EU banking and financial law: the EUCJ opens the way to accessing certain information held by national competent authorities

Preliminary ruling
Parties: Bundesanstalt für Finanzdienstleistungsaufsicht v Ewald Baumeister
Jurisdiction: Court of Justice
Formation: Grand Chamber
Judge Rapporteur: J.L. da Cruz Vilaça
Advocate General: Y. Bot
Subject-matter: Financial Services (MiFID) – Scope of the obligation of professional secrecy on national financial supervision authorities

Keywords: Directive 2004/39/EC (MiFID) — Article 54(1) — Scope of the obligation of professional secrecy on national financial supervision authorities — Concept of ‘confidential information’

Significant points

A reference for a preliminary ruling from the EUCJ was made by the Bundesverwaltungsgericht (Federal Administrative Court, Germany) in a case concerning access to documents related to a financial operator contained in the file of the German Financial Supervisory Authority.

Mr. Baumeister was a client of Phoenix, a financial operator whose business model took the form of a Ponzi scheme. As a result, he suffered loss. In the context of the judicial liquidation of Phoenix, Mr. Baumeister requested the Federal Financial Supervisory Authority of Germany (the “FFSA”) to grant him access to the documents concerning Phoenix. The FFSA refused, arguing that such documents were confidential pursuant to Article 9(1) of the KWG implementing Article 54(1) of Directive 2004/39/EC (MiFID I). Mr. Baumeister then brought an action against this refusal before the Administrative Court of Frankfurt. The Administrative Court duly granted access to the documents except those containing trade secrets and documents from the Financial Supervisory Authority. The FFSA appealed the judgment before the Higher Administrative Court of Hesse, which dismissed the appeal. The FFSA then appealed the judgment of the Higher Administrative Court on a point of law before the Federal Administrative Court. The Federal Administrative Court decided to refer the case to the EUCJ in order to obtain its interpretation of Article 54(1) MiFID I.

By its first question, the Federal Administrative Court wanted to know if, pursuant to Article 54(1) MiFID, information in possession of the national competent authority (“NCA”) relating to a financial operator must be regarded automatically as confidential and if this is not the case, what are the criteria to assess whether information is confidential or not.

After having pointed out the lack of a definition of what amounts to confidential information under Article 54(1) MiFID I, the EUCJ stated that, due to the absence of any reference to national law to provide guidance on its interpretation (paragraphs 22-23), this notion should be interpreted independently and uniformly throughout the EU (paragraph 24).

In this respect, the EUCJ observed that Article 54(1) MiFID I refers to “confidential information” and not to “information” and accordingly deduced that there is information which is confidential and other information which is not confidential (paragraph 25).

Then, the EUCJ set out that MiFID I has created a framework for the supervision of investment firms based on the home country control principle (with all the necessary powers for NCAs to ensure proper supervision, notably the right to have access to any document and to demand information from any person) and for the exchange of information between NCAs. To work properly, such a framework requires that confidential information provided to the NCA by the supervised entities and exchanged between NCAs remains confidential (paragraph 31).

The Court also stated that the general confidentiality obligation on NCAs applies to information which, on the one hand, is not public and, on the other hand, whose disclosure would be detrimental to the person who provided the information, to a third party or to the proper functioning of the market being supervised (paragraph 35). This is to the extent that other information is not covered by a stricter confidentiality provision (paragraph 36), like the confidentiality granted to the information exchanged between NCAs (paragraph 37).

In addition, the Court explained that the aim of Article 54(1) MiFID I is not to create a general rule of access to documents but a general non-disclosure rule for confidential information with strictly applied and limited exceptions (paragraphs 38-39). Consequently, NCAs may grant access to confidential information only in the cases listed in Article 54 MiFID I (paragraph 43).

Finally, the Court stated that Member States are free to extend the confidentiality obligation or to authorise the disclosure of non-confidential information held by NCAs (paragraph 45).

By its second question, the Federal Administrative Court wanted to know if the classification as confidential information depends on the date of transmission and its classification at that time.

The EUCJ explained that the passage of time may influence the assessment of whether or not information held by an NCA must be qualified as confidential (paragraph 49). Therefore, the EUCJ stated that this assessment must be done at the time of the disclosure request, independently of its qualification when it was received (paragraph 50).

By its third question, the Federal Administrative Court wanted to know if a business secret or any other category of confidential information may be disqualified as a business secret after a period of five years.

First, the EUCJ recalled that the protection of business secrets is a general principle of EU law (paragraph 53).

Second, the EUCJ referred to its case law (C-162/15 Evonik Degussa v. Commission) where it has already stated that information that constituted a business secret may, due to the passage of time, notably a period of five years, be disqualified as a business secret, except if the concerned party shows that this information still constitutes a business secret despite its age.

