 Good morning, thanks to Dr. Erdos for inviting me and for organising this conference and it's a real pleasure to be back at Cambridge for the day. I've been asked this morning to talk about the jurisprudence of the Court of Justice in the lead-up to or as a background to the Google Spain case. There's been remarkably little case law in front of the Court of Justice dealing with data protection issues despite the fact that we've had the data protection director for almost two decades. But rather than kind of going case by case through the jurisprudence, which might be a little dry for the morning slot, what I've instead tried to do is to demonstrate that the case law prior to Google Spain is entirely consistent with the Court's findings in the Google Spain judgment. And I say this for three reasons. So I guess the subtext here is the reasons why we should have seen Google Spain coming and I think that's for three reasons. So first of all, the Court has continuously insisted upon the broad scope of application of the data protection rules. And that's something that is reflected in the Google Spain judgment and you see that through for instance, the broad scope of territorial application, which the Court gives to the data protection directive in that case, where it says that Google search engine processing is in the context of the advertising activities of its Spanish subsidiary. So broad scope of territorial application there, something which the Advocate General was in agreement with. But then also you see that this broad scope of application is reflected in other ways, which I'll go on to talk about. The second point, which I think is quite evident is that despite a slow start, the Court is now placing increasing emphasis on the EU Charter and in particular on the EU Charter's rights to data protection and to privacy. So unlike other international instruments, the EU Charter includes both a right to privacy in Article 7 and a right to data protection in Article 8. And the Court has been quite forthcoming now in emphasizing the effectiveness of those rights. And then the third point I think we could adduce in order to support the Google Spain finding for good or for bad is that the Court at present seems to be quite emboldened. It has taken several judgments, which illustrate that it is not, in my opinion, entirely concerned about the political fallout that will follow from its decisions. So I'll elaborate on these three points now. So first of all, if we take the broad scope of application of the data protection rules, here, I think you can see that the directive has a broad personal scope in terms of how we define who is a data subject. And also, as we saw in Google Spain, who is a data controller? So in that case, the Advocate General had argued that in order to be viewed as a data controller, so an entity, a company which would be responsible or have obligations pursuant to the data protection rules, there should be a knowledge that the company concerned is processing. I say company could also be a local authority, the entity concerned. There should be a knowledge that there is processing of personal data. Now, a literal interpretation of the directive doesn't include that knowledge criterion, and actually the Court rejected the idea that a data controller has to have knowledge that they are processing personal data in order to have obligations pursuant to the directive. Now, Google here might have been quite a particular case, but I think if you look to the kind of broader issue of the application of data protection rules, that's actually quite a sensible finding, because in the absence of that finding, companies could plead ignorance, so ignorance of the fact that they are processing personal data in order to escape obligations pursuant to the data protection rules. But you see there that the Court is defensive of the broad personal application of the data protection rules. You also have broad material scope of the rules. So here, data processing is pretty much anything that you could do with personal data, and personal data is any information relating to an identified or identifiable person. Now, Jeff has just spoken about identifiability and the issue of public and private in the context of things like anonymization. But I think it's important to highlight here that that definition of personal data goes beyond the type of data that might be covered by the article 80 CIGR, Right to Privacy. It's a very broad definition. So we have this very broad scope of application of the data protection rules. And as I've just said, unlike the Right to Privacy in certain contexts, this will always apply to material in the public domain. This is irrespective of whether or not the information is publicly available or not. And this broad scope of application has been defended by the court in its case law. So it's very protective of the directive scope of application. So I've just indicated a couple of cases here, but in a case like Schwartz, what was concerned was the fingerprinting data of a German national. He was obliged to provide this fingerprint data in order to obtain a passport from his local authority in, well, through the German government at home. And he objected to this on the grounds that it was unnecessary data processing. And the court recognized without hesitation that this type of data, which would also benefit from the Right to Privacy, constitutes personal data from or in the context of the directive. A more complicated case, you might say, is Bavarian Lager. And there you had a query about access to minutes of a meeting between industry representative and European Commission officials. And the commission was refusing to grant access to the minutes of this meeting on the grounds that the names of the industry representatives constituted personal data. And here before the court, so between the Court of First Instance at the time and the Advocate General and the Court of Justice, there was a dispute about whether or not those industry representative names could benefit from the Right to Privacy, because although there's a Right to Privacy in the workplace, here it doesn't seem to sit very well with the reasonable expectation of privacy, given that the access was sought under transparency regulations at EU level and equally with the kind of rationale for privacy in the workplace, which is to allow individuals to develop relations. And clearly the whole aim of transparency legislation is to prevent cozy relationships between Commission officials and industry representatives. So this might not have been covered by the Right to Privacy, but it clearly fell within the scope of the Right to Data Protection and of Data Protection legislation. So you can see again a broad scope. And then I think the most recent notable case on this is a case from last December, where the court was asked to consider whether or not the exception to the scope of the Data Protection rules, which is an exception for personal data, which are processed for purely personal or household purposes, could be applied to the case of Mr. Mr. Renus. And Mr. Renus was an individual who had installed