Compensation Claims
Article 82 of the GDPR, along with the Data Protection Act 2018, allows data subjects or non-profit organisations mandated to act on their behalf, to take compensation claims for material or non-material loss suffered as a result of a breach of the GDPR. However, uncertainty prevails as to the scope of the right to compensation for non-material damage.
On 6 October 2022, the Advocate General at the CJEU issued an Opinion in the Österreichische Post AG case (Case C-300/21) that a mere violation of the GDPR is not sufficient to recover compensation. Proof of material or non-material damage must be also provided by the claimant. In addition, compensation for non-material damage does not cover mere upset which the person concerned may feel as a result of a violation of the GDPR. If the CJEU follows this opinion, it would be welcome news for companies, as it would raise the bar for successful damages claims for non-material loss.
On 23 January 2023, the Irish Circuit Court, in the case of Cunniam v Parcel Connect Limited & Ors, granted a stay on proceedings brought by a data subject where only non-material damages have been alleged, pending six decisions awaited from the CJEU relating to non-material damage (including the CJEU's decision in the Österreichische Post AG case). The Court held that not granting the stay would substantially prejudice the defendants’ case, and would lead to the risk of an irreconcilable judgment being produced by the Court.
Data Protection Officers ("DPOs")
The CJEU decision in X-Fab (Case C-453/21) provides guidance on how to determine whether a conflict of interest arises in respect of the role of Data Protection Officer and when a DPO may be lawfully dismissed. In this case, an employee, who performed the role of DPO and also worked as council chair, was dismissed at the direction of the State DPA due to a potential conflict of interest between these roles. The employee claimed that the dismissal was void due to protective employment provisions under German law, and the German court referred the matter to the CJEU.
Article 38(6) GDPR acknowledges that a DPO may fulfil other tasks and duties, provided such other tasks and duties do not result in a conflict of interests. The CJEU held that an assessment of whether a conflict of interests exists must be carried out on a case by case basis, in light of all the relevant circumstances, in particular the structure of the organisation. However, DPOs cannot be entrusted with tasks or duties which would result in them “determining the objectives and methods of processing personal data on the part of the controller or processor".
Article 38(3) of the GDPR further states “[a DPO] shall not be dismissed or penalised by the [organization] for performing his tasks”. The CJEU held that member states, such as Germany, are free to lay down more protective provisions provided they do not undermine the GDPR’s objectives. However, a national law which prevents the dismissal of a DPO who is unable to carry out their role in an independent manner because of a conflict of interest would be incompatible with the GDPR.
The EDPB recently announced that it has selected the designation and position of the DPO role as the focus for its next coordinated pan-EU enforcement action. It would therefore be prudent for organisations to take steps to review their DPO function. It is natural for jobs and roles to evolve over time, so organisations which have appointed a DPO should take steps to ensure that their DPO is not also entrusted with tasks or duties which conflict with the performance of their DPO obligations.
International transfers
In January 2023, the DPC referred its draft decision in relation to the lawfulness of Meta's EU-US transfers to the European Data Protection Board ("EDPB") under the Article 65 dispute resolution process, after it was unable to resolve objections from other EU data protection authorities. The dispute resolution procedure comes as the EU considers a draft adequacy decision for the Data Protection Framework ("DPF").
The DPF is expected to be finalised and adopted by Summer 2023, which will mark three years since the invalidation of its predecessor, the EU-US Privacy Shield. The DPF and accompanying US Executive Order aims to address the concerns raised by the European Court of Justice in Schrems II. In particular, they provide binding safeguards that limit access by US intelligence services to what it is necessary and proportionate to protect national security, and establishes an independent and impartial redress mechanism, including a new Data Protection Review Court. Although a finalised adequacy decision is expected later this year, many organisations may continue entering into the standard contractual clauses and conducting transfer impact assessments due to the likelihood of the DPF being further challenged by privacy advocates such as NOYB or others before the CJEU in the future.
Following public consultation, on 23 February 2023, the EDPB have also issued their finalised Guidelines 05/2021 on the interplay between Article 3 and Chapter V GDPR. The guidelines provide some welcome clarity in regard to what constitutes a 'transfer' requiring compliance with the international transfer rules set out in Chapter V of the GDPR.
