
10. GDPR – Scope and Objectives

Outline of this chapter

In this chapter we will take a closer look into the scope of application of the GDPR. The GDPR is a pioneering and comprehensive legal instrument in the field of data protection, building upon the 1995 Data Protection Directive. While it is not the first legislative initiative in the field of data protection, it marks a significant evolution by establishing enforceable, directly applicable rules with (potentially) global reach. Thus, to truly understand its inner workings, the focus of this chapter shall be the foundations of the Regulation.

Firstly, we will outline the application of the GDPR, beginning with its subject matter and objectives. We will understand the meaning of personal data as well as special categories of data. We will then discuss its temporal, material, and territorial scope. While this information may seem elementary and thus relatively straightforward, we will see that this is not always the case.

The topics covered are:

  • GDPR: Subject matter and objectives (10.1)
  • GDPR: Temporal, material and territorial scope (10.2)

10.1 GDPR: Subject Matter and Objectives

The GDPR is an EU regulation which builds upon its predecessor – the 1995 Data Protection Directive. At the time the Directive was adopted, there was no specific legal basis in the EU treaties that would allow for the adoption of legislation in the field of data protection. Thus, the Directive was adopted on the basis of the general legal basis that can now be found in Article 114(1) TFEU for the purpose of maintaining and safeguarding the proper functioning of the internal market. With the adoption of the Lisbon treaty in 2009, Article 16 TFEU introduced a specific legal basis for legislating in the field of data protection within the Union. Article 16 TFEU serves as a legal basis to the GDPR, shifting the focus and purpose of the legal instrument from internal market regulation to the protection of fundamental rights.

The adoption of a regulation instead of a directive is also of importance – as a regulation, the GDPR is directly applicable in a uniform manner across the Member States. Thus, a better harmonisation between laws and practices in the Member States is achieved. This harmonisation benefits controllers of personal data that operate in cross-border situations. Now there is one set of identical rules that they need to follow within the Union and thus there is legal certainty.

A Starting Point: Article 1 GDPR

The first article of the GDPR lays down the general purpose and rationale of the legal instrument. The rules within it relate to the protection of personal data of natural persons when being processed as well as its free movement (Article 1(1)). The recognition of data protection as a separate right from the one to privacy is clearly established in this article. While the 1995 Directive explicitly referred to the right to privacy in article 1(1), referring to data protection as a way of protecting privacy (Art 1(1) Data Protection Directive – In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data), the GDPR only mentions the right to privacy in recital 4, among other fundamental rights that can be affected.

Article 1 GDPR – Subject-matter and objectives

  1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
  2. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
  3. The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.

The third paragraph of the Article refers to the free movement of data within the Union. This provision demonstrates that the internal market aspect still remains relevant for the Regulation, but as a separate and additional objective within it rather than being a leading goal in itself. Collectively, all three subparagraphs of Article 1 summarize the core subject matter of the GDPR.

Intuitively, to gain a comprehensive understanding of these goals one would need to understand the terminology contained in the provisions. Therefore, we turn to Article 4 of the GDPR which provides definitions for purposes of the GDPR.

Although the definition of personal data in the law seems to be quite extensive and clear, the question ‘What is personal data?’ has been brought before the Court of Justice of the EU (CJEU) in various situations. This is why the CJEU’s interpretation of the GDPR is of crucial importance. Below we will focus on a couple of examples where the nature of data was not so clear at first glance. Moreover, we will turn to the Court’s reasoning to better understand the interpretations provided by it.

Joined cases C-92/09 and C-93/09 Volker und Markus Schecke GbR and Hartmut Eifert v Land Hessen EU:C:2010:662

Relevant facts

In Volker und Markus Schecke and Eifert, the CJEU considered the legality of EU rules requiring Member States to publish the names, locations, and subsidy amounts received by beneficiaries of agricultural funds. The case arose after two recipients – an agricultural partnership and a full-time farmer – challenged the publication of their data, arguing it infringed their right to data protection.

Legal question(s)

Crucially, the case raised a fundamental question: Does information relating to professional or economic activity, such as publicly funded business operations, still qualify as personal data subject to protection?

Court’s interpretation

  • [49] Article 8(2) of the Charter thus authorises the processing of personal data if certain conditions are satisfied. It provides that personal data ‘must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law’.

