Upcoming data protection rulings in the EU: an overview of CJEU pending cases
There has been a surge in questions posed by national courts to the Court of Justice of the EU (CJEU) in the past year on how various provisions of the General Data Protection Regulation (GDPR) should be interpreted and applied in practice. They vary from understanding essential aspects of the fundamental right to the protection of personal data, such as the scope of one’s right to access their own data or the appropriate lawful ground for complex processing like profiling and personalized advertising, to systemic questions such as the interplay of competition law and data protection law in digital markets. They also seek to dispel enforcement conundrums, such as identifying and quantifying non-material damages for breaches of the GDPR or clarifying the ne bis in idem principle for cases under the parallel purview of Data Protection Authorities and national courts.
According to the EU Treaties, EU Member-States’ courts may – or, in case no appeal from their decisions is possible, must – ask the CJEU to rule on the interpretation and validity of disputed provisions of EU law. Such decisions are known as preliminary rulings, by which the CJEU expresses its ultimate authority to interpret EU law and which are binding for all national courts in the EU when they apply those specific provisions in individual cases.
Since May 2018 – when the GDPR became applicable across the EU -, the CJEU has played an important role in clarifying the meaning and scope of some of its key concepts. For instance, the Court notably ruled that two parties as different as a website owner that has embedded a Facebook plugin and Facebook may be qualified as joint controllers by taking converging decisions (Fashion ID case), that consent for online data processing is not validly expressed through pre-ticked boxes (Planet49 case) and that the European Commission Decision to grant adequacy to the EU-US Privacy Shield framework is invalid as a mechanism for international data transfers, and supplemental measures may be necessary to lawfully transfer data outside of the EU on the basis of Commission-vetted model clauses (in the Schrems II case).
Ever since the enactment of the 1995 EU Data Protection Directive, the CJEU had a prominent role in expanding the scope of protection afforded to individuals by data protection law, in a way that ultimately influenced the text of the GDPR. Some notable examples include landmark rulings on the definition of personal data (in Breyer and Nowak), the lawfulness of transferring data to countries outside of the EU (in Schrems I) and the so-called “right to be forgotten” (in Google Spain).
What are the questions that the Court is asked to clarify next? This overview includes a preview of the most interesting cases where the CJEU is expected to weigh in. The analysis focuses on questions that are relevant from the perspective of commercial data use, meaning that novel questions about personal data processing in the context of law enforcement, passenger name records and national elections have not been included in the overview. Table 1 below contains a list of links to the relevant cases as submitted to the CJEU, allowing for a more comprehensive view.
1. Clarifying essential aspects of personal data protection: right of access; lawful grounds for processing data for targeted advertising
Both the very active Austrian Supreme Court of Justice (Oberster Gerichtshof) and the Austrian Federal Administrative Court (Bundesverwaltungsgericht) have sent questions to the CJEU about the information that controllers are required to hand over in response to data subjects’ access requests.
In March 2021, the former asked the EU’s highest court, in a case involving the Austrian Postal Office, whether under their right of access data subjects must be informed about the categories of recipients of their personal data even in the cases where specific recipients have not yet been determined, but disclosures to those recipients are planned for the future. Or should they only be informed about the categories of recipients with whom personal data was already shared?
More recently, in August 2021, the Federal Administrative Court sought clarifications from the CJEU regarding what obtaining a “copy of the personal data undergoing processing” means. In this respect, the Bundesverwaltungsgericht asks whether such a right entails receiving entire documents/database excerpts in which the personal data are included or a mere “faithful reproduction” of the personal data processed by the controller. If the latter is the case, the referring court also wishes to know if there are exceptions to the rule, for the benefit of data subjects’ comprehension. Lastly, Austrian judges also query whether the information that should be made available to data subjects in a “commonly used electronic format” is only the “copy” of the personal data or also all the elements of Article 15(1) GDPR (e.g., information about the purposes of the processing and data retention periods).
