Subject matters
Three recent CJEU rulings will require substantial modernisation and reform of many of Ireland’s public-register digital portals. Duncan Grehan explains.
Article 15 of the GDPR is entitled ‘Right of access by the data subject’. The Court of Justice of the EU has recently explained:
- Anyone has the right to know who has checked personal data (in its ruling on 12 January in Case C-154/21, RW v Oesterreichische Post AG),
- The scope of the right to get a copy (ruling of 4 May 2023 in Case C487/21), and
- The protection of such data rights and the right to compensation when breached (on 4 May, Case C-300/21).
My May 2023 Gazette article (‘Who’s been checking your data?’, p54) queried, among other things, the right to access Ireland’s public registers in the light of the RW v Oesterreichische Post ruling.
The two further CJEU rulings, on 4 May, provided wider explanations on the right for any ‘natural person’ to ‘a copy’ of personal data ‘information’ held by its controller. It considered, in depth, article 15 of the GDPR on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
The first ruling in May concerns one’s right to a copy of one’s personal data held by its controller; the second defines the right to have the member-state court determine whether one is entitled to compensation, even for non-material damage suffered by an infringement of your right to your personal data and to its protection.
Preliminary applications
For preliminary ruling applications under article 267 of the Treaty on the Functioning of the EU that concern intellectual-property legal questions, the CJEU offers the hearing services of several chambers of its court, unlike for the interpretation of other issues of EU law that are also referred to it by any member-state court on foot of the article 267 pathway.
In this way, on the same day, the first chamber and the third chamber of the CJEU issued rulings on the scope of data-protection rights, summarised below.
The availability of several CJEU chambers assists the processing and progress of IP-related applications, as many applications (whether relating to IP or other subjects) can often be thrown out for inadmissibility, on grounds like the interpretation of the law in question having been already answered in another earlier application, or the legal question being not broadly important enough for its clarification by the CJEU.
In its official recommendations (latest edition 2019) on its procedures to the national courts, it states that this type of application should only be made “when, in a case before a national court, a question of interpretation that is new and of general interest for the uniform application of EU law is raised, or where the existing case law does not appear to give the necessary guidance to deal with a new legal situation”.
Noteworthy is the recognition for special procedural consideration to “expedited and urgent” referrals. All referral applications concerning all law-issue types are free of charge.
First Chamber ruling
In Case C487/21, the CJEU’s First Chamber received a request for a preliminary ruling under article 267 TFEU from the Austrian Federal Administrative Court in proceedings entitled FF v Österreichische Datenschutzbehörde, with an intervening applicant party, CRIF GmbH.
CRIF GmbH’s business is to provide its clients with creditworthiness reports on third parties. A complaint had been filed by an individual (‘FF’) with the Austrian Data Protection Authority that CRIF had not provided a complete copy of the personal data to FF, the complaining third party, when requested.
The matter then went before the Federal Administrative Court, which, in its referral to the CJEU, sought clarification of the scope of the article 15(3) GDPR provision of the right to ‘a copy’.
After considering the observations submitted on behalf of the complainant, FF, and those of Mr Max Schrems, as well as the earlier opinion of Advocate General Pitruzella (15 December 2022) and observations from several other countries, the CJEU (First Chamber) ruled that the first sentence of article 15(3) with regard to the processing of personal data, and on the free movement of such data, “must be interpreted as meaning that the right to obtain from the controller a copy of the personal data undergoing processing means that the data subject must be given a faithful and intelligible reproduction of all those data. That right entails the right to obtain copies of extracts from documents or even entire documents or extracts from databases which contain, inter alia, those data, if the provision of such a copy is essential in order to enable the data subject to exercise effectively the rights conferred on him or her by that regulation, bearing in mind that account must be taken, in that regard, of the rights and freedoms of others”.
The third sentence of article 15(3) “must be interpreted as meaning that the concept of ‘information’ to which it refers relates exclusively to the personal data of which the controller must provide a copy pursuant to the first sentence of that paragraph”.
In his December 2022 opinion, considered by the court, AG Pitruzella had written: “It should be borne in mind that it is settled case law that, for the purpose of interpreting a provision of EU law, it is necessary to consider not only its wording, but also its context and the objectives of the legislation of which it forms part [paragraph 25] … it should be noted that, unlike with the term ‘copy’, the GDPR does explicitly define the concept of ‘personal data’, in article 4(1) of that regulation, according to which personal data are ‘any information relating to an identified or identifiable natural person’ [paragraph 32].
