On Thursday, May 4 2023, the ECJ handed down three judgements relevant to data protection law. The article provides an overview of the respective proceedings, the decisions and potential effects. The indicated marginal numbers refer to the respective judgement.
A. Case C-60/22 – Federal Republic of Germany (Boîte électronique judiciaire)
In Case C-60/22 – Federal Republic of Germany (Boîte électronique judiciaire), the ECJ ruled by way of a preliminary ruling that breaches of the obligations under Artt. 26 and 30 GDPR do not constitute unlawful processing conferring on data subjects a right to erasure or to restriction of processing, because it does not follow without further ado that the controller has also violated the principle of “accountability” within the meaning of Art. 5(2) in conjunction with Art. 5(1)(a) and Art. 6(1) GDPR. Even if a data controller has breached its obligations under Art. 26 or 30 GDPR, personal data may be lawfully processed without the consent of the data subject – in this case by a national court.
The subject matter of the main proceedings was an action against a decision of the Federal Office for Migration and Refugees before the Wiesbaden Administrative Court (VG Wiesbaden), in which the Federal Office relied on the electronic file “MARIS” created by it, which contained personal data of the plaintiff in the main proceedings. The electronic file “MARIS” was transmitted to the VG via the electronic court and administrative mailbox as part of a joint procedure pursuant to Article 26 of the GDPR. The court had doubts as to whether the maintenance of the electronic file created by the Federal Office and its transmission to the court via the Electronic Court and Administrative Mailbox complied with the GDPR. These judicial doubts were fuelled by the fact that the Federal Office did not provide a list of processing activities pursuant to Article 30 GDPR or an agreement on joint responsibility pursuant to Article 26 GDPR upon request. In order to obtain clarity as to whether the data present in the electronic file “MARIS” may be made the subject of the administrative court proceedings, the VG submitted three questions to the ECJ.
With regard to the first question submitted by the VG Wiesbaden, the ECJ reiterates that any processing of personal data must be in conformity with the principles for the processing of data set out in Article 5(1) of the GDPR and must meet the conditions for the lawfulness of the processing set out in Article 6 of the GDPR (para. 57). A breach of Art. 26 and 30 GDPR by the controller, on the other hand, does not constitute “unlawful processing” within the meaning of Art. 17(1)(d) or Art. 18(1)(b) GDPR according to the judgment (para. 61, 66), which gives the data subject a right to erasure or to restriction of processing, because this breach as such does not mean that the controller violates the principle of “accountability” within the meaning of Art. 5(2) in conjunction with Art. 5(1)(a) and Art. 6(1) DPA (para. 69). According to the ECJ, such violations must be countered by the supervisory authority exercising the “remedial powers” provided for by the GDPR, namely the order under Article 58(2)(d) of the GDPR to bring processing operations into compliance with the GDPR, the filing of a complaint under Article 77(1) of the GDPR or the assertion of a claim for damages under Article 82 of the GDPR (para. 67).
The ECJ answers the third question of the VG Wiesbaden, which thus remains to be answered, to the effect that consent of the data subject pursuant to Art. 6 (1) sentence 1 lit. a DSGVO constitutes only one of the permissive elements of Art. 6 (1) DSGVO (para. 72), so that the processing of personal data required by national courts within the scope of the powers conferred on them is based on Art. 6(1)(e) of the GDPR (para. 73). if a controller has breached its obligations under Art. 26 or 30 of the GDPR, the consent of the data subject is not a prerequisite for the consideration of such data by a national court to be lawful. (para. 75).
Conclusion: The ECJ makes it clear that a differentiation must be made between the question of the legal basis for a data processing on the one hand and “accompanying” compliance obligations under the GDPR on the other. Whether a processing operation is “unlawful” depends solely on the question of whether a legal basis exists for the processing in question.
B. Case C-300/21 – Austrian Post
The ECJ ruled in Case C-300/21 – Österreichische Post that a mere breach of the GDPR does not in itself give rise to a claim for damages, but that this depends on whether damage has actually been caused. With regard to the amount of the claim for damages, the court merely refers to the national provisions of the member states, whereby the Union law principles of equivalence and effectiveness must be observed.
The Austrian Supreme Court expressed doubts about the asserted claim for damages of a data subject who, in the course of a collection of information on political affinities with the help of an algorithm by the Austrian Post, was attributed a particular affinity to a specific party. The data subject, who had not consented to the processing of his personal data, claimed that he had felt a great annoyance and loss of confidence as well as a sense of exposure and sought payment of 1,000 euros as compensation for the non-material damage he allegedly suffered before the Austrian courts.
