National Level Legal Dynamics - Selected Cases and GDPR Compliance

Discussing selected legal cases at a national level, notably addressing GDPR compliance issues. Cases involving environmental information, judicial functions, and the vast reach of GDPR. Analysis by various legal experts on the evolving interpretations and applications of data protection laws.

  • Legal Cases
  • GDPR Compliance
  • Data Protection
  • Judicial Functions
  • Environmental Information

Uploaded on Mar 13, 2025

Presentation Transcript


  1. Judging cases at national level: selected problems arising in the domestic case law. The Hon. Ms. Justice Marie Baker, The Irish Supreme Court. GDPR compliance

  2. Friends of the Irish Environment v. Commissioner for Environmental Information Case C-470/19, ECLI:EU:C:2020:986 Request to the Central Office of the High Court under the AIE Regulations for pleadings, affidavits, documents etc. lodged by parties to an environmental case which had been fully determined in the High Court. The question specifically considered by the High Court was whether the Courts Service was acting in a judicial capacity and that led to a reference under Article 267 of the Treaty on the Functioning of the European Union which concluded that the courts are outside the scope of the definition of a public authority as they exercised institutionally judicial functions. The opinion of Advocate General Bobek Environmental Information offers a useful analysis of the meaning of public authority and he concluded that the phrase should not be interpreted as entertaining a purely functional or a purely institutional interpretation. Instead, an institutional definition with the functional corrective is proposed

  3. Case C-175/20 SIA SS v Valsts ieņēmumu dienests Advocate General Bobek in his opinion described the GDPR as having a reach that is virtually limitless and observed that it is rather difficult nowadays to find a situation where someone is not processing some personal data somewhere at some stage. As he correctly says, that approach results from the elevation of the protection of personal data under Article 8 of the Charter to an overriding fundamental right (what he calls, perhaps somewhat mischievously, a "super right"). He also observes that when GDPR or its predecessor were enacted it was unlikely that it was thought that they would govern such matters as access of trainee accountants to their examination scripts or preventing the identification of a party to a traffic accident by the police or limiting the disclosure of the payment of tax by a company in liquidation to the liquidator.

  4. Case C-175/20 SIA SS v Valsts ieņēmumu dienests The SIA is the provider of online advertising services. The reference to the ECJ arose from a request from the National Tax Authority of Latvia to forward data relating to second hand car advertisements to ensure that the taxes on the sale of cars are properly collected. Recital 1 of the GDPR affords an exemption to public authorities such as to tax and customs authorities when they collect personal data necessary to carry out a particular inquiry in the general interest. The processing by the public authorities does of course have to comply with data protection rules. Recital 45 of the GDPR provides that when processing is carried out in line with a legal obligation, that processing should have a basis in Union or Member State law.

  5. Case C-175/20 SIA SS v Valsts ieņēmumu dienests One feature of the opinion of Advocate General Bobek was his comment that GDPR does not regulate the relationship between different data processing entities although it reaches indirectly into those relationships and does set conditions for disclosure and transfer. The Court in SIA held that the GDPR did not preclude tax authorities from requiring the provider of internet advertising services to transfer information relating to tax payers, provided the data are necessary for the purpose and that the period for which the data are collected does not exceed the period strictly necessary to achieve the general interest objective sought. The Court however reaffirmed the proposition that the collection by tax authorities from an economic operator is subject to GDPR.

  6. Damages Under GDPR Article 92 of GDPR provides for a right of compensation and liability in respect of an infringement: any person who has suffered material or non material damages as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damages suffered. Recital 146 of GDPR provides that the concept of damage should be broadly interpreted and in a manner which fully reflects the objectives of the Regulation. Recital 85 then gives examples of material and non material damage including loss of control over the personal data, limitation of rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy, or other significant economic or social disadvantage to the natural person concerned.

