Rb. Amsterdam - 20/4850

From GDPRhub
Revision as of 09:38, 3 October 2022 by Jg (talk | contribs) (→‎Holding)
Rb. Amsterdam - 20/4850
Courts logo1.png
Court: Rb. Amsterdam (Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 6(1)(f) GDPR
Decided: 22.09.2022
Published: 28.09.2022
Parties: Autoriteit Persoonsgegevens (AP)
National Case Number/Name: 20/4850
European Case Law Identifier: ECLI:NL:RBAMS:2022:5565
Appeal from:
Appeal to:
Original Language(s): Dutch
Original Source: rechtspraak.nl (in Dutch)
Initial Contributor: Jette

The District Court of Amsterdam referred preliminary questions to the CJEU about the scope of legitimate interest. In particular, whether a commercial interest can be a legitimate interest and under what circumstances.

English Summary

Facts

The controller is a sports club in the legal form of an association. To, in its own words, 'give more meaning' to the sport, its vision and the memberships of its members, the controller worked with sponsors. It provided these sponsors with name and address particulars of its members (the data subjects).

Some members complained to the Dutch DPA that they did not give the controller explicit consent to provide its sponsors with their personal data. The Dutch DPA investigated the case and found that the controller gave its members' personal data to these sponsors without consent or any other legal ground, in breach of Article 5(1)(b) and Article 6(1) read in conjunction with Article 5(1)(a) GDPR. The DPA fined the controller €525,000.

The controller appealed the DPA's decision at the District Court of Amsterdam. It stated that there was, in fact, a legal ground for processing: legitimate interest. The DPA continued to be of the opinion that the controller had no legitimate interest. In addition, the DPA held that the processing was not necessary for the controller's legitimate interest.

The parties were divided on the interpretation and scope of legitimate interest within the meaning of Article 6(1)(f) GDPR. According to the controller, it followed from the grammatical interpretation of this term that there must be an interest laid down in a law (a positive test). According to the data subject, any interest was justified unless prohibited by law.

Holding

The Court noted that there were three cumulative conditions according to established case law of the CJEU for processing on the grounds of legitimate interest: (1) the pursuit of a legitimate interest of the controller, (2) the processing must be necessary and (3) the controller's legitimate interest must outweigh the interest or fundamental fights and freedoms of the data subject(s).

The Court held that it could not without reasonable doubt decide whether the controller had a legitimate interest. There was no established CJEU case law on the subject, and Article 6(1)(f) is not conclusive on the definition and scope of the term 'legitimate interest'. The Court noted that the District Court of Midden-Nederland already expressed an opinion on the subject in the VoetbalTV case. Here, the Court (Midden-Nederland) held that not only legal, but also all kinds of factual, economic and idealistic interests could qualify as a legitimate interest.[1] The Court stated that this seemed to support the data subject's position that any interest, including a purely commercial interest, can be a legitimate interest.

The Court was of the opinion that the desire to make money from personal data without consent (a purely commercial interest) seemed incompatible with the high level of protection that the GDPR intends to ensure. In this regard, the Court found the controller's interpretation acceptable. However, the GDPR clearly prescribes when processing must find its legal basis in law. For example, the prohibition of processing special categories of personal data from Article 9(1) GDPR does not apply if "the data subject has given explicit consent (...), except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject" pursuant to Article 9(2)(a). Article 9(1) also does not apply where "processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law (...)." Thus, the Court also considered the interpretation argued by the data subject acceptable.

The Court stated that it felt compelled to refer the following preliminary questions to the CJEU:

  1. How should the Court interpret the term 'legitimate interest'?
  2. Should that term be interpreted in line with the controller's interpretation? Are those interests exclusively established by law?
  3. Can any interest be a legitimate interest, provided that interest is not contrary to law? More specifically, is a purely commercial interest and the interest as in the case at hand, the provision of personal data against payment without consent of the data subject, under circumstances to be regarded as a legitimate interest? If so, what circumstances determine whether a purely commercial interest is a legitimate interest?

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

COURT OF AMSTERDAM

Administrative law

case number: AMS 20/4850

referral decision of the multiple chamber of 21 September 2022 in the case between

[plaintiff] , in Amstelveen, plaintiff

(Agents: mr. E.W.S. Peperkamp, mr. S.E.A. Vermeer-de Jongh and
mr. G.N.N. camp house),

and

Dutch Data Protection Authority, defendant

(agents: mr. T.N. Sanders, and mr. M.H.L. Hemmer).

