GDPR | 4-year anniversary - Our top picks of past and upcoming judgements of the Court of Justice of the European Union


Authors: Roxana Ionescu and Iurie Cojocaru

Today we celebrate 4 years since GDPR became applicable, changing the data protection rules in a significant manner. These past years have been challenging for companies, authorities and data subjects, who had to keep pace with the evolving regulatory requirements. On this occasion, we take a look at some of the most important decisions rendered by the Court of Justice of the European Union to date and analyze their practical implications. We also look to the future and examine several upcoming judgements which are expected to have a major impact in the field. So here are our top picks:

Our top 4 judgements of the Court of Justice of the European Union

1. Judgement of 5 June 2018 – Case C-210/16 – Wirtschaftsakademie Schleswig-Holstein (Facebook Fan Page Case)

  • What the Court mainly said: The CJEU held that two persons may stand as joint controllers even if there is no identity between their means and purposes of data processing. Thus, according to the Court, the administrator of a fan page hosted on Facebook contributes to determining, jointly with Facebook, the purposes and means of processing the personal data of the visitors to the fan page. This is because the administrator, amongst others, may define the criteria based on which the statistics are made and designate the categories of data subjects whose personal data is to be used by Facebook. However, even if two persons have a joint controllership, they may be involved at different stages of the data processing and to different degrees, so that their level of responsibility will have to be assessed with regard to all the relevant circumstances of the particular case.
  • What are the practical implications: The Court’s broader interpretation of the notion of “joint controller” makes it necessary to re-assess the qualification of the parties in a data processing relationship. If applying the Court’s interpretation leads to the conclusion that a joint controller capacity is more adequate, controllers will have to amend existing contracts and put in place joint data subject rights management processes.

2. Judgement of 1 October 2019 – Case C-673/17 – Planet49

  • What the Court mainly said: The Court held that the cookie consent must observe the validity rules under GDPR. Thus, the CJEU set forth that the cookie consent is not valid if given by a pre-checked checkbox, as it does not imply an active behavior of the user, as required under GDPR. It is not relevant if the information stored or accessed on the user’s terminal equipment in this context represents personal data or not. The Court also said that the user whose consent is required must be offered clear and comprehensive information, amongst others, about the purposes of the processing, as well as about the duration of the operation of cookies and whether or not third parties may access those cookies.
  • What are the practical implications: Companies that use cookies and similar technologies on their websites and apps have to make sure they obtain an opt-in consent from their visitors/users through an affirmative action to be performed in banners/dashboards, and not just an implicit consent by continuing to browse that webpage.

3. Judgement of 16 July 2020 – Case C-311/18 – Facebook Ireland and Schrems (Schrems II Case)

  • What the Court mainly said: The Court invalidated the decision instituting the Privacy Shield mechanism. According to CJEU, the Privacy Shield decision sets forth that the requirements of US national security, public interest and law enforcement have primacy and although the Privacy Shield provisions lay down requirements with which the US authorities must comply when implementing surveillance programs, the provisions do not grant data subjects actionable rights before the courts against US authorities. As for the decision on standard contractual clauses, while the Court did not invalidate it, it indicated that that decision imposes an obligation on a data exporter and the recipient of the data to verify, prior to any transfer, whether that level of data protection is respected in the third country where the data are transferred and that the decision requires the recipient to inform the data exporter of any inability to comply with the standard data protection clauses, the latter then being, in turn, obliged to suspend the transfer of data and/or to terminate the contract with the former.
  • What are the practical implications: Companies that rely on the Privacy Shield mechanism need to switch to other available data transfer safeguards or derogations. In the case of transfers outside the European Economic Area, based on standard contractual clauses or other safeguards under Article 46 of GDPR, transfer impact assessments in respect of the level of data protection in the recipient’s country became the norm.