Nonetheless, the EUCJ specified that the passage-of-time consideration (mentioned above) must not be applied “to information held by the competent authorities the confidentiality of which might be justified for reasons other than the importance of that information with respect to the commercial position of the undertakings concerned, such as, in particular, information relating to the supervision methodology and strategy employed by the competent authorities” (paragraph 56).

Noteworthy

This judgment is important as it clarifies the scope of the confidentiality obligation on the national authorities competent for the supervision of financial services providers.

According to the EUCJ judgment, this confidentiality obligation is not absolute as not all information received is confidential.

The Court also stressed the importance of the time factor as it may have an impact on the qualification of information as confidential or as a business secret. Indeed, a period of five years may disqualify information initially held by the NCA as confidential, especially a business secret. However, for other information received from another NCA, the passage of time may not be relevant.

As far as confidential information is concerned, its disclosure is restricted to the situations laid down in Article 54(1) MiFID I. The exact scope of the situations which may lead to disclosure will also be clarified by the EUCJ in the case C-358/16, which is still pending. It is interesting to note that AG Kokott has considered in her opinion in that case that access to the file of NCAs may only be granted in the case of a criminal investigation/proceeding, even where such access has been requested in the context of an action for annulment of an NCA decision sanctioning a person and the action has been brought by the sanctioned person in order to obtain exculpatory evidence. It will be interesting to see what will be the decision of the EUCJ in this case.

Member States may not derogate from respecting the confidentiality of the NCA files but may extend the confidentiality principle to information which is not confidential or to information which was confidential but has lost this qualification due to the passage of time.

NCAs, to the extent that their national law does not provide more restrictive rules, may no longer simply refuse access to their file. They will need to assess what information is confidential and what information is non-confidential depending on its nature and age. Such considerations may facilitate the access to information held by NCAs.

Furthermore, this interpretation will also be applicable to Article 76(1) of Directive 2014/65/EU (MiFID II), which has superseded MiFID I, as the wording of Article 76(1) MiFID II and Article 54(1) MiFID I are identical. In addition, the interpretation of the EUCJ will also be applicable to other legislation relating to the banking and financial sector which contains very similar provisions to Directive 2013/36/EU (CRD IV), Directive 2009/138/EC (Solvency II), Directive 2009/65/EC (UCITS) and Directive 2011/61/EU (AIFM).

Finally, this is clearly a different approach than the one taken by the Transparency Regulation. Indeed, with Article 54(1) of MiFID I, the EU legislator has established a principle of confidentiality of the NCA files while the Transparency Regulation grants an enhanced right of access to documents of the EU institutions of.

Facebook fan page administrators: mind the personal data processing rules

Preliminary ruling
Parties: Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH
Jurisdiction: Court of Justice
Formation: Grand Chamber
Judge Rapporteur: A. Tizzano
Advocate General: Y. Bot
Subject-matter: Approximation of legislation

Keywords: Reference for a preliminary ruling — Directive 95/46/EC — Personal data — Protection of natural persons with respect to the processing of that data — Order to deactivate a Facebook page (fan page) enabling the collection and processing of certain data of visitors to that page — Article 2(d) — Controller responsible for the processing of personal data — Article 4 — Applicable national law — Article 28 — National supervisory authorities — Powers of intervention of those authorities

Significant points

In this preliminary ruling, reference was made by the Bundesverwaltungsgericht (Federal Administrative Court, Germany) in a case concerning a company operating in the field of education, the Wirtschaftsakademie, which offers educational services, inter alia, by means of a fan page hosted on Facebook.

A "fan page" can be created by any user of the social network Facebook subject to acceptance of the general terms and conditions of use. The creation of such a page not only makes it possible to edit content, collect personal data and interact with users (as is not possible with a website), but also - and automatically - to benefit from the results of an audience analysis tool, "Facebook insights", developed by Facebook.

If for websites the creation of audience statistics requires an action from the site editor (installation of an audience analysis tool), in the case of a Facebook "fan page", the administrator benefits from this function without any intervention on his part. Statistics are thus generated by the social network independently of the fan page administrator's request. This difference with the situation of the publisher of a website could suggest that only Facebook is the controller for the processing carried out by "Facebook insights", the administrator of the "fan page" not directly carrying out any processing and having no control over the processing carried out by the social network.

By decision of 3 November 2011, the Unabhängiges Landeszentrum für Datenschutz (hereafter “ULD”) Schleswig-Holstein (Independent Data Protection Centre for the Land of Schleswig-Holstein, Germany) ordered Wirtschaftsakademie to de-activate its fan page. The ULD made this order in its capacity as supervisory authority within the meaning of Directive 95/46 on data protection, with the task of supervising the application in the Land of Schleswig-Holstein of the provisions adopted by Germany pursuant to that directive.

