Authors: Roxana Ionescu and Iurie Cojocaru
On this 5th anniversary of the GDPR, we reflect on the progress made over the past five years and look towards the future of data protection.
It has been a challenging journey, requiring companies, authorities, and data subjects to keep pace with the evolving regulatory standards.
The past year in particular has seen a significant number of court decisions addressing a broad range of data protection matters. To better understand the implications of these rulings, we take a closer look at the most relevant judgements of the Court of Justice of the European Union and explore their potential impact on the data protection landscape. Additionally, various upcoming cases will be of key importance for the industry, with the potential to reshape to a certain extent the way in which we deal with data protection matters.
For ease of use, we have included our top picks in a booklet that can be downloaded here.
Our top 5 judgements of the Court of Justice of the European Union
(26 MAY 2022 – 25 MAY 2023)
1. Judgement in the Case C-300/21 – Österreichische Post AG (Non-material damage resulting from unlawful processing of data)
- What the Court mainly said: The CJEU held that not every infringement of the GDPR gives rise, by itself, to a right to compensation. The right to compensation under the GDPR is subject to three cumulative conditions: (i) infringement of the GDPR, (ii) material or non-material damage resulting from that infringement and (iii) a causal link between the damage and the infringement. Moreover, the Court stated that there is no provision under the GDPR limiting the right to compensation only to non-material damage that reaches a certain threshold of seriousness.
- What are the practical implications: Companies must be ready to face claims for compensation even in cases where the claimants prove non-material damage resulting from infringements, irrespective of the level of their seriousness. However, the claimants still have to meet the three conditions stated above in the CJEU judgement.
2. Judgement in the Case C-154/21 – Österreichische Post AG (Information on data recipients)
- What the Court mainly said: The CJEU stated that, when exercising their right of access under the GDPR, data subjects must be provided, as a rule, with the concrete name of the data recipients, and not only with the categories of such data recipients. The Court also provided two exceptions to this rule: (i) where it is not possible to identify the recipients, or (ii) where the controller proves that the data subject’s requests for access are manifestly unfounded or excessive. If the controller falls within either of these two exceptions, it would be sufficient to inform the data subject only of the categories of recipients concerned, and not also of their concrete identity.
- What are the practical implications: Companies need to update their internal procedures on managing data subject rights, as well as their access right-related templates, to reflect the fact that recipients must be identified not only by category but by concrete name, except in the cases indicated by the Court.
3. Judgement in the Case C-487/21 – Österreichische Datenschutzbehörde and CRIF
- What the Court mainly said: The CJEU held, amongst others, that the right to obtain from the controller a “copy” of the personal data undergoing processing means that the data subject must be given a faithful and intelligible reproduction of all those data. Therefore, a purely general description of the personal data undergoing processing or a reference to categories of personal data does not correspond to that definition. The CJEU further held that the data subject is entitled to obtain copies of documents comprising such data if the provision of such copies is essential in order to enable the data subject to exercise effectively the rights conferred on him or her by the GDPR.
- What are the practical implications: Companies would need to assess to what extent a given request for data from a data subject must be addressed by providing copies of documents, or whether providing a reproduction of the data held in those documents would suffice. In doing so, companies need to evaluate whether providing copies of the documents is essential for the exercise of the data subject rights, as described above.
4. Judgement in the Case C-184/20 – OT v Vyriausioji tarnybinės etikos komisija
- What the Court mainly said: The CJEU held that it is possible to deduce the declarant’s sexual orientation based on the publication of the name of that person’s spouse. Therefore, indirect revelation of the sexual orientation would be possible, according to the CJEU, by means of an intellectual operation involving comparison or deduction. Thus, the CJEU concluded that personal data that may disclose indirectly the sexual orientation of a natural person constitutes processing of special categories of personal data within the meaning of Article 9 of the GDPR.
- What are the practical implications: While the interpretations of the CJEU and the European Data Protection Board seem to differ on this topic, until a further alignment of their positions, companies need to check their processing activities which may indirectly reveal special categories of data in order to ensure the most adequate approach, taking into account the business interests and the applicable legal requirements (e.g., eliminating the information which may lead to such indirect disclosure of special data where possible, implementing additional safeguards, building arguments on the adequacy of the chosen approach).
5. Judgement in the Case C‑534/20 – Leistritz
- What the Court mainly said: According to the CJEU, the increased protection granted by GDPR to the data protection officer (DPO) must not undermine the achievement of the objectives of the GDPR. In this context, the CJEU stated that the GDPR objectives would be compromised, if the legislation prevented any termination of the employment contract of a DPO who no longer possesses the professional qualities required to perform his or her tasks or who does not fulfil those tasks in accordance with the provisions of the GDPR.
- What are the practical implications: In light of the CJEU’s judgement, companies are recognized as having the normal leeway when it comes to terminating DPO contracts, as compared to the narrow interpretation of the language of the GDPR on this topic. However, companies should exercise caution when making use of this flexibility, as DPOs must still be strongly safeguarded against intimidation when performing their duties.