  • [50] Moreover, Article 52(1) of the Charter accepts that limitations may be imposed on the exercise of rights such as those set forth in Articles 7 and 8 of the Charter, as long as the limitations are provided for by law, respect the essence of those rights and freedoms and, subject to the principle of proportionality, are necessary and genuinely meet objectives of general interest recognised by the European Union or the need to protect the rights and freedoms of others.

  • [51] Finally, according to Article 52(3) of the Charter, in so far as it contains rights which correspond to rights guaranteed by the Convention, the meaning and scope of those rights are to be the same as those laid down by the Convention. Article 53 of the Charter further states that nothing in the Charter is to be interpreted as restricting or adversely affecting the rights recognised inter alia by the Convention.

  • [52] In those circumstances, it must be considered that the right to respect for private life with regard to the processing of personal data, recognised by Articles 7 and 8 of the Charter, concerns any information relating to an identified or identifiable individual (see, in particular, European Court of Human Rights, Amann v. Switzerland [GC], no. 27798/95, § 65, ECHR 2000‑II, and Rotaru v. Romania [GC], no. 28341/95, § 43, ECHR 2000‑V) and the limitations which may lawfully be imposed on the right to the protection of personal data correspond to those tolerated in relation to Article 8 of the Convention.

Remark(s)

Data concerning professional activities is personal data within the meaning of (now) art. 4(1) GDPR.

 

Case C-434/16 Peter Nowak v Data Protection Commissioner EU:C:2017:994

Relevant facts 

Peter Nowak, a trainee accountant, failed an exam and requested all personal data held about him from the Institute of Chartered Accountants of Ireland. The Institute refused to provide his exam script, claiming it wasn’t personal data. Nowak challenged this with the Data Protection Commissioner, who also rejected his complaint. After the lower courts dismissed his case, the Supreme Court allowed his appeal and referred the issue to the CJEU.

Legal question(s)

The main question was: Can exam scripts be considered personal data under EU data protection law?

Court’s interpretation

  • [33] As the Court has held previously, the scope of Directive 95/46 is very wide and the personal data covered by that directive is varied…
  • [34] The use of the expression ‘any information’ in the definition of the concept of ‘personal data’, within Article 2(a) of Directive 95/46, reflects the aim of the EU legislature to assign a wide scope to that concept, which is not restricted to information that is sensitive or private, but potentially encompasses all kinds of information, not only objective but also subjective, in the form of opinions and assessments, provided that it ‘relates’ to the data subject.

….

  • [37] First, the content of those answers reflects the extent of the candidate’s knowledge and competence in a given field and, in some cases, his intellect, thought processes, and judgment. In the case of a handwritten script, the answers contain, in addition, information as to his handwriting.

….

  • [40] It is, moreover, equally true that the written answers submitted by a candidate at a professional examination constitute information that relates to that candidate by reason of its content, purpose or effect, where the examination is, as in this case, an open book examination.
  • [41] As is stated by the Advocate General in point 24 of her Opinion, the aim of any examination is to determine and establish the individual performance of a specific person, namely the candidate, and not, unlike, for example, a representative survey, to obtain information that is independent of that person.

….

  • [49] Accordingly, if information relating to a candidate, contained in his or her answers submitted at a professional examination and in the comments made by the examiner with respect to those answers, were not to be classified as personal data, that would have the effect of entirely excluding that information from the obligation to comply not only with the principles and safeguards that must be observed in the area of personal data protection, and, in particular, the principles relating to the quality of such data and the criteria for making data processing legitimate, established in Articles 6 and 7 of Directive 95/46, but also with the rights of access, rectification and objection of the data subject, provided for in Articles 12 and 14 of that directive, and with the supervision exercised by the supervisory authority under Article 28 of that directive.

….

  • [62] In the light of all the foregoing, the answer to the questions referred is that Article 2(a) of Directive 95/46 must be interpreted as meaning that, in circumstances such as those of the main proceedings, the written answers submitted by a candidate at a professional examination and any comments made by an examiner with respect to those answers constitute personal data, within the meaning of that provision.

Remark(s)

Answers to an exam can fall within the meaning of personal data in (now) art. 4(1) GDPR. 

