CJEU - C-25/17 - Jehovan todistajat
| CJEU - C-25/17 Jehovan todistajat / Tietosuojavaltuutettu | |
|---|---|
 | |
| Court: | CJEU |
| Jurisdiction: | European Union |
| Relevant Law: | Article 1(1) Directive 95/46 Article 2 Directive 95/46 Article 3 Directive 95/46 Recital 10, 12, 15, 26, 27 Directive 95/46 Paragraph 2 of The henkilötietolaki 523/1999 (Law on Personal Data No 523/1999, ‘Law No 523/1999’). Paragraph 3(3) of The henkilötietolaki 523/1999 (Law on Personal Data No 523/1999, ‘Law No 523/1999’). Paragraph 44 of The henkilötietolaki 523/1999 (Law on Personal Data No 523/1999, ‘Law No 523/1999’). |
| Decided: | 10.07.2018 |
| Parties: | |
| Case Number/Name: | C-25/17 Jehovan todistajat / Tietosuojavaltuutettu |
| European Case Law Identifier: | ECLI:EU:C:2018:551 |
| Reference from: | Supreme Administrative Court (Finland) |
| Language: | 24 EU Languages |
| Original Source: | AG Opinion Judgement |
| Initial Contributor: | Elaine Thuo |
This was decided in the context of the Data Protection Directive 95/46.
English Summary
Facts
Following a request from the Finnish DPA, the Finnish Data Protection Board adopted a decision prohibiting the Jehovah’s Witnesses Community from collecting or processing personal data in the course of door-to-door preaching carried out by its members unless the legal requirements for processing were satisfied. Furthermore, the Data Protection Board imposed a ban on the collection of personal data by the Jehovah’s Witnesses Community for a period of six months unless those conditions were observed.
The Jehovah’s Witnesses Community appealed the decision before the Administrative Court in Helsinki, Finland (Helsingin hallinto-oikeus). That court annulled the decision on the ground, inter alia, that the Jehovah’s Witnesses Community was not a controller and that its activity did not constitute unlawful processing.
The DPA challenged that judgment before the Supreme Administrative Court in Finland (Korkein hallinto-oikeus). The Supreme Administrative Court referred questions to the CJEU for a preliminary ruling on the following matters:
(1) Whether the collection and other processing of personal data carried out by the members of a religious community in connection with door-to-door preaching fall outside the scope of the Data Protection Directive 95/46 under the exception under Article 3(2) of the Data Protection Directive 95/46?
(2) Whether personal data collected otherwise than by automatic means in connection with the door-to-door preaching constitute a 'filing system' in light of Article 2(c) of the Data Protection Directive 95/46?
(3) Whether the phrase “alone or jointly with others determines the purposes and means of the processing of personal data” in light of Article 2(d) of the Data Protection Directive 95/46 must be interpreted as meaning that a religious community that organises an activity in the course of which personal data is collected may be regarded as a controller, in respect of the processing of personal data carried out by its members, even if the religious community claims that only the individual members who engage in preaching have access to the data?
(4) Whether in order for a religious community to be considered a controller in the light of Article 2(d) of the Data Protection Directive, does it have to take specific measures, such as give written instructions or orders directing the collection of data, or is it sufficient that that religious community can be regarded as having de facto control of its members’ activities?
Holding
On the first question, the court observed that Article 1(1) and Recital 10 is clear that the Directive seeks to ensure a high level of protection of fundamental rights and freedoms of natural persons, in particular, their right to privacy concerning the protection of personal data as was held in Google Spain and Google, C‑131/12 at paragraph 66, and Wirtshaftsakademie Schleswig-Holstein, C‑210/16, at paragraph 26. Also, Article 3(1) provides the scope of the Directive which applies to the processing of personal data wholly or partly by automatic means which form or is intended to form part of a filing system. However, Article 3(2) lays down exceptions to the application of the Directive in processing personal data which must be interpreted strictly as was held in Ryneš, C‑212/13 at paragraph 29, and Puškár, C‑73/1, at paragraph 38. The court noted that in the present case, the activities carried out by the Jehovah’s Witness Community do not fall under the two exceptions of activities carried out by state authority and simply personal or household activities. Pure household activity was defined in the case of Ryneš, C‑212/13 at paragraphs 31 and 33 as the activity of the person processing the personal data and not to the person whose data is processed. The court emphasized that for this exception to apply it must be an activity carried out in the context of the private or family life of individuals. This was not the case in this present matter and hence doesn’t fall under the exception.
On the second question, the court observed that the concept of a filing system as defined under Article 2(1)(c) Directive 95/46 is any structured set of personal data which are accessible according to specific criteria whether centralized, decentralized or dispersed on a functional or geographical basis. Besides, according to Recital 15 and 27 of Directive 95/46, the content of a filing system must be structured to allow easy access to personal data. In light of this, the court observed that the personal data collected during door-to-door preaching collected as a memory aid, allocated by geographical sector to organize subsequent visits fall within the scope of Article 2(1)(c) and the question on the specific criterion or form that it is structured is irrelevant.
On the third and fourth question, the court looked at the definition of a controller under Article 2(1)(d) Directive 95/46. A controller is defined as a natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data. The court observed that the scope of this definition is wide to ensure effective and complete protection of the persons concerned. Besides, the level of responsibility of joint controllers must be assessed concerning all relevant circumstances of the particular case as was held in Wirtschaftsakademie Schleswig-Holstein, C‑210/16 at paragraphs 28, 43 and 44. Furthermore, it was held, in that same case, that the joint responsibility of several actors for the same processing doesn’t require that each of them has access to the personal data concerned. In the present case, it was clear that Jehovah’s Witness Community who engage in preaching determine the specific data collected and how that data is subsequently processed. The collection of personal data helped in achieving the objective of the Jehovah’s Witness Community which was/is to spread its faith.
The court concluded that, in light of the activities of the Jehovah’s witness community, the community encourages its members who engage in preaching to carry out data processing activities in the context of their preaching activity. As such, the court further held that, by organizing, coordinating and encouraging preaching activities of its members intended to spread its faith, the Jehovah’s Witness Community participated jointly with its members in determining the purposes and means of processing personal data.
The court noted that this finding can be called into question by the principle of organizational autonomy of religious communities under Article 17 TFEU but stated that every person has an obligation to comply with the rules of the EU on the protection of personal data. This position was reiterated in Egenberger, C‑414/16 at paragraph 58.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
