Data Protection Insider, Issue 139

Data Protection Insider, Issue 139 - DPI 35

-CJEU Rules on Remedies and Damages for Illegal Processing under the GDPR-

On 4th September, the CJEU clarified the application of the GDPR framework on remedies and damages in IP v Quirin Privatbank AG. As to the facts of the case, the applicant in the main proceedings applied for a job with Quirin Privatbank. Seemingly by mistake, Quirin Privatbank responded that the applicant’s salary expectations could not be met, but sent this email to one of the previous employers of the applicant. The latter forwarded the email to the applicant and asked him whether he was looking for a new job. The applicant sought a judicial order ‘that Quirin Privatbank, first, refrain from any processing of his personal data in connection with his application that would reiterate the unauthorised disclosure of those data following the sending of the message at issue and, second, pay him damages as compensation for the non-material damage allegedly resulting from that incident’. The national court sent four preliminary ruling questions to the CJEU, basically seeking clarification on whether the GDPR offers such a remedy, especially in Articles 17 and 18 GDPR, and guidance on how to apply the provisions on damages in Article 82(1) GDPR. First, the CJEU ruled that the GDPR does not offer a right to obtain an injunction prohibiting the future illegal processing of personal data where the data subject does not request the erasure of the personal data in question. It also ruled that the GDPR does not preclude the provision of such relief in national law.
Second, the CJEU clarified that the notion of ‘non-material damages’ in Article 82(1) GDPR ‘encompasses negative feelings experienced by the data subject as a result of an unauthorised transmission of his or her personal data to a third party, such as fear or annoyance, which are caused by a loss of control over those data, by a potential misuse of those data or by harm to his or her reputation, provided that the data subject demonstrates that he or she has such feelings, with their negative consequences, on account of the infringement of that regulation’. Third, the CJEU ruled that Article 82(1) GDPR precludes ‘the degree of fault on the part of the controller from being taken into account for the purpose of assessing the compensation for non-material damage payable under that article’. Fourth, the CJEU established that Article 82(1) GDPR precludes ‘the fact that the data subject has obtained, under the applicable national law, an injunction to prohibit the reiteration of an infringement of that regulation, enforceable against the controller, from being taken into account in order to reduce the extent of the financial compensation for non-material damage payable under that article or, a fortiori, to replace that compensation’.

-CJEU Rules on US Adequacy Decision-

On September 3rd, the CJEU ruled in the case of Latombe v. Commission. In essence, the applicant sought to have the US Adequacy Decision annulled. In support, the applicant relied on four grounds, including: the inadequate respect for Articles 7 and 8 of the Charter due to bulk collection of personal data; the infringement of Article 47 of the Charter and Article 45(2) of the GDPR resulting from the lack of an effective remedy and access to an independent tribunal; infringement of Article 22 of the GDPR on account of the lack of a framework for automated decision-making; and violation of Article 32 in conjunction with Article 45(2) of the GDPR by virtue of inadequate safeguards concerning the security of data. The CJEU dismissed the application for annulment. The Court observed, for example: in relation to the first ground, the clarity of the regulation of bulk collection; in relation to the second ground, that rules relating to the appointment of judges for the Data Protection Review Court do not call into question its independence or impartiality; in relation to the third ground, the relevance of sectoral provisions on automated decision-making in the US; and in relation to the fourth ground, the adequacy of security provisions. This is an involved case on a most significant issue, and we would highly recommend giving it full attention. Whilst the case may not have resulted in an annulment of the Adequacy Decision, there is no reason to think further challenges will not emerge in future. Unfortunately, the case is not available in a language spoken by the authors. Consequently, this report has not been compiled using automatic translations and materials other than the case itself and errors cannot be ruled out. Accordingly, we would suggest that all those interested in the case consult the original materials.

