Understanding Recent CJEU Rulings on EU GDPR: Key Takeaways for Businesses

The European Union General Data Protection Regulation (EU GDPR) has been a cornerstone of data protection and privacy in the digital age. As it approaches its fifth anniversary, recent rulings by the Court of Justice of the European Union (CJEU) have further clarified and expanded upon crucial aspects of the regulation. These landmark decisions provide valuable insights for businesses seeking compliance in the complex landscape of data protection.

1. Accountability Principle: The Heart of Compliance

In Case C-60/22, the CJEU delved into the accountability principle outlined in Article 5(2) of the EU GDPR. The case revolved around a controller's failure to demonstrate compliance with obligations such as the joint responsibility agreement (Article 26) and the processing register (Article 30). The court ruled that while non-compliance with these articles does not inherently constitute unlawful processing, accountability remains paramount. The CJEU emphasized the interconnectedness of the accountability principle with the core principles of 'lawfulness, fairness, and transparency' (Article 5(1)(a)) and the requirements for lawful processing (Article 6(1)). This ruling underscores the necessity for businesses to not only adhere to specific requirements but to holistically design and implement accountable data protection programs.

2. Right of Access: Balancing Transparency and Complexity

Case C-487/21 addressed the right of access under Article 15 EU GDPR. The court tackled the issue of whether providing a summary list of personal data fulfilled a controller's obligations or if providing the actual documents was necessary. The CJEU emphasized that data subjects have the right to a faithful and intelligible reproduction of their data, including documents. Controllers must ensure that the context in which data is provided allows data subjects to comprehend the information fully. Notably, the court highlighted the need to balance the right of access with other interests, such as protecting trade secrets and intellectual property rights of third parties.

3. Compensation for GDPR Violations: A Nuanced Approach

In Case C-300/21, the CJEU addressed compensation under Article 82 EU GDPR. The case arose from unauthorized algorithmic processing of citizens' data. The court ruled that for compensation claims, three conditions must be met: GDPR infringement, material or non-material damage, and a causal link between infringement and damage. The CJEU clarified that non-material harm need not reach a certain threshold of seriousness for compensation rights to apply. However, it left the determination of non-material harm and compensation calculations to individual member state laws. This ruling highlights the need for a nuanced evaluation of harm and compensation and reinforces the role of member state laws in this context.

4. Joint Controllership: Flexibility and Transparency

In Case C-683/21, the CJEU addressed joint controllership of data, particularly in situations lacking clear coordination. The court determined that joint control requires each controller to fulfil Article 4(7) criteria independently and exercise joint influence over processing. Notably, an absence of formal agreements or arrangements does not preclude joint control. The CJEU reminded entities to transparently define responsibilities, with contracts serving as useful tools for compliance. This decision reinforces the importance of understanding joint controllership and the need for transparent documentation of roles and responsibilities.

Conclusion

In conclusion, these CJEU rulings emphasize the ongoing evolution and intricacies of EU GDPR compliance. Businesses must prioritize accountability, transparency, and balancing rights to navigate the complexities of data protection. Staying informed about these recent rulings is essential for organizations aiming to uphold privacy rights, avoid legal pitfalls, and build trust in the digital age.