Process sequence

By decision of 20 December 2019 (the primary decision), the respondent imposed a fine of € 525,000 on the claimant for violation of the General Data Protection Regulation (GDPR).

By decision of 30 July 2020 (the contested decision), the respondent declared the claimant's objection unfounded.

Plaintiff appealed against the contested decision.

Defendant has filed a statement of defence.

The hearing took place on March 21, 2022. The parties were represented by their authorized representatives. On behalf of the claimant were also present

[the person 1] , [position] and [the person 2] , corporate lawyer. The investigation is closed at the hearing.

Considerations

What preceded the procedure

1.1.

Plaintiff is a sports association in the (legal) form of an association. Its membership base consists of the [association] affiliated with it and their association members. When someone becomes a member of an [association] affiliated with the claimant, that person becomes a member of both that [association] and of the claimant. Plaintiff works together with sponsors in order to give more meaning to the [sport], its vision and the membership of its members. Two of these sponsors are the [company 1] ([company 1]) and [company 2] ([company 2] ).

1.2.

Plaintiff provided these sponsors on three occasions in 2018 with data from some of its association members for promotional campaigns, namely on [date 1] and [date 1] to [company 2] and on [date 1] to [company 1]. . Plaintiff has provided name and address details to [company 2]. In addition to name and address details, Plaintiff also provided [company 1] with data regarding date of birth, telephone number, mobile number, e-mail address and name of the association.

1.3.

At the time of the provision on [date 1], the Personal Data Protection Act (Wbp) applied and during the provision in [date 2] the AVG.1 The member data that the claimant provided to [company 2] was intended for postal mailing in the form of sending a discount flyer. [company 2] then forwarded this member data to PostNL before printing the flyer. The member data that the claimant provided to [company 1] was intended for a call campaign. [company 1] passed this member data on to call centers hired by them. Plaintiff has received compensation from the sponsors concerned for the member data provided.

1.4.

In 2018, the defendant received several reports from various members that the plaintiff had shared personal data of its members with these two sponsors without the members' explicit permission to do so. As a result of this, the defendant initiated an investigation into the plaintiff's compliance with the GDPR when collecting and providing personal data to [company 1] and [company 2] for the purpose of their promotional campaigns in the period [date 3] to [date]. date 4] .

1.5.

That investigation showed, among other things, that in 2007 and 2017 the claimant received permission from her members' council to share the contact details of her members with the aforementioned sponsors. In 2007 permission was given for the provision of data for the purpose of postal mailing and in 2017 permission was given for the provision of data for the purpose of telemarketing. In the summer of 2018, Plaintiff communicated its policy to its members through newsletters and messages on, among other things, its website. Plaintiff informed new members about the new policy in the first months of 2018 via the digital welcome message that every new member received from Plaintiff. Members were informed of their right to object to the provision of their personal data to sponsors on a 'Fan Marketing and Data' webpage created by the claimant. Plaintiff has therefore chosen to deviate from the 'opt-in' that applied until then and to switch to the so-called 'opt-out' method, in which consent is presumed to have been given, unless the member objects to this.

1.6.

The outcome of the investigation was the reason for the defendant to impose a fine of € 525,000 on the plaintiff with the primary decision. According to the defendant, the claimant provided data from its members to the two sponsors mentioned without the members' consent and without her having a lawful basis for providing it. This concerns the two benefits in kind from [date 2]. This procedure therefore only applies to the provisions of the GDPR. According to the defendant, the plaintiff acted in violation of these two provisions:

 Article 5, first paragraph, preamble and under b (purpose limitation) and;

 Article 6, first paragraph, read in combination with Article 5, first paragraph, preamble and under a (the basis for processing) of the GDPR.

The Defendant upheld this decision by means of the contested decision.

The processing basis

2.1.

Under the GDPR, personal data may only be processed if there is a legal basis for that processing. The legal bases are exhaustively listed in Article 6(1) of the GDPR. It is not in dispute between the parties that the claimant did not have permission from its individual members to provide their data to the sponsors and that the processing basis 'consent'2 therefore does not apply. Plaintiff argues that it has a legitimate interest in providing the member data to the two sponsors, as referred to in Article 6, first paragraph, preamble and under f, of the GDPR. According to the defendant, that is not the case.

2.2.

According to settled case law of the Court of Justice of the European Union (the ECJ)3, there are three cumulative conditions that must be met in order to be able to process personal data on this basis:

there must be a representation of a legitimate interest of the controller;

the processing must be necessary for that legitimate interest, and

the legitimate interest of the controller must outweigh the interests or the fundamental rights and freedoms of the person whose personal data are processed.

2.3.

