TikTok judgment of the Amsterdam District Court

News Update Privacy & Data Protection

Recent developments in data protection
11 December 2023

In this News Update, we discuss the Amsterdam District Court's judgment in the class action against TikTok for invading users' privacy, the European Data Protection Board (EDPB) guidelines on tracking technologies, and European Court of Justice judgments on On Board Diagnostics and maintenance information and on administrative fines under the GDPR.

Amsterdam District Court's TikTok judgment

On 25 October 2023, the Amsterdam District Court gave an interim judgment in a class action brought by three claims organisations against TikTok for invading TikTok users' privacy.

The claims organisations in question (Stichting Massaschade & Consument, Stichting Take Back Your Privacy and Stichting Onderzoek Marktinformatie) argued that the use of TikTok caused users to lose control over their personal data, causing them to experience negative feelings such as anxiety, anger, stress and indignation. On that basis, the claims organisations filed claims for compensation of non-material damage on behalf of the TikTok users they represent. In the interim judgment, the District Court ruled that the claims for non-material damage were inadmissible, as they could not be adequately 'bundled'. It reasoned that TikTok's service was used in diverse ways (ranging from sporadically to intensively) and that the resulting negative experiences could differ per person. Such negative feelings could be totally absent, strongly present, or anything in between. As a result, the compensation claims for non-material damage depended on the users' individual situations to such an extent that the claims were insufficiently similar. Similarity is required in class actions based on Article 3:305a of the Dutch Civil Code. This 'similarity requirement' did not undermine the claims organisations' other claims and, according to the District Court, the claims for the compensation of material damage might actually be sufficiently similar. However, whether any material damage was suffered is yet to be established.

EDPB guidelines on tracking technologies

On 14 November 2023, the European Data Protection Board published provisional guidelines to clarify which tracking techniques are subject to the 'cookie regulations'. Among the aspects covered in the guidelines is the scope of "the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a user". Article 5(3) of the ePrivacy Directive (ePD) states that, in principle, this is only allowed with the user's consent. In the Netherlands, this provision is laid down in Article 11.7a(1) of the Telecommunications Act (Telecommunicatiewet). The EDPB guidelines explain the various elements involved, while also noting that terminal equipment includes not only smartphones and laptops, but also connected cars and smart glasses used to store or access information.

In addition, the guidelines list some examples of tracking techniques that are subject to Article 5(3) of the ePD. These include tracking links and tracking pixels, to the extent distributed via an electronic communications network, but also, under certain circumstances, tracking based on IP addresses, insofar as the IP address is accessed via the user's terminal equipment. Finally, Article 5(3) of the ePD can also apply to the use of 'unique identifiers'. In short, in principle all such tracking techniques can only be used with the user's consent. Any comments on these provisional guidelines can be submitted until 28 December.

European Court of Justice: manufacturer must provide On Board Diagnostics and maintenance information to independent operators / Vehicle Identification Number is personal data under certain conditions

European Court of Justice 9 November 2023, ECLI:EU:C:2023:837 

On 9 November 2023, the European Court of Justice (ECJ) gave an important judgment on independent operators being granted access to vehicle, repair and maintenance information and on-board diagnostic (OBD) information by a vehicle manufacturer (in this case, Scania). Scania provided this information as a PDF file that could only be saved on a computer, which excluded automated use of data. Gesamtverband Autoteile-Handel, a German trade association accounting for 80% of the turnover in the independent trade in motor vehicle parts in Germany, objected to Scania's methods. The Gesamtverband also disagreed with Scania's refusal to provide vehicle identification numbers (VINs) to independent operators. On the latter aspect, the ECJ ruled that the VIN constitutes personal data, within the meaning of Article 4(1) of the GDPR, of the natural person referred to in the registration certificate, insofar as the persons who have access to the VIN may have means enabling them to use the VIN to identify the owner of the vehicle to which it relates or the person who may use that vehicle on a legal basis other than the owner. On the aspect of access to vehicle, repair and maintenance information and OBD information, the ECJ ruled that manufacturers are required to make this information available to independent operators in files the format of which serves for 'direct electronic processing' of the sets of data contained in those files. PDF files would be insufficient for that purpose.

European Court of Justice: administrative fines under the GDPR may only be imposed for infringements that are committed wrongfully

European Court of Justice 5 December 2023, ECLI:EU:C:2023:949

A Lithuanian court and a German court have asked the Court of Justice to interpret the GDPR regarding the possibility for national supervisory authorities to penalise a GDPR infringement by imposing an administrative fine on the data controller. The ECJ inter alia considers that Article 83(2) of the GDPR lists the factors in the light of which the supervisory authority may impose an administrative fine on the controller. Those factors include, in point (b) of that provision, ‘the intentional or negligent character of the infringement’. It follows from the wording of Article 83(2) of the GDPR, according to the ECJ, that only infringements of the provisions of that regulation which are committed wrongfully by the controller, that is to say, those committed intentionally or negligently, may result in an administrative fine being imposed on that controller pursuant to that article.

Written by:
Thomas de Weerd