 

Joined Cases C‑141/12 and C‑372/12 YS v Minister voor Immigratie, Integratie en Asiel and Minister voor Immigratie, Integratie en Asiel v M and S EU:C:2014:2081

Relevant facts

The case focused on whether the legal analysis contained in a draft decision (or “minute”) in Dutch asylum procedures constituted personal data under Article 2(a) of Directive 95/46. These internal documents included both factual information about the applicant (such as name, date of birth, and ethnicity) and a legal assessment of their application.

Legal question(s)

One of the key questions referred to the CJEU was whether such legal analysis, when linked to an identifiable individual, qualifies as personal data under the Directive.

Court’s interpretation

  • [37] In this respect, it should be noted that Article 2(a) of Directive 95/46 defines personal data as ‘any information relating to an identified or identifiable natural person’.
  • [38] There is no doubt that the data relating to the applicant for a residence permit and contained in a minute, such as the applicant’s name, date of birth, nationality, gender, ethnicity, religion and language, are information relating to that natural person, who is identified in that minute in particular by his name, and must consequently be considered to be ‘personal data’…
  • [39] As regards, on the other hand, the legal analysis in a minute, it must be stated that, although it may contain personal data, it does not in itself constitute such data within the meaning of Article 2(a) of Directive 95/46.

Remark(s)

The information contained within the minutes (for example, name, date of birth, nationality, ethnicity, religion, etc.) is personal data within the meaning of (now) art. 4(1) GDPR. However, the legal analysis in a minute, while containing personal data, does not constitute personal data in and of itself. 

 

Case C-70/10 Scarlet Extended SA v Société belge des auteurs, compositeurs et éditeurs SCRL (SABAM) EU:C:2011:771

Relevant facts 

In this case, SABAM, a Belgian copyright management organization, sought to compel the internet service provider Scarlet to prevent its users from illegally sharing copyrighted works via peer-to-peer networks. After an initial court ruling confirmed copyright infringement, a later judgment ordered Scarlet to implement a filtering system to block such activities. Scarlet appealed, arguing that installing such a system would require general surveillance of all user communications and the processing of IP addresses. It claimed this would breach EU privacy and data protection laws, as IP addresses are personal data under Directive 95/46 when they can identify individuals.

Legal question(s)

The Belgian court referred the matter to the CJEU and, inter alia, posed the question whether IP addresses constitute personal data.

Court’s interpretation 

  • [26] Lastly, Scarlet considered that the installation of a filtering system would be in breach of the provisions of European Union law on the protection of personal data and the secrecy of communications, since such filtering involves the processing of IP addresses, which are personal data.

….

  • [50] Moreover, the effects of that injunction would not be limited to the ISP concerned, as the contested filtering system may also infringe the fundamental rights of that ISP’s customers, namely their right to protection of their personal data and their freedom to receive or impart information, which are rights safeguarded by Articles 8 and 11 of the Charter respectively.
  • [51] It is common ground, first, that the injunction requiring installation of the contested filtering system would involve a systematic analysis of all content and the collection and identification of users’ IP addresses from which unlawful content on the network is sent. Those addresses are protected personal data because they allow those users to be precisely identified.
  • [52] Secondly, that injunction could potentially undermine freedom of information since that system might not distinguish adequately between unlawful content and lawful content, with the result that its introduction could lead to the blocking of lawful communications. Indeed, it is not contested that the reply to the question whether a transmission is lawful also depends on the application of statutory exceptions to copyright which vary from one Member State to another. Moreover, in some Member States certain works fall within the public domain or can be posted online free of charge by the authors concerned.
  • [53] Consequently, it must be held that, in adopting the injunction requiring the ISP to install the contested filtering system, the national court concerned would not be respecting the requirement that a fair balance be struck between the right to intellectual property, on the one hand, and the freedom to conduct business, the right to protection of personal data and the freedom to receive or impart information, on the other.
  • [54] In the light of the foregoing, the answer to the questions submitted is that Directives 2000/31, 2001/29, 2004/48, 95/46 and 2002/58, read together and construed in the light of the requirements stemming from the protection of the applicable fundamental rights, must be interpreted as precluding an injunction made against an ISP which requires it to install the contested filtering system.

Remark(s)

IP addresses are capable of precisely identifying users on the Internet and thus fall within the concept of personal data under (now) art. 4(1) GDPR. 