a form of close circuit TV outside of his front door, because his family home had been subject to numerous attacks in the past. And so this camera was installed for personal security purposes. And it captured the pathway up to his front door, but it also captured part of the public path outside of his front door. And this camera happened to capture some footage relating to an attack on his house. And the footage was brought forward to be used in the proceedings against the perpetrators. And the question was raised as to whether or not that footage could be used, because Mr. Renus hadn't kind of received prior authorization for the processing and hadn't complied with his obligations as a data controller. So was the capture of this footage compatible with data protection law? And he argued that the processing in this instance was for purely personal or household reasons. He wasn't the footage wasn't automatically recorded over itself. It wasn't retained. He didn't have a way to live to examine the footage remotely on a phone or anything else. And yet the court found that in this instance, the footage was not purely personal because it captured a public pavement. So you see there that that's a remarkably broad interpretation of the purely, sorry, remarkably narrow even interpretation of the purely household and personal processing exception in order to preserve the broad scope of application of the rules. But in that case, the court was kind of at pains to emphasize that just because you fall within the scope of the data protection rules doesn't mean that the processing is unlawful, rather at that point, once you're within the fold of the rules, and there's a system of checks and balances, which determines whether or not the processing can be lawful in any particular circumstance. So you have a very strong indication from the court there that Mr. Renus would have been able to justify this processing and that it would have been adequate. So we have the broad scope of application, which is reflected in Google Spain. We also have an increased emphasis on the effectiveness of the EU Charter Rights. So I would argue that in the in the early years, prior to the Charter and acquiring binding force or becoming a judicial, just this instrument in 2009, there was an initial reluctance on the court to point to the Charter Right to Privacy in order to in order to justify its actions in any given case. I think this is particularly the kind of narrow interpretation of privacy of the directive is particularly visible in a case like SATA Media. So in that case, you had an issue about whether or not data on high earners, so those who are earning over 100,000 euro a year could be disseminated via text message by a private private company. And there, the private company had pleaded that this this dissemination could benefit from the directive's exemption for processing for journalistic purposes. So the argument was the text message dissemination is journalistic and therefore can fall outside the scope of the data protection rules. And there the court gave the court interpreted that exception, the journalistic purposes exception really broadly. So it said that it applies to the disclosure of information, ideas or opinions to the public. Fast forward to last year and you can see that clearly the definition of journalistic purposes has changed significantly when it comes to the Google Spain case. So we have seen, I believe, a change in a change in tack when it comes to what could benefit from this exemption for journalistic purposes. Finally, I think in addition to that change in tack, there's perhaps in the court's case law an indifference to the disconnect between law, it's maybe a bit harsh to call it reality, but certainly technological developments. And that, you know, is one of the big criticisms of the Google Spain case. That's also a criticism of the Lindquist case, where the court seemed to have kind of mixed feelings about how the directive should apply to the internet. So on the one hand, it held that the act of a pensioner who was uploading data about to a charitable website for personal purposes as part of her data processing course could be criminally prosecuted for that action, because it was personal data processing because she uploaded information on her colleagues to the internet. But on the other hand, it can stop short of saying that she should have been responsible for international data transfers. So you can see that the court has clearly kind of struggled to apply this old directive to new circumstances. And then finally, I think you see at the moment a stronger court, particularly when it comes to fundamental rights. So this is perhaps because of, as I said, the introduction of the Charter, the Charter's acquisition of Binding Force in 2009. But that was very visible in last year's judgment in Digital Rights Ireland. The court for the first time struck down an entire piece of legislation on the basis that it was not compatible with the EU Charter rights. And in so doing, it ignored the Advocate General's request that that judgment have a temporal limitation, which would allow Member States to put in place safeguards for, well, safeguards, maybe the wrong word, arrangements for data retention while a new directive would be enacted. So it ignored that. But equally, I think if you look at something like Opinion 2 of 2013, which was where the court was asked to assess the legality of the European Union's accession agreement to the ECHR with EU law, and it argued or it found that that accession agreement to the ECHR was incompatible with EU law. And an incredibly complicated judgment, which I think could be kind of narrowly read, but it effectively it said that by signing up to the ECHR as the agreement stands, it would be circumventing things like the preliminary reference procedure before the court. So again, clearly a case where it wasn't too concerned about the political implications of its findings. And then finally, this week before the court of justice, we had the hearing in the Shrems case, which was a preliminary reference from the Irish High Court, where the compatibility of the safe harbour principles, so allowing data transfers between the EU and the US, was challenged on the basis that those principles, which were adopted in the year 2000, no longer reflected a situation where adequate protection was being offered to EU citizens when their data are transferred to the US as a result of the Snowden revelations. And there, I believe, from anything I've read or heard about the proceedings, they were quite lively and that the commission was more or less left on the back, I think I can say this, left on the back foot in arguing that in order to effectively protect fundamental rights individuals should possibly not sign up to Facebook. And so it remains to be seen what will happen with that judgment. The opinion of the Advocate General is due on the 24th of June, but I would say based on what we've seen so far, the ingredients would indicate that Shrems has a good chance of succeeding in that case. I'll leave it there, but I hope to discuss further during questions.