Data Protection Insider, Issue 79


– ECtHR: Hungarian DPA with Insufficient Powers to Control Secret Surveillance 

 

On 29th September, the ECtHR again examined the Hungarian secret surveillance system in Hüttl v Hungary. As to the facts of the case, the applicant is a lawyer who suspected that his telephone had been tapped. He submitted several complaints to the Hungarian authorities, but they either concluded that he had not been subject to unlawful surveillance or did not investigate his complaints. The applicant then filed a complaint with the ECtHR, claiming a violation of Article 8 ECHR. When examining the complaint, the Court focused essentially on the question of whether the Hungarian DPA could offer an effective safeguard against unlawful secret surveillance, an aspect which it had not examined in Szabó and Vissy. The Court noted that the DPA could not perform independent legality checks and address the grievances of the applicant, because the DPA does not have unrestricted access to certain sensitive law enforcement, defence and/or national security information. Instead, it relies on the findings of the respective ministries. Hence, it cannot be deemed to be an external, independent supervisory authority in relation to the executive. On that basis, the Court found a violation of Article 8 ECHR and did not depart from its findings in Szabó and Vissy.


– AG Advises CJEU that a Mere Infringement of the GDPR Does Not Suffice for Awarding Damages 

 

On 6th October, AG Campos Sanchez-Bordona delivered his Opinion in UI v Österreichische Post AG on the question of whether a mere infringement of the provisions of the GDPR can trigger a claim for damages. As to the facts of the case, the applicant complained that he had been profiled by the Austrian postal services as concerns his political affiliation. He claimed that he had not given his consent for the profiling, that he ‘was upset by the storage of his party affinity data and angered and offended by the affinity specifically attributed to him by Österreichische Post’ and ‘that the political affinity attributed to him is insulting and shameful, as well as extremely damaging to his reputation. In addition, Österreichische Post’s conduct caused him great upset and a loss of confidence, and also a feeling of public exposure.’ On that basis he claimed compensation of € 1000 for non-material damage. His claim was turned down by the lower domestic courts and eventually three preliminary ruling questions on the issue of whether a mere infringement of the GDPR suffices to award damages were filed with the CJEU. The AG advised the Court to rule that this is not the case for the following two reasons. First, he argued that ‘there is an unequivocal requirement that the natural person concerned must have suffered damage as a result of an infringement of the GDPR.’ Second, on the related question of whether punitive damages can be awarded under the GDPR, the AG reasoned that this is not the case and that there is no presumption of damage when the GDPR is infringed. In his reasoning, the AG focused especially on the point that data subject control is not absolute and not the sole objective of the GDPR. On the second question of whether national courts may award other types of damages than financial compensation, the AG advised the Court that remedies such as a declaration that the processing is illegal or payment of symbolic compensation are not precluded by the GDPR.
Finally, on the question of ‘whether, under the GDPR, the award of compensation for non-material damage is conditional on an ‘infringement of at least some weight that goes beyond the upset caused by that infringement’’, the AG concluded that ‘there is a fine line between mere upset (which is not eligible for compensation) and genuine non-material damage (which is eligible for compensation) and I am also aware of how complicated it is to delimit, in the abstract, the two categories and apply them to a particular dispute. That difficult task falls to the courts of the Member States, which will probably be unable to avoid in their rulings the perception prevailing in society at a given time regarding the permissible degree of tolerance where the subjective effects of infringement of a provision in this area do not exceed a de minimis level.’ It remains to be seen what position the Court will take on these delicate questions.


– AG Opinion on the GDPR and Disclosure in Civil Procedures 

 

On 6th October, Advocate General Ćapeta delivered their Opinion in the case of Norra Stockholm Bygg AB v Per Nycander AB, joined parties: Entral AB. In terms of the facts, the case concerned the construction of a building by the appellant for the respondent. The register of employee activity on the project was held by Entral AB. With regard to the project, the respondent challenged the request for payment, claiming the requested amount was too high. In this regard, in order to prove this claim before court, the respondent requested the disclosure of employee activity records from Entral AB. The request was opposed by the appellant, who suggested that ‘such a disclosure would breach the GDPR, as the requested data were collected for another purpose and cannot be used as evidence in the main proceedings.’ National courts initially ordered the production of the records, a decision which the appellant appealed. In this regard, the referring court submitted two questions to the CJEU:

 

‘Does Article 6(3) and (4) of the [GDPR] also impose a requirement on national procedural legislation relating to disclosure obligations?’

