-CJEU: Administrative Fines Not Obligatory when GDPR is Infringed-
On 26th September, the CJEU ruled that a supervisory authority is not always required to impose an administrative fine in order to remedy the situation which gave rise to an infringement of the GDPR in TR v Land Hessen. As to the facts of the case, the applicant in the main proceedings – TR – had a bank account at a savings bank. The bank notified the responsible supervisory authority – HBDI – of a data breach. It consisted in the unlawful access by one of its employees to TR’s data. Its data protection officer did not consider it necessary to notify TR of the data breach, since they were of the view that the breach was unlikely to result in risks for the rights and freedoms of TR. The HBDI agreed with the bank, e.g. because the concerned data had not been copied and distributed. It also noted that the bank had taken the necessary measures to prevent further such breaches as it had taken disciplinary action against the employee in question. The HBDI reproached the bank, however, stating that it had set very short storage periods for the access logs (only three months). Nevertheless, the HBDI decided that further action was not necessary. TR disagreed and filed a suit against the HBDI decision, claiming that supervisory authorities are required to exercise their corrective powers pursuant to Article 58(2) GDPR, e.g. to impose an administrative fine, and have no discretion whether to exercise these powers or not. The referring court is uncertain whether this is the case and thus asked the CJEU to help it interpret the GDPR. The CJEU ruled that ‘Article 57(1)(a) and (f), Article 58(2) and Article 77(1) of the GDPR must be interpreted as meaning that, when a breach of personal data has been established, the supervisory authority is not required to exercise a corrective power, in particular the power to impose an administrative fine, under that Article 58(2) where such action is not appropriate, necessary or proportionate to remedy the shortcoming found and to ensure that that regulation is fully enforced’. This would be especially the case when the supervisory authority has diligently examined the complaint and/or the data breach and adequate measures have been taken to remedy the situation, as appears to be the case in the present case.
-CJEU: GDPR Infringement Not Enough to Constitute Damages-
On 4th October, the CJEU ruled that an infringement of the GDPR does not automatically amount to damages, and if damages are established, they might be compensated only with an apology in A v Patērētāju tiesību aizsardzības centrs. As to the facts of the case, the applicant in the main proceedings – A – is a well-known journalist in the automotive branch. The Latvian consumer protection centre (‘PTAC’) used a ‘character imitating the applicant in the main proceedings’ in a video in which it informed consumers about the risks of buying second-hand cars. A requested repeatedly that the video should be taken down and not be further distributed, as he had not consented to the processing of his data. He also requested compensation for damages caused to his reputation. PTAC rejected his complaint and A filed suit, requesting the payment of damages for the violation of the GDPR. The referring court is unsure how to interpret Article 82(1) GDPR, especially the notion of damages and the appropriate compensation for damages. The CJEU ruled first that ‘Article 82(1) of the GDPR, read in the light of Article 8(1) of the Charter, must be interpreted as meaning that an infringement of the provisions of that regulation is not sufficient, in itself, to constitute ‘damage’, within the meaning of Article 82(1)’. Second, it ruled that ‘the making of an apology may constitute sufficient compensation for non-material damage on the basis of that provision, inter alia where it is impossible to restore the situation that existed prior to the occurrence of that damage, provided that that form of redress is such as to compensate in full the damage suffered by the data subject’. It left it to the referring court to examine whether an apology is sufficient or a monetary compensation should be added to the apology. Lastly, the CJEU ruled that ‘Article 82(1) of the GDPR must be interpreted as precluding the taking into account of the attitude and motivation of the controller in order, where relevant, to award compensation to the data subject that is lower than the damage he or she has actually suffered’. This is because Article 82(1) GDPR pursues a compensatory purpose, unlike Article 83 GDPR, which pursues a punitive purpose.
-CJEU Rules on Consent, Sensitive Data, and Personalised Advertising-
On 4th October 2024, the CJEU ruled in the case of Maximilian Schrems v Meta Platforms Ireland Ltd. As to the facts of the case, the applicant complained that Facebook processed their personal data for the purposes of targeted advertising contrary to the GDPR – including contrary to principles on purpose limitation, and consent. They referred especially to two types of data: (1) the personal data provided to Meta, as required by the contractual terms and conditions for using Facebook, including from third party partners (2) data inferred by Facebook, e.g. from events they liked. The applicant also complained that Facebook processed information on their sexual orientation contrary to the purpose limitation principle and the legality requirements on processing sensitive data – whilst the applicant had publicly discussed their sexual orientation themselves, this did not necessarily imply Meta could also process this data as well. In this regard, the Austrian Supreme Court – following a series of deliberations before local courts, also resulting in Schrems, C‑498/16 – decided to refer certain questions to the CJEU. In this regard, the Court considered the following two questions:
- Does Article 5(1)(c) GDPR mean data minimisation ‘precludes any personal data obtained by a controller, such as the operator of an online social network platform, from the data subject or third parties and collected either on or outside that platform, from being aggregated, analysed and processed for the purposes of targeted advertising without restriction as to time and without distinction as to type of data’?