The respondent primarily takes the position that the claimant has no legitimate interest in providing the personal data to the two sponsors. To that extent, according to the respondent, the test ends at step 1. In the alternative, the respondent believes that the processing is not necessary either (step 2) or that the interests of the members of the claimant that their personal data are not processed should prevail (step 3). According to the defendant, there is therefore a violation of Article 5, first paragraph, preamble and under a, of the GDPR, read in combination with Article 6, first paragraph, of the GDPR. Plaintiff is of the opinion that it does have a legitimate interest in the data processing and that it also meets the other two requirements.

Views of the parties on the interpretation and scope of the concept of legitimate interest

3.1.

In particular, the parties are divided over the interpretation and scope of the term 'legitimate interest' within the meaning of Article 6, paragraph 1, under f of the GDPR. According to the respondent, it follows from the grammatical interpretation of this term that there must be a legitimate and thus concrete interest 'belonging to the law, being law, laid down in a law'. So a positive test. According to the respondent, the view of the claimant that every interest is justified, unless prohibited by law, is not consistent with the essence of the provision. If that had indeed been the intention, it would have been more logical, in the opinion of the defendant, to have worded the provision in the opposite direction. So, for example, instead of talking about a 'legitimate interest', to speak of 'an interest, unless prohibited by law'.

3.2.

In that context, the defendant refers to a passage from recital 47 of the GDPR: "such a legitimate interest may exist, for example, if there is a relevant and appropriate relationship between the data subject and the controller". Respondent reads this as meaning that the processing of personal data of persons who should not reasonably expect this cannot be based on a legitimate interest. It must concern a pre-recognized interest of the controller that the data subject can take into account. An interest that is not a legitimate interest and therefore not an 'interest belonging to the law, being law, established by law', is not sufficiently known in advance. Defendant believes that support for this explanation can be found in the position of the European Council (the Council) at the first reading of the GDPR. In it, the Board considers that: “the existence of a legitimate interest must be demonstrated, including checking whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for the protection of that interest can be take place. The processing of personal data for direct marketing4 can be regarded as carried out with a view to a legitimate interest. The processing of personal data by public authorities in the performance of their tasks is not based on the legal basis of legitimate interest, as it is the national legislator which determines the legal basis for the processing of personal data by public authorities.”5

3.3.

According to the defendant, his explanation is also the explanation that best fits in the system of the GDPR and European fundamental rights. To this end, he refers to Article 8 of the Charter of the European Union (the Charter), which includes the right to the protection of personal data. Restrictions on this right must be provided for by law pursuant to Article 52 of the Charter and must respect the essence of those rights and freedoms. According to the respondent, the GDPR in fact implements Article 52 of the Charter and this follows from recital 4 of the GDPR. It considered that: “the processing of personal data must be for the benefit of people. The right to the protection of personal data is not absolute, but must be considered in relation to its function in society and must be weighed up against other fundamental rights in accordance with the principle of proportionality. This Regulation respects all fundamental rights as well as the freedoms and principles recognized by the Charter as enshrined in the Treaties, in particular respect for private and family life, home and communication, the protection of personal data, the freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and the right to cultural, religious and linguistic diversity (…).' The importance of protecting personal data may conflict with other general principles recognized by law and/or the rights of others. In that case, according to the defendant, an assessment must take place, whereby the Charter and the GDPR offer a concrete assessment mechanism in the form of Article 6, first paragraph, preamble and under f of the GDPR, read in combination with Article 52 of the Charter. An interest within the meaning of Article 6, first paragraph, preamble and under f of the GDPR must (because of the limitation it entails with the fundamental right to the protection of personal data) in view of the Charter at least affect public interest objectives that are recognized by the Union or necessary to protect the rights and freedoms of others. Public interest objectives are "lawful, lawful, law-enforced" interests, as are the rights and freedoms of others. It must concern interests that are regarded as worthy of protection by the Union or national legislator. They have social importance and everyone can be expected to take these interests into account in society.

3.4.

According to the defendant, the collection and processing of data of a person in order to resell it without the consent of the data subject constitutes an infringement of Article 8 of the European Convention on Human Rights (ECHR). According to the defendant, the explanation of the claimant of Article 6, first paragraph, preamble and under f of the GDPR (which is an interpretation of Article 52 of the Charter) is therefore contrary to Article 8 of the ECHR. This would mean that the GDPR represents a setback in protection compared to the situation before the entry into force of the Charter. Under the Charter and the GDPR, a lower level of protection would then in fact apply than before, when only the ECHR applied. After all, if the claimant has a legitimate interest (and could therefore possibly process the data), then the limitation of Article 8 of the ECHR is provided for by law (namely: the AVG). In that case, the GDPR would in fact remove the previously existing conflict with Article 8 of the ECHR, according to the defendant. According to the defendant, this limitation of the fundamental rights of the members was not provided for by law before the introduction of the AVG, but under the AVG it was. This is contrary to Article 53 of the Charter.