-Court of Justice Decides on the Scope of the Concept of Personal Data-

On 4th September the Court of Justice ruled in the case of EDPS v SRB. In terms of the facts, the case essentially concerns the exchange of data by the Single Resolution Board (SRB) to Deloitte, as part of a ‘right to be heard process’ relating to a ‘resolution scheme for Banco Popular Español S.A’. The data in question had been pseudonymised by the SRB prior to transfer to Deloitte, and the latter was only provided with unidentifiable data. Deloitte was, however, not listed as a third-party recipient of data in the SRB’s privacy policy, leading to a set of complaints by participants in the right to be heard process to the EDPS. The EDPS concluded that the data shared with Deloitte were pseudonymous data and that the ‘fact that Deloitte was not mentioned in SRB’s’ privacy statement ‘as a potential recipient of the personal data collected and processed by the SRB as the controller in the context of the’ right to be heard ‘process constitutes an infringement of the information obligations laid down in Article 15(1)(d)’ of Regulation 2018/1725. The SRB then appealed to the General Court seeking an annulment of this Decision. The General Court sided with the SRB, agreeing that ‘the information transmitted to Deloitte did not constitute personal data’. Against this background, the EDPS appealed to the Court of Justice, seeking that the judgment be set aside and that a final decision on the dispute be offered. The EDPS raised the following significant ground of appeal – a second ground was raised, which the Court did not consider – ‘that, by holding that he had incorrectly concluded, in the decision at issue, that the information at issue in the present case constituted personal data, the General Court erred in law in its interpretation of Article 3(1) and (6) of Regulation 2018/1725’. The Court upheld the EDPS’s appeal, but found that the state of the proceedings did not allow for a final judgment to be offered.
As a result, the matter has been referred back to the General Court. In this regard, the Court considered the EDPS’s ground of appeal to consist of two parts. ‘The first part concerns the condition, laid down in Article 3(1) of that regulation, that the information ‘relates’ to a natural person, and the second part concerns the condition, laid down in that same provision, relating to the ‘identifiable’ nature of that person’. In this regard, the Court considered, in relation to the first part that, ‘the General Court erred in law in holding…that the EDPS, in order to conclude that the information contained in the comments transmitted to Deloitte ‘related’, within the meaning of Article 3(1) of Regulation 2018/1725, to the persons who submitted those comments, should have examined the content, purpose or effects of those comments, since it was common ground that they expressed the personal opinion or view of their authors’. In turn, in relation to the second part, the Court considered ‘the General Court erred in law in holding…that, in order to assess whether the SRB had complied with its obligation to provide information under Article 15(1)(d) of Regulation 2018/1725, the EDPS should have examined whether the comments transmitted to Deloitte constituted, from Deloitte’s point of view, personal data’. The case is complex but fascinating, and well worth reading. We would, in particular, highlight the Court’s discussion of the significance of the position of the actor in question, when considering whether pseudonymous data constitute personal data, as likely to be of interest.

-AG Advises on the Relationship Between the GDPR and the LED and on the Right to Erasure-

On 4th September, AG Szpunar opined that the GDPR, and the right to erasure therein, apply to the processing of personal data in the personnel file of a police officer in the framework of investigations against him in CL v Prokuratura na Republika Bulgaria. As to the facts of the case, the applicant in the main proceedings was a police officer with the Ministry of the Interior in Bulgaria over a long period of time. In 2016, he was arrested on suspicion of theft and placed in police custody for 24 hours. He was subsequently released, the investigative measures against him were discontinued, and a decision that no further action should be undertaken was adopted. The applicant continued being a police officer and applied several times, unsuccessfully, for promotion within the Ministry. The applicant suspected that this was due to the fact that he had been previously under investigation. Thus, he opened court proceedings against the Prosecutor of the Republic of Bulgaria, requesting, amongst other things, the erasure from his personnel file of the mention that he had been a suspect in a crime. The referring court sought guidance on whether the GDPR or the LED should be applied when resolving the dispute and how to interpret the right to erasure in the framework of the conflict. The AG first noted that the storage of the data in the personnel file was not carried out by the department responsible for criminal investigations against its employees for law enforcement purposes (as the latter seems to process data for law enforcement purposes in other files).
He thus advised the CJEU to rule that ‘Article 2(1) of the GDPR and Article 9(1) of Directive 2016/680 are to be interpreted as meaning that the GDPR applies to the storing, by a public authority in the personnel file of one of its officials, of data regarding that official’s status as a suspect in a criminal investigation, where the data have been collected by an organisational unit within that public authority in the performance of its duties as a competent authority within the meaning of Directive 2016/680, provided that the storage of that data pursues purposes other than those set out in Article 1(1) of Directive 2016/680’. Second, he suggested that Article 17(3) GDPR, read in conjunction with Article 6(1)(c) and Article 6(3) GDPR, ‘must be interpreted as meaning that the storage, in a police officer’s personnel file, of personal data relating to a criminal investigation in which that officer was the subject of investigative measures, as a suspect, and which was discontinued, cannot be considered lawful for the purposes of compliance with a legal obligation to which the public authority that is his employer is subject under national law, as controller, merely on account of the nature of the duties which that officer is required to perform’.

-Four AG Opinions and Two ECtHR Judgments-

In the period of 1st August until 12th September, there were four AG opinions issued and two ECtHR judgments. Due to space limitations, we will only briefly list these here.

About

DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.