Two very complex sets of questions in cases involving processing of data for targeted advertising purposes on social media have also reached the CJEU in 2021. The Court’s answers are likely to shape the future of how social media companies and online advertising businesses process personal data in the EU.
The first one, from April, comes from the Higher Regional Court of Düsseldorf, Germany (Oberlandesgericht Düsseldorf), in a first case of its kind, combining antitrust and data protection enforcement (see also Section 3 below). In a case involving Facebook, the German court asks the CJEU if data collection through user interfaces placed on third party websites or apps that relate to Article 9(1) GDPR protected attributes (e.g., political party or health-related outlets) counts as processing special categories of data. Should people that visit such websites or apps or use the company’s plugins therein (e.g. “Like” buttons) be considered to have manifestly made their sensitive data public? As the European Data Protection Board (EDPB) has already provided guidance on these matters, it will be interesting to see to what extent the CJEU will endorse the EDPB’s interpretation or diverge from it.
The Oberlandesgericht Düsseldorf also seeks to clarify whether personal data may be lawfully collected and combined by the company when obtained from other Facebook Group services and third-party websites/apps to offer personalised content and advertising, under the “contract” or “legitimate interests” legal bases. In parallel, the court asks the CJEU to rule on whether GDPR-compliant consent may be effectively and freely expressed by users “to a dominant undertaking”.
These last questions resemble others that were posed more recently by the Austrian Oberster Gerichtshof. On July 20, 2021, the court essentially asked the CJEU (see an unofficial translation of the questions) to clarify whether the social media platform can rely on “contract” as lawful ground for processing personal data for personalized advertising, or whether it should rely on consent of its users under the GDPR (by asking against which of these two lawful grounds should the wording of its terms and conditions be assessed).
In addition to the consequential question about the appropriate lawful ground in this particular context, the Austrian court also invited the CJEU to clarify how the data minimisation and purpose limitation principles as provided by the GDPR should apply in the context of personalised online advertising, in particular when it comes to sensitive data.
2. Accountability and due diligence
The German Federal Labour Court’s (Bundesarbeitsgericht) reference of October 2020 invites the CJEU to shed light on the circumstances that may lawfully lead organisations to dismiss their appointed Data Protection Officers (DPOs). The EDPB DPO guidelines state that “a DPO could still be dismissed legitimately for reasons other than for performing his or her tasks as a DPO (for instance, in case of theft, physical, psychological or sexual harassment or similar gross misconduct)”. With this reference, the German court seeks to understand whether the CJEU shares the same view and, if so, whether Article 38(3) GDPR would preclude a German provision that forbids employers from terminating the employment relationship with their DPOs in all cases, including for reasons other than the performance of the latter’s tasks.
Additionally, the referring court asks the CJEU whether the GDPR limitations on dismissal also apply to those DPOs who are appointed pursuant to a domestic law obligation, where the GDPR itself does not require their appointment.
Looking at a different accountability-related obligation, in a June 2021 reference, the Bulgarian Supreme Administrative Court (Varhoven administrativen sad) wishes to know if the mere occurrence of a data breach is sufficient to ascertain that the controller has not implemented appropriate technical and organisational measures to prevent the breach. In case of a negative answer, the CJEU is asked to further provide a benchmark against which national courts may assess the appropriateness of the implemented measures.
3. Administrative enforcement: How far can DPAs go and do antitrust authorities play a role?
In a set of questions from March 2021, the Budapest Regional Court (Fővárosi Törvényszék) aims to ascertain how far the GDPR-prescribed independence and corrective powers of Data Protection Authorities (DPAs) go. While it seems to be clear that individuals and companies have a right to lodge a judicial appeal against DPAs’ decisions or their inaction (see Article 79 GDPR), the Hungarian court highlights situations where both DPAs and courts are simultaneously called by individuals to assess the lawfulness of the same data processing operations.
Should DPAs have priority competence to determine GDPR infringements? Or should both DPAs and Courts independently examine the existence of an infringement, possibly arriving at different conclusions? May a DPA find a GDPR breach where, in parallel proceedings, a court has found that there was no such breach? The CJEU is thus expected to clarify how the ne bis in idem principle manifests under the complex enforcement system of the GDPR.