- Does Article 9(2)(e) GDPR mean that ‘the fact that a person has made a statement about his or her sexual orientation on the occasion of a panel discussion authorises the operator of an online social network platform to process other data relating to that person’s sexual orientation, obtained, as the case may be, outside that platform using partner third-party websites and apps, with a view to aggregating and analysing those data, in order to offer that person personalised advertising’?
In relation to these questions, the CJEU concluded that:
- Article 5(1)(c) means that data minimisation ‘precludes any personal data obtained by a controller, such as the operator of an online social network platform, from the data subject or third parties and collected either on or outside that platform, from being aggregated, analysed and processed for the purposes of targeted advertising without restriction as to time and without distinction as to type of data’.
- Article 9(2)(e) means that ‘the fact that a person has made a statement about his or her sexual orientation on the occasion of a panel discussion open to the public does not authorise the operator of an online social network platform to process other data relating to that person’s sexual orientation, obtained, as the case may be, outside that platform using partner third-party websites and apps, with a view to aggregating and analysing those data, in order to offer that person personalised advertising’. Further, ‘the fact that a person has manifestly made public information concerning his or her sexual orientation does not mean that that person has given his or her consent within the meaning of Article 9(2)(a)…to processing of other data relating to his or her sexual orientation by the operator of an online social network platform’.
-CJEU Rules on LED Provisions regarding Access to Mobile Phones-
On 4th October, the CJEU ruled in the case of CG v Bezirkshauptmannschaft Landeck. As to the facts of the case, a German citizen was caught in Austria with 85g cannabis by the Austrian police. The police confiscated their mobile phone and requested the applicant to provide them the PIN number in order to unlock the phone and look through it in order to discover who provided the applicant with the cannabis. The applicant refused to cooperate. The policemen then tried unsuccessfully to unlock it. The applicant decided to sue the police and the referring court requested an interpretation of the legality of the police attempts to unlock and search though the applicant’s phone data under Articles 5 and 15 of the e-Privacy Directive. In this regard, the following questions were referred to the Court:
- Does Article 15(1) of Directive 2002/58, in the light of Articles 7 and 8 of the Charter, mean authorities’ access to phone data is an interference with fundamental rights, which is so serious that, in relation to law enforcement, such access must be limited to serious crime?
- Does Article 15(1), in the light of Articles 7, 8, 11 and 52(1) of the Charter, preclude national provisions according to which security authorities, when conducting criminal investigations, can obtain extensive and uncontrolled access to mobile phone data without authorisation from a court or other independent body?
- Is Article 47 of the Charter, in light of the principles of equality of arms and effective remedy, contrary to national provisions which allow mobile phones to be searched without the person being informed either before, or at least after, the search has taken place?
The Court bundled these questions into two sets of considerations, which refocussed deliberations onto Article 4(1)(c), and Articles 13 and 54 of the LED, respectively, as the relevant provisions. The Court decided that:
- Article 4(1)(c) of the LED, in light of Articles 7 and 8 of the Charter, allows national legislation enabling authorities to access data stored on mobile phones for the purposes of general law enforcement, provided that legislation: defines the implied offences with adequate specificity; ensures respect for the principle of proportionality; and ensures that such access is subject to prior control by a court or an independent body, apart from in adequately justified cases of emergency.
- Articles 13 and 54 of the LED, in light of Articles 47 and 52(1) of the Charter, preclude national laws which permit authorities to try and access data stored on a mobile phone without informing the person of the reasons for the prior authorisation to access the phone – given by a court or an independent body – where this information can no longer have a negative impact on the actions of the authorities.
At the time of writing, the case is unfortunately not available in English.
-CJEU Rules on the Publication of Personal Data in Commercial Registers-
On 4th October, the CJEU ruled in the case of Agentsia po vpisvaniyata v OL. In terms of the facts, the case concerned the publication, in the Bulgarian commercial register, of a company’s constitutive instrument. Contained in this instrument was the personal data of one of the company’s members. This person objected to this publication, and instigated procedures at national level with the responsible authority, and eventually also before the courts – including a claim for non-material damages. Following a complex back and forth at national level, eight questions were eventually referred to the CJEU, of which the Court considered the following six:
- Does Article 21(2) of Directive 2017/1132 – dealing with company law – impose on Member States an ‘obligation to permit the disclosure, in the commercial register, of a company’s constitutive instrument subject to compulsory disclosure under that directive and containing personal data other than the minimum personal data required, disclosure of which is not required by the law of that Member State’?
- Do Articles 4(7) and (9) GDPR mean ‘the authority responsible for maintaining the commercial register…which publishes, in that register, personal data…in a…constitutive instrument…is both a ‘recipient’…and a ‘controller’ of those data’?
