Data Protection Insider, Issue 110

– CJEU Rules on Non-Material Damages –

On 11th April 2024, the CJEU delivered its judgment in the case of GP v juris GmbH. The case concerned a self-employed lawyer, who was a client of the legal database company juris. The plaintiff revoked all consents, and objected to the processing of their data for the purposes of marketing. Despite this, the plaintiff received further marketing leaflets. The plaintiff then ‘reminded juris of his prior objection to any marketing,…informed juris that the creation of those prospectuses had given rise to unlawful processing of his data and requested compensation for the damage suffered by him under Article 82 of the GDPR’. A further advertising leaflet then arrived, after which the plaintiff ‘reiterated his objection, which was this time served on juris by bailiff’. Accordingly, the applicant brought proceedings before the national courts. The plaintiff sought ‘on the basis of Article 82(1)…compensation for his material damage, relating to the costs…incurred by him, and for his non-material damage’. The plaintiff claimed ‘that he…suffered a loss of control over his personal data as a result of the processing of those data by juris despite his objections, and that he’ was entitled ‘to obtain compensation on that basis, without having to show the effects or gravity of the infringement of his rights, guaranteed by Article 8 of the Charter’ and the GDPR. The defendant, however, claimed that ‘it had indeed established a system for managing objections to marketing and that the late taking into account of those of the applicant…was due either to the fact that one of its employees had not complied with the instructions given or to the fact that it would have been excessively onerous to take those objections into account’ and that ‘the mere breach of an obligation under the GDPR, such as that under Article 21(3) thereof, cannot, in itself, constitute ‘damage’ within the meaning of Article 82(1)’.

In this regard, four questions were referred to the CJEU, which the Court bundled into three sets of considerations:

  • Whether Article 82(1) GDPR means ‘an infringement of provisions…which confer rights on the data subject is sufficient…to constitute ‘non-material damage’…irrespective of the degree of seriousness of the harm suffered’.
  • Whether Article 82 GDPR means ‘it is sufficient for the controller, in order to be exempted from liability under paragraph 3…to claim that the damage…was caused by the failure of a person acting under his authority’ according to Article 29.
  • Whether Article 82(1) GDPR means ‘that, in order to determine the amount of damages due as compensation…it is necessary, first, to apply mutatis mutandis the criteria for setting the amount of administrative fines laid down in Article 83…and, second, to take account of the fact that several infringements of that regulation concerning the same processing operation affect the person seeking compensation’.

In this regard, the Court considered that:

  • Article 82(1) means ‘an infringement of provisions…which confer rights on the data subject is not sufficient, in itself, to constitute ‘non-material damage’…irrespective of the degree of seriousness of the damage suffered by that person’.
  • Article 82 means ‘it is not sufficient for the controller, in order to be exempted from liability…, to claim that the damage in question was caused by the failure of a person acting under his or her authority’ under Article 29.
  • Article 82(1) means ‘that in order to determine the amount of damages…, it is not necessary, first, to apply mutatis mutandis the criteria for setting the amount of administrative fines…in Article 83…and, second, to take account of the fact that several infringements of that regulation concerning the same processing operation affect the person seeking compensation’.

There is much to recommend a closer reading of this case, not least the Court’s subtle differentiations regarding the concepts of infringement and damage, its discussion of the criteria for claiming non-material damages, and its discussion of the distinctions between provisions relating to compensation, and those relating to administrative fines.