In another case already mentioned above (see Section 1), the Oberlandesgericht Düsseldorf seeks to clarify the fundamental question of how antitrust law enforcement and data protection rules interact and whether antitrust regulators may play a role in safeguarding data protection law as part of antitrust proceedings.
This case started from a 2019 decision of the German federal antitrust authority (Bundeskartellamt) against Facebook. The authority found a breach of German competition law with regard to abuse of market dominance by also relying on GDPR provisions in its assessment. These findings primarily concerned rules around valid consent for combining personal data across several services of the social media company. One of the measures imposed by the authority was a prohibition to collect user and device related data obtained from the use of its affiliated services, as well as from visits to third-party websites or apps without valid consent from users.
Facebook appealed the decision before German courts, with the court of appeal (Oberlandesgericht Düsseldorf) expressing doubts on the legality of the decision of the antitrust regulator, and deciding to suspend its effects as an interim measure until the matter is decided on substance. In return, the German Federal Court of Justice’s antitrust division overturned this interim measure of the court of appeal, and decided that the prohibition ordered by Bundeskartellamt can be enforced while judicial proceedings are ongoing, before sending the case back to Düsseldorf to be decided on substance.
The court in Düsseldorf suspended proceedings and asked the CJEU to clarify a number of essential questions (see also Section 1 above). In this context, can the Bundeskartellamt determine a GDPR breach by the company investigated in antitrust proceedings and order its correction, given that the regulator is not a supervisory authority under the Regulation, let alone the lead one? The referring Court noted that the Irish Data Protection Commissioner – as the lead DPA of the company – was already investigating alleged GDPR breaches relevant for this case.
4. Judicial redress: Can competitors engage in representative actions? And do “worries” and “fears” count as non-material damages?
An interesting question posed by the Austrian Supreme Court of Justice in December 2020 relates to whether persons other than harmed data subjects may initiate judicial proceedings for GDPR breaches against the infringer. The Austrian court wishes to know if Article 80(2) GDPR allows competitors, associations, entities and Chambers to sue, regardless of invoking specific data subjects’ rights infringements and the latter’s mandate, in cases where such bodies are entitled to initiate proceedings under national consumer law.
On such matters, the literature argues that Article 80(2) leaves it up to Member-States to determine whether non-profits with public interest statutory objectives and which are active in the defense of data subjects’ rights may bring own-initiative proceedings in their territory. Thus, it will be particularly interesting to see how the CJEU views the ability of competitors to sue other companies in putative defense of data subjects’ collective interests, notably in the absence of alleged infringements of individuals’ rights.
In May 2021, the Oberster Gerichtshof (Austria) asked important questions to the CJEU related to non-material damages under the GDPR: can courts attribute compensation to data subjects where a GDPR provision has been infringed, but the data subjects have not suffered harm? And, if demonstrating harm is necessary, does Article 82 GDPR require data subjects’ non-material damages to go beyond the mere nuisance or discomfort caused by the infringement?
Just a month later, the Bulgarian Supreme Administrative Court went further and asked whether data subjects’ worries, fears and anxieties caused by a confidentiality breach involving personal data qualify as non-material damages which entitle them to compensation, even where data misuse by third parties has not been established and/or data subjects have not suffered any further harm.
According to its 2020 Annual Report, the average length of proceedings at the CJEU was 15.4 months in the past year. Therefore, it will take a while before the Court clarifies the questions summarized above – and it should be expected that for the very complex ones that raise novel issues, like the interaction between antitrust and data protection law, the proceedings will be longer than average. This overview of questions for preliminary rulings in any case indicates that while there are many GDPR provisions that need clarification, some of the most intricate issues raised by complex personal data processing and how data protection law applies to them have now reached the top court in the EU.
