Legal updates on Data Privacy: an outline of the European Court of Justice notable GDPR rulings of 2023 and rulings to look out for in 2024
To navigate the complexities of compliance with the General Data Protection Regulation 2016/679 (GDPR), organisations must prioritize safeguarding data privacy, effectively managing data security, and staying abreast of key regulatory developments. In today’s data-driven world, these imperatives are essential for maintaining trust and integrity in handling personal data.
This article analyses ten rulings delivered by the European Court of Justice (the “CJEU” or the “Court”) in 2023 that have provided significant guidance on the interpretation of GDPR, and identifies cases to look out for in 2024.
These rulings not only provide clarity on the interpretation of GDPR provisions, but also underscore the importance of striking a balance between data subjects' rights and the legitimate interests of controllers.
Compensation for Non-material Damage: Case C-300/21 (UI v Österreichische Post AG)
The facts of this case involved information collected about the applicant without his consent, from which an affinity to a certain political party was inferred. The CJEU was asked to interpret Article 82 of GDPR, which sets out the right to compensation for non-material damage. The CJEU ruled that a mere infringement of GDPR does not automatically give rise to a right to compensation for non-material damage under Article 82. The Court’s rationale stems from the language used in Article 82, noting that the “existence of ‘damage’ which has been ‘suffered’ constitutes one of the conditions for the right to compensation laid down in that provision, as does the existence of an infringement of GDPR and of a causal link between that damage and that infringement, those three conditions being cumulative”. It was further noted that there is no minimum threshold of seriousness for entitlement to compensation; rather, it is for national courts to determine whether compensation is payable under their national laws, provided those laws comply with the principles of equivalence and effectiveness of EU law.
Right of Access to Copies of Personal Data: Case C-487/21 (F.F. v Österreichische Datenschutzbehörde)
In a case about the right to obtain from the controller a copy of the personal data undergoing processing under Article 15(3) of GDPR, the CJEU held that that Article must be interpreted as meaning that “the data subject must be given a faithful and intelligible reproduction of all those data”. This may require controllers to provide copies of extracts from documents, entire documents, or extracts from databases which contain those data, where this is essential for data subjects to effectively exercise their rights under GDPR. However, when controllers provide such copies to data subjects, they must also bear in mind the rights and freedoms of others whose personal data may appear in those copies.
Right of Access and Definition of “Recipients”: Case C-579/21 (J.M.)
Addressing the right of access and the definition of “recipients”, the CJEU clarified that employees who process data under the authority of their employer (the controller) are not automatically considered “recipients” of the personal data they are processing. Further, it was clarified that a data subject’s right of access does not extend to information about the identity of the employees of the controller who processed their personal data (under the controller’s authority and in accordance with its instructions), unless that information is essential in order to enable the data subject to effectively exercise their rights, and provided that the rights and freedoms of those employees are taken into account.
Unlawful Processing: Case C-60/22 (UZ v Bundesrepublik Deutschland)
In this case, the CJEU ruled that not every infringement of GDPR renders all related processing unlawful. Specifically, a breach of the GDPR requirement to enter into a joint controller arrangement does not automatically render all related processing unlawful.
The Court also clarified that when a court processes personal data, the data subject’s consent is not required, as such processing is necessary for performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Meaning of Personal Data: Case C-319/22 (Gesamtverband Autoteile-Handel e.V. v Scania CV AB)
The CJEU, in this case, determined that vehicle identification numbers (VINs) are not inherently personal data. However, they become personal data when someone has reasonable means of associating a VIN with a specific person, namely the owner. This does not, however, require that a single person possess all the information needed to link the VIN with the owner.
No "Strict Liability" for GDPR Violations: Case C-683/21 (NVSC v Valstybinė duomenų apsaugos inspekcija)
This landmark case explored whether fines can be imposed on the basis of strict liability, in the absence of any fault, concluding that the specific wording of Article 83 of GDPR indicates that fines may only be imposed for violations committed "intentionally or negligently." According to the Advocate General’s Opinion, the possibility of imposing fines of up to €10 million or up to 2% of total annual turnover, whichever is higher, shows that such fines have a punitive purpose, at least in some situations, and present such a high degree of severity that they are liable to be regarded as criminal in nature. Therefore, as per the CJEU ruling, “it would be disproportionate to impose fines in cases where not even negligence is established”.
Additionally, the Advocate General’s Opinion considered the concepts of "controller," "joint controllers," and "processing" and emphasised the need to consider factual rather than formal elements when determining whether a person is a “controller”. For someone to be regarded as a controller they must in fact be in a position to influence and determine the purposes and means of processing, irrespective of whether they were formally appointed as such. The Advocate General also noted that a controller may be fined even where the unlawful processing is carried out by a processor acting on the controller’s behalf. However, if the processor processes personal data outside of, or contrary to, the instructions of the controller, and the parties are not ‘joint controllers’, then the controller cannot be fined in relation to the unlawful processing which took place.
