The highest court of the European Union has today delivered some remarkable data protection rulings.
The first (Case C-300/21) deals with compensation for breaches of the bloc’s General Data Protection Regulation (GDPR); and the second (Case C-487/21) clarifies the nature of the information individuals exercising GDPR rights to obtain a copy of the data held about them should expect to receive.
Read on for a summary of the rulings and some possible implications.
No automatic right to compensation – but no threshold for damage either
The CJEU’s GDPR compensation ruling relates to a reference from an Austrian court in which a person sought to sue the national postal service for damages after it used an algorithm to predict citizens’ political views according to socio-demographic criteria without their knowledge or consent – leaving the individual feeling exposed, upset and with a blow to their confidence, according to the court press release.
In terms of regional damages for privacy violations, there have been a number of attempts in recent years to initiate class action lawsuits seeking compensation for data protection breaches. This CJEU ruling may make it easier to do this within the EU, although the court has put a limit on such claims, as the judges have held that the mere fact of a breach of the GDPR does not automatically give rise to a right to damages: meaning there is a responsibility for litigants to prove personal injury.
At the same time, the CJEU has ruled that there is no requirement that the immaterial damage suffered reach a certain threshold of severity in order to confer a right to compensation.
In other words, the court has avoided setting a limit on how much/what kind of damage must be proven in order to make a claim for damages. That seems like a big problem.
“[T]he Court rules that the right to compensation is not limited to immaterial damage that reaches a certain threshold of seriousness,” it writes in a press release accompanying the judgment. “The GDPR has no such requirement and such a limitation would conflict with the broad concept of ‘harm’ as adopted by the EU legislator. Indeed, the graduation of such a threshold, upon which whether or not such damages are awarded depends, could fluctuate according to the assessment of the courts seised.”
As the GDPR contains no rules for assessing damages, the judges say it is for the courts in EU member states to define criteria for determining the amount of compensation to be paid – pointing out that such rules should comply with the GDPR principles of equivalence and effectiveness, to ensure that individuals can receive full and effective compensation for harm suffered.
This creates a patchwork of outcomes on damages for privacy violations, depending on where in the EU a user can sue, based on how national courts interpret the mandate.
Peter Church, a technology practice counsel at law firm Linklaters, commented on the outcome in a statement: “[It] is possible that even minor fear or upset could warrant a damages claim. This, in turn, could open the way for not only frivolous or vexatious claims, but also large-scale class actions in the event of, for example, a data breach (which is currently the subject of a separate pending decision in Case C-340/21).”
He also predicted a disagreement between the EU and the UK (which is no longer part of the bloc) on the issue, as in 2021 the UK Supreme Court finally denied a long-running lawsuit against Google that had attempted the tricky step of proving individual harm in favor of seeking class action damages for privacy violations related to ad tracking of users of Apple’s Safari browser.
In that case, the British courts concluded that proof of damages was necessary; and, per Church, that it must “reach a threshold of severity to be eligible for compensation”. Hence his prediction that the EU and the UK will “divide on this issue”, as the CJEU has ruled that the harm experienced need not reach a threshold of severity.
So if you live in the EU and have your privacy violated by a data mining giant like Meta, you might feel a little annoyed, a little upset, a little uncomfortable or a little alarmed. injury. (And this summer, member states must transpose the Collective Redress Directive into national law – a piece of pan-EU legislation that aims to make it easier for consumers to seek collective redress through class actions.)
Privacy rights group noyb, which was behind numerous data breach complaints against giants like Meta and Google, reads the CJEU ruling as confirming that claims for “emotional harm” have been upheld. In a statement, founder and honorary chairman Max Schrems wrote: “We welcome the CJEU’s clarifications. An entire industry tried to reinterpret the GDPR to avoid paying damages to users whose rights they violated. This seems to be rejected. We are very happy with the result.”
Faithful copy of data
In a separate ruling today, the CJEU clarified the scope and content of an individual’s right of access under the GDPR to obtain a copy of their data – determining that, under the wording of the regulation, they should obtain “a faithful and understandable representation” of their data, so that they can check for themselves whether, for example, their information is correct and processed lawfully.
The reference here is to a legal challenge brought by an individual after a business consultancy that provides third-party creditworthiness data for its clients had processed his personal data. The person had asked for a copy of the documents on him “in a standard technical format” but had instead been given a list with a summary of the data, not a full copy.
“That right (Article 15(3) GDPR) includes the right to obtain copies of extracts from documents or even complete documents or extracts from databases containing, inter alia, those data, if the provision of such a copy is essential to enable the data subject to effectively exercise the rights conferred on him or her by the GDPR, taking into account that this must take into account the rights and freedoms of others,” the Court said in a press release.
It further notes that the controller must take appropriate measures to provide the data subject with all their data “in a concise, transparent, intelligible and easily accessible form, using clear and plain language”; providing the information in writing or otherwise, including, where appropriate, electronically.
“It follows that the copy of the personal data being processed, which the controller must provide, must have all the characteristics necessary for the data subject to effectively exercise his rights under that Regulation and must therefore represent those data completely and faithfully,” the court adds.
This ruling seems important to the ongoing effort to use the GDPR to shed light on the often dysfunctional algorithmic management of platform workers – such as the legal challenges of recent years against Uber and Ola in the UK and the Netherlands, brought by trade unions and the data trust, Worker Info Exchange, on behalf of a number of drivers, including about robo-firing claims.
As we’ve reported, taxi drivers have had limited success getting their data through the GDPR access rights route, with platforms blocking requests for security and privacy reasons and/or sending only partial information.
So it will be interesting to see whether the CJEU’s clarification that the right to a copy of data does indeed mean a true copy supports such efforts in the future.
Admittedly, the judgment touches on the issue of conflicting rights, i.e. between the right to full and complete access to personal data; and the rights or freedoms of others – with judges saying “a balance will have to be struck”. So there may still be room for platforms to keep pushing back.
“Wherever possible, means should be chosen to transfer personal data that do not infringe on the rights or freedoms of others, bearing in mind that the result of those considerations should not be that we refuse to provide all information to the data subject,” adds the Court in its press release.