 

Case C-582/14 Patrick Breyer v Bundesrepublik Deutschland EU:C:2016:779

Relevant facts 

Mr. Breyer accessed publicly available websites operated by German federal institutions, which stored user data – including dynamic IP addresses – for security reasons. He challenged this practice, arguing that it violated his data protection rights, and sought an injunction to prevent the storage of his access information. While the first court rejected his claim, the appellate court partially upheld it, ruling that a dynamic IP address, when combined with other data that could identify the user, could constitute personal data if the user had revealed their identity during the session. However, it held that if only the internet service provider could link the IP to an identity, the IP address alone was not personal data. Both parties appealed, and the German Federal Court referred the matter to the CJEU.

Legal question(s) 

The German Federal Court posed the question whether dynamic IP addresses should be considered personal data under Directive 95/46.

Court’s interpretation

  • [32] According to that provision, ‘personal data’ ‘mean any information relating to an identified or identifiable natural person (“data subject”)’. Pursuant to that provision, an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.
  • [33] As a preliminary point, it must be noted that, in paragraph 51 of the judgment of 24 November 2011, Scarlet Extended (C-70/10, EU:C:2011:771), which concerned inter alia the interpretation of the same directive, the Court held essentially that the IP addresses of internet users were protected personal data because they allow users to be precisely identified.
  • [34] However, that finding by the Court related to the situation in which the collection and identification of the IP addresses of internet users is carried out by internet service providers.
  • [35] In the present case, the first question concerns the situation in which it is the online media services provider, namely the Federal Republic of Germany, which registers IP addresses of the users of a website that it makes accessible to the public, without having the additional data necessary in order to identify those users.

….

  • [38] In that connection, it must be noted, first of all, that it is common ground that a dynamic IP address does not constitute information relating to an ‘identified natural person’, since such an address does not directly reveal the identity of the natural person who owns the computer from which a website was accessed, or that of another person who might use that computer.

….

  • [41] The use by the EU legislature of the word ‘indirectly’ suggests that, in order to treat information as personal data, it is not necessary that that information alone allows the data subject to be identified. 

….

  • [44] The fact that the additional data necessary to identify the user of a website are held not by the online media services provider, but by that user’s internet service provider does not appear to be such as to exclude that dynamic IP addresses registered by the online media services provider constitute personal data within the meaning of Article 2(a) of Directive 95/46.

….

  • [47] Although the referring court states in its order for reference that German law does not allow the internet service provider to transmit directly to the online media services provider the additional data necessary for the identification of the data subject, it seems however, subject to verifications to be made in that regard by the referring court that, in particular, in the event of cyber attacks legal channels exist so that the online media services provider is able to contact the competent authority, so that the latter can take the steps necessary to obtain that information from the internet service provider and to bring criminal proceedings.
  • [48] Thus, it appears that the online media services provider has the means which may likely reasonably be used in order to identify the data subject, with the assistance of other persons, namely the competent authority and the internet service provider, on the basis of the IP addresses stored.
  • [49] Having regard to all the foregoing considerations, the answer to the first question is that Article 2(a) of Directive 95/46 must be interpreted as meaning that a dynamic IP address registered by an online media services provider when a person accesses a website that the provider makes accessible to the public constitutes personal data within the meaning of that provision, in relation to that provider, where the latter has the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person.

Remark(s) 

Dynamic IP addresses do constitute personal data within the meaning of (now) art. 4(1) GDPR where additional data can be provided by legal means and enable the identification of the person.

 

Special Categories of Personal Data 

The processing of special categories of personal data, often referred to as sensitive data, is governed by Article 9 GDPR. Special categories of data are those capable of revealing a data subject’s “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership” as well as “genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”. The processing of such data is prohibited in Article 9(1). Recital 51 further explains the reasons for such prohibition. The processing of special categories of data could pose a significant risk to the enjoyment of many of the fundamental rights and freedoms of a person. However, as with any rule, art 9 GDPR also provides a list of exceptions. It is possible to process special categories of data if one of the conditions listed in the second paragraph of the article is fulfilled.

GDPR – Recital 51

Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. Those personal data should include personal data revealing racial or ethnic origin, whereby the use of the term ‘racial origin’ in this Regulation does not imply an acceptance by the Union of theories which attempt to determine the existence of separate human races. The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person. Such personal data should not be processed, unless processing is allowed in specific cases set out in this Regulation, taking into account that Member States law may lay down specific provisions on data protection in order to adapt the application of the rules of this Regulation for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In addition to the specific requirements for such processing, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing. Derogations from the general prohibition for processing such special categories of personal data should be explicitly provided, inter alia, where the data subject gives his or her explicit consent or in respect of specific needs in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.

