– CJEU Rules on Data Processing in Judicial Proceedings –
On 4th May, the CJEU ruled in the case of UZ v Bundesrepublik Deutschland. In essence, the case revolves around a file on a data subject concerning international protection, compiled by the Federal Office, which was subsequently at issue in court proceedings. Issues were raised concerning whether the compilation of this file, as well as its subsequent transfer for use in court proceedings complied with data protection law – including issues concerning accountability obligations and obligations pertaining to joint controllership. This led to a series of questions as to how the data should then be treated before court. In this regard, the referring court posed the following key questions to the CJEU:
- ‘Does the failure of a controller to discharge…its obligation of accountability under Article 5…for example due to the lack of a record…of processing activities…or the lack of an arrangement…in accordance with Article 26…result in the data processing in question being unlawful within the meaning of Article 17(1)(d)…and Article 18(1)(b)…so that the data subject has a right to erasure or restriction’?
- If the answer to the first question is no: ‘does an infringement…of Article 5, 30 or 26’ mean ‘that…a national court may take the data into account only if the data subject expressly consents to that use?’
In summary, the Court concluded:
- ‘Article 17(1)(d) and Article 18(1)(b)’ mean ‘that failure by the controller to comply with…Articles 26 and 30…which relate…to the conclusion of an arrangement determining joint responsibility for processing and to the maintenance of a record of processing activities, does not constitute unlawful processing conferring on the data subject a right to erasure or restriction…where such a failure does not, as such, entail an infringement by the controller of the principle of ‘accountability’ as set out in Article 5(2)…read in conjunction with Article 5(1)(a) and…Article 6(1)’.
- When ‘the controller…has failed to comply with its obligations under Articles 26 or 30…the lawfulness of…taking into account…such data by a national court is not subject to the data subject’s consent’.
The case is well worth reading, not only for its interesting subject matter – the issue of data processing in judicial procedures – but also for the reasoning and observations of the Court – for example concerning the relationship between violations of lawful processing provisions and more procedural obligations, as well as concerning the relationship between the infringement of the right to data protection and these procedural obligations.
– CJEU Rules on Non-Material Damages –
On 4th May, the CJEU ruled in the case of UI v Österreichische Post AG. As to the facts of the case, the applicant complained that he had been profiled by the Austrian postal services as concerns his political affiliation. The applicant, however, ‘had not consented to the processing of his personal data’ and ‘felt offended by the fact that an affinity with the party in question had been attributed to him’. Further, he claimed that the ‘fact that data relating to his supposed political opinions were retained within that company caused him great upset, a loss of confidence and a feeling of exposure’. On that basis he claimed compensation of €1000 for non-material damages. His claim was turned down by the lower domestic courts, and eventually three preliminary ruling questions on the issue of whether a mere infringement of the GDPR suffices to award damages were filed with the CJEU. Specifically:
- ‘Does the award of compensation under Article 82…also require, in addition to infringement of provisions of the GDPR, that an applicant must have suffered harm, or is the infringement of provisions…in itself sufficient for…compensation?’
- ‘Does the assessment of the compensation depend on further EU-law requirements in addition to the principles of effectiveness and equivalence?’
- ‘Is it compatible with EU law…that the award of compensation for non-material damage presupposes the existence of a consequence…of the infringement of at least some weight that goes beyond the upset caused by that infringement?’
In this regard, the Court concluded:
- ‘Article 82(1)…must be interpreted as meaning that the mere infringement of the provisions of that regulation is not sufficient to confer a right to compensation.’
- Article 82(1) precludes ‘a national rule or practice which makes compensation for non-material damage…subject to the condition that the damage suffered by the data subject has reached a certain degree of seriousness.’
- Article 82 means ‘that for the purposes of determining the amount of damages payable…national courts must apply…domestic rules…relating to the extent of financial compensation, provided that the principles of equivalence and effectiveness of EU law are complied with.’
