An overview of two recent CJEU cases on data privacy
On May 2023, the Court of Justice of the European Union (CJEU) issued two decisions regarding the interpretation of key aspects of the General Data Protection Regulation (GDPR): the right to compensation and the right of access. Below is a concise summary of these cases.
In Case C-300/21 (UI v Österreichische Post AG), the CJEU deliberated on the issue of non-material damage compensation as defined in Article 82 of the GDPR, establishing that the mere violation of the GDPR does not automatically warrant compensation. However, the CJEU also underscored that there exists no prescribed minimum threshold of severity for individuals to be entitled to compensation. In determining the appropriate monetary compensation, national courts are entrusted with the responsibility of applying domestic regulations within each Member State, while ensuring adherence to the fundamental principles of equivalence and effectiveness as mandated by EU law.
To summarize, this CJEU judgment brings some clarity to the matter by establishing that the infringement of the GDPR alone does not automatically entitle a data subject to compensation. The severity of non-material damage incurred does not require a specific threshold to trigger the right to compensation. Instead, the assessment of compensation must be conducted in alignment with the relevant laws of the respective Member State, ensuring a fair and appropriate resolution.
In Case C-487/21 (Österreichische Datenschutzbehörde and CRIF), CJEU conducted an analysis of the GDPR’s right of access, delving into its precise scope. The court’s ruling emphasized that the right to obtain a “copy” of personal data means that the data subject must be given a “faithful and intelligible” reproduction of this data. This includes furnishing copies of document excerpts, complete documents, or segments from databases that contain the requested data, whenever necessary to enable the data subject to effectively exercise their rights under the GDPR. In cases where this obligation potentially clashes with the rights and freedoms of others, a delicate balance must be struck to safeguard the interests at hand. Furthermore, the CJEU interpreted the concept of “information” in the third sentence of Article 15(3) GDPR narrowly, concluding that it refers exclusively to the “copy of personal data undergoing processing”, excluding additional information, such as metadata.
To summarize, it can be concluded that the GDPR does not impose a general obligation on controllers to provide complete copies of documents or databases in response to access requests. Nevertheless, the specific circumstances of each case must be considered, as there may be instances where providing extracts or copies thereof becomes necessary and appropriate to fulfill the rights of data subjects. The approach to such requests should be context-sensitive, ensuring a balanced and proportionate response in line with GDPR principles.
Laura Ghinea, Senior Associate