The European Court of Justice has issued two important decisions interpreting the European Union’s General Data Protection Regulation. One addresses the right to compensation for GDPR violations, and the other addresses the scope of an individual’s right of access when his or her data has been provided by a controller to other recipients. Each decision is discussed below.
Decision One: Right to compensation
Background and facts
The Austrian Post, that country’s leading logistics and postal services provider, collected information on political affinities of individual Austrians using an algorithm based on social and demographic criteria, and then sold the data to organizations for targeted advertising. The applicant, who had not consented to this, alleged that he was offended by the political affinity attributed to him and contended that the collection and processing of data caused him to suffer emotional distress, loss of confidence, and a feeling of exposure. The applicant asked a regional court to enjoin the Post from processing his data and requested a monetary award of 1,000 Euros. The court issued the injunction but denied the compensation claim, saying that the applicant had suffered no harm beyond the emotional distress. The regional court decision was upheld on appeal. According to the appellate court, monetary awards are not available under the GDPR unless the damage meets a certain “threshold of seriousness.”
Given the uncertainties surrounding the scope of Article 82 of the GDPR, which addresses “Right to compensation and liability,” the Supreme Court of Austria decided to stay the proceedings and refer the matter to the European Court of Justice. The Supreme Court specifically requested preliminary rulings on the following issues:
- Whether an applicant must have suffered harm to be entitled to compensation, or whether the GDPR violation itself is sufficient for a monetary award.
- Whether additional requirements under EU law should be considered in addressing compensation.
- Whether the applicant must have suffered more than mere upset to be entitled to an award of monetary damages.
Ruling: There must be some damage for a monetary recovery, but damage doesn’t have to be “serious”
In the view of the court, a violation of the GDPR is not in itself sufficient to confer a right to compensation under Article 82(1) of the GDPR. As the court noted, Article 82(1) of the GDPR clearly states that a violation must cause the applicant to suffer damage before compensation can be awarded, and that there must be a link between the violation and the damage suffered. The court further noted that Article 82(2) clearly states that there is no compensation unless there is a violation, damage, and a “causal link” between the violation and the damage suffered.
Regarding the second question, the court held that the damage resulting from a GDPR violation does not have to be “serious” before compensation can be awarded. The court emphasized that the GDPR does not define the concept of damage, and because of its vagueness, the GDPR should be broadly interpreted to include both material and non-material damage. Nor does the regulation establish a threshold of seriousness. Therefore, a national rule requiring a “seriousness threshold” is precluded by the interpretation of GDPR.
As to the third question, the court held that national courts must apply domestic rules in determining the amount of compensation payable under Article 82(1) of the GDPR, as long as they adhere to the GDPR and its intent. The court emphasized that the GDPR does not establish specific rules addressing compensation of damages.
Decision Two: Right of access to data
Background and facts
The applicant in the second case submitted a request pursuant to Article 15 of the GDPR, to access his personal data stored by Austrian Post and to know the identity of the third parties to whom his data was disclosed. The Post generally responded that it uses the data and discloses it to trading partners for marketing purposes. However, it did not identify the recipients of the data. The applicant brought legal proceedings seeking the identity of the third parties to whom his information had been disclosed. The lower court dismissed the claim on the ground that Article 15(1)(c) of the GDPR allows the controller to inform individuals about the categories of recipients of their data without disclosing the specific recipients. The applicant appealed to the Austrian Supreme Court, which referred the issue to the CJEU for a preliminary ruling.
Ruling: Individual has right to know identities of data recipients . . . usually.
The court concluded that Article 15(1)(c) of the GDPR imposes an obligation on the controller, when responding to a right to know request, to provide the individual with the identities of the recipients when the data has been or will be disclosed. The court acknowledged that Article 15(1)(c) does not provide clear guidance. However, the court emphasized the fact that recital 63 states that individuals have the right to know about the recipients of personal data and does not indicate that this is limited to the categories of the recipients. Applying a principle of transparency, the court ruled that the GDPR gives individuals the right to be informed of the specific recipients of their data, and thus that the controller is obliged to provide such information when a request is submitted.
The court did, however, note one exception to this rule: A controller would not be obliged to provide recipients’ identities if it is impossible to identify them, OR if the controller shows that the request is manifestly unfounded or excessive. In those limited circumstances, the controller would have the option to provide the individual with only the categories of recipients.
Navigating the ever-changing laws of data privacy can be challenging. The Constangy Cyber Team is here to help! Contact us today with questions regarding GDPR at cyber@constangy.com.