Four key decisions mark the end of the EU GDPR's fourth year
The EU GDPR will soon celebrate its fifth birthday. However, yesterday may have been an equally important milestone with the Court of Justice of the European Union ("CJEU") handing down four preliminary rulings related to the application of the EU GDPR.
The following topics were considered by the CJEU:
- The accountability principle. In Case C-60/22 the German Data Protection Authority ("DPA") asked the CJEU to consider whether a controller's failure to demonstrate compliance with the accountability principle (Article 5(2) EU GDPR) means that controller's data processing is unlawful, thereby conferring on the affected data subject a right to erasure or rectification. In particular, the CJEU was concerned with a scenario in which a controller failed to comply with the obligations laid down in Articles 26 and 30 of the EU GDPR relating, respectively, to (i) the conclusion of an agreement determining joint responsibility for processing and (ii) the keeping of a register of processing activities.
In its judgment, the CJEU determined that a controller's failure to comply with Articles 26 and 30 EU GDPR is not in itself sufficient to constitute 'unlawful processing', provided that such failure does not as such imply a breach by the controller of the 'accountability' principle, where that requirement is read in conjunction with the fundamental principles of 'lawfulness, fairness and transparency' (Article 5(1)(a) EU GDPR) and the requirements for lawful processing (Article 6(1) EU GDPR).
Whilst a failure to comply with key obligations (such as maintaining a record of processing) could result in unlawful processing under the EU GDPR, this is not a ground-breaking development. However, the judgment demonstrates the importance of accountability when designing and implementing a compliant data protection programme.
- The right of access under Article 15 EU GDPR. In this case (C-487/21), a data subject requested access to their personal data held by a controller and copies of the relevant documents. The controller sent the data subject a summary list of their personal data but not copies of the individual documents containing their data. The Austrian DPA determined that the controller was not obligated to provide copies of documents, concluding that the obligation under Article 15 EU GDPR only requires a controller to provide the personal data contained in documents.
Upon the data subject's appeal, the Austrian Federal Administrative Court asked the CJEU to clarify the scope of the right to access under the EU GDPR. In particular, the CJEU was asked whether a controller's Article 15(3) EU GDPR obligation is fulfilled by providing a summary list of personal data held, or whether the controller must provide the documents themselves in order to comply with its obligations.
In response, the CJEU outlined that Article 15(3) EU GDPR obliges controllers to give data subjects a faithful and intelligible reproduction of all the relevant data. As such, the right to a "copy" includes the right to obtain actual copies of documents or databases (or extracts thereof) if the provision of such a copy is essential in enabling the data subject to exercise their rights under the EU GDPR. Whether or not a controller is obliged to provide full copies, or even extracts, of documents containing personal data will therefore depend on whether the personal data is clearly intelligible in a standalone summary list. If the context in which personal data is provided to data subjects is not conducive to the data subject being able to completely understand or interpret the personal data, controllers are at risk of enforcement action.
Whilst controllers therefore need to be mindful of how they provide personal data to data subjects in response to requests for access under Article 15 EU GDPR, the CJEU made clear that any right of access must always be balanced with the rights or freedoms of others, including the right to protect trade secrets and intellectual property rights belonging to third parties.
- Compensation under Article 82 EU GDPR. The referral to the CJEU in Case C-300/21 stemmed from Österreichische Post AG using an algorithm to predict the political views of citizens according to socio-demographic criteria without their knowledge or consent. In response to this processing, a data subject claimed to have suffered great upset, a loss of confidence and a feeling of exposure and demanded payment of non-material damages. This claim was dismissed by the Austrian court of first instance but, upon an appeal, the Austrian Supreme Court asked the CJEU to clarify the EU GDPR's provisions on compensation. Specifically, does mere infringement of the EU GDPR confer a right to compensation, regardless of the actual harm suffered?
Yesterday, the CJEU clarified that not every infringement of the GDPR gives rise to a right to compensation. Rather, compensation is subject to three cumulative conditions: (i) infringement of the GDPR; (ii) material or non-material damage resulting from that infringement; and (iii) a causal link between the infringement and the damage. The CJEU went on to rule, however, that there is no requirement for non-material damage suffered by a data subject to reach a certain threshold of seriousness in order to confer a right to compensation.
In doing so, the CJEU has not clarified what sort of non-material harm needs to be demonstrated to file a compensation claim, nor has it specified how much harm would result in compensation being owed. Rather, the CJEU determined that it is for the laws of individual member states to prescribe the formula for the calculation of compensation where non-material damages are claimed. It follows that this judgment provides little in the way of clarification for member state courts grappling with the threshold for awarding non-material damages under the EU GDPR.
- Joint controllers. In Case C-683/21, the CJEU considered whether joint controllership of data should be exclusively interpreted as involving deliberate, coordinated actions with respect to the determination of the purpose and means of data processing, or whether joint control can also cover situations where there is no clear arrangement or coordinated action between the entities when determining the purpose and means of data processing. This followed a dispute surrounding a Lithuanian COVID-19 'track and trace' app.
The CJEU clarified that joint control only requires two conditions to be fulfilled. Firstly, each controller must independently fulfil the criteria of a controller as defined by Article 4(7) EU GDPR. Secondly, the controllers' influence over the processing must be exercised jointly. Provided these two criteria are met, joint control can exist in different forms. The absence of an agreement, arrangement or common decision between controllers cannot exclude a finding that two entities are joint controllers.
Despite this ruling, entities who act in a joint controller capacity need to be mindful of their obligations under Article 26(1) of the EU GDPR, which specifies that joint controllers must determine their respective responsibilities for compliance with the obligations of the EU GDPR in a transparent manner. There is no doubt that contracts provide a useful tool for defining obligations in accordance with Article 26(1) of the EU GDPR.
It follows that contracts can be useful in establishing joint control and complying with transparency obligations, but they are not essential to indicating that a joint controllership exists. This case therefore serves as a reminder to make sure: (i) you are aware of your status as a joint controller; and (ii) where a joint controllership exists, you take steps to transparently document the division of roles and responsibilities accordingly.
Stay tuned for more information about the unfolding impact of these decisions on you or your business.