Independence of DPOs: Case C-560/21 (ZS v Zweckverband ‘Kommunale Informationsverarbeitung Sachsen’)
This case examined whether national legislation that permits a controller to dismiss a Data Protection Officer (DPO) who is its employee only where there is just cause, even where the dismissal is unrelated to the performance of the DPO’s tasks, is consistent with Article 38(3) of GDPR. The case concerned the dismissal of a DPO who wore various hats (i.e. DPO of the parent company and its subsidiaries, and chair and vice-chair of various undertakings in the group of companies) on the basis of a conflict of interest. The CJEU noted that a conflict of interest may exist where a DPO “is entrusted with other tasks or duties, which would result in him or her determining the objectives and methods of processing personal data on the part of the controller”. It was further noted that whether the DPO is entrusted with other tasks that may give rise to a conflict of interest is for national courts to determine, on a case-by-case basis, by assessing all the relevant circumstances, including the organisational structure of the controller and all the applicable rules and policies of the controller.
Fear of Misuse as Non-material Damage: Case C-340/21 (VB v Natsionalna agentsia za prihodite)
This case raised the question of whether the "worries, fears, and anxieties suffered by the data subject" following a cyberattack, regarding the possible future misuse of his or her personal data, are sufficient in themselves to justify compensation for non-material damage. The CJEU ruled that the mere fear of misuse of personal data resulting from an infringement can indeed constitute non-material damage, provided that such fear is well-founded, and offered guidance to national courts on assessing the validity of such claims. The Advocate General further noted that such fear “can constitute non-material damage which gives rise to a right to compensation only if it is actual and certain emotional damage and not simply trouble or inconvenience”.
The CJEU also highlighted that unauthorised disclosure of, or access to, personal data by a third party is not, on its own, enough to show that a controller’s technical and organisational measures were inappropriate.
Credit Score Constitutes Automated Decision Making: Case C-634/21 (OQ v Land Hessen)
In this case, the CJEU addressed the question of whether the automated establishment, by a credit information agency, of a probability value based on personal data relating to a person and concerning his or her ability to meet payment commitments in the future constitutes 'automated individual decision-making' under Article 22(1) of GDPR.
The Court highlighted that for Article 22(1) to apply, three cumulative conditions must be met, namely (a) there must be a "decision," broadly defined to include acts that significantly affect the data subject, (b) the decision must be based solely on automated processing, including profiling, and (c) the decision must produce legal effects concerning the individual or similarly significantly affect them. The CJEU found that the broad concept of 'decision' under Article 22 of GDPR can include the calculation of a credit score based on a probability value where a third party, to which that probability value is transmitted, draws strongly on it to establish, implement or terminate a contractual relationship with that person. Additionally, the Court noted that the transmission of the probability value to a bank, for the purposes of obtaining a loan, strongly influences the bank’s decision to grant or refuse that loan, thus fulfilling the third condition.
It is noted that, under Article 22 of GDPR, automated decision-making is only permitted where the decision is necessary for entering into or performing a contract, is based on the data subject’s explicit consent, or is authorised under EU or Member State law, and in each case subject to the controller implementing suitable measures to safeguard the data subject’s rights. Examples of such safeguards include allowing individuals to obtain human intervention, to express their views, and to contest decisions made about them.
Personalised Content and Advertising: Case C-252/21 (Meta Platforms Ireland Limited v Bundeskartellamt)
Last but not least, in this notable case, the CJEU addressed the abuse of a dominant position by Meta through its collection and use of data for personalised content and advertising purposes.
As a first question, the Court clarified that a competition authority, when examining an abuse of a dominant position, may take into account the rules on the protection of personal data laid down by GDPR, but must consult and seek cooperation with the relevant supervisory authority before making its assessment.
The CJEU also held that if a controller holds a dominant position in the market for online social networks, this must be taken into consideration when assessing whether the data subject has validly and freely given consent, which “should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment”. The Court noted that for processing to be regarded as “necessary” for the performance of a contract under Article 6(1)(b) of GDPR, it shall be “objectively indispensable for a purpose that is integral to the contractual obligation intended for those users, such that the main subject matter of the contract cannot be achieved if that processing does not occur”. More specifically, the decisive factor when applying this justification is that “the processing of personal data by the controller must be essential for the proper performance of the contract concluded between the controller and the data subject and, therefore, that there are no workable, less intrusive alternatives”.
Even though personalised content can be useful to users, the Court held that it is not necessary when offering the services of an online social network. Emphasis was placed on the fact that the processing in this case related to “potentially unlimited data”, which can have a significant impact on a user, as it “may give rise to the feeling that his or her private life is being continuously monitored”.
Moreover, the CJEU set out specific requirements for lawful consent to such processing, including that users must be free to refuse, individually, to consent to processing that is not necessary for the performance of the contract, if necessary for an appropriate fee, without having to stop using the services offered.
CJEU Cases to look out for in 2024
In 2024, we can anticipate several important judgments by the CJEU interpreting the application of GDPR, with numerous data protection cases already pending.
Pending cases seek to address important questions, including:
(a) whether the oral transfer of personal data constitutes processing of personal data within the meaning of Articles 4(2) and 2(1) of GDPR;
(b) whether the disclosure of first name, surname, signature and contact information of a natural person as the director or representative of a legal person, made exclusively for the purpose of identification of that legal person constitutes processing of ‘personal data’;
(c) whether a limited partner with negligible liability has a 'legitimate interest' in obtaining information about all partners in such partnership holding shares indirectly through a trustee, including their contact details; and
(d) whether processing of personal data for the purposes of personalised advertising should be based on the data subject’s consent rather than on necessity for the performance of a contract, where the general terms of service provide that, instead of paying for the service, users agree to personalised advertisements by using the controller’s service covered by those terms.
More information
If you would like to learn more about GDPR compliance, please contact Aptus Legal or send an email to info@aptuslegal.com.