GDPR

Subscribe to GDPR via RSS
Stock-Images-Law-Courts-European-Court-of-Justice-Luxemboug-Court-of-European-Union-Law-Exterior

The court determined that mere infringement of the GDPR is insufficient for a damages claim, but that there is no minimum threshold for non-material damages.

By Tim Wybitul, Myria Saarinen, Isabelle Brams, Floriane Cruchet, Camille Dorval, Charlotte Guerin, Lara Nonninger, and Hayley Pizzey

In a recent judgment (Case C-300/21), the Court of Justice of the European Union (CJEU) held that mere infringement of the General Data Protection Regulation (GDPR) is insufficient to claim compensation under Article 82, absent any material or non-material damage suffered by the individual. In relation to non-material damage, the CJEU rejected the concept of a minimum threshold level of damage or harm to the individual.

Article 82 of the GDPR states that any person who has suffered material or non-material damage as a result of a GDPR infringement has the right to receive compensation.

The CJEU’s judgment has the potential to encourage non-material damages claims — whether individual or collective — as it is clear that there is no de minimis threshold for such damages. However, the judgment also holds that mere GDPR infringement is an insufficient basis for non-material damages and therefore the claimant must prove that they suffered damage — albeit not to a standard, European Union-wide minimal threshold. Therefore, the specific impact of this judgment will vary across Member States, depending on applicable domestic law underpinning non-material damages claims more broadly.

Organisations must provide individuals with information on the specific recipients of their data upon request.

By Tim Wybitul, Isabelle Brams, Calum Docherty, and Amy Smyth

The Court of Justice of the European Union (CJEU) has ruled that organisations must generally disclose the specific identity of data recipients on request from an individual in order to give effect to the right of access. Organisations may only limit their response to the mere categories of recipients if they cannot identify the specific recipients or if the request is manifestly unfounded or excessive. The court’s judgment in the case of RW v. Österreichische Post AG (Case C-154/21) follows the opinion given by CJEU Advocate General Giovanni Pitruzzella in mid-2022 (the Opinion). For background on the case and the Opinion, see this Latham & Watkins blog post.

The CJEU’s final ruling could subject companies to direct GDPR enforcement by DPAs notwithstanding national procedural rules, but may rule against strict liability under the GDPR.

By Tim Wybitul, Myria Saarinen, Isabelle Brams, Irina Vasile, and Amy Smyth

On 27 April 2023 Advocate General of the Court of Justice of the European Union (CJEU) Campos Sánchez-Bordona delivered an opinion in which he approved direct enforcement of the General Data Protection Regulation (GDPR) against companies but rejected

Organisations should expect increased scrutiny and enforcement activity around the role of data protection officers in the coming year.

By Gail E. Crawford, Fiona M. Maclean, Ben Leigh, and Amy Smyth

The European Data Protection Board (EDPB) has announced that its coordinated enforcement action for 2023 will focus on the designation and position of data protection officers (DPOs). Each year, the EDPB’s Coordinated Enforcement Framework (CEF) designates a topic EU data protection authorities (DPAs) should focus on. Although participation for any given year is voluntary, the EDPB has stated that this CEF will involve 26 DPAs across the European Economic Area, including the European Data Protection Supervisor.

The proposal provides a uniform basis for secondary research and clarifies uncertainty over implementation and interpretation of the GDPR but also raises many questions.

By Oliver Mobasser and Gail Crawford

On 3 May 2022, the European Commission launched its proposal for a Regulation for the European Health Data Space to “unleash the full potential of health data”. However, questions arise as to whether this proposal is a welcome facilitator of innovation or another burden for research-focussed businesses.

Among other goals

The Advocate General opined that data subjects must prove that they suffered damage from a GDPR breach in order to claim compensation.

By Tim Wybitul, Isabelle Brams, Lara Nonninger, and Hayley Pizzey

Article 82 of the General Data Protection Regulation (GDPR) states that any person who has suffered material or non-material damage as a result of a GDPR infringement has the right to receive compensation. The meaning of non-material damage, in particular, has been debated for some time. Some European courts have been generous in assessing non-material damages to claimants. A number of German courts, for example, have found that loss of control of personal data can amount to damage.[1] A series of cases before the Court of Justice of the European Union (CJEU) also question, among other things, whether damage — or proof of damage — is required at all under Article 82 GDPR.[2]

The bill would largely build on the UK data protection regime’s EU GDPR-style framework, albeit with UK-specific provisions.

