CJEU will rule on whether bailiffs can sell databases with personal data in enforcement proceedings

Written By

izabela kowalczuk pakula module
Izabela Kowalczuk-Pakula

Partner
Poland

I am an AI and Cyber partner and Head of our Privacy & Data Protection team in Warsaw

emilia stepien module
Emilia Stepien

Of Counsel
Poland

I'm an Of Counsel in the Privacy & Data Protection team in Warsaw.

A Warsaw district court (the “Court”) has referred a question to the Court of Justice of the European Union (the “CJEU”) C-693/22 for a preliminary ruling to establish whether the database containing personal data that by law is transferable under the local implementation of Directive 96/9/EC on legal protection of databases (the “Data Base Directive”), may still be subject of sale in the enforcement proceedings without the data subject’s consent.

Background

The bailiff terminated the proceedings because the debtor did not have sufficient assets to satisfy the creditor.

The creditor was unsatisfied with the ruling because it could not recover his receivables from the debtor. The creditor sued the debtor’s board member, claiming that the board member is liable for the debt since the creditor could not satisfy the claim from the debtor’s assets. The defendant filed for dismissing the claim, as in his opinion, the debtor had assets to satisfy the creditor. In particular, the debtor had an internet portal with trademarks and two databases, which contained personal data of the debtor's customers.

The Court had doubts whether the database with personal data of hundreds of thousands of users can be sold in enforcement proceedings taking the GDPR into consideration. The sale of such database would constitute processing of personal data because it directly leads to sharing the personal data with a third party, i.e. the buyer.

In the course of the enforcement proceedings, the bailiff who sells the database becomes a data controller. Personal data processing is lawful only in cases where one or more of the conditions described in Art. 6 of the GDPR are met. As in the matter at hand there is no customers’ consent for selling their data during enforcement proceedings, the Court considers the following legal bases as alternatives:

  • legal obligation - Art. 6 (1)(c) of the GDPR,
  • task carried out in the public interest - Art. 6 (1)(d) of the GDPR.

The Court excluded the possibility of relying on legitimate interest (Art. 6 (1)(f) since the public authorities, in this case the bailiff, cannot rely on legitimate interest when performing their duties.

The Court’s reasoning

The below-mentioned concerns led the Court to submit a preliminary question to the CJEU on whether the GDPR (Arts. 6(1)(a) [consent], (c) [legal obligation] and (e) [task carried out in public interest], as well as 6(3) GDPR) precludes a national law that permits the sale, in enforcement proceedings, of a database, which contains personal data, if the data subject did not consent to such a sale?

The Court explained that there are national provisions that can justify the bailiff relying on the legal obligation for the processing of personal data or carry out a task in the public interest.

However, the Court pointed out that Art. 6(3) of the GDPR implies that the Union’s or the Member State’s law should meet an objective of public interest and be proportionate to the legitimate aim pursued.

Public interest

On one hand, enforcement proceedings serve the interests of a creditor. On the other hand, ensuring that a creditor can realistically enforce a court judgment, serves to strengthen public trust in the state and is in the general interest of justice, which can be seen as a public interest.

Proportionality

The Court’s considers whether selling the database would be proportionate. That is due to the risks involved in the sale of the database. The Court pointed out that there are no provisions of national law that impose specific restrictions on the database buyer, except for their full legal capacity. This means that the buyer may also be a non-EU entity, which could not guarantee compliance with the GDPR (although in our view such processing in relation to an asset deal may trigger GDPR application to the buyer). The database could also be obtained by the central authorities, which could collect more personal data about citizens than necessary for the performance of their tasks.

These issues raised the Court’s doubts as to whether a legal obligation or task carried out in the public interest justify selling the database in enforcement proceedings.

The GDPR and the Data Base Directive

The Court also considers whether the personal data contained in the database referred to in the Data Base Directive are protected by the GDPR. If the GDPR applies, the data controller should in particular provide an appropriate legal basis for sharing such personal data with a third party.

Summary

This case could contribute to a debate on whether the fact that a database contains personal data influences its tradability, and if so, whether the requirement to perform a legal obligation or carry out a public task may justify such sale and disclosure of data to the buyer.

In its question the Court does not address, that at the time of acquiring a database, the buyer would also be subject to the GDPR and therefore is obliged to assure GDPR compliance. The case in fact focuses only on the seller’s (i.e. the bailiff’s) legal basis of sharing the data and is silent on the legal basis for the buyer acquiring and further processing the data.

The Court seems to struggle with the criteria for balancing between the interests of the creditor, for whom enforcement from the database is the only way to obtain money, and the interests of perhaps hundreds of thousands of data subjects whose personal data may be transferred to the entity offering the highest price in the enforcement proceedings.

However, it seems that if the database buyer complies with their GDPR obligations (in particular those set in Art. 5 of the GDPR), the sale should not be deemed as infringing the data subject’s rights.

The CJEU’s response is likely to be case specific and will not necessarily influence other asset deals unless the Advocate General or the CJEU will make some general comments relating to asset deals (which we would very much be looking for).

The fact that cases concerning asset sale that include personal data reach the highest courts in the EU comes as no surprise. Personal data are very often becoming the heart and core of M&As or asset deals. We would welcome more judgements in this respect.

Latest insights

More Insights
Curiosity line yellow background

China Cybersecurity and Data Protection: Monthly Update - December 2024 Issue

17 minutes Dec 23 2024

Read More
featured image

EDPB weighs in on key questions on personal data in AI models

1 minute Dec 20 2024

Read More
Curiosity line pink background

Australia’s first standalone cyber security law – the Cyber Security Act 2024

Dec 18 2024

Read More