Data Subject Access Requests ("DSARs")
Over the past year, the EDPB and DPC have each published guidelines on the right of access to help controllers understand the scope of their obligations under Article 15 GDPR (available here and here). Whilst these non-binding guidelines are informative, in many ways they raise the bar in regard to what is expected from controllers when responding to access requests. Two issues, in particular, are worth noting.
First, the draft EDPB guidelines reject any proportionality limit with regard to the efforts a controller has to expend on responding to a DSAR. This is surprising as to date there have been strong grounds to believe that a controller is only required to take reasonable and proportionate steps to search for personal data in line with the EU principle of proportionality. It remains to be seen if this approach will be endorsed in the finalised guidelines. In contrast, the DPC guidelines state that controllers are not obliged to conduct searches which go beyond what is reasonable in terms of time and money, taking into account the circumstances of the case.
Second, both sets of guidelines indicate that in order to meet the information requirements in Article 15(1) and (2) GDPR it is not sufficient for companies to provide a copy of, or link to, or extract of their privacy notice, when responding to access requests. Rather, organisations are required to update and tailor the information in the privacy notice to reflect the processing operations carried out with regard to the data subject making the request. A recent ruling from the CJEU ( Case C-151/21) supports this view. This will unfortunately make responding to access requests a more burdensome task for many organisations.
Further cases regarding the scope of the right of access under Article 15 GDPR are currently pending before the CJEU which should provide greater clarity on the scope of the right of access.
Resources:
Cookie Compliance
Cookie compliance continues to be an enforcement trend. In January 2023, the EDPB Cookie Banner Task Force published a report which provides some tips on how to comply with the cookie rules in the ePrivacy Directive. The Report was issued following complaints from NOYB, and investigations by EU DPAs in relation to certain companies' cookie banners and policies. In light of the report and continued enforcement of cookie rules by EU DPAs across Europe, it would be prudent for organisations to revisit their cookie practices to ensure they comply with the cookie rules and expectations of Regulators.
Deceptive Design Patterns in Social Media Platform Interfaces
The EDPB have published finalised Guidelines 03/2022 on deceptive design patterns in social media platform interfaces. The guidelines offer practical recommendations to designers and users of social media platforms on how to assess and avoid deceptive design patterns that violate the GDPR. Deceptive design patterns are interfaces and user journeys implemented on social media platforms that attempt to influence users into making unintended, unwilling and potentially harmful decisions, regarding the processing of their personal data. The guidelines provide examples of deceptive design pattern types, present best practices for different use cases and contain specific recommendations for designers of user interfaces that aim to facilitate the effective implementation of the GDPR.
European Data Protection Board Agenda for 2023
The European Data Protection Board ("EDPB") recently published its 2023-2024 work programme. In particular, the EDPB intends to publish guidance on a list of topics, including: Legitimate Interest; Children’s Data; Processing of data for Medical and Scientific Research Purposes; Anonymisation and Pseudonymisation. The EDPB further indicated its intention to develop guidance on the interplay between the proposed EU Artificial Intelligence Act and the GDPR, along with updated guidance on the right of access, identifying lead supervisory authority and breach notification. Organisations should familiarise themselves with these guidelines once published, as they set out the expectations of EU DPAs, in regard to GDPR compliance requirements.
The EDPB will also continue to prioritise effective enforcement and cooperation between European data protection authorities such as by supporting their work on cases of strategic importance.
Separately, the European Commission has launched an initiative to improve and streamline cooperation between EU data protection authorities when enforcing the GDPR in cross-border cases. Little is known of the initiative so far, other than the fact that it aims to harmonise aspects of administrative procedure applied by national DPAs in cross-border cases. The initiative likely follows on from the EDPB's letter to the European Commission of 10 October 2022, which contained a list of procedural aspects that could benefit from further harmonisation at EU level. The list includes, amongst other issues, the status and rights of parties to administrative procedures; procedural deadlines; requirements for admissibility or dismissal of complaints; investigative powers of Supervisory Authorities; and the practical implementation of the cooperation procedure.