European court rulings address data protection in the EU
12/05/2023
The Court of Justice of the European Union (CJEU) has made two rulings that attempt to
clarify the extent of data protection in the EU.
The CJEU’s role is to interpret EU law to make sure it is applied in the same way in all of the
bloc’s countries. The CJEU can also, in certain circumstances, be used by individuals,
companies or organisations to take action against an EU institution, if they feel it has
somehow infringed their rights.
The first CJEU ruling dealt with compensation for breaches of the bloc’s General Data
Protection Regulation (GDPR) and effectively says there is no automatic right to damages but
also no threshold for harm.
Significantly, the GDPR does not contain any rules for assessing damages, with the judges
saying it is up to courts in EU Member States to define criteria for determining the extent of
any compensation payable.
The second ruling clarified the nature of information that individuals, exercising GDPR rights
to obtain a copy of data held on them, should expect to receive.
The GDPR compensation ruling follows a referral from an Austrian court where an individual
sought to sue the national postal service for damages after it used an algorithm to predict the
political views of citizens according to socio-demographic criteria without their knowledge or
consent.
The ruling may make it easier to bring class action–style suits seeking compensation for data
protection breaches in the EU. However, the judges ruled that the fact of an infringement of
the GDPR does not automatically give rise to a right of compensation.
The CJEU has also ruled there is no requirement for the nonmaterial damage suffered to reach
a certain threshold of seriousness in order to confer a right to compensation.
The Court ruling press release said that the right to compensation is not limited to non-
material damage that reaches a certain threshold of seriousness. “The GDPR does not contain
any such requirement and such a restriction would be contrary to the broad conception of
‘damage,’ adopted by the EU legislature. Indeed, the graduation of such a threshold, on which
the possibility or otherwise of obtaining that compensation would be liable to fluctuate
according to the assessment of the courts.”
The second ruling revolved around the “faithful” copy of data with the CJEU issuing
clarification around the scope and content of an individual’s right of access under the GDPR to
obtain “a faithful and intelligible reproduction” of their data.
The ruling followed a legal challenge brought by an individual after a business consulting
agency that provides data on the creditworthiness of third parties for its clients had processed
his personal data. The person had asked for a copy of the documents about him “in a standard technical format” but had instead been provided with a list summarising the data, not a
complete copy.
The CJEU’s clarification that the right to a copy of data means a “faithful” copy stating,
“Wherever possible, means of communicating personal data that do not infringe the rights or
freedoms of others should be chosen, bearing in mind that the result of those considerations
should not be a refusal to provide all information to the data subject.”
W Denis Europe arranges comprehensive insurance for EEA based businesses, large and small,
including, Data Protection Infringement Cover, Cyber, Errors & Omissions, Directors & Officers Liability and much more. If you wish to discuss your insurance requirements, please visit
www.wdenis.eu or contact Vida Jarašiūnaitė vida.jarasiunaite@wdenis.eu or Mark Dutton