Must the ‘interests of the data subjects [be considered] when a decision on disclosure must be made which involves…personal data? In such circumstances, does EU law establish any requirements concerning how…that decision should be made?’

 

With regard to the questions, the AG concluded:

 

‘Article 6(3) and (4) of the [GDPR] imposes requirements on national procedural legislation relating to disclosure obligations whenever disclosure…[involves] personal data. National procedural legislation cannot prevent…the interests of data subjects [being] taken into consideration. Those interests will be safeguarded if national courts respect the rules of…[the GDPR regarding] disclosure.’

‘When deciding on the order for disclosure in civil proceedings…[involving] personal data, the national court must undertake a proportionality analysis…[considering] the interests of data subjects…and balance them in relation to the interest of the parties to the procedure to obtain evidence. That proportionality assessment is guided by the principles set out in Article 5 of [the GDPR].’

 

As always, it remains to be seen whether, and to what extent, the Court will follow the Opinion. This is an interesting Opinion which touches on a number of pertinent issues in data protection law – e.g. judicial bodies’ obligations, the conditions of secondary use, pseudonymisation, proportionality – and, for that reason, is well worth reading.


– EDPB Announces Publication of Biannual CSC Report of Activities 

 

On 5th October, the EDPB announced the publication of the ‘2020-2022 Coordinated Supervision Committee Report of Activities’ – adopted in July. The Committee consists of ‘the national Supervisory Authorities (SAs) and the European Data Protection Supervisor (EDPS)’ and aims at ensuring ‘the coordinated supervision by Supervisory Authorities of large-scale IT systems and of EU bodies, offices and agencies falling under its scope.’ In terms of more substantive content, the Report first discusses the set-up of the Committee – including its ‘Rules of Procedure’, the ‘Organisation of meetings’, and its ‘Working methods’. The report then goes on to elaborate the activities of the Committee, in relation to which discussions proceed under four headings: i) ‘Promote and facilitate the exercise of data subject rights’; ii) ‘Examine difficulties of interpretation or application of EU and national law’; iii) ‘Exchange information and conduct joint audits or coordinated inspections’; iv) ‘Prepare for the start of the EPPO’s activities and other EU bodies and information systems that will fall under the Committee’s scope.’ The report finally goes on to discuss ‘Main Objectives for 2022-2024’ – including discussions of preparations for new large-scale systems as well as of ‘Coordination and effective supervision’. Whilst the report will likely be of most interest to those who are interested in the subject matter of the Committee’s work, the report should nevertheless be of interest to the broader data protection community – e.g. with regard to the discussion of the procedures of the Committee.


– EDPB Holds 70th Plenary Meeting 

 

On 10th October, the EDPB held its 70th plenary meeting. From the agenda of the meeting, the EDPB is focusing, inter alia, on the following topics: complaints with the Ombudsman on access to documents, ‘Statement on digital euro’, selection of strategic cases, ‘Art. 64 Opinion on the approval of Europrivacy certification criteria’, ‘Targeted update of the Guidelines for identifying a controller or processor’s lead supervisory authority’, ‘Targeted update of the Guidelines on data breach notification’, and ‘Annual reports of SAs: dedicated Annex with standardised content and format regarding key information’.


– DPC Draft Article 60 Decision on Meta

 

On 3rd October, the Irish DPC announced it had ‘submitted a draft decision in a large scale inquiry into Meta Platforms Ireland Limited (“MPIL”) to other Concerned Supervisory Authorities across the EU.’ The submission follows an investigation into the company which started in April 2021. The investigation concerned reports that ‘a collated dataset of Facebook user personal data had been made available on the internet’ – allegedly including hundreds of millions of users’ personal data. The investigation focussed on Meta’s compliance with ‘Articles 25(1) and 25(2) GDPR (“data protection by design and by default”)’. Other DPAs now have one month to provide feedback. The feedback procedure can yield significant input and the subsequent progress of the decision is worth following with interest – not least concerning possible insights into the application of Articles 25(1) and 25(2).


About

DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.
