T-209/21 is the case number that —regardless of the winner— will change if not the world, at least the industry based on personal data. On 1 November 2021, WhatsApp Ireland challenged before the European Court of Justice a binding decision of the European Data Protection Supervisor, which, in summary, questions how the company informs users and the nature and extent of the legitimate interest to profile users without their consent. The messaging platform’s defence argues on seven points, of which the most relevant are: the fact that the European Supervisor has interpreted the definition of ‘personal data’ in an extensive (and not allowed) way and the violation of the ‘innocent until proven guilty’ principle by requiring WhatsApp to demonstrate the actual effectiveness of its user data anonymisation process instead of leaving the competent authorities with the duty to ascertain violations. These are two deadly blows because they are aimed at the two Achilles heels of the GDPR.
by Andrea Monti – Initially published in Italian on Strategikon – an Italian Tech blog.
The first is the violation, by the GDPR and therefore by the data protection authorities, of the Engel Criteria established by the European Court of Human Rights on the criminal nature of administrative sanctions that are so “heavy” as to amount to a criminal conviction. In this case, the court holds that the full guarantees of criminal proceedings and not the more limited administrative proceedings should apply. The issue is very technical but, in short, consists of stigmatising the behaviour of those countries that circumvent the right to defence.
The second is the excessive power of the national data protection authorities in interpreting the GDPR. This attitude, for example, has led them to classify the IP number as personal data without distinguishing the cases in which the material computer user is identifiable (as when he or she has registered to overcome a paywall) from those in which, accessing anonymously, he or she remains unknown to the service provider despite the cookies. The European Court of Justice, in the Breyer case, had recognised this difference, but the data protection authorities do not do so as clearly, as their approach to the issue of cookies shows. The cookie issue is central to another parallel dispute, brought in several EU countries —including Italy— by an Austrian NGO. It challenges the lawfulness of the transfer to the US of data generated by Google Analytics. The national data protection authority agreed with the NGO and ruled that, after the ‘Schrems II’ judgment, transfers to the US of data generated by Google’s analytics are illegal.
It is pretty bizarre that data protection authorities are only now realising that perhaps analytics of large platforms are a problem. It did not take a court decision to understand that when DNS, email, search engines, and the use of various services stay in the hands of one entity, that entity can identify anyone, anywhere, anyhow. Some would say: ‘better late than never’. Nevertheless —as someone else would say— it is also true that the devil is in the details. Forwarding profiling cookies collected on a computer whose user is anonymous (because, again, for instance, he or she has not registered) cannot be considered as processing of personal data, even if someone else can cross-reference that anonymous information with information they already (independently) possess. So banners, notices, and all the paraphernalia littering websites worldwide are just useless. The GDPR regulates the direct processing of personal data, not the processing by someone who receives anonymous data from someone else and then cross-references them with other data they already have. One may not like it, but it is out of the question, also and above all, because the GDPR is a regulation that was born old. It was conceived with its head turned towards the year 2000, when the theme of the excessive power deriving from the accumulation of data was little more than an academic whim or a scarecrow of some civil rights ‘extremist’.
In the Austrian case, however, there is an underrated geopolitical implication. The basis of the Schrems II judgment (and thus of the Austrian decision) is that Google’s accumulated data can be made available to US investigative and intelligence authorities. According to the European Court, this would be enough to make the transfer of data collected by Google on European citizens illegal. However, one wonders, how can a (non)country like the European Union interfere in the internal security policies of a sovereign country like the United States of America? Once data have been consciously sent overseas by European users, their acquisition falls under American legal procedures, which, of course, cannot be questioned by anyone.
In conclusion, the end of these two stories is, most likely, already written. Maybe it is wrong; however, it is reasonable to think that the American platforms will succumb, especially for geopolitical reasons. If this were to happen, it would further accentuate a paradoxical consequence: that of the substantial uselessness of the GDPR. After the Schrems I and II judgments and the warnings of data protection authorities, the exchange of data between EU countries and the United States is still there, and the practical application of the legislation has been reduced to endless ‘privacy policies’ that nobody reads. In the face of the inability of the European Union and its member States to offer technological alternatives to those of the United States, and of a ‘muscular’ reaction based on prohibitions that nobody —users first of all— will want to respect, wondering about the legal nature of cookies and IPs seems like an academic curiosity, while the world goes elsewhere.