On 4 May 2023, the Court of Justice of the European Union (CJEU) issued three privacy rulings. In it, the court explains the application and interpretation of a number of legal articles from the General Data Protection Regulation (GDPR). In this article, we discuss these statements and what we can learn from them for practice.
1. Right of inspection: the right to a copy of personal data
One of the rights granted by the AVG to a data subject is the right of inspection (Article 15 AVG). This right can be used to request access to personal data processed by an organisation about the data subject. The right of inspection is a fairly absolute right. Only limited exceptions to the right of inspection have been allowed in case law. Article 15 AVG states that the organisation must provide the data subject with a copy of the personal data as part of the inspection to be provided.
What does a copy of personal data mean? For some time, there has been a debate as to what data must be provided to correctly comply with a request for inspection. Where one organisation limits itself to providing sec an overview of the personal data contained in systems and/or documents, another organisation provides the complete documents in which the personal data are contained. Does the right to copy now extend only to the data itself or also to the documents containing that personal data? That was for the Court to decide (CJEU 4 May 2023, C-487/21, ECLI:EU:C:2023:369 (FF v Österreichische Datenschutzbehörde and CRIF).
The case involved the following. A data subject had asked a consultancy for access to his personal data as well as a copy of certain extracts containing his personal data. The consulting firm sufficed by returning a self-contained list of his personal details without sending a copy of the extracts.
Has this satisfied the right of inspection?
The court answers this question by explaining the scope of the right of inspection. According to the Court, this right means that a data subject must receive a true and intelligible reproduction of all his personal data. This right also includes obtaining a copy of extracts from documents or complete documents containing the personal data, if this is necessary for a data subject to effectively exercise their other legal rights (e.g. the right to rectification and oblivion). Then the personal data will have to be provided along with a copy of the documents containing the personal data.
In doing so, the Court does not give a black-and-white answer. However, it is clear that the right to a copy is not always limited to (an enumeration of) personal data itself. It may be that the right to a copy, means a right to a copy of integral documents. It is then up to a data subject to make a plausible case that this is necessary to exercise (other) legal rights. That – given the other rights under the AVG – will soon come into play. Organisations should therefore bear in mind that the scope of the right of inspection will often include a right to a copy of documents.
Note that when an organisation provides documents to comply with a request for inspection (which therefore includes a copy right), it must always be mindful of the rights and freedoms of others. This may mean deleting third parties’ personal data or other confidential information from provided information and documents.
2. Right to oblivion and restriction of processing
Besides the right of inspection, the AVG also includes the right “to be forgotten” and the right to restrict the processing of personal data. Recourse to these rights is possible if, among other things, personal data have been unlawfully processed. When is that up for discussion? Does a breach of the AVG always qualify as ‘unlawful processing’ of personal data? No, says the Court in this case (CJEU 4 May 2023, C-60/22, ECLI:EU:C:2023:373, (UZ v Bundesrepublik Deutschland)).
In this case, the German IND did not have its processing register (Article 26 AVG) in order AND personal data had been transferred from this administrative authority to a judicial authority without regulating joint processing responsibility (Article 30 AVG). One of the questions before the court was whether a data subject could invoke his right to be forgotten or his right to restrict processing because of these violations of the AVG. This is allowed under the articles regulating these rights, namely if there is unlawful processing. The question is therefore what the AVG understands by unlawful processing. Is that every violation of the AVG or only specific violations of the AVG?
The court ruled that a processing operation qualifies as lawful processing if it complies with Article 6 AVG. That article sets out the six possible bases for processing personal data, such as consent, performance of a contract, fulfilment of a legal duty or legitimate interest. The Court then found that unlawful processing occurs when there is processing without a basis in Article 6 AVG.
Non-compliance with the obligations under Articles 26 and 30 AVG is not a situation where there is no basis for the processing and therefore cannot be considered as ‘unlawful’ processing. In short, unlawful processing within the meaning of the AVG only occurs if there is no basis for the processing. Unlawful processing thus means: in violation of Article 6 AVG. If there is an ánother violation of the AVG, it is obviously wrong, but does not qualify as unlawful processing. Such a violation of the AVG then does not ensure that the right not to be forgotten or the right to restrict processing can be invoked. These rights are, of course, means to protect the rights and freedoms of data subjects. Those rights can, however, be used in the event of a breach of Article 6 AVG. And in the other cases provided for in the articles of these rights.
Note: of course, this does not mean that there are no consequences of non-compliance with AVG obligations. The supervisory authority can always impose corrective measures, the data subject can file a complaint with the supervisory authority or directly claim damages for a breach of the AVG. However, invoking oblivion or restriction of processing does not offer a solution in case of a breach other than violation of Article 6 AVG (i.e. processing without a (proper) basis).
3. Damages for breach of the AVG
The latest case (CJEU 4 May 2023, C-300/21, ECLI:EU:C:2023:370, (UI v Österreichische Post AG)) considered by the Court concerns a dispute between a resident of Austria and an Austrian company which, as a dealer in addresses, collected information on the political preferences of the Austrian population. The Austrian claimed non-material damages from the Austrian company because the fact that data about his supposed political views was stored made him “very angry, he lost his trust as a result and he felt embarrassed”. The data had not been passed on to third parties, so material damage could not be proven. So the issue was whether damages should already be compensated because you know your rights have been affected. Under Austrian law, this was not possible as it required a certain degree of serious damage.
In this case, the Court is considering the question whether a breach of the AVG in itself, directly gives rise to a right to (non-material) damages. It answers this question in the negative. Indeed, three cumulative conditions follow from Article 82 AVG: (1) a processing of personal data that infringes the AVG, (2) actual damage suffered and (3) a causal link between this damage and the infringement. Thus, a breach of the AVG in itself is insufficient for a right to damages. This also requires actual damages and a causal link between the infringement and the damages. Incidentally, this is different for the imposition of administrative fines and other sanctions (Articles 83 and 84 AVG), which have a primarily punitive purpose. These do not depend on the existence of damages.
According to the court, the concept of ‘damage’ does need to be interpreted broadly. The Austrian provision of the law whereby immaterial damages are only awarded once the damage has reached a certain degree of severity is not allowed. This will create an impermissible barrier. The court considers this contrary to the aims of the AVG. How the amount of compensation is ultimately determined depends on a member state’s national law, but a threshold, such as ‘serious injury’, is not allowed.
Compensation is intended to compensate the individual for the actual damage suffered. Compensation is not meant to punish anyone (in addition). Legally speaking, compensation is not punitive in nature; there are other means for that. It therefore remains necessary to prove the existence of actual injury. Without damages, no right to compensation. On the other hand, if any form of intangible damage is demonstrable, there is also a right to compensation. This should not be hampered by rules of national law.
Proving actual damages for AVG breaches is often difficult. It is usually unclear what happened to personal data and what the actual damage is. Often, there is no material damage within the meaning of the law. Intangible damages are not easily assumed. So the condition for compensation (damages) is in itself very low, but the crux is in proving those damages. Applied to the case, the Austrian, who experiences negative consequences of the address trader’s action, must show that these consequences would actually cause him immaterial damage. This will have to be decided by the Austrian court.
The court’s ruling does not change the basic requirements for claiming damages. On the contrary, the ruling clarified that a breach of the AVG does not in itself entitle you to damages. Proving damages remains a difficult task for an individual in practice. Once that is in place, the stage is set for compensation.
The privacy attorney at Wille Donker advocaten assist both organisations and data subjects. For example, in complying with the AVG, but also in exercising rights under the AVG. If you have a question about the rulings discussed or about the AVG, please contact us.