This is a fascinating case and well worth closer reading. This is particularly the case as the Court goes into detail regarding the scope of critical, but little defined, concepts in the GDPR concerning non-material damages. We would highlight, however, that key questions concerning the scope of non-material damages – for example concerning the range of harms capable of resulting in non-material damages – remain unanswered in the case.
– CJEU Offers a Broad Interpretation of the Notion of a Copy of One’s Data –
On 4th May, the CJEU clarified the concept of a data copy under the right of access to one’s data under Article 15 (3) GDPR in F.F. v Österreichische Datenschutzbehörde. As to the facts of the case, the applicant in the main proceedings requested a copy of the personal data concerning him as processed by a credit rating agency (‘CRIF GmbH’). The latter provided only a summary of these data. Following administrative and judicial battles on national level, the question on the interpretation on the notion of a copy reached the CJEU. The latter provided the following clarifications. First, the Court clarified that the notion of personal data, of which a copy is to be provided, should be interpreted broadly: ‘the broad definition of the concept of ‘personal data’ covers not only data collected and stored by the controller, but also includes all information resulting from the processing of personal data relating to an identified or identifiable person, such as the assessment of that person’s creditworthiness or his or her ability to pay.’ Second, the Court recalled that one of the purposes of the right of access consists in the opportunity for the data subject to verify the lawfulness of the data processing and exercise their other rights, e.g. to rectification, and that Article 12 (1) GDPR anchors the requirement for understandable communication to the data subject. On these premises, the Court concluded that the right to a copy ‘means that the data subject must be given a faithful and intelligible reproduction of all those data. That right entails the right to obtain copies of extracts from documents or even entire documents or extracts from databases which contain, inter alia, those data, if the provision of such a copy is essential in order to enable the data subject to exercise effectively the rights conferred on him or her by that regulation, bearing in mind that account must be taken, in that regard, of the rights and freedoms of others.’ Third, the Court clarified that the notion of ‘information’ contained in Article 15 (3) GDPR ‘relates exclusively to the personal data of which the controller must provide a copy pursuant to the first sentence of that paragraph.’ We note that this judgment forms part of a series of judgments which read the different provisions on the right of access to one’s data broadly, ensuring greater transparency towards concerned data subjects.
On 16th May, the ECtHR delivered three judgments concerning the Dutch legal provisions and practice on the transfer of companies’ and their employees’ personal data from the public prosecutor’s office to the Dutch Competition Authority (‘NMA’) and established that they do not violate Articles 8 and 13 ECHR. Although the three cases concern different companies, they raised similar claims under Article 8 ECHR, namely that ‘the transmission to the NMA of data that were irrelevant to the criminal investigation…constituted a violation of…rights under Article 8 of the Convention’. The Court’s reasoning in the three cases is also similar. The Court first recalled that ‘legal persons may, under certain circumstances, claim rights to respect of their business premises and correspondence under Article 8’ and that ‘the transmission of data obtained through the interception of telecommunications to and their use by other authorities may constitute a separate interference with rights protected by this provision’. Then, the Court found that the interferences had legal basis under Dutch law which was accessible and foreseeable, that they pursued a legitimate aim and that they were proportionate. On the last point, the Court found that ‘the domestic courts carefully examined the facts, assessed the lawfulness of the transmission…and conducted an adequate balancing exercise under Article 8 of the Convention between the interests of the applicant company and the authorities’ interests to protect the economic well-being of the country (…). In that connection the Court also’ observes the lack of arguments to the effect that interferences ‘did not pursue a legitimate aim or as to why the balance struck by the domestic authorities was not fair in their particular case.’ Thus, the interferences were deemed to be overall necessary and proportionate in order to enforce competition law.
https://hudoc.echr.coe.int/eng#{%22itemid%22:[%22001-224732%22]}
https://hudoc.echr.coe.int/eng#{%22itemid%22:[%22001-224733%22]}
https://hudoc.echr.coe.int/eng#{%22itemid%22:[%22001-224734%22]}