4.1.

Plaintiff is of the opinion that a legitimate interest does not have to be based on a fundamental right or legal principle, as the defendant argues. After all, it follows from the legal text of the GDPR that other types of interests (not being fundamental rights and/or legal principles) can qualify as a legitimate interest. In that context, it refers to recital 47 of the GDPR, in which 'direct marketing' is regarded as a legitimate interest. According to the claimant, the contested decision is therefore based on an incorrect interpretation of Article 6, first paragraph, preamble and under f, of the GDPR. According to the claimant, in principle there is in principle a legitimate interest, unless that interest is in conflict with the law. So a negative test. In this context, she refers, among others, to Kamara & De Hert, who argue that "a legitimate interest (…), might not be specifically foreseen in a legal instrument, but in any case has to be in accordance with the law, in the sense that it does not violate the law”6 and according to the Opinion of Advocate General [name 1] on the judgment of the ECJ on [company 3]7, in which he considers that, provided legal in itself, there is no type of interest which is per se excluded.” Plaintiff also refers to case law of the ECJ in which there is a legitimate interest, but there is no question or no reference is made to a fundamental right or legal principles.8 In addition, she refers to the judgment of the Midden-Nederland District Court of [date 5], in which it is assumed that the determination of a legitimate interest involves a negative test.9 According to the plaintiff, the defendant wrongly concluded that there is no legitimate interest, because the interest pursued by the plaintiff with the processing cannot be traced back to a fundamental right or According to the plaintiff, the defendant's strict interpretation of standards is contrary to the purport of the regulation, the coherence mechanism and the market forces intended by the GDPR.

The court's considerations

5.1.

Pursuant to Article 6(1)(f) of the GDPR, the processing is only lawful if and to the extent that the processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where the interests or the fundamental rights and freedoms of the data subject which require the protection of personal data outweigh those interests, in particular where the data subject is a child.

5.2.

The question whether Plaintiff has a legitimate interest in the processing of the personal data of its members cannot be answered without reasonable doubt. There has been no evidence of an acte éclairé with regard to this question, since the answer to this question cannot be found on the basis of settled case law of the ECJ in comparable cases. In addition, there has been no acte clair with regard to this question, since Article 6, first paragraph, preamble and under f of the GDPR does not provide a definitive answer about the definition and scope of the term 'legitimate interest'. Moreover, the provision has not been formulated so clearly that it can be said that there can be no reasonable doubt about its interpretation or its scope of application.

5.3.

In the aforementioned judgment10, the Midden-Nederland District Court was the first Dutch court to rule on the concept of 'legitimate interest' and in its decision refers to the Opinion of Advocate General M. [name 1] in the judgment of the ECJ in the case [company 3].11 In it he explains that Directive 95/46 also does not contain a definition or list of what exactly the concept of 'legitimate interest' means. The Midden-Nederland District Court considers: “According to [name 1], this concept is fairly flexible and open in nature and he refers for this to his own conclusion in the judgment of the ECJ on [name 2],12 in which he reads the ECJ's judgments on [name 3] and [name 4] ,13and [name 5]14names(…). Provided in itself legal, according to [name 1], there is no type of interest that is per se excluded. [name 1] bases this conclusion, among other things, on the opinion of the Article 29 Working Group (WP29, the predecessor of the European Data Protection Board (EDPB)). In its 2014 opinion,15 the WP29 wrote that the legitimate interest should be interpreted as a concept that can cover a range of different interests, whether they are trivial or overriding, and whether these are evident or more controversial, provided it is a real and present (and therefore not speculative) interest. Not only legal, but also all kinds of factual, economic and idealistic interests can therefore qualify as a legitimate interest.”16 This seems to support the claimant's position that any interest, including a purely commercial interest, can be a legitimate interest.

5.4.

On the other hand, according to the court, it does not seem to be consistent with the high degree of protection that the GDPR aims to offer if the wish to earn money with other people's personal data without the consent of the data subject is regarded as a legitimate interest. In the case of a fundamental right such as the right to the protection of personal data, the court finds the defendant's explanation acceptable. Incidentally, the court notes that even before the entry into force of the GDPR, the requirement of Article 8 of the ECHR that a breach of the protection of personal data must be provided for in a law was already met. The processing basis 'legitimate interest' was included in Article 8, opening words and under f, of the Wbp.

