The CJEU on GDPR: A summary of recent cases

There have been two significant judgments in the Court of Justice of the European Union (‘CJEU’) on aspects of the General Data Protection Regulation (‘GDPR’). The first is case C-300/21, which examined GDPR damages. The second is case C-487/21, which gives further guidance on data subject access requests. There is also case T-557/20, which was before the General Court, on pseudonymisation and anonymisation under the GDPR. 

(i) Case C-300/21: UI v Österreichische Post AG (GDPR Damages)

Austria’s Supreme Court asked the CJEU for a preliminary ruling on the scope of damages under the GDPR. In particular, it asked whether a person must have suffered harm, or whether an infringement of the GDPR alone is enough to receive an award of damages. It also asked whether there is a minimum threshold for non-material damage caused by a GDPR infringement. The ruling is available here.

Österreichische Post AG was an address broker that had collected various information on Austrian citizens to infer their political affinities. It then sold the data to third parties for targeted advertising. UI became aware that the company had been processing his personal data without his consent and had assumed he had an affinity to a particular political party. He brought a claim, seeking compensation for ‘upset, loss of confidence and a feeling of exposure’.

According to Article 82(1) of the GDPR, “any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered”. The CJEU highlighted the necessity for a causal link between the damage and the infringement in the wording of this provision.[1] The court concluded that an infringement by itself would not give rise to an award.[2] Three conditions must be present for the right to compensation, set out in Article 82(2) of the GDPR, namely[3]:

  • Processing of personal data,
  • Which infringes a provision of the GDPR,
  • Which causes damage suffered by the data subject.

Where a data subject has not suffered any ‘damage’ from the infringement, the provisions in Articles 77, 78, 83 and 84 of the GDPR provide legal remedies in the form of regulatory enforcement action.[4]

On the question of a threshold for seriousness, the court pointed out that recital 146 of the GDPR states that the concept of damages should be interpreted broadly, in line with the case law of the CJEU, which has not adopted a narrow definition.[5] Furthermore, the GDPR is designed to provide a high level of protection to individuals in the use of their personal data and to ensure consistency of regulation in the EU.[6] If compensation for non-material damage depended on a minimum threshold, it would “risk undermining the coherence of the rules established by the GDPR” and be contrary to the purpose of the regulation.[7]

This ruling resonates with the conclusion of the UK Supreme Court in the case of Lloyd v Google LLC [2021] UKSC 50. My blog article on this case can be found here.

(ii) Case C-487/21: Österreichische Datenschutzbehörde and CRIF (data subject access requests)

CRIF is a business consulting agency that provides information on the creditworthiness of individuals when requested by third parties. An individual made a data subject access request to CRIF, asking for copies of emails and database extracts that contained his personal data. CRIF sent him a summary of the processing of his personal data in the form of a list. The individual objected and filed a complaint with his data supervisory authority, who agreed with CRIF.

After proceedings were brought, the Austrian Federal Administrative Court requested a preliminary ruling on the interpretation of the right of access to personal data under Article 15 of the GDPR. In particular, whether Article 15(3) of the GDPR, taken with Article 12(1) must be interpreted as meaning that a data subject has the right not only to obtain a copy of personal data being processed, but also a copy of extracts from documents, entire documents, or extracts from databases in which the personal data is found. The ruling is available here.

The CJEU noted the broad definition of personal data, which can encompass opinions and assessments so long as the information ‘relates’ to the data subject.[8] Information ‘relates’ to a data subject if “by reason of its content, purpose or effect, it is linked to an identifiable person”.[9] Citing the Advocate General’s Opinion with approval, the court agreed that the broad definition includes all information from the processing of personal data and any further related processing.[10] This would include, in the present case, an assessment of a person’s creditworthiness.[11]

Recital 63 of the GDPR states that the purpose of Article 15 is to enable a data subject to be aware of and verify the lawfulness of the processing of his or her personal data. The right of access is also necessary to enable a data subject to exercise other rights, for example the right to rectification, the right to object and the right to be forgotten.[12] The principle of transparency requires that a data subject knows about the processing operation and its purpose (see Article 5(1)(a) and recitals 58 and 60 of the GDPR).[13] 

Therefore, the court concluded that under Article 15(3), a data subject must be given a “faithful and intelligible reproduction” of the personal data.[14] This may entail the provision of copies of extracts from documents, entire documents, or extracts from databases that contain the personal data if contextualisation is required to enable him or her to understand how the personal data is being processed.[15] It may also include showing where there is an absence of information about a data subject where other data is processed with the personal data (for example an empty field in a database).[16]

(iii) Case T-557/20, SRB v European Data Protection Supervisor (‘EDPS’) (pseudonymised personal data)

In Case T-557/20 SRB v EDPS, the General Court of the European Union held that pseudonymised data transmitted to a data recipient will not be considered personal data if the data recipient does not have the means to re-identify the data subjects. The ruling can be found here.

In 2017, the Single Resolution Board (‘SRB’) decided to write down and convert Banco Popular Español’s capital instruments. The following year, it began a compensation process, inviting shareholders and creditors to register to be heard. To do so, they had to provide proof of identity and proof of ownership of the relevant capital instruments (‘registration’). They also had to complete an online form that sought their response to several questions (‘the comments’).[17]

The SRB staff that processed the comments only received them in a pseudonymised form: an alphanumeric code was allocated to each individual comment.[18] The SRB staff did not have the data collected in registration and did not have the data key for the alphanumeric code to identify the participants. The comments were filtered using an algorithm to remove any duplicates, and the SRB then grouped them into themes. The comments were then further analysed to divide them by relevance, specifically to group those relating to a particular valuation (‘Valuation 3’).

The SRB asked the company Deloitte, which was the independent valuer, to assess the comments of shareholders and creditors for Valuation 3. These 1,104 comments were shared with Deloitte via a virtual server and only specific staff members of Deloitte were able to access them. The comments were labelled by alphanumeric code. Deloitte was able to link those replies in the registration phase with those in the consultation phase, but it did not have access to the registration database to identify those persons.
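The separation described above, as an added illustration that is not code from the ruling or from either party: the controller assigns random alphanumeric codes, keeps the code-to-registrant key table together with the registration data, filters duplicate comments, and shares only coded records. The registrants, comments and the choice of one code per registrant (so the recipient can link a person’s replies without naming them) are constructed assumptions.

```python
import hashlib
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits

# Constructed sample of the registration phase (proof of identity and ownership).
REGISTRATIONS = {
    "R-001": {"name": "A. Shareholder", "holding": "ordinary shares"},
    "R-002": {"name": "B. Creditor", "holding": "subordinated bonds"},
}
# Constructed consultation-phase answers; the third entry duplicates the first.
COMMENTS = [
    ("R-001", "Valuation 3 understates the value of the loan book."),
    ("R-002", "The resolution decision should have been delayed."),
    ("R-001", "Valuation 3 understates the value of the loan book."),
]

def pseudonymise(comments, rng=None, code_len=8):
    """Split identified comments into a key table (kept by the controller) and
    shareable records that carry only an alphanumeric code and the comment text.
    Duplicate comments are dropped, mirroring the SRB's de-duplication step."""
    rng = rng or secrets.SystemRandom()
    key_table, code_of, records, seen = {}, {}, [], set()
    for registrant_id, text in comments:
        fingerprint = hashlib.sha256(" ".join(text.split()).lower().encode()).hexdigest()
        if fingerprint in seen:
            continue
        seen.add(fingerprint)
        if registrant_id not in code_of:
            code = "".join(rng.choice(ALPHABET) for _ in range(code_len))
            while code in key_table:  # regenerate on the (unlikely) collision
                code = "".join(rng.choice(ALPHABET) for _ in range(code_len))
            code_of[registrant_id] = code
            key_table[code] = registrant_id
        records.append({"code": code_of[registrant_id], "comment": text})
    return key_table, records

def reidentify(records, key_table, registrations):
    """Only the holder of the key table and registration data can do this."""
    return [(registrations[key_table[r["code"]]]["name"], r["comment"]) for r in records]

def leaks_identity(records, registrations):
    """Pre-sharing check: do the records carry any registrant id or name?"""
    identifiers = set(registrations) | {v["name"] for v in registrations.values()}
    return any(ident in r["comment"] or ident == r["code"]
               for r in records for ident in identifiers)
```

Whether the recipient holds, or can lawfully obtain, the key table is exactly the question the court said the EDPS had not examined; the code only makes the two halves of the data visible.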

A number of shareholders and creditors complained to the EDPS, on the basis that they had not been informed that the data contained in the online form would be transmitted to a third party. The EDPS found that SRB had infringed Article 15 of the GDPR by failing to inform them in its privacy statement that their comments might be disclosed to Deloitte. The SRB objected, arguing that the information transmitted to Deloitte was anonymised data, not pseudonymised data, and therefore did not fall within the definition of personal data in the GDPR.

The EDPS did not agree, finding that the data shared with Deloitte was pseudonymised data and therefore subject to the obligations of the GDPR. The view of the EDPS is that the assessment is an objective one, such that the fact that Deloitte did not have access to the information held by SRB to re-identify the pseudonymised data did not make the data anonymous (para 79).[19] According to the EDPS, whether or not re-identification by Deloitte was reasonably likely is not relevant to this definition; the fact that there exists ‘additional information’ that can identify a data subject brings it within the definition of pseudonymised data, whether that information is held by the third party or not.[20]

The court considered the CJEU case of Breyer,[21] where it was found that a dynamic internet protocol address could be personal data because the internet service provider was able to identify the person who had registered it, and this information could be obtained by legal means.[22] In the present case the court was of the view that it was necessary to consider Deloitte’s position as a recipient of the data and not SRB’s position as the transferor of the data.[23] For Deloitte the data was anonymised data because it did not have the ‘additional information’ required to re-identify the persons to whom the data related. 

However, of note is the fact that the court reached this decision on the basis that the EDPS did not investigate whether or not Deloitte had any legal means available to it, through which it could access the additional information.[24] The EDPS has not commented on the outcome of this case, and it is not known if an appeal to the CJEU will be brought.[25] There is currently a request for a preliminary ruling from the CJEU in another case that raises the question of the status of data received by a third party who does not have the legal means to access ‘additional identifying information’. The request was lodged in September 2022 and will provide further guidance on this issue.