Summary of 2023’s Key CJEU Data Protection Judgments
This briefing provides an overview and summary of several of the key data protection judgments from the Court of Justice of the European Union in 2023. The judgments consider issues including compensation under the GDPR, the right of access to personal data and independence of data protection officers.
Information about the recipients or categories of recipients to whom the personal data have been or will be disclosed pursuant to Article 15 GDPR
The judgment in Case C-154/21 (RW v Österreichische Post AG) was delivered by the Court of Justice of the European Union (“CJEU”) on 12 January 2023. Significantly, the CJEU found that data subjects are entitled to obtain either: (a) information about the specific recipients to whom their personal data have been or will be disclosed, where possible; or (b) information about the categories of the recipient. The information provided to the data subject pursuant to the right of access contained in Article 15(1)(c) must be as precise as possible to enable the data subject to effectively exercise his or her rights under the GDPR.
The Court further held that the right of access may be restricted in certain circumstances where it is impossible to disclose the identity of the specific recipients, such as where those specific recipients are not yet known. In those circumstances, the right of access may be restricted to information about the categories of the recipients. The CJEU also noted that, pursuant to Article 12(5)(b) GDPR, the controller may refuse to act in response to a request from a data subject where the controller can demonstrate that those requests are “manifestly unfounded or excessive”.
Key takeaway: In response to an access request. Controllers should provide information to data subjects on the specific recipients of personal data where possible.
Too many hats: independence of the data protection officer
The judgment in Case C-560/21 (ZS v Zweckverband ‘Kommunale Informationsverarbeitung Sachsen’ “KISA”) was delivered by the CJEU on 9 February 2023. This case concerned the dismissal of ZS as Data Protection Officer (“DPO”) by KISA on the basis there was a conflict of interest between ZS’s activities as DPO and other professional activities. The CJEU noted that that DPOs, whether or not they are employees of the controller, must be able to perform their tasks independently.
Each Member State is free to lay down specific and more protective provisions on the removal of the DPO, provided that those provisions are compatible with EU law and with the provisions of the GDPR.
On the same day, the CJEU handed down an almost identical judgment in Case C‑453/21 (X-FAB Dresden GmbH & Co. KG).
Key takeaway: Controllers must ensure that the DPO is independent and adequately resourced to fulfil their statutory duties.
The concept of a ‘copy’ pursuant to Article 15(3) GDPR
The CJEU delivered their judgment in Case C-487/21 (F.F. v Österreichische Datenschutzbehörde, intervening party: CRIF GmbH)on 4 May 2023 whereby it was held that the first sentence of Article 15(3) GDPR cannot be interpreted as creating a distinct right from that provided in Article 15(1) GDPR. The term ‘copy’ does not relate to a document as such, but to the personal data which it contains, and which must be complete. The right to obtain from the controller a “copy of the personal data undergoing processing” means the data subject must be given a faithful and intelligible reproduction of all the data concerning him or her undergoing processing.
The right entails the right to obtain copies of extracts from documents or even entire documents or extracts from databases which contain those data, if the provision of such a copy is essential to enable the data subject to exercise effectively the rights conferred on him or her by the GDPR; albeit that the rights and freedoms of others should also be considered.
Key takeaway: Controllers must provide data subjects with a faithful and intelligible reproduction of their personal data, including entire documents or extracts from databases if the provision of such a copy is essential for the data subject to exercise his or her rights under the GDPR.
The right of access and the definition of ‘recipients’ pursuant to Article 15 GDPR
On 22 June 2023, the CJEU held in Case C-579/21 (J.M. intervening parties: Apulaistietosuojavaltuutettu, Pankki S) that the employees of the controller would not be regarded as being ‘recipients’, within the meaning of Article 15(1)(c) GDPR, when the employees processed personal data under the authority of their employer, i.e., the controller, and in accordance with its instructions, unless the information regarding the employees that processed the personal data was essential in order to enable the data subject to fully exercise his or her rights under the GDPR.
The CJEU stated that the right of access provided in Article 15 GDPR should not adversely affect the rights and freedoms of others. In the event of a conflict between, on the one hand, the exercise of a right of access pursuant to Article 15 GDPR and, on the other hand, the rights or freedoms of others, a balance must be struck between the rights and freedoms in question. Wherever possible, controllers should choose the means of providing for the right of access that do not infringe the rights or freedoms of others. The result of those considerations should not be a refusal to provide all information to the data subject.