  7. Domestic Damages Law Collins v FBD Insurance: the Supreme Court dismissed the plaintiff's action as he had failed to show actual damage, as the old 1988 Act did not provide for strict liability. The Supreme Court in Murphy v Callinan, again under the old Act, held that the infringement was not actionable without proof of negligence or a causative connection to an alleged material damage or other loss. The Court of Appeal in Shawl Property Investments Limited v A & B did consider the GDPR and the 2018 Act. Held that any alleged infringement could not be a matter for it in an appeal and that an action had to be by separate plenary proceeding and that compensation is payable even in the absence of material damage or financial loss but that s.117 or indeed the Act itself does not suggest that data protection is a tort of strict liability. There is to date no reported decision, or even as I recall a newspaper report, of an award of damages in a data protection action which is an action brought in the Circuit Court.

  8. Damages One novel feature in Irish law is the introduction by s. 117(7) of a representative action by a not for profit body that has been mandated by the data subject to bring an action on his or her behalf. Article 80 of GDPR did provide for a non-profit body to issue proceedings without a mandate but Ireland opted out of that. Section 117(8) provides that the Court shall have power to grant relief by way of an injunction or declaration or compensation by damages in an action by a non-profit body. These are not class actions. There is however a proposed directive on class actions before the European Parliament which proposes a two year lead out for implementation.

  9. Referral C-300/21 (Österreichische Post, 12 May 2021) This is one of a number of references which have not yet come to be heard by the CJEU, concerning the award of compensation. That Court asked whether in a claim for compensation a claimant had to show that he or she had suffered harm or whether the infringement of GDPR is itself sufficient. Interestingly the Court asked whether it was compatible with EU law that there had to be an infringement of some weight that goes beyond the upset caused by the infringement. The claim was against an entity which collected addresses and party affinity. They then sold this data. The claimant had not given his consent to data processing and was upset by the storage of his party affinity data and by the affinity attributed to him with a right wing political party which he said did not reflect his political views, and the attribution was insulting, shameful and damaging to his reputation. He claimed 1,000 in compensation. The Court of First Instance refused compensation but did give an injunction. The Appellate Court upheld that judgment. The primary focus of the reference was whether compensation was payable for the one-off sending of an advertising email without consent.

  10. BA v Finanzamt X (Case C-670/21) Case C-687/21 is a request for a preliminary ruling from Germany where the defendant is Saturn Electro. That case also asked whether non material damage had to be demonstrated by a claimant in addition to the mere unauthorised disclosure. The Court also asked whether an accidental disclosure as a result of a mistake amounted to an infringement and whether it mattered whether the person receiving the document had read the data before returning the document. The question then came down to whether discomfort of the person whose personal data was disclosed was sufficient to establish non material damage. That case arose out of the applicant's purchase of a household appliance to be financed by a third party. An employee of the shop prepared a purchasing credit agreement which was entered into an automated data processing system. The information contained names, address, place of residence, employer and income and bank details. The documents were printed, signed by both parties and handed to the customer, who then took them to that part of the shop which was handing out the goods, where two helpers were employed. Another customer jumped the queue, which the employees did not notice, and was given the household appliance ordered by the applicant and the associated contract documents. The third party left the shop with the appliance and the documents, and the error was then discovered by the manager, who retrieved the documents and the appliance within half an hour and returned them immediately to the applicant. The applicant refused an offer of compensation in the form of free delivery of the goods and sought damages for pain and suffering under GDPR.

  11. C-741/21 GP v juris GmbH Another case concerning Germany was referred in case C-741/21 where the defendant was juris. Again, the infringement was attributable to human error. The specific question concerned here was how compensation was to be determined when there were several infringements and whether an overall figure for compensation not determined by adding up individual amounts was an appropriate way of doing this. The applicant is a self-employed lawyer and a client of the defendant, which operated a legal data base. Following a request for information the lawyer was informed that his data had been used for direct marketing purposes without his consent. Thereafter he received two marketing letters by post addressed to his office but addressed to him personally. The marketing letters had a personal test code, a ten-digit character string which if entered on the defendant's website would identify personal details of the addressee. One question that arises in that reference is whether uniform criteria are prescribed by GDPR or whether national provisions determine the measure of damages. While GDPR stipulates annual turnover as a basis for the assessment of the quantum of a fine (see Article 83(5), Article 6 and Article 21 of GDPR), no such guidance is apparent in respect of the measure of compensation.