5.5.

Finally, the court notes that the GDPR clearly prescribes when a processing must find its legal basis in a provision of Member State or Union law. For example, Article 9(1) of the GDPR clearly prescribes which personal data are prohibited from processing: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and processing of genetic data, biometric data for the purpose of uniquely identifying a person, or data about health, or data related to a person's sexual behavior or sexual orientation. In the second paragraph, preamble and under a of that article, it is stipulated that the first paragraph does not apply if the data subject has given explicit permission for the processing of those personal data for one or more specific purposes, except where provided by Union or Member State law. that the prohibition referred to in paragraph 1 cannot be lifted by the person concerned. On the basis of the second paragraph, preamble and under g, the first paragraph also does not apply if the processing is necessary for reasons of important public interest, on the basis of Union law or Member State law, whereby proportionality with the aim pursued is guaranteed, the essence of the right to the protection of personal data is respected and appropriate and specific measures are taken to protect the fundamental rights and interests of the data subject. Now that the GDPR clearly prescribes when a processing must find its legal basis in a legal provision, the court also finds the explanation that the plaintiff argues acceptable.

Conclusion

6. The court is therefore compelled to refer the following questions to the Court of Justice for a preliminary ruling:

How should the court interpret the term "legitimate interest"?

Should that term be interpreted as the defendant interprets it? Are they exclusively lawful, being law, interests established in a law? Or;

Can any interest be a legitimate interest, provided that interest is not in conflict with the law? More specifically: is a purely commercial interest and the interest as discussed here, the provision of personal data for payment without the consent of the person concerned, can be regarded as a legitimate interest under certain circumstances? If so, what circumstances determine whether a purely commercial interest is a legitimate interest?

Decision

The court:

- reopens the investigation;

- requests the Court of Justice to give a preliminary ruling under Article 267 of the Treaty on the Functioning of the European Union on the questions referred under paragraph 6 of the law;

- suspended the investigation and stayed further proceedings in this case until the Court of Justice has given its ruling.

This statement was made by mr. J.C.S. van Limburg Stirum, chairman, and

mr. J.A.W. Jansen and mr. A. Rodriguez Galvis, members, in the presence of mr. L.N. Linzey, clerk. The decision was pronounced in public on September 22, 2022.

clerk

chair

Copy sent to parties on:

Remedy

An appeal can be lodged against this interim decision at the same time as an appeal against the final decision in this case.

1 The GDPR came into effect on 25 May 2018. The Wbp was withdrawn on that date.

2 Article 6, first paragraph, preamble and under a, of the GDPR.

3 See, among other things, the judgment of the ECJ of 29 July 2019, no. C-40/17, ECLI:EU:C:2019:629 ( [company 3] ).

4 In the Netherlands, this has been given a legal basis in Article 11.7 of the Telecommunications Act.

5 Justification of the Council: Position (EU) No 6/2016 of the Council at first reading with a view to the adoption of a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 951461EC (General Data Protection Regulation), (2016/C 159/02), p. 86-87.

6 I. Kamara & P. de Hert, 'Understanding the balancing act behind the legitimate interest of the controller ground: a pragmatic approach', Brussels Privacy Hub 2018, vol. 4, no. 12, p. 12.

7 Conclusion AG of the ECJ, 19 December 2018, no. C-40/17, ECLI:EU:C:2018:1039, r.o. 122.

8 Including ECJ 13 May 2014, CA 31112, ECLI EU:C:2014:317 (Google Spain).

9 ECLI:NL:RBMNE:2020:5111.

10 The judgment of [date 5] , ECLI:NL:RBMNE:2020:5111.

11 Conclusion AG ECJ, 19 December 2018, no. C-40/17, ECLI:EU:C:2018:1039.

12 Conclusion AG ECJ, 27 January 2017, no. C-13/16, ECLI:EU:C:2017:43.

13 Judgment of the ECJ, 9 November 2010, nos. C-92/09 and C-93/09, ECLI:EU:C:2010:662, paragraph 77.

14 Judgment of the ECJ, 11 December 2014, no. C-2012/13, ECLI:EU:C:2014:2428, paragraph 34.

15 Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, Article 29 Data Protection Working Party, 9 April 2-14, p. 24.

16 See para. 15 of the ruling of the Central Netherlands.
  1. With reference to: Conclusion A-G CJEU, 19 December 2018, no. C-40/70, ECLI:EU:C:2018:1039.