ section of the applicant's website, which is 1 section out of 112 sections of the concerned website. AG Bobek agreed with that argumentation. According to AG Bobek indeed, a national tax authority may in principle request all the necessary data for the type of examination it needs to carry out, without any temporal limitation, provided that there is an appropriate legal basis in EU or national law, and that the data requested are relevant and suitable for the purpose pursued.

AG Bobek then focuses on the central question of the dispute, i.e. the absence or existence of a valid legal basis. Article 6(1)(c) GDPR provides that the processing of personal data, such as a data transfer from a controller to a tax authority, can be considered as lawful when such processing is "necessary for compliance with a legal obligation to which the controller is subject". Article 6(3) GDPR further species that this legal obligation must be laid down by "EU or Member State law". AG Bobek then looks into the applicable Latvian law and considers that both Article 15(6) of the Law on taxes and duties and the specific requests for the disclosure of data made by the tax authority constitute such a legal obligation. AG Bobek however also points out that such legal provisions should comply with the requirement of foreseeability. In other words, the legislation allowing for data transfers must lay down clear and precise rules governing the scope and application of the measure in question and impose minimum safeguards, so that the persons whose personal data is affected have sufficient guarantees that those data will be effectively protected against the risk of abuse. It is the duty of the Member State to ensure that the concerned provisions fulfill those criteria.

At the end of his opinion, AG Bobek proposes that the Court answer the questions referred for a preliminary ruling as follows:

–        Article 6(1)(c) and (3) of the [GDPR] does not preclude national rules from laying down, without any limit in time, an obligation for Internet advertising service providers to communicate certain personal data to a tax authority, as long as there is a clear legal basis in national law for such a type of data transfer and the data requested are suitable and necessary for the tax authority to complete its official tasks.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!