In its judgment of 4.5.2023 , the ECJ first states that the claim for damages provided for in the GDPR is subject to three cumulative conditions: a breach of the GDPR, material or non-material damage resulting from that breach, and a causal link between the damage and the breach (paras. 32, 37). Thus, already according to the wording of the recitals, not every infringement of the GDPR in itself leads to a claim for damages – unlike in the case of remedies that allow the imposition of fines, the existence of individual damage must be proven when claiming non-material damages (paras. 40, 50).
However, the ECJ further states that the claim for damages is not limited to non-material damage that reaches a certain degree of materiality, as such a requirement is not mentioned in the GDPR (para. 45) and such a limitation would be contrary to the broad understanding of the concept of damage chosen by the Union legislator (para. 46).
In addition, the ECJ notes that the GDPR does not provide any rules for the assessment of damages claims, which is why the determination of the criteria is the task of the law of the individual Member States (para. 54). In this context, the ECJ emphasises the compensatory function of the claim for damages under Article 82(1) of the GDPR and points out that, according to recital 146 of the GDPR, this instrument is intended to ensure “full and effective compensation for the damage suffered” (para. 57).
Conclusion: Infringement means infringement – regardless of its severity. But; no compensation on the basis of Art. 82 GDPR without damage – which the data subject must demonstrate.
C. Case C-487/21 – Austrian Data Protection Authority and CRIF
In another judgment with Austrian precedent, the ECJ ruled that the right to a copy from Art. 15(3) GDPR means that the data subject is provided with a faithful and intelligible reproduction of all existing data. This includes the right to obtain a copy of extracts from documents or even of entire documents or extracts from databases if this is indispensable to enable the data subject to effectively exercise the rights conferred on him or her by the GDPR. Moreover, the ECJ clarifies that the term “information” in Article 15(3), third sentence, of the GDPR refers exclusively to personal data of which the controller must provide a copy pursuant to Article 15(3), first sentence, of the GDPR.
The subject matter of the main proceedings was the complaint of a data subject who asserted a claim for information under Article 15 GDPR against a credit reference agency and requested that the data held there be made available “in a customary technical format”. The credit agency then provided the plaintiff with a list of his personal data in aggregated form. Since the data subject was of the opinion that he should have been provided with a copy of all documents containing his data, such as e-mails and excerpts from databases, he filed a complaint with the Austrian Data Protection Authority. The authority rejected the complaint on the grounds that the data subject’s right under Article 15 of the GDPR had not been violated.
The Austrian Federal Administrative Court therefore referred to the ECJ the question of whether the obligation under Art. 15(3) p. 1 GDPR is fulfilled if the controller transmits the personal data as a table in aggregated form, or whether it also covers the transmission of extracts from documents or even entire documents, as well as extracts from databases in which these data are reproduced, and also asked for clarification of what exactly the term “information” in Art. 15(3) p. 3 GDPR covers.
In this respect, the ECJ takes the view that the right under Art. 15(3), p. 3, GDPR must be interpreted as meaning that the data subject is provided with a faithful and intelligible reproduction of all personal data. To this end, a copy of extracts or of entire documents or extracts from databases must be provided if this is indispensable to enable the data subject to effectively exercise the rights conferred on him or her by the GDPR, taking into account the rights and freedoms of others in this respect. Moreover, the ECJ clarifies that the term “information” used within the meaning of Art. 15 (3) sentence 3 GDPR refers exclusively to personal data.
With regard to the wording of Article 15(3)(1) of the GDPR, the ECJ states, by way of a grammatical interpretation, that the provision confers the right to obtain a faithful reproduction of the personal data, in the sense of a broad meaning, which are the subject of operations that must be classified as processing by the controller. Moreover, the Court explains that the term ‘copy’ does not refer to a document as such, but to the personal data it contains, which must be complete. The copy must therefore contain all the personal data that are the subject of the processing.
With regard to the objectives pursued by Article 15 GDPR, the ECJ points out that the exercise of the right of access must not only make it possible to verify whether personal data are accurate, but also whether they are processed in a lawful manner.
In addition, the ECJ, referring to recitals 58 and 60 and Article 12(1) of the GDPR, states that the controller must take appropriate measures to provide all information in a precise, transparent, intelligible and easily accessible form, in plain and simple language, and that the information must be provided in writing or in another form, including, where appropriate, by electronic means, unless the data subject requests that it be provided orally. In particular, when personal data are generated from other data or when they are based on free fields, i.e. a missing indication from which information about the data subject is derived, the context in which these data are the subject of processing is indispensable in order to provide the data subject with transparent information and an intelligible presentation of these data.
Furthermore, according to the ECJ, the modalities of the transfer must be chosen in such a way that the rights or freedoms of other persons are not violated, while not leading to the denial of any information to the data subject.
Conclusion: A copy is (merely) a reproduction of the personal data processed. Only if it is indispensable, the accompanying documents (describing the context), contracts must be provided. Curtains down and all questions open.