 

Article 9 GDPR: Processing of special categories of personal data

  1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.
  2. Paragraph 1 shall not apply if one of the following applies:

a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;

b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;

c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;

e) processing relates to personal data which are manifestly made public by the data subject;

f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;

g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;

i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;

j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

The derogation expressed in Article 9(2) GDPR is further elaborated on in Recitals 52-56. It is apparent from the phrasing of Article 9(2) that the exceptions are to be applied in a strict manner which at all times adheres to the data subject’s choices, rights and interests. Special categories of data require a higher standard of security. For example, the concept of “consent” (Article 9(2)(a) GDPR) is described as “explicit consent” – meaning that a data controller/processor must prove that the data subject gave his/her consent in a free, fully informed and capable manner, under no duress or other forms of pressure for one or more specified purposes. In the other cases, where processing of special categories of data is described as “necessary”, there still is a firm repetition of the required safeguards one must provide in order to process such data.

The existence of one of the derogations listed under the second paragraph of article 9 does not make the rest of the GDPR requirements obsolete. For example, the fact that a data subject has made sensitive information manifestly public (art 9(2)(e) GDPR) allows for the processing of such data only in compliance with the purpose for which the data was originally made public.

CJEU C-446/21 Schrems v Meta Platforms Ireland EU:C:2024:834

Relevant facts

Meta Platforms Ireland (formerly known as Facebook) has collected data relating to users’ activities outside Facebook, through the use of cookies, social plug-ins, pixels and comparable technologies integrated into third-party websites. Meta processed the collected data to identify users’ interests in sensitive topics, such as sexual orientation, and to direct targeted advertising at the users.

Maximilian Schrems was a Facebook user. He never consented to the processing by Meta of his personal data concerning activities outside Facebook. Nonetheless, he received advertisements which, among others, targeted homosexual persons (which was based on Meta’s analysis of the interests of Schrems and his friends). Schrems did not disclose his sexual orientation on his Facebook profile, although he had once made it public during a panel discussion that was open to the public.

Relevant question before the CJEU

Question 4 – Is Article 5(1)(b) of the GDPR, read in conjunction with Article 9(2)(e) thereof, to be interpreted as meaning that a statement made by a person about his or her own sexual orientation for the purposes of a panel discussion permits the processing of other data concerning sexual orientation with a view to aggregating and analysing the data for the purposes of personalised advertising?

CJEU’s interpretation

[77] It follows that, for the purposes of the application of the exception laid down in Article 9(2)(e) of the GDPR, it is important to ascertain whether the data subject had intended, explicitly and by a clear affirmative action, to make the personal data in question accessible to the general public (judgment of 4 July 2023, Meta Platforms and Others (General terms of use of a social network), C‑252/21, EU:C:2023:537, paragraph 77).

[78] In the present case, it is apparent from the order for reference that the panel discussion organised in Vienna on 12 February 2019, in the context of which Mr Schrems made a statement about his sexual orientation, was accessible to the public, who could obtain a ticket to attend the event, subject to seating availability, and that it was streamed. Moreover, a recording of the round table was subsequently published as a podcast, as well as on the Commission’s YouTube channel.

[79] In those circumstances, and subject to verifications which it is for the referring court to carry out, the possibility cannot be ruled out that that statement, although forming part of a broader discussion and made solely for the purpose of criticising the processing of personal data by Facebook, constitutes an act by which the person concerned in any event manifestly made his sexual orientation public within the meaning of Article 9(2)(e) of the GDPR.

[80] In the second place, if the consequence of the fact that the data subject has manifestly made public data concerning his or her sexual orientation is that those data may be processed, by way of derogation from the prohibition laid down in Article 9(1) of the GDPR and in accordance with the requirements deriving from the other provisions of that regulation (see, to that effect, judgment of 24 September 2019, GC and Others (De-referencing of sensitive data), C‑136/17, EU:C:2019:773, paragraph 64), that fact alone does not, contrary to the contentions of Meta Platforms Ireland, authorise the processing of other personal data relating to that data subject’s sexual orientation.