Key takeaway: Controllers should ensure that any person acting under their authority who has access to personal data processes those data only in accordance with their instructions.
The CJEU judgment of Case C-300/21, which also involvedOsterreichische Post AG, (UI v Osterreichische Post AG) (the “Post AG Case”), delivered on 4 May 2023, held that it is for each Member State to determine the assessment of non-material damages in line with domestic practice once the EU principles of equivalence and effectiveness are complied with.
There are several decisions awaited in this area from the CJEU and it remains to be seen whether a consistent approach at EU level in awarding compensation for non-material damage under the GDPR, will form.
In the meantime, the recent Irish Circuit Court decision of Kaminski v. Ballymaguire Foods Limited  IECC 5 provides welcome guidance on the assessment of claims for non-material damage under the GDPR and the Data Protection Act 2018.
- Compensation for non-material damage is likely to be ‘modest’.
- The Court suggested that alternative dispute resolution in the format of an independent adjunctive or conciliatory process may be an appropriate way to resolve data-breach disputes in the future.
- While the plaintiff in Kaminski did not undergo medical assessment, the court referred to the Personal Injuries Guidelines 2021 and measured the damage sustained by the plaintiff as “minor psychiatric damages” (which can be valued at less than €500). This is in circumstances where the plaintiff did not establish that he suffered psychiatric damage in the absence of a medical report.
- The court also noted that the above factors will likely impact a claim for legal costs in data-breach cases for non-material damage.
On 4 May 2023, in the Case C-60/22 (UZ v Bundesrepublik Deutschland), the CJEU ruled that not every violation of the GDPR (for instance, of accountability requirements) would render all related processing to be unlawful.
For example, the violation of GDPR requirements to enter into a joint controller agreement or to maintain the records of processing activities by the controller does not render all related processing unlawful under the GDPR.
Key takeaway: An infringement of the GDPR does not automatically render all related or follow-on processing non-compliant.
Meaning of personal data
In Case C-319/22 (Gesamtverband Autoteile-Handel e.V. vScania CV AB) the CJEU ruled that vehicle identification numbers (also known as the chassis number):
- are not personal data; but
- become personal data as regards someone who “reasonably” has means of enabling that data to be associated with a specific person.
This follows CJEU case law that the circumstances of the specific case must be considered in order to determine whether information is personal data. For the definition of the identifiability of a person, the CJEU repeatedly refers back to the Breyer case and points out that for the question of identifiability: “account shall be taken of all the means reasonably likely to be used either by the controller, […] or by any other person, to identify that person, without, however, requiring that all the information enabling that person to be identified should be in the hands of a single entity”. This is in line with Recital 26 of the GDPR.
Key takeaway: When determining ‘what is personal data?’ controllers should consider the broad application given to this term under EU jurisprudence and have due regard to the question of identifiability.
Who is my regulator?
The CJEU handed down its judgment in Case C-252/21 (Meta Platforms Ireland Limited v Bundeskartellant) on 4 July 2023. The case arose out of an investigation by the Bundeskartellant (Federal Cartel Office, Germany) of personalized advertising and the collection of data on and off Facebook and the other online services provided by the Meta Group to create detailed profiles of users.
The CJEU held that a competition authority, when examining the issue of abuse of a dominant position, can have regard to the rules on the protection of personal data, compliance or non-compliance with the GDPR and the decisions of other data protection authorities. In doing so, the competition authority is required to consult with the supervisory authority concerned or, where appropriate, the lead supervisory authority and to seek its cooperation or determine whether it is necessary to wait for that authority to make a decision before commencing its own assessment.
The CJEU also held that, where the controller holds a dominant position on the market for online social networks, this must be considered in assessing whether the data subject has validly and freely given consent, since it is liable to affect the freedom of choice of the user, who may not be able to refuse or withdraw consent without detriment.
Key takeaway: Controllers should consider which regulators may have regard to their data protection compliance, notably in an enforcement context.
The GDPR precludes fees for first copies of medical records
On 26 October 2023 in Case C-307/22 (FT v DW) the CJEU determined that the GDPR precludes national legislation that prescribes a fee for first copies of personal data requested by the data subject. In this case FT, a practicing dentist, sought to rely on German law that provides patients may obtain copies of medical records provided they pay a fee.
The CJEU also sought to substantiate the statements it made previously in F.F. v Österreichische Datenschutzbehörde, intervening party: CRIF GmbH (as described above). The CJEU noted that Article 15(3) does not necessarily entitle a data subject to receive a copy of an entire document. Only in special circumstances where such a copy is necessary to ensure the data are intelligible or essential to enable the data subject to exercise their rights effectively, will Article 15(3) entail the right to obtain copies of extracts from documents or even entire documents.
