When it comes to compliance with the European General Data Protection Regulation (GDPR), companies still face significant legal uncertainties. Since the GDPR came into effect in 2018, it has been clear that some of its requirements were controversial, and now several potentially significant court proceedings have reached the European Court of Justice (ECJ). We provide you with a non-exhaustive overview of some of the expected landmark rulings by the ECJ.
It is anticipated that these rulings will provide more legal certainty and may – depending on their outcome – require companies to review and adjust their processes when dealing with the scope of data subject access requests (DSARs) and requirements for damages claims, as well as the need to identify a member of management’s breach of duty when defending themselves in GDPR proceedings.
1. ECJ to provide guidance on the scope of data subject access requests
When receiving DSARs (in accordance with Art. 15 GDPR) companies face various uncertainties regarding the scope, limitations, and format of their response. In particular, it is unclear whether a data subject may claim the provision of a ‘copy’ of the summary of personal data processed or, by way of broad interpretation, a ‘copy’ of all data (eg each email).
The ECJ will soon decide on the following issues:
- Does the obligation to provide a copy of the personal data undergoing processing apply to copies of documents or just an extract of the data within it?
One of the underlying cases pending before the ECJ is about a doctor facing a DSAR requested by one of his patients. One question before the court is whether he has to provide copies of all parts of a patient’s file containing the patient’s personal data, or a copy of all the patient’s data, leaving it up to him how to compile the personal data concerned. (ECJ C-307/22)
- Does the obligation to provide ‘meaningful information about the logic involved’ in cases of automated decision-making include parts of a company’s algorithm?
In another case pending before the ECJ a credit reference agency is faced with the question whether it has sufficiently complied with a DSAR by providing the data subject with a table of his personal data. Can it refuse the provision of an actual copy of the data (eg a database print out), as Art. 15 (3) GDPR does not require the disclosure of a facsimile of the data? Even if it would have to provide a facsimile, can it rely on trade secret protection to refuse the DSAR as the facsimile would reproduce the logical-mathematical links of the individual data records? (ECJ C-203/22)
- Is a controller’s user log data personal data within the meaning of Art. 15 (1) GDPR?
In the underlying case pending before the ECJ a customer has issued a DSAR to a bank, requesting not only information on which of his personal data has been processed by the bank, but also the names of the bank employees who had reviewed his personal data. Is the requested log data personal data of the customer and thereby subject to the DSAR or not, as it is personal data of the respective employees? (ECJ C-487/21)
Regarding the access to user log data, the Advocate General’s (AG) opinion on the case is expected to be delivered on 15 December 2022. The ECJ’s judgement on the matter will most likely follow no later than June 2023. For the other two questions neither a date for the AG’s opinion, nor an oral hearing has been set at this time.
2. Threshold for claiming non-material damages under scrutiny
There are many court proceedings that involve damages claims from data subjects allegedly affected by cyber incidents and/or insufficient responses to DSARs. Damage claims under Art. 82 GDPR are submitted even if no actual harm has been suffered. In Germany, for example, we see that courts tend to be rather restrictive in awarding compensation in these scenarios. However, some courts have nevertheless awarded non-material damages under certain circumstances.
The question whether compensation may be awarded to a data subject simply for ‘feeling annoyance’ by the unlawful processing of their personal data is currently pending before the ECJ.
In the underlying case a regional Austrian court had awarded compensation to an individual for merely feeling annoyed by the unlawful processing of his political affiliation by the Austrian Post.
AG Campos Sánchez-Bordona has proposed a restrictive approach. Mere annoyance, as felt by the claimant in the referred case, does not suffice. In his view the GDPR only provides for compensation for actual non-material damage. For an in-depth analysis of the AG’s opinion, read our latest blogpost.
As the ECJ usually renders its judgement 3 to 6 months after an AG opinion, its decision on the question can be expected within the first half of next year (ECJ C-300/21).
3. Identify natural person’s fault to impose GDPR fine against a company?
Finally, particularly under German and Austrian law, it is not clear whether imposing a fine against a company requires identifying an at least negligent violation of the GDPR by a member of that company’s management or representation (ECJ C-807/21).
In the underlying fine proceedings, the Berlin DPA had issued one of the first hefty GDPR fines in Germany (€14.5m) against a real estate company without establishing a breach of duty on the part of a board member or a legal representative.
As neither a date for the AG’s opinion, nor an oral hearing has been set at this time, it is unclear when exactly the ECJ will issue a decision.