The scope of the concept of ‘personal data’ resulting from that definition is very broad. As can be inferred from the court’s case law, the use of the expression ‘any information’ in that definition reflects the aim of the EU legislature to assign a wide scope to that concept” [paragraph 33].
“The choice on the part of the controller to provide, where possible, a compilation of the personal data undergoing processing cannot, therefore, warrant some data being omitted or provided incompletely or not reflecting the reality of the processing” [paragraph 44].
No unconditional right
Also on 4 May, the Third Chamber of the CJEU delivered its much-anticipated judgment in Case C-300/21, UI v Österreichische Post AG (the ‘Austrian Post case’). It is the first CJEU judgment to address the issue of non-material damage under article 82 GDPR.
The court observed that “it is important to note that the fourth sentence of Recital 146 of the GDPR states that the rules laid down by the GDPR apply without prejudice to any claims for damages deriving from the violation of other rules of EU or member-state law [paragraph 41]. In the light of all of the foregoing reasons, the answer to Question 1 is that article 82(1) of the GDPR must be interpreted as meaning that the mere infringement of the provisions of that regulation is not sufficient to confer a right to compensation [paragraph 42]”.
In consideration of Recital 12 of the GDPR, the CJEU, obiter, noted the duty when applying the law “to ensure a consistent and high level of protection of natural persons with regard to the processing of personal data within the European Union and, to that end, to ensure consistent and homogeneous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data throughout the European Union”.
The CJEU (Third Chamber) ruled that:
1) The GDPR “must be interpreted as meaning that the mere infringement of the provisions of that regulation is not sufficient to confer a right to compensation”,
2) Article 82(1) of Regulation 2016/679 “must be interpreted as precluding a national rule or practice which makes compensation for non-material damage, within the meaning of that provision, subject to the condition that the damage suffered by the data subject has reached a certain degree of seriousness”, and
3) Article 82 of Regulation 2016/679 “must be interpreted as meaning that, for the purposes of determining the amount of damages payable under the right to compensation enshrined in that article, national courts must apply the domestic rules of each member state relating to the extent of financial compensation, provided that the principles of equivalence and effectiveness of EU law are complied with”.
In this Austrian Post ruling, the CJEU provided more detailed explanation as to the conditions to compensation rights: “the sixth sentence of Recital 146 of the GDPR states that that instrument is intended to ensure ‘full and effective compensation for the damage they have suffered’ [paragraph 57] … in view of the compensatory function of the right to compensation under article 82 of the GDPR, as the advocate general pointed out, in essence, in points 39, 49 and 52 of his opinion, financial compensation based on that provision must be regarded as ‘full and effective’ if it allows the damage actually suffered as a result of the infringement of that regulation to be compensated in its entirety, without there being any need, for the purposes of such compensation for the damage in its entirety, to require the payment of punitive damages [paragraph 58]”.
Reform required
From these three rulings, substantial modernisation and reform of many of Ireland’s public-register digital portals and an increase in the registers’ trained human-resources personnel is required.
This is needed to ensure that Ireland complies with the EU law standards on the personal-data access rights of anyone requesting a copy, seeking to establish any infringement of their data rights being protected, and to gain compensation for all damage actually suffered.
Reform is needed to enable enforcement, and remedial steps are also required against private controllers. Where data errors or shortfalls arise in reply to a request, or loss or injury is proven in consequence of data-protection law breaches, fair access to justice requires simple cost-free remedies.
Look it up
CASES:
- Facebook Ireland and Schrems (Case C-311/18, 16 July 2020)
- FF v Österreichische Datenschutzbehörde, intervening party: CRIF GmbH (Case C487/21, 4 May 2023)
- RW v Oesterreichische Post AG (Case C-154/21, 12 January 2023)
- UI v Österreichische Post AG (Case C-300/21, 4 May 2023)
LEGISLATION:
Duncan Grehan is a solicitor and a member of the Law Society’s EU and International Affairs Committee.
Read and print a PDF of this article here.
Duncan Grehan
Duncan Grehan is a member of the Law Society’s EU and International Affairs Committee