Table 1 — Pending data protection questions sent to the CJEU
|Subject-Matter||Date||Requesting court||Relevant provision(s)|
|Online publication of private interests declarations||April 28, 2020||Vilniaus apygardos administracinis teismas (Lithuania)||Article 6(1) and (3) GDPR; Article 9(2)(g) GDPR|
|Internet search engine de-referencing||September 24, 2020||Bundesgerichtshof (Germany)||Article 17(3) GDPR|
|DPO independence and employment termination||October 21, 2020||Bundesarbeitsgericht (Germany)||Article 38(3) GDPR|
|Publication of beneficial owners’ information under the AML Directive||November 13, 2020||Tribunal d’arrondissement (Luxembourg)||Article 5(1)(a), (b), (c) and (f) GDPR; Article 25(2) GDPR; Chapter V GDPR|
|Ability of competitors and associations to sue for GDPR breaches, without a data subject mandate||December 22, 2020||Oberster Gerichtshof (Austria)||Article 80(1) and (2) GDPR; Article 84(1) GDPR|
|Employee data processing under national law||January 20, 2021||Verwaltungsgericht Wiesbaden (Germany)||Article 88(1) and (2) GDPR|
|Purpose/storage limitation and parallel databases||February 8, 2021||Fővárosi Törvényszék (Hungary)||Article 5(1)(b) and (e) GDPR|
|Publication of subscribers’ data in public directories: consent, erasure and accountability||March 2, 2021||Hof van beroep te Brussel (Belgium)||Articles 12(2) and 2(f) ePrivacy Directive; Articles 5(2), 7, 17(1) and (2), 24 and 95 GDPR|
|Conflicts between parallel supervisory authority and court decisions||March 3, 2021||Fővárosi Törvényszék (Hungary)||Articles 77(1) and 79(1) GDPR; Articles 51(1), 52(1) and 58(2)(b) GDPR|
|Disclosing recipients in the context of access requests||March 9, 2021||Oberster Gerichtshof (Austria)||Article 15(1)(c) GDPR|
|Monitoring of GDPR breaches by competition authorities; special category data “manifestly made public” by the data subject; legal basis for social media providers collecting 3rd party data; definition of “legitimate interests”||April 22, 2021||Oberlandesgericht Düsseldorf (Germany)||Chapter VI GDPR, with a specific mention to Article 56(1); Article 9(1) and (2)(e) GDPR; Article 6(1), 4(11) and 9(2)(a) GDPR|
|Compensation in the absence of harm||May 12, 2021||Oberster Gerichtshof (Austria)||Article 82 GDPR|
|Data (confidentiality) breaches and liability; concept of non-material damage||June 2, 2021||Varhoven administrativen sad (Bulgaria)||Articles 5(2), 24 and 32 GDPR; Articles 82(1), (2) and (3)|
|Data as remuneration; legal basis for online behavioural advertising; special categories of data||July 20, 2021||Oberster Gerichtshof (Austria)||Article 5(1)(b) and (c) GDPR; Article 6(1)(b) GDPR; Article 9(1) and (2)(e) GDPR|
|Credit scoring: profiling, legal basis and transparency [the questions to the CJEU have not been published yet]||August 9, 2021||Bundesverwaltungsgericht (Austria)||Article 4(4) GDPR; Article 6(1)(f) GDPR; Article 15(1)(h) GDPR [to be confirmed]|
|Right to obtain a copy of the personal data pursuant to an access request (see also HERE)||August 9, 2021||Bundesverwaltungsgericht (Austria)||Article 12(1) GDPR; Article 15(1) and (3) GDPR|
|Processing of health data; cumulation of lawful grounds for processing sensitive data; non-material damages||August 26, 2021||Bundesarbeitsgericht (Germany)||Article 6(1) GDPR; Article 9(2)(h) and (3) GDPR; Article 82(1) GDPR|
|Is the collection and retention of publicly available data by a credit agency against the lawfulness and storage limitation principles?||August 31, 2021||VG Viesbaden (Germany)||Article 5(1)(a) and (e) GDPR; Article 6(1)(f) GDPR; Article 17 GDPR; Article 40 GDPR; Articles 77 and 78 GDPR.|