Key takeaway: Controllers are under an obligation to provide data subjects with a first copy of their personal data, free of charge even where the reason for the access request is not for the data subject to be aware of and verify the lawfulness of the processing.
No “strict liability” for GDPR violations
The CJEU delivered its judgment in Case C-683/121 (Nacionalinis visuomenės sveikatos centras prie Sveikatos apsaugos ministerijos v Valstybinė duomenų apsaugos inspekcija, interveners: UAB ‘IT sprendimai sėkmei, Lietuvos Respublikos sveikatos apsaugos ministerija) on 5 December 2023. The case concerned a dispute that arose between the Lithuanian National Public Health Centre and the Lithuanian data protection authority concerning the development of an application to register and monitor those persons exposed to COVID-19.
The CJEU ruled, among other things, that:
- Article 4(7) GDPR must be interpreted as meaning that an entity may be regarded responsible and liable not only for any processing of personal data which it itself carries out, but also for any other processing carried on its behalf, unless that entity expressly objected to that processing in advance.
- The classification of two entities as being joint controllers does not require either the existence of an arrangement between them relating to “the determination of the purposes and means of the processing of personal data in question”, nor an arrangement laying down the terms of the joint control.
- Article 83(2) GDPR only permits the imposition of an administrative fine in respect of those GDPR infringements “which are committed wrongfully by the controller, that is to say, those committed intentionally or negligently”. Controllers may, in certain circumstances, have fines imposed on them in respect of processing operations carried out on their behalf by a processor.
Key takeaway: Controllers should ensure that the categorisation of the data protection roles they and other parties play in respect of various processing operations are correct, and that all measures are taken to accurately and consistently record all processing operations carried out on their behalf by processors.
Circumstances in which administrative fines can be imposed
In Case C-807/21 (Deutsche Wohnen SE v Staatsanwaltschaft Berlin), the CJEU handed down a €14 million fine on a German real estate company for storage of tenants’ personal data for longer than necessary. The CJEU ruled that national laws imposing conditions for the imposition of administrative fines beyond Article 83 are precluded by the GDPR and are contrary to the requirements of Article 83(1) GDPR.
The CJEU also confirmed that for a fine to be imposed on a controller for infringements of the GDPR, such infringements must be committed intentionally or negligently. The CJEU affirmed that in certain circumstances, supervisory authorities may refrain from imposing an administrative fine in favour of a reprimand. The CJEU clarified that an administrative fine may be imposed in circumstances where the controller ‘could not be unaware of the infringing nature of its conduct’, regardless of whether it was aware that it was infringing the provisions of the GDPR.
Key takeaway: Supervisory authorities may only impose administrative fines where an infringement was committed intentionally or negligently.
Fear of misuse of data is capable of constituting non-material damage
On 14 December 2023, the CJEU handed down its judgement in Case C‑340/21 (VB v Natsionalna agentsia za prihodite). This decision concerned a cyberattack on the Bulgarian National Revenue Agency (“NAP”), a body responsible for securing and recovering public debts, which resulted in the publishing of personal data of millions of data subjects on the internet. Many data subjects sought compensation from NAP for the fear caused by the potential misuse of their data.
Whilst the CJEU held in the Post AG Case (referred to above) that it is for each Member State to determine the assessment of non-material damages in line with domestic practice once the EU principles of equivalence and effectiveness are complied with, the CJEU did provide some guidance on compensation in this case. The CJEU held that fear of misuse of personal data resulting from an infringement can constitute non-material damage, provided the national court determines that the fear in the given circumstance is well founded.
The CJEU also affirmed that controllers will be liable for compensation where the damage results from the actions of a third party, unless the controller can prove it is in no way responsible for the damage. The courts will not infer from the fact of unauthorised disclosure or access to data that the controller’s security measures are not appropriate. However, the court held that in an action for damages under Article 82 GDPR, the controller bears the burden of proving that the security measures implemented pursuant to Article 32 GDPR are appropriate.
Key Takeaways: Data subjects may seek damages for a well-founded fear of misuse of their personal data. Controllers should ensure that they implement technical and organisational measures that appropriately address the risk of the processing of the relevant personal data.
The authors would like to thank Kerry Burns and Jonathan Guy for their contribution to this briefing.