By James Lloyd, Fiona M. Maclean, Calum Docherty, Irina Vasile, Alex Ford-Cox, and Amy Smyth

The UK government introduced the Data Protection and Digital Information Bill (the Bill) to Parliament on 18 July 2022, following the publication of its response to the consultation “Data: a new direction” (the Consultation). (For more information on the Consultation, see this Latham blog post.)

The Bill details the government’s proposals for reforming the current UK data protection regime (consisting primarily of the UK Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (UK GDPR)).

This article presents an overview of the proposed changes. In part 2, we provide a deeper dive into certain key provisions.

In summary, the proposed changes — while broad in scope — do not amount to a wholesale change in direction for UK data protection laws. Assuming the Bill is passed without amendment, the UK regime would largely build on the current EU GDPR-style framework, albeit with UK-specific provisions. The changes can be grouped into two categories: (1) a more risk-based / outcome-focused approach and (2) developments in key areas around accountability, data subject rights, security, and legal grounds for processing.

Areas of interest include anonymisation, “recognised legitimate interests”, and the ICO’s role.

By James Lloyd, Fiona M. Maclean, Calum Docherty, Irina Vasile, Alex Ford-Cox, and Amy Smyth

The UK Data Protection and Digital Information Bill (the Bill) sets out the government’s proposals for reforming the current UK data protection regime (consisting primarily of the UK Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (UK GDPR)). While broad in scope, the proposals do not amount to a wholesale change in direction for UK data protection laws. Assuming the Bill is passed without amendment, the UK regime would largely build on the current EU GDPR-style framework, albeit with UK-specific provisions. The changes can be grouped into two categories: (1) a more risk-based / outcome-focused approach and (2) developments in key areas around accountability, data subject rights, security, and legal grounds for processing.

This article provides a deep dive into certain key provisions of the Bill. In part 1, we provide an overview of the proposed changes.

The Advocate General argues that organisations should provide individuals with information on the specific recipients of their personal data.

By Tim Wybitul, James Lloyd, Isabelle Brams, Irina Vasile, and Amy Smyth

Advocate General Giovanni Pitruzzella (AG) of the Court of Justice of the European Union (CJEU) recently delivered an opinion (the Opinion) regarding the interpretation of an individual’s right of access to their data under Article 15 GDPR (often known as a data subject access request, or DSAR/SAR). Specifically, the Opinion addresses an individual’s right to access information about “the recipients or categories of recipient to whom the personal data have been or will be disclosed […]”, pursuant to Article 15(1)(c) GDPR. The AG delivered the Opinion in the context of Case C-154/21 (the Case), which is currently pending before the CJEU.

The EDPB sets out relevant steps and factors that EU supervisory authorities should consider when calculating administrative fines under the GDPR.

By Gail Crawford, Ian Felstead, James Lloyd, Tim Wybitul, Irina Vasile, Sami Qureshi, and Amy Smyth

On 16 May 2022, the European Data Protection Board (EDPB) adopted draft Guidelines 04/2022 on the calculation of administrative fines under the GDPR (Draft Guidelines).[1] The Draft Guidelines are currently subject to public consultation and comments may be submitted until 27 June 2022 (at the latest). The EDPB’s aim is to create a harmonised methodology for the calculation of GDPR fines. All EU supervisory authorities (SAs) must use the same starting points, on the basis of which administrative fines can be subsequently calculated and further tailored for individual cases. The EDPB clearly emphasizes that the Draft Guidelines are not drafted to enable controllers/processors to precisely calculate the expected fine; this determination will rather depend on all the individual circumstances of the case. SAs will need to ensure that fines are effective, proportionate, and dissuasive, taking into account the particularities of each case. While the EDPB acknowledges that SAs retain discretion to account for these particularities, they are clearly expected to follow the methodology set out in the Draft Guidelines.