Since the introduction of the General Data Protection Regulation (GDPR), many questions have arisen regarding the interpretation of its provisions. In case of doubt about the interpretation of GDPR provisions, national courts must refer their questions to the CJEU, so that it can provide uniform guidance on the respective matter. Recently, a number of important questions regarding the GDPR have been referred to the CJEU. This article gives an overview of the proceedings and their relevance for data protection practice.
Questions to be decided by the CJEU
In particular, the ruling on the following questions is of great importance for data protection practice:
- Is personalised advertising on Facebook performed without a legal basis?
- Does Facebook violate the principle of data minimisation?
- Must damage reach a certain degree of significance before non-material damage can be claimed under Art. 82 (1) GDPR?
- Can a lack of responsibility of the controller or processor be taken into account when assessing the amount of damages under Art. 82 (1) GDPR?
- Are general prevention aspects to be included in the assessment of the amount of non-material damage under Art. 82 (1) GDPR?
- What is the scope of the right to access from Article 15 GDPR?
- Does the fact that unauthorized disclosure of or access to personal data has occurred by persons who are not employed in the administration of the controller and are not subject to its control indicate that the technical and organizational measures are not adequate?
- Does credit scoring by the German credit scoring agency SCHUFA violate Art. 22 GDPR and thus the protection against automated decision-making?
- Can consumer associations bring GDPR claims on behalf of individuals, even without claiming a specific rights violation and without being mandated by data subjects?
Legality of Facebook’s practices under the GDPR
Several plaintiffs, including privacy advocate Max Schrems, brought a case before the Austrian Federal Court alleging that Facebook has no legal basis for processing personal data for personalised advertising. To attract paying advertisers to the platform, Facebook collects data about its users, which it uses to display customised advertising to them based on the preferences and interests that can be derived from the user’s profile or click behaviour.
According to Art. 6 (1) GDPR, any data processing requires a legal basis. Valid consent (Art. 6 (1) (a) GDPR) with regard to personalized advertising was not given by the Facebook users, as the requirements of the GDPR for free and informed consent were not met. However, Facebook argues that their data processing is necessary for the performance of the contract with the user, Art. 6 (1) (b) GDPR. In return, the use of Facebook is free of charge.
To claim necessity for the performance of the contract as legal basis, it would be required that the processing for personalised advertising is objectively necessary for the user’s contract of use with Facebook. An opinion of the European Data Protection Board (EDPB) casts doubt on that in Facebook’s case. According to the EDPB, Art. 6 (1) (b) GDPR should be interpreted strictly and therefore only cover processing that is genuinely necessary for the respective contract. By contrast, unilaterally imposed processing should not be covered by the provision. The fact that the processing purposes are mentioned in the terms and conditions does not render them necessary for the performance of the contract. Whether the CJEU shares these doubts in the case of Facebook’s user agreement remains to be seen.
In addition, the CJEU has to answer the question of whether Facebook also violates the principle of data minimisation (Art. 5 GDPR). Facebook collects sensitive user information of all kinds (e.g., political opinions) not just based on profile details but also on user click and like behaviour. Service providers used by Facebook can evaluate the data, e.g. with the help of artificial intelligence, to use them for personalised advertising, like election advertising.
This practice could violate the requirement of data minimisation, which might force Facebook to filter out such sensitive data. In addition, particularly sensitive data may only be processed pursuant to Art. 9 (2) (e) GDPR, if they have evidently been made public by the data subject. However, it is questionable whether this applies to statements users share on Facebook, e.g. statements on their profile.
The CJEU also has to rule on the question of whether the concept of non-material damage in Art. 82 (1) GDPR covers any impairment caused by a GDPR violation, irrespective of its significance. The basis for this referral is a case in which the plaintiff had received two unlawfully sent advertising letters. The plaintiff argues that the defendant thereby unlawfully processed his personal data and therefore claims compensation for his non-material damage pursuant to Art. 82 (1) GDPR.