  12. C-340/21 (Natsionalna agentsia za prihodite) Bulgaria made a reference in Case C-340/21 in a case where the domestic court had dismissed an action for compensation. This involved a hacking and one question raised was where the burden of proving that technical and organisational measures were appropriate lay, and whether the obtaining of an expert's report is a necessary and sufficient means of proof to establish whether the measures implemented were appropriate. The hacking in this case was caused by persons who were not employees of the controller and not subject to its control. The question was whether the controller was responsible for an event which was out of its direct control. That case also asks whether worries, fears and anxieties with regard to a possible future misuse of personal data entitles a person to compensation where misuse has not been established and where no further harm has been suffered. Interestingly there, the claim for compensation was for an amount of just over 500. The domestic court dismissed the action because the applicant had not shown what technical steps the controller should have actually taken, but failed to do so or did so poorly. This same approach we find in Ireland where the local court also found that no causal connection was found between the breach and the claims of loss of confidence, self-esteem, work and the alleged effect on the relationships and state of health of the plaintiff. On the appeal the burden of proof was the main focus, as was an argument by the appellant/plaintiff that possible future misuse of the personal data was not hypothetical but actual present non material damage.

  13. C-667/21 (Krankenversicherung Nordrhein) Finally, in a German reference of 8 November 2021, Case C-667/21, concerning health data, the question concerned a dispute between the applicant and his employer, a medical service of a health insurance fund, and the question was whether the defendant was obliged to pay compensation for material and non material damage due to an infringement of data protection provisions in the context of an employment relationship. The case concerned whether the applicant was incapable of work due to ill health and was out of work on full pay and thereafter on a sickness benefit. The expert had phoned the employee's GP to obtain information and the final report prepared by the expert diagnosed severe depressive episode without psychotic symptoms. The net question that arose was whether the defendant could perform a medical assessment on its own employee.

  14. Schrems III? Meta: A future in Europe? Latest update from the litigation involving the Irish Data Protection Commission, activist Max Schrems and the transfer of data from Meta in Europe to America. DPC: March 2022 draft decision reported to suspend data flows. The Irish Times reports: Data Protection Commission's Meta ruling could lead to decisive victory for data privacy; If no transfers decision gets EU backing, onus will be on US to get its data act together. Meta's Annual 2022 Report Says It May Have To Shut Down Facebook and Instagram in Europe Because of GDPR: A Fact, Not a Threat. Blackmail or reality? Schrems III on the cards?

  15. Third time lucky?: Transatlantic Data Privacy Framework New US/EU deal An agreement in principle on a Transatlantic Data Privacy Framework was announced by the Commission and the US in March 2022; Detailed text has not yet been published; Statements indicate it will include: A proportionality requirement to access data; A "multi-layer redress mechanism"; An effective oversight of new privacy and civil liberties standards; It remains to be seen whether the Agreement will address the issues raised in Schrems II.

  16. Issues following Brexit; Directive 95/46/EC Chapter IV Article 25(1): Data transfers to third party country only if ... the third country in question ensures an adequate level of protection; Article 25(6): Commission may find that a third country ensures an adequate level of protection within the meaning of paragraph 2 of this Article, by reason of its domestic law or of the international commitments it has entered into, ..., for the protection of the private lives and basic freedoms and rights of individuals; Schrems 1 Test is essential equivalence: data protection laws in the destination country need not be identical in every respect, but the overall standard of protection must be equivalent. Assessment of UK adequacy: June 2021. Future problems? The National Digital Strategy; The Charter and ECHR; Bulk collection; Remains to be seen how the UK will process data, have indicated a clear intention to replace GDPR with their own framework

  17. C-140/20 Graham Dwyer v. Commissioner of An Garda Siochana Grand Chamber judgment April 2022 General and indeterminate retention could only be justified by national security objectives; Combatting serious crime could not be considered a national security objective; EU law permits, inter alia: Targeted retention for a limited period; Quick freeze of data held by service providers; Must be limited to what is strictly necessary to achieve the objective; Power to grant access to data must be exercised by an independent body.