T-209/21 is the number of the case that – regardless of the winner – will change if not the world, at least the industry based on personal data. On 1 November 2021, in fact, WhatsApp Ireland challenged a binding decision by the European Guarantor before the European Court of Justice which, in summary, questions the way in which the company informs users as well as the nature and extent of the legitimate interest to profile users without their consent. The defense of the messaging platform is based on seven points, of which the most relevant are: having the European Guarantor interpreted the definition of “personal data” extensively (and not allowed) and violation of the “presumption of innocence” by requiring Whatsapp to demonstrate the effective effectiveness of processes that anonymize user data instead of leaving the competent authorities with the duty to ascertain violations.
They are two deadly blows because they are aimed at the two Achilles heels of the GDPR. The first is the violation, by the GDPR and therefore by the guarantors for the protection of personal data, of the Engel Criteria established by the European Court of Human Rights on the criminal nature of administrative sanctions that are so “heavy” as to amount to a criminal sentence. In this case, the court believes, the full guarantees of the criminal trial should apply and not the more limited ones of administrative proceedings. The question is very technical, but, in summary, it consists in stigmatizing the behavior of those countries that circumvent the defensive guarantees.
The second is it excessive power of national data protection authorities in the interpretation of the GDPR which, for example, has led to the IP number being classified as personal data without distinguishing the cases in which the material user of a computer is actually identifiable (as in the case in which he has registered to overcome a paywall) from those in which, by accessing anonymously, the service manager remains unknown despite the cookies. The European Court of Justice, in the Breyer case, had recognized this difference, not as clearly, however, do the data protection authorities as evidenced by the approach to the issue of cookies.
The question of cookies is central in another dispute parallel to the case between Whatsapp and the European Guarantor brought in various EU countries – including Italy – by an Austrian NGO on the illegality of the transfer to the USA of data generated by Google analytics. The national data protection authority gave reason to the NGO that, after the “Schrems II” ruling, the transfers to the USA of data generated by Google analytics are illegal.
It is bizarre enough that data protection authorities are only now realizing that, perhaps, big platform analytics are a problem. There was no need for a sentence to understand that when the DNS, email, search engines and the use of various services are concentrated in the hands of a single subject, this subject is able to identify anyone, anywhere, in any case. Better late than never, some would say; but — as someone else would say — it is also true that the devil is in the details.
Send profiling cookies, when they are collected on a computer whose user is anonymous (because, once again, for example, he has not registered) it cannot be considered as processing of personal data even if someone else – Google, as will be explained later – may cross those anonymous information with what it already (autonomously) possesses. So banners, warnings and all the paraphernalia that plague websites around the world are simply useless.
The GDPR regulates the direct processing of personal data, not that of those who receive anonymous data and then cross them with others for which they have the availability. We may not like this, but it is out of the question, also and above all because the GDPR is an already old legislation because it was conceived with its head turned towards 2000 when the theme of excessive power deriving from the accumulation of data was little more than an academic whim. or some civil rights “extremist”.
In the Austrian affair, however, there is a geopolitical implication which has not been adequately analyzed. At the basis of the Schrems II ruling (and therefore of the Austrian decision) is the fact that the data accumulated by Google can be made available to the American investigative and intelligence authorities. According to the European Court, this would be enough to render illegal transfers of data collected by Google on European citizens. But, one wonders, how can a (non) country like the European Union interfere in the internal security policies of a sovereign country like the United States of America? Once the data has been knowingly sent overseas by European users, their acquisition is regulated by the American legal procedures which, of course, cannot be challenged by anyone.
In conclusion, the ending of these two events is most likely already written. I hope I am wrong but it is reasonable to think that, especially for geopolitical reasons, American platforms will succumb. If this happened, a paradoxical consequence would be further accentuated: that of substantial uselessness of the GDPR.
After the Schrems I and II sentences and the alarms of the personal data guarantors, data exchanges between European Union countries and the United States have not been reduced at all and the practical application of the legislation has been reduced to endless “privacy policies” that nobody reads. Faced with the inability of the European Union and its components to offer technological alternatives to those of the United States, a “muscular” reaction based on bans that no one – users first of all – will want to respect, wondering about the legal nature of cookies and IP seems so much an academic curiosity, while the world goes somewhere else.