Europe's top court clarifies GDPR compensation and data access rights
The European Union's top court has handed down a couple of notable rulings today in the arena of data protection.
One (Case C-300/21) deals with compensation for breaches of the bloc's General Data Protection Regulation (GDPR); and the second (Case C-487/21) clarifies the nature of information that individuals exercising GDPR rights to obtain a copy of data held on them should expect to receive.
Read on for a summary of the judgments and some potential implications.
No automatic right to damages — but no threshold for harm either
The CJEU's GDPR compensation ruling relates to a referral from an Austrian court where an individual sought to sue the national postal service for damages after it used an algorithm to predict the political views of citizens according to socio-demographic criteria without their knowledge or consent -- leaving the individual feeling exposed, upset and with a knock to their confidence, per the Court's press release.
As regards regional damages for privacy violations, there have been a number of attempts to bring class action–style suits seeking compensation for data protection breaches in recent years. This CJEU ruling may make it easier to do so within the EU, although the court has put one limit on such claims since the judges have ruled that just the fact of an infringement of the GDPR does not automatically give rise to a right of compensation -- meaning there is an onus on litigants to demonstrate personal harm.
At the same time, the CJEU has ruled there is no requirement for the nonmaterial damage suffered to reach a certain threshold of seriousness in order to confer a right to compensation.
So, in other words, the court has avoided setting a bar on how much/what type of harm needs to be demonstrated to file a compensation claim. Which looks like a big deal.
"[T]he Court holds that the right to compensation is not limited to non-material damage that reaches a certain threshold of seriousness," it writes in a press release accompanying the judgment. "The GDPR does not contain any such requirement and such a restriction would be contrary to the broad conception of ‘damage,’ adopted by the EU legislature. Indeed, the graduation of such a threshold, on which the possibility or otherwise of obtaining that compensation woulda depend, would be liable to fluctuate according to the assessment of the courts seised."
Since the GDPR does not contain any rules for assessing damages, the judges say it is up to courts in EU Member States to define criteria for determining the extent of any compensation payable -- while noting that such rules must comply with GDPR principles of equivalence and effectiveness, so as to ensure individuals can obtain full and effective compensation for damages suffered.
This sets up for a patchwork of outcomes on damages for privacy breaches, depending on where in the EU a user is able to sue, based on how national courts interpret the mandate.
Commenting on the outcome in a statement, Peter Church, a counsel in the technology practice at law firm Linklaters, suggested: "[I]t is possible that even minor anxiety or upset might justify a compensation claim. This in turn could open the way for not only frivolous or vexatious claims but also large class actions in the event of, for example, a data breach (which is currently the subject of separate pending decision in Case C-340/21)."
He also predicted a divergence between the EU and the U.K. (which is no longer in the bloc) on this issue, given how -- back in 2021 -- the U.K.'s Supreme Court ended up denying a long-running litigation against Google that had sought to skip the tricky step of demonstrating individual harm in favor of pressing for collective damages over privacy breaches related to ad tracking users of Apple's Safari browser.
In that case, the U.K. judges concluded proof of harm was necessary and, per Church, that it "must reach a threshold of seriousness to be eligible for compensation." Hence his prediction that the EU and the U.K. will "part ways on this issue" since the CJEU has decided there is no seriousness bar on the harm experienced.
So if you live in the EU and having your privacy violated by a data-mining giant like Meta has made you feel a bit annoyed, slightly upset, somewhat uneasy or a little alarmed, any of those sensations would, presumably, be enough to sue for damages. (And this summer member states are due to implement the Collective Redress Directive in national laws -- a piece of pan-EU legislation that aims to make it easier for consumers to achieve collective redress through class action–style litigation.)
Privacy rights group noyb, which has been behind scores of data breach complaints against giants like Meta and Google, reads the CJEU ruling as confirmation that claims for "emotional damages" are affirmed. In a statement, its founder and honorary chairman Max Schrems, wrote: "We welcome the clarifications by the CJEU. A whole industry tried to reinterpret the GDPR, in order to avoid having to pay damages to users whose rights they violated. This seems to be rejected. We are very happy about the result."
Faithful copy of data
In a separate ruling today, the CJEU has issued clarification around the scope and content of an individual's right of access under the GDPR to obtain an copy of their data -- deciding the regulation's wording intends they obtain "a faithful and intelligible reproduction" of their data, in order they can conduct their own checks to ensure, for example, that their info is correct and being processed in a lawful manner.
The referral here relates to a legal challenge brought by an individual after a business consulting agency that provides data on the creditworthiness of third parties for its clients had processed his personal data. The person had asked for a copy of the documents about him "in a standard technical format" but had instead been provided with a list summarizing the data, not a complete copy.
"That right [Article 15(3) of the GDPR] entails the right to obtain copies of extracts from documents or even entire documents or extracts from databases which contain, inter alia, those data, if the provision of such a copy is essential in order to enable the data subject to exercise effectively the rights conferred on him or her by the GDPR, bearing in mind that account must be taken, in that regard, of the rights and freedoms of others," the Court said in a press release.
It goes on to note that the data controller must take appropriate measures to provide the data subject with all their data "in a concise, transparent, intelligible and easily accessible form, using plain and clear language," providing the information in writing or other means, including, where appropriate, electronically.
"It follows that the copy of the personal data undergoing processing, which the controller must provide, must have all the characteristics necessary for the data subject to exercise his or her rights under that regulation effectively and must, consequently, reproduce those data fully and faithfully," the Court adds.
This ruling looks important for ongoing efforts to use the GDPR to shine a light on the often dysfunctional algorithmic management of platform workers -- such as legal challenges in recent years against Uber and Ola in the U.K. and the Netherlands brought by unions and the data trust, Worker Info Exchange, on behalf of a number of drivers, including over claims of robo-firing.
As we have reported, ride-hailing drivers have had limited success in obtaining their data via the GDPR access right route, with platforms blocking requests on security and privacy grounds and/or sending only partial information.
So it will be interesting to see if the CJEU's clarification that the right to a copy of data does actually mean a faithful copy bolsters such efforts in the future.
Albeit, the judgment touches on the issue of conflicting rights -- that is, between the right of full and complete access to personal data, and others' rights or freedoms -- with judges saying "a balance will have to be struck." So there could still be scope for platforms to keep pushing back.
"Wherever possible, means of communicating personal data that do not infringe the rights or freedoms of others should be chosen, bearing in mind that the result of those considerations should not be a refusal to provide all information to the data subject," the Court adds in its press release.