[81] Thus, it would be contrary to the restrictive interpretation that should be made of Article 9(2)(e) of the GDPR to find that all data relating to the sexual orientation of a person fall outside the scope of protection under Article 9(1) thereof solely because the data subject has manifestly made public personal data relating to his or her sexual orientation.

[82] Moreover, the fact that a person has manifestly made public information concerning his or her sexual orientation does not mean that that person has given his or her consent within the meaning of Article 9(2)(a) of the GDPR to processing of other data relating to his or her sexual orientation by the operator of an online social network platform.

[83] In the light of the foregoing, the answer to the fourth question is that Article 9(2)(e) of the GDPR must be interpreted as meaning that the fact that a person has made a statement about his or her sexual orientation on the occasion of a panel discussion open to the public does not authorise the operator of an online social network platform to process other data relating to that person’s sexual orientation, obtained, as the case may be, outside that platform using partner third-party websites and apps, with a view to aggregating and analysing those data, in order to offer that person personalised advertising.

 

It is important to notice that the wording of Article 9(1) GDPR refers to data that reveal sensitive information. The CJEU has interpreted this wording extensively to include not only data that reveal such information directly, but also data that indirectly might reveal information that would fall under one of the listed special categories of data. Furthermore, the strict interpretation of the conditions for making the data public needs to be followed also when the processing of the data is considered as necessary by the law itself (Article 9(2)(g) GDPR).

Case C-184/20 OT v Vyriausioji tarnybinės etikos komisija EU:C:2022:601

Relevant facts

OT serves as the director of QP, an establishment governed by Lithuanian law and in receipt of public funds. In accordance with national law, OT has an obligation to make public a declaration of private interests that also concerns the spouse. OT refuses to make such a declaration public because, among other reasons, it would reveal sexual orientation.

Relevant question before the CJEU

Question 2 – Must the prohibition of the processing of special categories of personal data established in Article 9(1) of the GDPR, regard being had to the conditions established in Article 9(2), including the condition established in point (g) thereof [..] be interpreted, also with regard to Articles 7 and 8 of the Charter, as meaning that national law may not require the disclosure of data relating to declarations of private interests which may disclose personal data, including data which make it possible to determine a person’s political views, trade union membership, sexual orientation and other personal information, and their publication on the website of the controller, providing access to those data to all individuals who have access to the internet?

CJEU’s interpretation

[122] Article 8(1) of Directive 95/46 states that Member States are to prohibit the processing of personal data ‘revealing’ racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of data ‘concerning’ health or sex life. Article 9(1) of the GDPR provides that, inter alia, processing of personal data ‘revealing’ racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of data ‘concerning’ health or data ‘concerning’ a natural person’s sex life or sexual orientation, are to be prohibited.

[123] As the Advocate General has observed, in essence, in point 85 of his Opinion, whilst the use, in those provisions, of the verb ‘reveal’ is consistent with the taking into account of processing not only of inherently sensitive data, but also of data revealing information of that nature indirectly, following an intellectual operation involving deduction or cross-referencing, the preposition ‘concerning’ seems, on the other hand, to signify the existence of a more direct and immediate link between the processing and the data concerned, viewed inherently.

[124] Such an interpretation, which would result in a distinction being drawn according to the type of sensitive data at issue, would not, however, be consistent with a contextual analysis of those provisions, in particular with Article 4(15) of the GDPR, according to which ‘data concerning health’ are personal data related to the physical or mental health of a natural person, including the provision of health care services, which ‘reveal’ information about his or her health status, and with recital 35 of that regulation, which states that personal data concerning health should include all data pertaining to the health status of a data subject which ‘reveal’ information relating to the past, current or future physical or mental health status of the data subject.

[125] Furthermore, a wide interpretation of the terms ‘special categories of personal data’ and ‘sensitive data’ is confirmed by the objective of Directive 95/46 and the GDPR, noted in paragraph 61 of the present judgment, which is to ensure a high level of protection of the fundamental rights and freedoms of natural persons, in particular of their private life, with respect to the processing of personal data concerning them (see, to that effect, judgment of 6 November 2003, Lindqvist, C‑101/01, EU:C:2003:596, paragraph 50).