Generally, the GDPR does require significance of damages. Moreover, the objective of the GDPR supports a broad understanding of the concept of damage. However, de minimis thresholds are often derived from general legal principles. In addition, Recital 85 of the GDPR refers to “significant economic or social disadvantages” in regard to damages, which could indicate that at least minor damages should be excluded from compensation.
The CJEU’s decision will have a significant impact on whether and how many claims for damages will be brought under the GDPR.
Relevance of the degree of responsibility in damages
The CJEU will also decide on a question referred by the German Federal Labour Court. The Court is unsure whether the degree of responsibility of the controller or processor is relevant when assessing the amount of the non-material damage to be compensated on the basis of Art. 82(1) GDPR. In particular, it is asked whether a lack of responsibility or minor responsibility of the controller or processor may be taken into account in their favour.
A reference point could be Article 82 (3) of the GDPR, which provides that the controller or processor shall only be exempted from liability “if it proves that it is not in any way responsible for the event giving rise to the damage”.
If the CJEU rules that a lack of responsibility can be taken into account in favour of the controller or processor, this will reduce the amount of damages in the future in many cases.
Consideration of aspects of general prevention in the amount of damages
Another question referred to the CJEU by the German Federal Labour Court is whether Art. 82 (1) GDPR also has a general preventive function and whether this function must be taken into account when assessing the amount of the non-material damage to be compensated on the basis of Art. 82 (1) GDPR.
Traditionally, claims for damages only compensate for the actual damage caused to the individual as a result of a violation of law (e.g. the GDPR) or contract. However, according to Recital 146 GDPR the concept of damage should be interpreted broadly and in a way that fully reflects the objectives of the GDPR. Therefore, it is sometimes argued that claims for damages should not only compensate the resulting disadvantages but also act as a deterrent. Damages would then also have a general preventive function.
If the CJEU rules that Art. 82 (1) GDPR also has a general preventive function, this could lead to much higher damages in the future.
Scope of the right to access
Another question referred from a court in Finland to the CJEU concerns the scope of the right to access under Art. 15 (1) GDPR. The court has to decide whether data subjects can also request information about who processed the data subject’s personal data, when and for what purpose as part of their right to access. In this case the court has to assess whether this kind of data also constitutes “personal data” of the data subject. This question is particularly relevant because it would concern data about employees of the controller.
Sufficiency of technical and organisational measures
The CJEU also must address the question of whether the fact that unauthorised disclosure of or access to personal data has occurred by persons who are not employed in the administration of the controller and are not subject to its control indicates that the technical and organisational measures of the respective organisation are not adequate.
This issue is of considerable practical importance, as this could mean that controllers can already be held liable if third parties succeed in gaining access to personal data in their possession.
Schufa credit scorings
Another question referred to the CJEU concerns Schufa (credit) scorings. The German company creates consumer credit scorings, which its clients use to assess the risk of default of potential customers. The scoring can in itself already lead to a decision about the granting of a loan or an online purchase. Hence, the CJEU has to determine whether those scorings constitute solely automated decision-making and therefore violate Art. 22 GDPR.
Filing of GDPR claims by consumer associations
Based on a case brought against Facebook by the Federation of German Consumer Organizations, the German Federal Court of Justice asked the CJEU to decide whether consumer protection associations can bring GDPR claims on behalf of individuals, even without being mandated by them.
While the judgement is yet to come, CJEU Advocate General Richard de la Tour recently issued an opinion in which he proposed the admissibility of cases brought by consumer groups. In his view, the CJEU should interpret the GDPR as not precluding national legislation that allows consumer groups to bring cases against parties that are allegedly in violation of data protection law, provided that the goal of the representative action is to ensure observance of the rights which the persons affected by the respective processing derive directly from that regulation.
This question is of great practical importance, as it could help address the imbalance of power between data-processing companies and data subjects. While individuals often have limited resources and therefore frequently refrain from challenging decisions, consumer associations usually have more resources to ensure that consumer rights are enforced.
Lasting impact of the CJEU’s decisions
The decisions of the CJEU on the above-mentioned questions will have a lasting impact on data protection practice. Therefore, it will be exciting to see what the outcome of the proceedings will be. We will keep you updated!