The ECJ was called upon to rule upon several points of law which conditioned the application of the Member States' national laws on the protection of personal data, namely the concept of controller and the question of determining the applicable law and competent authority in a situation where the social network has several establishments on the territory of the European Union.

1. Recalling the objective of Article 2(d) of Directive 95/46 to ensure effective and complete protection of the persons concerned, through a broad definition of the concept of ‘controller’ (thus following the Google Spain reasoning), the Court found that an administrator, such as Wirtschaftsakademie, must be regarded as a controller jointly responsible, within the EU, with Facebook Ireland for the processing of data. Indeed, the administrator of a fan page hosted on Facebook, by creating such a page, gives Facebook the opportunity to place cookies on the computer or other device of a person visiting its fan page, whether or not that person has a Facebook account (paragraph 35).

The administrator of a fan page hosted on Facebook defines the personal data to be processed by Facebook for the purposes of drawing up statistics. Consequently, such an administrator takes part in the determination of the purposes and means of processing the personal data of the visitors to its fan page (paragraphs 36 and 39).

The Court also emphasises that in case of joint data processing, it is not necessary that each of the controllers has access to the personal data concerned (paragraph 38).

Moreover, fan pages hosted on Facebook can also be visited by persons who are not Facebook users and so do not have a user account on that social network. In that case, the fan page administrator’s responsibility for the processing of the personal data of those persons appears to be even greater, as the mere consultation of the home page by visitors automatically starts the processing of their personal data (paragraph 41).

However, the existence of joint responsibility does not necessarily imply equal responsibility on the various operators involved in the processing of personal data. On the contrary, those operators may be involved at different stages of that processing of personal data and to different degrees, so that the level of responsibility of each of them must be assessed with regard to all relevant circumstances of the particular case (paragraph 43).

2. The Court found, secondly, that the ULD is competent to ensure compliance with the rules on the protection of personal data in Germany, and can use all the powers conferred on it under national law, not only as regards Wirtschaftsakademie but also as regards Facebook Germany, a secondary establishment of Facebook Ireland, which is responsible for data protection, even though Facebook Germany is only responsible for promoting and selling advertising space. Given that a social network such as Facebook generates a substantial part of its income from adverts posted on the web pages set up and accessed by users and given that Facebook’s establishment in Germany is intended to ensure the promotion and sale in Germany of advertising space that makes Facebook’s services profitable, the activities of that establishment must be regarded as inextricably linked to the processing of personal data at issue in the main proceedings, for which Facebook Inc. is jointly responsible with Facebook Ireland. Consequently, such processing must be regarded as being carried out in the context of the activities of an establishment of the controller within the meaning of Article 4(1)(a) of Directive 95/46 (paragraph 60), given that that provision does not require that such processing be carried out ‘by’ the establishment concerned itself, but only that it be carried out ‘in the context of the activities of’ the establishment (paragraph 57).

3. The Court found, thirdly, that in the case of a data controller located in another Member State, ULD is, independently of the authority of that Member State, competent to (i) assess whether the data controller has acted lawfully in Germany and (ii) exercise its intervention powers.

Noteworthy

The main contribution of this judgment lies in the broad interpretation given to the notion of ‘controller’. It is, thus, not necessary to technically process personal data. The simple parameterization of the data to be processed is sufficient to qualify the person having carried out this action as "responsible for the processing of personal data". In our view, this definition should also be applicable under the GDPR, which uses the same definition of the notion of ‘controller’ as the one employed in Directive 95/46. It should be stressed that, in the presence of two controllers, Article 26 of the GDPR will have to be applied and that the controllers will have to comply with the formalities set out therein, in particular by jointly and transparently defining the responsibilities of each party. An infringement of Article 26 of the GDPR may lead the authority in charge of the protection of personal data to impose significant penalties (e.g. an injunction to comply with the GDPR, a fine of up to EUR 10 million or 2% of the turnover of the last financial year, or an injunction to cease the personal data processing temporarily or definitively).

The interpretation given by the ECJ to the notion of personal data controller is, in our opinion, very broad. Indeed, it will increase the administrative burden and the liability of the administrator of a fan page on Facebook and of administrators of similar pages on other social media. This is so even though these administrators do not have any control over the personal data processing by the social media provider and do not have the possibility to negotiate and discuss with the social media provider, given that the general conditions of use of such pages are not negotiable.

On the other hand, it appears, on the basis of a preliminary analysis, that the last two points developed by the Court are no longer relevant in the context of the introduction of the new GDPR, as it created a new concept, the lead supervisory authority competent to rule on matters regarding cross-border processing carried out by controllers (Article 56 of Regulation 2016/679, the GDPR).