[126] The contrary interpretation would, moreover, run counter to the purpose of Article 8(1) of Directive 95/46 and Article 9(1) of the GDPR, namely to ensure enhanced protection as regards processing which, because of the particular sensitivity of the data processed, is liable to constitute, as follows from recital 33 of Directive 95/46 and recital 51 of the GDPR, a particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, guaranteed by Articles 7 and 8 of the Charter (see, to that effect, judgment of 24 September 2019, GC and Others (De-referencing of sensitive data), C‑136/17, EU:C:2019:773, paragraph 44).

[127] Consequently, those provisions cannot be interpreted as meaning that the processing of personal data that are liable indirectly to reveal sensitive information concerning a natural person is excluded from the strengthened protection regime prescribed by those provisions, if the effectiveness of that regime and the protection of the fundamental rights and freedoms of natural persons that it is intended to ensure are not to be compromised.

[128] In the light of all the foregoing considerations, the answer to the second question is that Article 8(1) of Directive 95/46 and Article 9(1) of the GDPR must be interpreted as meaning that the publication, on the website of the public authority responsible for collecting and checking the content of declarations of private interests, of personal data that are liable to disclose indirectly the sexual orientation of a natural person constitutes processing of special categories of personal data, for the purpose of those provisions.

Brainstorming Exercises

  1. Financial data as well as the buying behaviour of data subjects are not listed as special categories of personal data under Article 9(1) GDPR. Can you think of situations when these types of data will fall under the prohibition of Article 9?
  2. Do photographs fall under the category of special categories of personal data?

10.2 GDPR: Temporal, Material and Territorial Scope 

Temporal scope

The GDPR was adopted on 27 April 2016. As customary, it entered into force 20 days after the publication in the Official Journal, on 24 May 2016. However, as established in Article 99 GDPR, it started to apply only two years after, on 25 May 2018. The period of two years between the entry into force and the enforcement of the law allowed private and public entities to bring all their personal data processing operations in conformity with the new required standards.

Material scope

The material scope of the GDPR can be found in Article 2. Its first paragraph outlines: “This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system”.

The provision is broad and flexible, so as to encompass a very wide variety of situations. In order to provide better clarity, the second paragraph of the article explicitly lists those cases which fall outside the scope of the Regulation.

Article 2(2) GDPR: What falls outside the material scope of application? 

This Regulation does not apply to the processing of personal data:

a) in the course of an activity which falls outside the scope of Union law;

b) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;

c) by a natural person in the course of a purely personal or household activity;

d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. 

From the text of the provision it becomes apparent that there are certain categories of processing that will not be governed by the GDPR. The exceptions under points (a) and (b) are quite straightforward.

Point (a) is closely linked with the EU principle of conferral of powers. The EU is a regional international organisation that has received from its Member States competences to regulate specific areas. As stated in Article 4(1) TEU: “In accordance with Article 5, competences not conferred upon the Union in the Treaties remain with the Member States.” Thus, the GDPR cannot extend its application to areas that fall outside the scope of Union law.

Point (b) closely follows the rationale of the previous point. Chapter 2 of Title V of the TEU concerns the Common Foreign and Security Policy, where the Member States are in the driving seat. The EU has only special competences in the field and its institutions have limited decision-making power.

Point (c) refers to processing by a natural person in the course of purely personal or household activities. This explicit exclusion means that activities involving the creation and use of, e.g., a personal agenda calendar, a phone book, or a birthday calendar are excluded from the scope of the law.

However, any purely personal or household activity must remain for truly private use in order to fall within the exception of Article 2(2)(c) GDPR. What happens when data that were initially held privately become public is a matter that the Court of Justice of the European Union has addressed in various cases.

Case C-101/01 Criminal proceedings against Bodil Lindqvist EU:C:2003:596

Relevant facts 

The case concerned Mrs. Lindqvist, a Swedish catechist who created personal webpages to assist parishioners preparing for confirmation. On these pages, she published personal information about herself and 18 colleagues – such as names, roles, hobbies, contact details, and even medical information about one person – without their knowledge or consent. She also linked the pages to the Swedish Church’s official website. Swedish authorities prosecuted her for violating the Personal Data Act (PUL), alleging she had processed personal and sensitive data without prior notice to the data protection authority, consent from the individuals concerned, or authorization to transfer data to a third country.

