The Danish DPA issued a guide on the procedure for exercise of the “right to be forgotten” – or more accurately, the procedure for having a person’s name removed from search engine results, as based upon the European Court of Justice’s judgement against Google Spain and Google Inc. This includes the criteria used by the DPA in assessing these cases.
On 12 May 2016, Advocate General (AG) Manuel Campos Sánchez-Bordona released an Opinion in the Case P. Breyer v. Germany. For the AG, dynamic IP addresses should be considered as personal data even if the website operator in question is not able to identify the user using the IP address, since the users’ internet access providers have data which can, by linking it with the IP address, identify the users in question. Moreover, the AG considered that both the use and collection of IP address data could be justified on the grounds of “balancing of legitimate interests” test under the Data Protection Directive 95/46/EC (DPD), despite more restraining national legislation in Germany.
Background of the case
The case involves Patrick Breyer (a member of the Pirate Party) and the Federal Republic of Germany (the “BRD”). The BRD operates a number of websites and records the IP addresses of users visiting them. The plaintiff sued the BRD as he considers that IP addresses qualify as personal data following article 2 of the DPD and hence, the BRD would be compelled to have consent for processing such data. Indeed, by retaining IP addresses the BDR could profile the visitors of its websites. The Regional Court of Berlin ruled on appeal that IP addresses held by website operators should be considered as personal data when users provide supplementary information to the website operator (for instance: telephone number, address, etc.). The General Federal Court of Justice took responsibility of the case after both the plaintiff and the defendant appealed the Regional Court decision. The Federal Court referred two preliminary questions to the CJEU: whether, under article 2a of the DPD, IP addresses qualify as personal data when the IP address is stored by a website provider and a third party possesses sufficient additional information to identify the user and, whether article 7 of the DPP precludes to a provision in National Law according to which a website provider may collect and process personal data of users without their consent only to the extent it is necessary to enable the functioning of the website or to arrange payment.
The decision relates to the use of a employee evaluation and assessment remuneration and salary systems. An Opinion was requested on the use of the remuneration systems in a white collar chemical industry. These systems produce a numerical or verbal assessment of each employee, which impacts upon their salary. Union representatives asked questions regarding if the complexity of data used in the scoring system constituted personal data, if the personal (non-numeric) assessment of an employee’s performance associated with their record constituted personal data, and if the named employee had the right to see the records. The Ombudsman indicated that data on tasks themselves (e.g. their complexity, scores associated with different tasks) were not personal data, but that based upon both Finnish and EU law on data protection, when this information was combined with personal data on the employee for the purposes of paying wages, then this is a case of processing personal data. Employers have a right to deal with personal data under the Personal Data Protection Act (523/1999). The Ombudsman considers that the payment of the personal component of the employee’s salary on the basis of assessment is the kind of information that relates to the exercise of rights and obligations of the parties to the employment relationship. Supervisor felt that every worker has the right to inspect the records of the employer’s control of personal information relating to themselves, including produced by the employers assessment, unless required by law, subject to the exemption provided. This right is closely linked to the right to be assessed on the basis of accurate and relevant information. If the employer obtains data on the employee from third party sources (that they have not collect themselves, or has not been given to them directly by the employee), they are obligated to inform the employee themselves. The employer must consult with employee representatives when deciding on the introduction of new information systems and their content, as other information to be collected, including information on a variety of tests available.