Five years ago, probably the most common concern of companies across the European Union was achieving compliance with the General Data Protection Regulation. In recent years, tempers have calmed down; nevertheless, the application of the GDPR still raises interesting legal questions from time to time. To celebrate the GDPR’s fifth birthday, we collected five landmark decisions of the Court of Justice of the European Union interpreting the GDPR that had a major impact on data controllers’ lives.
#1 The DIGI case about purpose limitation (Case No. C-77/21)
In 2020, the Hungarian telco company DIGI was fined HUF 100 million by the Hungarian supervisory authority because an ethical hacker revealed that a test database was available online, containing the personal data of DIGI’s clients collected for the purposes of concluding and performing subscription contracts. DIGI created the test database following a technical malfunction but, after correcting the error, forgot to delete it.
DIGI challenged this decision before the administrative court, which asked the CJEU whether the principle of purpose limitation precludes the controller from using, in a test database, personal data that were previously collected in another database.
The Luxembourg Court clarified that the principle of purpose limitation does not preclude the controller from storing personal data in a database set up for testing and error correction purposes if such further processing is compatible with the initial data collection purposes.
#2 The Fashion ID case about joint controllers (Case No. C-40/17)
In this case, the CJEU confirmed that the status of data controller does not depend on whether the controller has access to the data.
Fashion ID, an online clothing retailer, embedded Facebook’s Like social plugin on its webpage, which means that the personal data of the webpage’s visitors is transmitted to Facebook. A consumer protection association brought proceedings against Fashion ID, and the national court referred the case to Luxembourg.
In this context, the CJEU ruled that the fact that Fashion ID does not have access to the collected and transmitted data does not preclude it from being a controller. In fact, Fashion ID is regarded as a joint controller with Facebook, given that the data processing is carried out in the economic interest of both parties for their jointly determined purposes.
#3 The Austrian Post case about the right to compensation (Case No. C-300/21)
Data controllers can keep calm: in a recent decision, the CJEU ruled that not every infringement of the GDPR gives rise to a right to compensation.
The Austrian Post collected information on the political affinities of the Austrian people and used a special algorithm to categorize them and send them targeted advertising. An individual claimed that he had suffered non-material damage as a consequence of this data processing and brought proceedings to seek compensation.
The Austrian Supreme Court asked the CJEU whether a mere infringement of the GDPR is sufficient to confer a right to compensation. The CJEU clarified that while administrative remedies can be sought in case of an infringement of the GDPR, the right to compensation offered by the GDPR is conditional upon damage having been suffered.
#4 Hungarian case about the admissibility of parallel proceedings (Case No. C-132/21)
In a case connected to Hungary, the CJEU needed to answer the question whether the administrative and civil remedies offered by the GDPR may be exercised in parallel.
As to the factual background, after the company only partially complied with the access request of a shareholder, the shareholder brought an administrative action against the decision of the Hungarian supervisory authority and, in parallel, filed a civil lawsuit against the company.
The administrative court sent the case to the CJEU, which found that the administrative and civil remedies provided for by the GDPR may be exercised concurrently with and independently of each other.
#5 The Schrems II case about annulling the Privacy Shield (Case No. C-311/18)
Undoubtedly, the decision that had the greatest impact on data controllers’ lives was the one delivered in the case started by Maximilian Schrems, the nemesis of Mark Zuckerberg in relation to data transfers to the United States.
In this case, the CJEU found that the EU-U.S. Privacy Shield mechanism, which facilitated data transfers to the United States, did not provide adequate protection for personal data transferred to the U.S., and therefore considered it invalid.
Companies that transferred personal data to the U.S. based on the Privacy Shield needed to find other ways to transmit personal data to the U.S. lawfully, for example by using the standard contractual clauses.
Now, at least, the new Transatlantic Privacy Framework is on the horizon, so hopefully data transfers to the U.S. will be significantly easier.
By Anita Vereb, Attorney-at-law, SmartLegal Schmidt & Partners