- Do Articles 16 of Directive 2017/1132 and 17 GDPR preclude ‘legislation or a practice…which leads the authority responsible for…the commercial register…to refuse any request for erasure of personal data, not required by that directive or by the law of that Member State, contained in a company’s constitutive instrument…where a copy…in which those data have been redacted has not been provided to that authority, contrary to the procedural rules laid down by that legislation’?
- Does Article 4(1) GDPR mean ‘that the handwritten signature of a natural person is covered by the concept of ‘personal data’’?
- Does Article 82(1) GDPR mean ‘a loss of control, for a limited period…over…personal data, on account of those data being made available online to the public, in the commercial register…may…cause ‘non-material damage’ or’ does ‘non-material damage’ require ‘tangible adverse consequences be demonstrated’?
- Does Article 82(3) GDPR mean a supervisory authority’s opinion issued ‘on the basis of Article 58(3)(b)…is sufficient to exempt from liability, under Article 82(2)…the authority responsible for maintaining the commercial register’ which is a controller?
In this regard, the Court concluded that:
- Article 21(2) of Directive 2017/1132 does not impose on Member States ‘an obligation to permit the disclosure, in the commercial register, of a company’s constitutive instrument subject to compulsory disclosure under that directive and containing personal data, other than the minimum personal data required, disclosure of which is not required by the law of that Member State’.
- Articles 4(7) and 9 of the GDPR mean the ‘authority maintaining the commercial register…which publishes…the personal data contained in a…constitutive instrument…subject to compulsory disclosure under Directive 2017/1132…is both a ‘recipient’ of those data and…in so far as it makes them available to the public, a ‘controller’ of those data…even where’ personal data are not required by law.
- Articles 16 and 17 of the GDPR precludes ‘legislation or practice which leads the authority responsible for…the commercial register…to refuse any request for erasure of personal data not required by’ law, ‘contained in a…constitutive instrument published in that register, where a copy…in which those data have been redacted has not been provided…, contrary to the procedural rules laid down’.
- Article 4(1) of the GDPR means ‘the handwritten signature of a natural person is covered by the concept of ‘personal data’’.
- Article 82(1) of the GDPR means ‘a loss of control, for a limited period…over…personal data, on account of those data being made available online to the public, in the commercial register…may suffice to cause ‘non-material damage’, provided that that data subject demonstrates that he or she has actually suffered such damage, however minimal, without that concept of ‘non-material damage’ requiring that the existence of additional tangible adverse consequences be demonstrated’.
- Article 82(3) of the GDPR means that a supervisory authority’s opinion, ‘issued on the basis of Article 58(3)(b)…, is not sufficient to exempt from liability, under Article 82(2)…the authority responsible for maintaining the commercial register…which has the status of ‘controller’.
-AG Pikamäe: National Courts which Rule on the Disclosure of Personal Data Are Not Controllers–
On 4th October, AG Pikamäe advised the CJEU to rule that a national court which decides whether to grant a national supervisory organ access to the banking data of magistrates is not a controller and does not have to ensure that the personal data to be disclosed will not be illegally processed in Inspektorat kam Visshia sadeben savet. As to the facts of the case, there is an Inspectorate which overlooks the work of the judges and prosecutors (‘the magistrates’) in Bulgaria. The Inspectorate may request a court to order the disclosure of data about the bank accounts of the magistrates and their family members. It was noted that previously the Inspectorate published on its website, illegally, the names and addresses of several magistrates and the names of their family members. While the legal framework which regulates the Inspectorate and its workings have given rise also to another legal question in the present case, the below summary will focus on two data protection question which were submitted for a preliminary ruling. The first question is whether the court which decides to grant access to the bank account information of the magistrates and their family members should be classified as a controller in the meaning of Article 4 (7) GDPR. The second question is whether this court should require the Inspectorate to guarantee the protection of the personal data in question in view of the illegal processing by the Inspectorate of the magistrates’ personal data in the past. In answer to the first question, AG Pikamäe advised the CJEU to rule that since the court may only check whether the request for access to the above-mentioned banking information is submitted by a public organ such as the Inspectorate and concerns the magistrates and their family members, the court may not be classified as a data controller. In addition, the court does not receive the banking information itself as it is directly provided by the banks to the Inspectorate. In answer to the second question, AG Pikamäe advised the CJEU to rule that Article 79(1) GDPR, read in light of Article 47 CFREU, does not require the court which decides on the disclosure of banking information of the magistrates in Bulgaria to ensure that the Inspectorate which requests the data will adequately guarantee their protection, e.g. their security. This is the responsibility of the Inspectorate and magistrates have to have the means to exercise their rights to effective judicial remedy against the controller where they believe the Inspectorate has infringed their rights as guaranteed by the GDPR.