4. Judgement of 22 June 2021 – Case C-439/20 – Latvijas Republikas Saeima (Penalty Points Case)

  • What the Court mainly said: The CJEU stated that Article 10 of GDPR (covering data on criminal convictions and offences, as well as related security measures) must be interpreted as applying to the processing of data relating to penalty points imposed on drivers of vehicles for road traffic offences. According to the Court, the notion of “criminal offence” under such Article 10 requires an autonomous interpretation. Three criteria must be taken into consideration here: (i) the classification of the offence under national law, (ii) the intrinsic nature of the offence (i.e., whether the penalty has a punitive purpose, even if it may also cumulatively have a deterrent purpose) and (iii) the degree of severity of the penalty that the person is liable to incur. Even if an offence is not classified as “criminal” under national law, its intrinsic nature and degree of severity may result in it being criminal in nature.
  • What are the practical implications: Companies must reassess the qualification of the personal data they process, so as to ensure that the qualification as “criminal offence-related data” is made also based on the additional criteria provided by the Court in this case. The criminal offence-related data processing can be done only under the control of an official authority or when the processing is authorized by EU or national law, also ensuring adequate safeguards for data subjects.

Our top 4 upcoming judgements of the Court of Justice of the European Union

1. Judgement in the Case C-300/21 – UI v Österreichische Post AG

  • What the matter mainly refers to: CJEU will interpret, amongst others, whether a GDPR infringement is sufficient to award compensation under GDPR Article 82 or whether applicants must also prove they have suffered harm from that non-compliance. The Court will have to interpret if, for obtaining compensation, there must be at least some harm that goes beyond the upset that is caused by the said non-compliance.
  • What are the practical implications: A potentially significant increase in court proceedings against companies, should the CJEU hold that no proof of harm is required to award compensation for GDPR infringements. Under current Romanian law, in order to receive compensation, one must prove, amongst others, that he/she suffered material or moral damages due to the non-compliance.

2. Judgement in the Case C-77/21 – Digi Távközlési és Szolgáltató Kft. v Nemzeti Adatvédelmi és Információszabadság Hatóság

  • What the matter mainly refers to: The CJEU must interpret, amongst others, whether creating a database for testing purposes with personal data that were initially collected and stored for other purposes is consistent with the purpose and storage limitation principles under Article 5 of the GDPR. The Opinion of the Advocate General of 31 March 2022 is that compliance is ensured insofar as the subsequent processing serves, or at least is compatible with, the initial purposes for which the personal data were collected, and the database is not stored beyond what is necessary.
  • What are the practical implications: Subject to confirmation of the Advocate General’s position by the Court, controllers may rely on the CJEU interpretation in their argumentation when considering processing personal data for purposes other than those for which the personal data were initially collected.

3. Judgement in the Case C-446/21 – Maximilian Schrems v Facebook Ireland Ltd

  • What the matter mainly refers to: The CJEU was asked to interpret, amongst others, whether processing personal data for personalized advertising purposes should be based on consent instead of contract as legal basis, in the case where the general terms of service provide that, instead of paying for the service, users agree to being shown personalized ads by using the controller’s service covered by those terms.
  • What are the practical implications: The future CJEU judgement will have an impact on the interpretation of the contract necessity when relying on the agreement as a legal basis for processing. This, in turn, may generate the need for companies to reassess their legal bases, switching from contract to legitimate interest or consent, and to undergo the data protection formalities pertaining to the new legal basis.

4. Judgement in the Case C-184/20 – OT v Vyriausioji tarnybinės etikos komisija

  • What the matter mainly refers to: The Court was asked to interpret, amongst others, whether the regime of special categories of data under Article 9 of GDPR also applies to data relating to declarations of private interests which may indirectly disclose such special categories of data (e.g., political views, trade union membership, sexual orientation). Ahead of the Court’s judgement, the Advocate General issued his Opinion on the matter on 9 December 2021, answering this question in the affirmative.
  • What are the practical implications: Depending on the CJEU’s answer and argumentation on the matter, companies may need to reassess the qualification of certain processed data and, to the extent such data fall under Article 9 of GDPR, either meet the related additional requirements (e.g., identifying an adequate safeguard) or eliminate such data from the scope of processing.