Legal question(s) 

Multiple questions were brought before the Court with three of them especially focusing on the consequences of making personal data available in a public (online) manner:

  1. Does entering personal data on a webpage and making it accessible online qualify as “processing of personal data by automatic means” under Directive 95/46?
  2. Is the processing of personal data such as that described in the first question covered by one of the exceptions in Article 3(2) of Directive 95/46?
  3. Does the inclusion of sensitive personal data (such as health information) on a publicly accessible webpage fall under the special categories of data subject to enhanced protection under the Directive?

Interpretation of the Court 

First question (above)

  • [24] The term ‘personal data’ used in Article 3(1) of Directive 95/46 covers, according to the definition in Article 2(a) thereof, ‘any information relating to an identified or identifiable natural person’. The term undoubtedly covers the name of a person in conjunction with his telephone coordinates or information about his working conditions or hobbies.
  • [25] According to the definition in Article 2(b) of Directive 95/46, the term ‘processing’ of such data used in Article 3(1) covers ‘any operation or set of operations which is performed upon personal data, whether or not by automatic means’. That provision gives several examples of such operations, including disclosure by transmission, dissemination or otherwise making data available. It follows that the operation of loading personal data on an internet page must be considered to be such processing.

  • [26] It remains to be determined whether such processing is ‘wholly or partly by automatic means’. In that connection, placing information on an internet page entails, under current technical and computer procedures, the operation of loading that page onto a server and the operations necessary to make that page accessible to people who are connected to the internet. Such operations are performed, at least in part, automatically.
  • [27] The answer to the first question must therefore be that the act of referring, on an internet page, to various persons and identifying them by name or by other means, for instance by giving their telephone number or information regarding their working conditions and hobbies, constitutes ‘the processing of personal data wholly or partly by automatic means’ within the meaning of Article 3(1) of Directive 95/46.

Second question (above)

  • [46] As regards the exception provided for in the second indent of Article 3(2) of Directive 95/46, the 12th recital in the preamble to that directive, which concerns that exception, cites, as examples of the processing of data carried out by a natural person in the exercise of activities which are exclusively personal or domestic, correspondence and the holding of records of addresses.
  • [47] That exception must therefore be interpreted as relating only to activities which are carried out in the course of private or family life of individuals, which is clearly not the case with the processing of personal data consisting in publication on the internet so that those data are made accessible to an indefinite number of people.
  • [48] The answer to the third question must therefore be that processing of personal data such as that described in the reply to the first question is not covered by any of the exceptions in Article 3(2) of Directive 95/46.

Third question (above) 

  • [50] In the light of the purpose of the directive, the expression ‘data concerning health’ used in Article 8(1) thereof must be given a wide interpretation so as to include information concerning all aspects, both physical and mental, of the health of an individual.
  • [51] The answer to the fourth question must therefore be that reference to the fact that an individual has injured her foot and is on half-time on medical grounds constitutes personal data concerning health within the meaning of Article 8(1) of Directive 95/46.

Remark(s)

The act of referring to individuals and identifying characteristics of said individuals on an internet page constitutes “processing of personal data” and, due to its public nature, does not benefit from the exception of what is now Article 2(2)(c) GDPR. Furthermore, publication concerning the injury of an individual on that same internet page constitutes publication of “personal data” within the meaning of the GDPR and is, in fact, a special category of data that would now be governed by Article 9 GDPR.

Brainstorming Exercise

Would publishing of information on Social Media qualify for the exception of the purely personal and household activities as established under Article 2(2)(c) GDPR?

In contrast to the other three points, point (d) is less an exception than a consequence of the fact that the use of data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, requires a special regulation. The Law Enforcement Directive, which regulates the use of personal data by competent authorities for the purposes mentioned above, was adopted in the same package as the GDPR but as a separate piece of lex specialis.

Territorial scope

In a global and digital economy, data travels easily across borders. Data subjects in the EU benefit from online services offered all around the globe and international companies offer services and products within the EU. Article 3 GDPR focuses on the territorial scope of application of the GDPR.

Article 3 GDPR – Territorial scope

  1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
  2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
    1. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
    2. the monitoring of their behaviour as far as their behaviour takes place within the Union.
  3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

 

License


Texts and Materials in Data Protection and Digital Human Rights Copyright © by Mando Rachovitsa, Jonida Milaj is licensed under a Creative Commons Attribution 4.0 International License, except where otherwise noted.