 

– AG Opinion on the Powers of Supervisory Authorities –

On 11th April 2024, the AG delivered their Opinion in the case of TR v Land Hessen. The case concerned a savings bank, which had chosen not to inform a data subject of a data breach – presuming this would not constitute a high risk. The data subject complained to the DPA of ‘a breach of Article 34 of the GDPR’ and ‘of the short period of three months for which the savings bank’s access logs were retained, and the fact that all savings bank employees had comprehensive access rights’. The DPA, however, took the matter no further, claiming ‘the savings bank had not infringed Article 34’. Subsequently, the data subject ‘lodged an action against the decision…before the Verwaltungsgericht Wiesbaden…the referring court, asking it to order the’ DPA ‘to take action against the savings bank’. The data subject asserted they were entitled to have the ‘complaint handled and to be informed of the outcome’, submitted that the DPA ‘was obliged to establish the facts underpinning the savings bank’s risk assessment without confining itself to the measures expressly requested, and that it should have fined the savings bank’. According to the plaintiff, ‘where a breach is established, the principle of expediency does not apply, so that the’ DPA ‘did not have the discretion to decide whether or not to act but that, at most, its discretion extended to which measures it was considering adopting’. In this regard, the following question was referred to the Court: ‘Are Article 57(1)(a) and (f), Article 58(2)(a) to (j) and Article 77(1)’ GDPR ‘to be understood as meaning that, where the supervisory authority finds that data processing has infringed the data subject’s rights, the supervisory authority must always take action in accordance with Article 58(2)’ GDPR?

In response, the AG concluded, building on the SCHUFA case, that the Articles in question mean that ‘where the supervisory authority finds that data processing has infringed the data subject’s rights, the supervisory authority must take action under Article 58(2)’ of the GDPR ‘to the extent necessary to ensure full compliance…. In that respect, it is required to select, taking into account the specific circumstances of each individual case, the appropriate, necessary and proportionate action to remedy the infringement and ensure that the data subject’s rights are respected’. The AG also stated, however, that ‘the data subject does not have the right to require the adoption of a particular measure’ and that the stated ‘principles also apply to the system of administrative fines’. It remains, however, as always, to be seen whether, and to what extent, the Court will follow the AG’s Opinion.

 

– ECtHR: The Bulgarian Regime on Data Storage of Conviction Data is Unforeseeable –

On 16th April, the ECtHR, in Borislav Tonchev v Bulgaria, ruled that the legal framework in Bulgaria which regulates the storage of data on substitute administrative penalties is not foreseeable, and thus not in accordance with the law. As to the facts of the case, the applicant was employed as a prison guard. In the meantime, he was caught driving drunk and issued with an administrative fine as a substitute for a criminal conviction. The data in the record were subsequently disclosed to his prospective employer when the applicant applied for a new post and also to his current employer, which resulted in his dismissal. The applicant complained to the ECtHR that his right to private life under Article 8 ECHR had been breached because of the continued retention of his data in the record, and the disclosure of this data to his previous employer. The Court first noted that the processing of data on convictions constitutes an interference with an individual’s right to private life. As to the justification of the interference, the Court started by examining whether the interference was in accordance with law and focused specifically on the foreseeability of the law. The Court noted that: ‘Those regulations lay down a clear time-limit (five years up until February 2013, and fifteen years since then) for keeping record cards for substitute administrative penalties (…). By contrast, the regulations appear to contain ambiguity on the question of whether the electronic data derived from those cards are to be deleted alongside the record cards themselves, or whether they are to be retained for longer or indeed indefinitely (…). With the digitalisation of the relevant records (…), this question takes on considerable importance’. It concluded that such ‘vague’ regulations, coupled with the rulings of the Supreme Administrative Court which justified the indefinite retention of the criminal records in question, cannot be considered to be foreseeable.

The Court did not go into the question of the necessity of the data retention regime, as criticised by Judge Pavli in his Concurring Opinion.

 

– Updates from the EU Institutions and Bodies –

In the past two weeks, the EDPS and the EDPB adopted the following documents:

  • On 9th April, the EDPS adopted its annual report – available here.
  • On 17th April, the EDPB adopted an Opinion, in which it criticized Meta’s ‘Pay or Consent’ Policy – available here.
  • On 18th April, the EDPB adopted its Strategy for 2024 – 2027 and information on the implementation of the redress mechanism in the EU-US Data Privacy Framework – see here.

About

DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.