Our top 5 upcoming judgements of the Court of Justice of the European Union
1. Judgement in the Case C-634/21 – SCHUFA Holding and Others (Scoring)
- What the matter mainly refers to: The CJEU will interpret, amongst others, whether the automated establishment of a probability value concerning the ability of a natural person to benefit from a loan in the future already constitutes an automated decision in the sense of Art. 22 GDPR, where that value, determined by means of personal data of the data subject, is transmitted by the controller to a third-party controller and the latter draws strongly on that value for its decision on the establishment, implementation or termination of a contractual relationship with the data subject. The Advocate General, in his opinion of 16 March 2023, answered that question in the affirmative.
- What are the practical implications: If the Court adopts the position of the Advocate General and answers in the affirmative, companies need to be ready to apply the automated decision restrictions under Art. 22 GDPR also in certain cases where they only perform the automated assessment, while the decision is taken by other entities to which such assessment is communicated and which strongly rely on it.
2. Judgement in the Case C-621/22 – Koninklijke Nederlandse Lawn Tennisbond
- What the matter mainly refers to: The CJEU has to interpret the term “legitimate interest”. Specifically, the Court will have to determine if a purely commercial interest, such as the provision of personal data in return for payment without the consent of the data subject concerned, is to be regarded as a legitimate interest under certain circumstances and, if the answer is positive, the Court will have to say what are the circumstances which determine whether a purely commercial interest is a legitimate interest.
- What are the practical implications: If the Court rules that the purely commercial interest is not sufficient for a legitimate interest, companies would need to re-assess the applicable grounds of processing to the extent they initially relied on such a purely commercial interest. Companies will also have to check their purely commercial legitimate interests, if the Court says that such legitimate interests would work, but only in certain circumstances.
3. Judgement in the Case C‑683/21 – Nacionalinis visuomenės sveikatos centras
- What the matter mainly refers to: The CJEU must assess, amongst others, whether the joint control of data under GDPR is to be interpreted exclusively as involving deliberately coordinated actions in respect of the determination of the purpose and means of data processing, or whether it may also cover situations in which there is no clear arrangement in respect of the purpose and means of data processing and/or actions are not coordinated between the entities. The Advocate General, in his opinion of 4 May 2023, stated that for two or more controllers to be regarded as “joint controllers”, (i) each joint controller must independently fulfil the criteria listed in the GDPR definition of “controller” and (ii) the controllers’ influence over the ‘purposes and means’ of the processing must be exercised jointly. Moreover, according to the Advocate General, the absence of any agreement or even coordination between the controllers cannot exclude a joint controllership.
- What are the practical implications: The Court has the possibility to adjust its position reflected in previous case law on joint controllership (e.g., Fashion ID case C-40/17), which companies have real difficulty applying in practice. The view of the Advocate General in this case, at least, seems to be a bit more flexible than such previous CJEU case law. Depending on the verdict of the Court, companies may need or may want to adjust their capacity in the context of data processing activities (opting for separate or joint controllership, as the case may be).
4. Judgement in the Case C-252/21 – Meta Platforms and Others (General conditions of social network use)
- What the matter mainly refers to: The CJEU must interpret, amongst others, if an undertaking which operates a digital social network funded by advertising and offers personalized content and advertising, network security, product improvement and continuous, seamless use of all of its group products may justify collecting data for these purposes from other group services and third-party websites and apps via integrated interfaces or via cookies or similar storage technologies and using them, on the ground of necessity for the performance of the contract or on the ground of the pursuit of legitimate interests. The Advocate General, in his opinion of 20 September 2022, answered in the sense that the contractual legal basis is justified if the processing is objectively necessary for the provision of the services relating to the account. As for the legitimate interest, the Advocate General indicated that this legal ground may be relied on if the processing is necessary for the envisaged purposes of processing, and it does not have a disproportionate effect on the fundamental rights and freedoms of the data subject.
- What are the practical implications: While the Advocate General provided a rather general and cautious assessment, the Court may provide more concrete criteria based on which companies may rely on the legal grounds of contract and legitimate interest, not only in the area covered by the judgement, but also in other business fields. If the Court adopts the approach of the Advocate General, companies will need to be more careful in documenting the necessity in the case of contractual legal ground, as well as the necessity and proportionality in case of legitimate interest.
5. Judgement in the Inteligo Case (no number allotted yet)
- What the matter mainly refers to: The CJEU must interpret, amongst others, whether Art. 83 paragraph 2 of GDPR means that a supervisory authority imposing an administrative fine is required to assess and explain within the sanctioning document the impact of each of the criteria provided at letters (a) to (k) upon the decision to impose a fine and, respectively, upon the decision with regard to the amount of the fine applied.
- What are the practical implications: Depending on the answer of the Court, the supervisory authorities may need to redraft their sanctioning document templates or at least to change the manner in which such documents are filled in, so as to reflect therein the criteria assessing the decision to impose the fine and its amount. In this case, companies may have a reason to challenge the sanctioning document if the supervisory authorities do not adequately explain such sanctioning criteria.