CJEU further clarifies key concepts of data protection law
On 10 July 2018, the EU Court of Justice rendered a judgement in a case relating to the data processing activities of the Jehovah’s Witnesses Community. The Court of Justice was asked by the Supreme Administrative Court of Finland whether a religious community such as Jehovah’s Witnesses could be regarded as a “joint data controller” with respect to the collection of personal data by its members, even if the Community itself did not have access to the data collected by the members and did not give strict instructions relating to the processing hereof.
This judgment clarifies several key concepts of European data protection legislation, which remain very relevant under the EU General Data Protection Regulation 2016/679 (GDPR).
Clarification on the scope of EU data protection legislation
The Court of Justice first of all considered that personal data were collected by members of the Jehovah’s Witnesses Community as a memory aid for later use and possible subsequent visits. Furthermore, these data were used for preaching activities organised, coordinated and encouraged by the Community, in particular when it allocated areas of activity between various members engaging in preaching.
The Court of Justice therefore concluded that this processing activity could not be seen as being “purely personal or domestic” (which would entail that the processing would fall outside the scope of data protection legislation) where its purpose is to make the data collected accessible to an unrestricted number of people. In addition, the processing activity is clearly directed outwards from the private setting of the members of the Community.
Notion of “filing system”
Secondly, the Court of Justice confirmed that the concept of a “filing system” in data protection legislation is a broad one. A “filing system” is “any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis”.
The content of a filing system must be structured in order to allow easy access to personal data. The requirement that the set of personal data must be structured according to specific criteria is therefore simply intended to enable personal data to be easily retrieved. Apart from that requirement, the practical means by which a filing system should be structured or the form in which it should be presented, can differ from case to case. It does not follow from the law that the personal data must be contained in data sheets or specific lists or in another search method, in order to establish the existence of a “filing system”.
In the present case, the personal data collected by the members of the Community was structured according to criteria chosen in accordance with the objective pursued, in order to enable data relating to specific persons to be easily retrieved. Therefore, the information collected during door-to-door preaching activities and its further processing should be considered as forming part of a “filing system”.
Extensive interpretation of the notion of joint controllership
Finally, the Court of Justice confirms its previous case law on the (broad) scope of the notion of “joint controllership”, and in particular its judgement of 5 June 2018 relating to owners of Facebook Fan Pages (for more information, read our previous newsflash here).
According to the Court of Justice, the definition of a “data controller”, i.e. the person or entity who determines the purposes and means of the processing of personal data, does not need to be interpreted as necessarily requiring written guidelines or instructions by such controller. It is sufficient that this person or entity exercises influence over the processing of personal data for its own purpose and thereby participates in the determination of the purposes and (essential) means of that processing, to be qualified as a joint controller.
Moreover, the Court of Justice recalled that joint responsibility of several actors does not require all of them to have access to the personal data. The Court of Justice referred in this respect to its previous case law relating to owners of Facebook Pages.
In the present case, the members of the Jehovah’s Witnesses Community who engage in preaching determine in which specific circumstances they collect personal data relating to persons visited, which data are collected and how those data are subsequently processed. However, the preaching activity itself is organised, coordinated and encouraged by the Community, and the Community itself also keeps lists of persons who no longer wish to receive a visit. It therefore appears that the collection of personal data relating to persons contacted and their subsequent processing help to achieve the objective of the Community are carried out by members for the purposes of that Community. Not only does the Community have knowledge on a general level of the fact that such processing is carried, but it organises and coordinates the preaching activities of its members.
In these circumstances, the Jehovah’s Witnesses Community, by organising, coordinating and encouraging the preaching activities, jointly with its members, determines the purposes and (essential) means of the processing of personal data.
On the notions of “personal and domestic processing” and “filing systems”, this judgement is not very controversial.
The broad interpretation of the notion of “joint controllership” by the Court of Justice (in line with its judgement of 5 June 2018 in the Facebook Fan Pages case) does however still raise some concerns:
- (non-profit) organisations are highly likely to be considered as joint controllers together with their members if these latter collect personal data for the purpose(s) of the organisation;
- organisations and their members can be joint controllers even if they do not both have access to the personal data; and
- a determinant influence over the purpose(s) of, or the essential means used for, the processing of personal data is sufficient to qualify as a joint controller without written guidelines or instructions being required.In any case, there is no doubt that this judgement will continue to fuel the debate regarding the extent of respective liabilities of joint data controllers.
- The extent of actual control of each “joint controller” will in these cases determine the parties’ respective responsibilities and liabilities (e.g. for compliance with data subjects’ rights, transparency obligations, data security obligations, etc.). Laying down these responsibilities and liabilities in a written contract (a so-called “joint controllership agreement”) is highly advisable.
The full text of the judgement in the case C-25/17, “Tietosuojavaltuutettu - Jehovan todistajat — uskonnollinen yhdyskunta” can be consulted here.