European Union: Privacy landscape continues to evolve with new CJEU rulings
This is an Insight article, written by a selected partner as part of GDR's co-published content.
Legal framework
Overview
The right to privacy emerged after World War II and was initially enacted in the Universal Declaration of Human Rights,[1] before finding expression in the European Convention on Human Rights (ECHR).[2] Later, the right to data protection was recognised by the European Court of Human Rights (ECtHR) as part of the broadly interpreted concept of private life.[3]
In EU primary law, the right to data protection is enshrined in the Treaty on the Functioning of the European Union[4] and has the status of a fundamental right under the Charter of Fundamental Rights of the European Union (CFR).[5]
In 1995, to harmonise data protection laws, ensure a high level of protection and guarantee the free flow of personal data, the EU adopted, on a proposal from the European Commission (EC), the Data Protection Directive, which each member state had to transpose into national law.[6] In parallel, the ePrivacy Directive[7] was adopted in 2002 to address personal data in the specific context of electronic communications services and to adapt the applicable rules to the digital age.
Confronted with various challenges – in particular, the persistent fragmentation of data protection laws throughout the EU and increasing digitalisation – the EU decided to review the legal framework. This led to the adoption of the General Data Protection Regulation (GDPR).[8] Adopted in 2016, the GDPR became directly applicable in all member states on 25 May 2018. Reform and adaptation of other privacy-related laws as part of the EU’s Digital Strategy were also initiated.
Updates and trends
The GDPR achieved a high degree of harmonisation for the data protection rules in the EU; however, member states still have ‘margins of manoeuvre’ and can adopt national legislation to amend GDPR rules under certain circumstances (eg, for children’s consent or the scope of data subject rights).
Since 31 December 2020,[9] the GDPR has no longer been directly applicable in the UK. The UK's national data protection legislation (the UK GDPR) broadly mirrors the current GDPR.[10] If the GDPR were to change, the UK might not follow suit, so the two regimes might diverge.
In June 2021, the EC adopted an adequacy decision for the UK. Personal data can be transferred to the UK in most cases without any additional safeguards;[11] however, unlike other adequacy decisions, the UK adequacy decision will automatically expire in 2025.[12]
Focus on the GDPR
Objectives
The GDPR seeks to protect fundamental rights and freedoms of natural persons and reduce barriers for businesses by facilitating the movement of personal data within the EU.[13] It also aims to address the data protection risks associated with new technologies and their widespread use by imposing more stringent obligations. Finally, it aims to ensure effective protection of personal data by strengthening data subjects’ rights and the obligations of those who process personal data, and by establishing authorities to monitor and ensure compliance.
Scope of application
The GDPR’s scope of application is defined by reference to activities,[14] actors[15] and geography.[16]
The GDPR applies to the ‘processing’ of ‘personal data’, which are both interpreted very broadly: ‘processing’ covers every action that can be conducted with personal data, while ‘personal data’ means any information relating to an identified or identifiable natural person.[17] Only anonymised data does not fall under the scope of the GDPR.[18]
The GDPR also recognises specific categories of personal data, namely ‘sensitive data’[19] and ‘data relating to criminal convictions and offences’.[20] Sensitive data is:
data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.[21]
The processing of those categories of data is prohibited unless one of the exceptions in article 9(2) GDPR applies, the most commonly relied upon being the data subject's explicit consent.
Data processed in the course of a purely personal or household activity is exempted; however, the exemption has to be interpreted rather narrowly. Larger scale or more intrusive activities generally fall under the GDPR’s scope, even if the main purpose is personal.
The GDPR defines three ‘data protection roles’:
- the data subject, who is the natural person whose information is being processed;
- the controller,[22] who determines the purposes and means of the processing; and
- the processor,[23] who processes the personal data on the controller’s behalf.
Controllers and processors are subject to specific requirements under the GDPR, whereas data subjects enjoy extensive rights.
The GDPR is very far-reaching: it applies to entities established in the EU[24] and to certain entities without such an establishment.[25] In the latter case, it applies to the processing of personal data of data subjects who are in the EU where the processing relates to offering them goods or services, or to monitoring their behaviour (eg, online tracking) as far as that behaviour takes place in the EU. Subject to limited exceptions, those entities must appoint an 'EU representative', which acts as a point of contact for authorities and data subjects.
Principles relating to personal data processing and accountability
Article 5 sets out the general principles with which controllers and processors must comply when processing personal data. These principles are the cornerstone of all subsequent GDPR provisions, and they guide courts and authorities in their interpretation of the GDPR.
- Lawfulness, fairness and transparency: personal data must be processed lawfully, fairly and in a transparent manner.
- Purpose limitation: personal data must be collected for specified, explicit and legitimate purposes, must not be used for any purposes other than those notified to the individual and must not be further processed in any manner incompatible with those initial purposes, unless the further processing is based on a new lawful purpose.
- Data minimisation: personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Accuracy: personal data must be accurate and, where necessary, kept up to date; inaccurate data must be erased or rectified without delay.
- Storage limitation: personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data is being processed, and otherwise must be deleted or anonymised.
- Integrity and confidentiality: personal data must be processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures (TOMs).
In accordance with the principle of accountability, controllers are responsible for and must be able to demonstrate compliance with these principles, in particular by keeping relevant documentation, such as a record of processing activities.[26] The principle of accountability also leads to a shift of the burden of proof in certain cases (ie, it is the controller’s responsibility to evidence GDPR compliance).
Lawfulness of data processing
Data processing is lawful only if and to the extent it is based on one or more of the legal bases listed in the GDPR.[27] Whether a lawful basis for processing applies, and if so which, is determined with regard to the type of personal data and the purpose of the processing.
The most common lawful bases for the processing of (ordinary) personal data are performance of a contract, consent and the controller’s overriding legitimate interests, as set out below:
- To rely on the performance of a contract, the processing must be ‘necessary’ to the contract. If ‘there are realistic, less intrusive alternatives, the processing is not necessary’.[28]
- Consent is often regarded as the ‘method of choice’ but in practice it is very challenging to rely on consent. The threshold for obtaining valid consent is very high. Consent has to be ‘freely given’,[29] ‘specific’ and ‘informed’ and must express the unambiguous indication of the wishes of the data subject.[30] The data subject must also be able to withdraw their consent, at any time, as easily as it was given.
- Relying on overriding legitimate interests may also be quite challenging. First, the existence of a legitimate interest must be carefully assessed. The GDPR does not provide a list of interests to be considered as such; however, the GDPR states, for instance, that ‘the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest’.[31] Second, controllers have to balance these legitimate interests against the data subject’s fundamental rights and freedoms. Only when those rights do not override the controller’s legitimate interests is it possible to rely on this legal ground.[32]
The other three lawful bases also require the processing to be ‘necessary’ for a specific purpose, namely compliance with a legal obligation, protecting the data subjects’ vital interests, or the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Sensitive data may only be processed if, in addition to an article 6 legal basis, one of the (stricter) exceptions listed in article 9(2) GDPR applies, for example the data subject's 'explicit consent'.
The GDPR also regulates specific types of processing, such as automated decision-making, including profiling. Profiling means any form of automated processing of personal data to evaluate certain personal aspects relating to the individual, in particular to analyse or predict certain aspects. The GDPR imposes certain requirements to ensure additional guarantees in the context of such data processing.
Rights of the data subject
The GDPR grants a wide range of rights to data subjects, giving them more control over their personal data. Data subject rights can be classified into two groups.
The first group covers all information obligations[33] imposed on controllers. These require a controller to:
- give the data subject specific information about the circumstances of the data processing,[34] at the time personal data is collected or before it is processed;
- inform the data subject before carrying out changes to the data processing;
- inform the data subject of personal data breaches where relevant;[35] and
- take reasonable steps to inform other controllers of a right exercised by the data subject in some cases,[36] such as if the data subject asks for their data to be erased and the data was made public by the controller.
The second group includes rights that must be exercised by the data subject for the controller to act. The data subject has the right to:
- access their personal data processed by the controller;[37]
- obtain rectification of inaccurate or incomplete personal data;[38]
- request restriction of processing,[39] which means that personal data can still be stored but may not be used in certain situations;
- request erasure[40] of their personal data in particular circumstances;
- receive the personal data they provided in a structured and commonly used machine-readable format and request the controller to transmit this directly to another controller;[41]
- object to the processing of their personal data on grounds relating to their particular situation.[42] The controller must stop processing the data if it cannot show compelling legitimate grounds for the processing that override the individual’s interests (although this does not apply where the personal data is processed for direct marketing purposes); and
- not be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects for the data subject.[43] This right does not apply if the automated decision is necessary for the performance of a contract between the controller and the data subject, is authorised by EU or member state law, or is based on the data subject's explicit consent.
If a controller or processor breaches the GDPR, the data subject has the right to lodge a complaint with a data protection supervisory authority (DPA), in particular in the member state of their habitual residence, their place of work or the place of the alleged infringement, as well as the right to start judicial proceedings. The data subject may also claim compensation for material or non-material damage.
Oversight and enforcement
Each member state has established at least one DPA,[44] which must be independent in performing its tasks and exercising its powers and must contribute to the consistent application of the GDPR throughout the EU. The DPA has a wide range of responsibilities and a broad scope of powers, including investigative and corrective powers. It can issue warnings, reprimands or fines;[45] order data to be rectified, blocked or deleted; or impose a ban on processing. A DPA regulates controllers and processors established in its own member state, as well as elsewhere if the processing affects data subjects in the member state or is otherwise connected.
If more than one DPA would have jurisdiction for a specific processing activity of a controller or processor established in the EU (ie, for cross-border processing), the DPA of the entity’s ‘main establishment’ will act as ‘lead supervisory authority’. This ‘one-stop-shop mechanism’[46] ensures more efficient cross-border proceedings.[47]
All DPAs are members of the independent European Data Protection Board (EDPB),[48] along with the European Data Protection Supervisor.[49] The EDPB is responsible for ensuring the uniform application of the GDPR throughout member states and efficient cooperation among DPAs. It can issue guidelines[50] and recommendations and make binding decisions in relation to disputes regarding which DPA is competent or the lead supervisory authority,[51] as well as in relation to urgency procedures.[52]
Updates and trends
On 24 May 2023, the EDPB issued the final version of its guidelines on the calculation of fines.[53]
In 2023, a few landmark rulings have been issued. For instance, the Court of Justice of the European Union (CJEU) ruled that the mere infringement of the GDPR is not sufficient to award damages to a data subject.[54] It also considered that providing extracts of documents or databases or even entire documents may be necessary to fulfil data subject access requests.[55]
Privacy governance
The role of the DPO
The main responsibility of the data protection officer (DPO) is to monitor GDPR compliance and to ensure awareness-raising of staff involved in processing operations.[56] The ultimate responsibility to comply with the GDPR lies, however, with the controller.
The controller[57] or the processor must appoint a DPO if it is a public authority or body, or if its 'core activities' comprise the regular, systematic and large-scale monitoring of data subjects, or the large-scale processing of sensitive data or data relating to criminal convictions and offences.[58]
The DPO must be appointed on the basis of their professional qualities, their expert knowledge of data protection and their ability to fulfil the assigned tasks. They may be an employee or an external provider.[59] In both cases, the DPO must be able to perform their tasks independently and without any conflict of interest.
Once designated, the DPO’s contact details must be published and communicated to the DPA as the contact point for data subjects and DPAs.
Ensuring GDPR compliance of data processing operations
Data protection by design and by default
The controller[60] must:
- Implement appropriate TOMs to satisfy the general data protection principles under the GDPR and to integrate necessary safeguards throughout the whole processing.[61] TOMs must be implemented considering the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for individuals.
- Implement appropriate TOMs ensuring that, by default, only personal data that is necessary for each specific purpose of the processing is processed.[62]
The controller must also regularly review and update the TOMs.[63]
Appropriate TOMs to ensure data security
To keep personal data secure, appropriate TOMs must be implemented.[64] Technical measures relate to the processing itself, such as backups, access control with individual user IDs, or encryption. Organisational measures cover the framework surrounding the processing, such as employee training, policies or a security plan.
The GDPR does not prescribe specific security measures. It only lists criteria for the measures to ensure a level of security appropriate to the risk. There is no one-size-fits-all solution, so controllers and processors must carry out a 'balancing test'. They have quite a broad margin of discretion, but the decision to implement (or not implement) certain TOMs may be closely scrutinised. Controllers and processors should therefore assess the specific risks raised by their processing and the protective effect of individual TOMs. Following a personal data breach, TOMs should be adapted to prevent such an incident from recurring.
When assessing a risk, the relevant factors are the nature of the risk,[65] its likelihood[66] and its severity.[67]
When assessing individual TOMs, the controller or processor must assess whether and how each measure can prevent the risk from materialising, given the state of the art, the costs of implementation and the nature, scope, context and purposes of processing. Article 32 expressly mentions pseudonymisation and encryption as measures to consider. Measures must be able to ensure the ongoing confidentiality, integrity, availability and resilience of the processing systems, and to restore the availability of and access to the data in a timely manner after an incident.
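The distinction drawn in note [18] above (pseudonymised data remains personal data because it can be re-identified with additional knowledge) and the reference to pseudonymisation as an article 32 measure are easy to get wrong in practice. The following is an added example written for this page, not code from the original article; it uses constructed records (no real persons) to show three things: that replacing a name with an unkeyed hash is trivially reversed by anyone who can enumerate plausible names; that a keyed pseudonym (HMAC under a secret the controller keeps separate from the data) resists that attack but still lets the controller re-link records, so the data stays pseudonymised rather than anonymised; and that even with the direct identifier removed, quasi-identifiers such as postcode plus birth year can single a person out against an external directory. The function names and the directory contents are assumptions made for the illustration.

```python
"""Pseudonymisation is not anonymisation: a worked demonstration (added example)."""
import hashlib
import hmac
import secrets
from collections import Counter
from typing import Optional

# Constructed patient-style records: direct identifier, two quasi-identifiers
# and one special-category attribute (health data, GDPR art. 9).
RECORDS = [
    {"name": "Alice Example", "postcode": "10115", "birth_year": 1984, "diagnosis": "asthma"},
    {"name": "Bob Sample",    "postcode": "10115", "birth_year": 1991, "diagnosis": "none"},
    {"name": "Carla Muster",  "postcode": "80331", "birth_year": 1984, "diagnosis": "diabetes"},
]

# Constructed "additional knowledge from other sources": a directory the
# attacker holds. Dan Demo deliberately shares Bob's (postcode, birth_year).
EXTERNAL_DIRECTORY = [
    {"name": "Alice Example", "postcode": "10115", "birth_year": 1984},
    {"name": "Bob Sample",    "postcode": "10115", "birth_year": 1991},
    {"name": "Carla Muster",  "postcode": "80331", "birth_year": 1984},
    {"name": "Dan Demo",      "postcode": "10115", "birth_year": 1991},
]


def unkeyed_pseudonym(name: str) -> str:
    """Naive pseudonym: plain SHA-256 of the name. Anyone can recompute it."""
    return hashlib.sha256(name.encode("utf-8")).hexdigest()


def keyed_pseudonym(name: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 under a secret held apart from the dataset
    (a technical measure in the sense of GDPR art. 32). Recomputation needs the key."""
    return hmac.new(key, name.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records, key: Optional[bytes] = None):
    """Replace the direct identifier (name) with a pseudonym; keep other fields."""
    out = []
    for r in records:
        pid = keyed_pseudonym(r["name"], key) if key else unkeyed_pseudonym(r["name"])
        out.append({"pid": pid, **{k: v for k, v in r.items() if k != "name"}})
    return out


def dictionary_attack(pseudonymised, candidate_names, key: Optional[bytes] = None):
    """Re-identify pseudonyms by hashing every candidate name and matching.
    Without the key this only succeeds against unkeyed pseudonyms; with the key
    it models the controller (or anyone who stole the key) re-linking the data."""
    table = {(keyed_pseudonym(n, key) if key else unkeyed_pseudonym(n)): n for n in candidate_names}
    return {r["pid"]: table[r["pid"]] for r in pseudonymised if r["pid"] in table}


def relink_by_quasi_identifiers(pseudonymised, directory):
    """Linkage attack on the remaining fields: match (postcode, birth_year) against
    the external directory. Only combinations unique in the directory are re-identified."""
    def qi(r):
        return (r["postcode"], r["birth_year"])
    counts = Counter(qi(d) for d in directory)
    lookup = {qi(d): d["name"] for d in directory if counts[qi(d)] == 1}
    return {r["pid"]: lookup[qi(r)] for r in pseudonymised if qi(r) in lookup}


if __name__ == "__main__":
    names = [d["name"] for d in EXTERNAL_DIRECTORY]
    naive = pseudonymise(RECORDS)
    print("unkeyed hash, attacker with name list:", dictionary_attack(naive, names))
    key = secrets.token_bytes(32)          # controller's secret, stored separately
    keyed = pseudonymise(RECORDS, key)
    print("HMAC, attacker without key:          ", dictionary_attack(keyed, names))
    print("HMAC, controller with key:           ", dictionary_attack(keyed, names, key))
    print("quasi-identifier linkage, no key:    ", relink_by_quasi_identifiers(keyed, EXTERNAL_DIRECTORY))
```

Run stand-alone, the first and third lines show every record re-identified, the second shows none, and the last shows Alice and Carla re-identified from postcode and birth year alone while Bob is shielded only because Dan Demo shares his combination. The practical lessons for a controller are that an unkeyed hash of an identifier is not a meaningful TOM, that a keyed pseudonym is only as strong as the protection of the key (which therefore belongs in a separate system with its own access controls), and that in either case the output remains personal data, so the GDPR applies in full.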
DPIA
If data processing poses a high risk to individuals, the controller must first carry out a data protection impact assessment (DPIA). A DPIA is an internal risk assessment to document any risks identified and any measures taken to mitigate the risks (eg, implementing TOMs or adding contractual safeguards with third parties).
A DPIA is required when: new technologies are used; there is a systematic and extensive evaluation of personal aspects based on automated processing; sensitive personal data is processed on a large scale; or there is systematic monitoring of a publicly accessible area on a large scale.[68]
EU guidelines suggest that a controller must consider the following criteria to determine the risk of processing,[69] and a DPIA is generally required if two or more of these criteria are met:
- evaluation or scoring;
- automated decision-making with legal or similar significant effect for data subjects;
- systematic monitoring;
- sensitive data or data of a highly personal nature;
- data processed on a large scale;
- matching or combining datasets;
- data concerning vulnerable data subjects (eg, children);
- innovative use or applying new technological or organisational solutions; and
- when the processing in itself prevents data subjects from exercising a right or using a service or contract.
Finally, DPAs may establish non-exhaustive ‘blacklists’ or ‘whitelists’ of those activities that always require a DPIA and those that do not.[70]
In the rare event that the risks identified in a DPIA cannot be sufficiently mitigated (ie, a high residual risk remains), the controller must consult the competent DPA before starting the processing.
Contractual requirements
Although the GDPR has increased the data processor’s responsibilities, the controller remains primarily responsible. The controller must only use processors that provide sufficient guarantees to ensure GDPR compliance.[71] The controller must also conclude a binding contract with the processor setting out all the elements of the processing and certain restrictions, including that the processor may process data only upon the documented instructions of the controller, the controller has certain audit rights, and the processor must support the controller to ensure GDPR compliance.[72]
Joint controllers must determine their respective responsibilities for GDPR compliance in a transparent manner, in particular with regard to the exercise of data subject rights and the controllers’ respective duties to provide information to data subjects.[73]
Data exports
The GDPR includes restrictions regarding data transfers to countries outside the European Economic Area. Safeguards must be used to ensure an ‘adequate level of data protection’, unless the personal data is transferred to a country covered by an ‘adequacy decision’ (ie, the country has an adequate level of data protection).[74]
If the recipient country is not covered by an adequacy decision, the transfer must be subject to ‘appropriate safeguards’,[75] namely:
- binding corporate rules (ie, group internal data protection frameworks approved by the relevant DPA);
- standard contractual clauses (SCCs) adopted by the EC or by a DPA;[76]
- an approved code of conduct;
- an approved certification mechanism; or
- individual contractual clauses authorised by the DPA.
If the transfer is not covered by these safeguards, an exemption might apply, such as where the data subject has given explicit consent or where the transfer is necessary for the performance of a contract with the data subject.[77]
Following the CJEU's judgment in Schrems II,[78] the landscape relating to data exports has evolved significantly. First, the EU–US Privacy Shield[79] was declared invalid.[80]
Second, the EC released a new set of SCCs.[81] The new SCCs have a few new or updated aspects, including a modular approach, a docking clause that facilitates the formation of multilateral contractual relationships by allowing new parties to accede to an already existing agreement, and a ‘practical toolbox’ to comply with the Schrems II ruling.
In addition, data exporters must review whether the recipient abroad can guarantee compliance with EU data privacy law (a 'transfer impact assessment') and, under certain circumstances, implement additional technical, organisational and contractual measures,[82] depending on the level of protection for the data in the country of the data importer.[83] The GDPR also restricts transfers of personal data to international organisations (ie, organisations and their subordinate bodies governed by public international law, or any other body set up by, or on the basis of, an agreement between two or more countries).
Personal data breaches
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data.[84] This could include, for instance, a lost USB stick, an intrusion by a hacker or the sending of an email to the wrong recipient.
Unless the breach is unlikely to result in a risk to data subjects, the controller must notify the competent DPA without undue delay and, where feasible, not later than 72 hours after becoming aware of it. A processor that becomes aware of a breach must notify the controller without undue delay. Where the breach is likely to result in a high risk, the affected data subjects must also be notified without undue delay. In practice, these tight deadlines are challenging for businesses, and the emphasis is often on assessing when a business can reasonably be said to be 'aware', bearing in mind the complexities of many data breach investigations.
A wide range of factors are relevant to assess the level of risk: the type of breach;[85] the nature, sensitivity and volume of personal data; the consequences for affected individuals; the number of affected individuals; and the likelihood and severity of the consequences on affected individuals, such as discrimination, identity theft or financial loss.
Controllers must document each data breach.[86]
Focus on specific requirements
Sector-specific requirements
In sectors like banking, healthcare, social security, post, telecoms and gambling, specific data protection requirements apply.
Regarding telecoms, the entry into force of the European Electronic Communications Code (EECC) has made the regulatory landscape more complex. In particular, the EECC widened the definition of 'electronic communications service', so that over-the-top communication services (eg, messaging apps) are now subject to the applicable rules.
Cybersecurity
In 2016, the EU adopted the Directive on Security of Network and Information Systems[87] (the NIS Directive) to enhance cybersecurity standards for certain businesses with IT infrastructure in the EU.[88]
In December 2022, the revised NIS Directive, the NIS 2 Directive,[89] was published in the Official Journal; member states must transpose it by 17 October 2024. NIS 2 expands the scope of the current NIS Directive by adding new sectors, introducing a clear size-cap rule and strengthening the applicable requirements.
Other EU digital and data-related legislation
The EU’s Digital Strategy aims to protect individuals and foster innovation by imposing rules to safely navigate digitalisation. The Digital Services Act,[90] which regulates online intermediaries and platforms, came into force on 16 November 2022.[91] The Digital Markets Act,[92] which sets out rules on gatekeeper platforms, entered into force on 1 November 2022. Once ‘gatekeepers’ are designated, they will have until March 2024 to ensure compliance.
Other data-related legislation and legislative proposals under the EU's Digital Strategy include the Data Act (which regulates access to data by users and third parties), the Data Governance Act (setting out rules, inter alia, for providers of data-sharing services) and the Artificial Intelligence Act (which provides for stringent regulation of artificial intelligence systems).
The 2002 ePrivacy Directive applies in addition to the GDPR. It covers a wide range of issues, such as collection of traffic data, cookies[93] and unsolicited communications. EU discussions to replace the directive with a regulation continue.
Conclusion
The GDPR has established a stringent and far-reaching data protection framework. It shifts a lot of responsibility to businesses that process personal data. As a best practice, many businesses have set up privacy governance committees to manage GDPR risk. This approach is extending to businesses that are not subject to the GDPR, because many countries have adopted or are in the process of adopting similar comprehensive privacy frameworks.[94] Aligning different national requirements is difficult for businesses, not only because EU member states still have leeway to enact country-specific rules, but also because the approach taken in countries outside the EU sometimes conflicts with the GDPR. That said, for those looking to implement global compliance programmes, developing principles-based policies and procedures with the GDPR as their bedrock is often a pragmatic solution.
Notes
[1] Universal Declaration of Human Rights, article 12.
[2] Convention for the Protection of Human Rights and Fundamental Freedoms, article 8.
[3] European Court of Human Rights (ECtHR), 26 March 1987, Leander v Sweden; ECtHR, 4 May 2000, Rotaru v Romania.
[4] Treaty on the Functioning of the European Union, article 16.
[5] Charter of Fundamental Rights of the European Union, article 8.
[6] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
[7] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector.
[8] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
[9] The end of the Brexit transition period.
[10] The EU General Data Protection Regulation (GDPR) was retained (with some amendment) in UK law by the European Union (Withdrawal) Act 2018.
[11] The decision does not cover personal data that is transferred for purposes of UK immigration control or that otherwise falls within the scope of a certain immigration exemption under the UK Data Protection Act 2018.
[12] The EU will monitor the UK law for any divergence before then.
[13] The GDPR is intended to help promote European economic development.
[14] GDPR, article 2.
[15] GDPR, article 4.
[16] GDPR, article 3. See also European Data Protection Board (EDPB), Guidelines 3/2018 on the territorial scope of the GDPR.
[17] For example, the fact that a person took part in a meeting or signed a specific document is considered personal data.
[18] Anonymisation is quite hard to achieve in practice. In most cases where anonymisation is attempted, data will only be considered ‘pseudonymised’ (eg, identifiers or references to individuals are removed but it is still possible to re-identify data with additional knowledge from other sources). The GDPR fully applies to pseudonymised data.
[19] Also called ‘special category’ data.
[20] GDPR, article 10.
[21] GDPR, article 9.
[22] The controller can be a natural or legal person, public authority, agency or any other body. When two or more controllers jointly determine the purposes and means of a processing activity, they are ‘joint controllers’. See also EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR.
[23] The processor can be a natural or legal person, public authority, agency or any other body. See also EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR.
[24] This is the ‘establishment criterion’.
[25] This is the ‘targeting criterion’.
[26] GDPR, article 30.
[27] GDPR, article 6.
[28] For example, the use of a cloud storage application necessarily requires that personal data be stored in the respective cloud, so the controller can rely on the performance of a contract as the legal basis for that storage; however, the use of the data for other purposes (eg, analysing data for marketing purposes) is not necessary for the contract and requires another legal basis. For further information, see EDPB, Guidelines 2/2019 on the processing of personal data under article 6(1)(b) of the GDPR in the context of the provision of online services to data subjects.
[29] The requirement of freely given consent is sometimes particularly hard to achieve (eg, when an employer asks employees for consent).
[31] GDPR, recital 47.
[32] In light of the ‘accountability principle’, controllers must generally document the balancing of interest test.
[33] GDPR, articles 12, 13 and 14.
[34] This applies irrespective of whether the personal data is collected directly from the data subject.
[35] GDPR, article 34.
[36] GDPR, articles 17(2) and 19.
[37] Right of access: GDPR, article 15. See also EDPB, Guidelines 01/2022 on data subject rights – Right of access.
[38] Right to rectification: GDPR, article 16.
[39] Right to restriction of processing: GDPR, article 18.
[40] Right to be forgotten: GDPR, article 17.
[41] Right to data portability: GDPR, article 20. See Article 29 Working Party (WP29), Guidelines on the right to data portability, WP242 rev.01.
[42] Right to object: GDPR, article 21.
[43] GDPR, article 22.
[44] Germany, as a federal country, has several data protection supervisory authorities (DPAs). Where more than one DPA is established in a member state, that member state must designate the supervisory authority that is to represent the others at the EU level.
[45] Up to €20 million or 4 per cent of worldwide annual (group) turnover, whichever is higher.
[46] A register containing decisions taken by DPAs following the ‘one-stop-shop mechanism’ is published by the EDPB.
[47] There is still some uncertainty over the definition of ‘main establishment’.
[48] The EDPB replaced the WP29, which ceased to exist on 25 May 2018.
[49] The European Data Protection Supervisor is the DPA for the EU institutions and bodies.
[50] During its first plenary meeting, the EDPB endorsed some of the WP29 Guidelines, such as those on consent, transparency, personal data breach notification, the obligation to maintain records of processing activities and the application and setting of administrative fines.
[51] GDPR, article 65.
[52] GDPR, article 66.
[54] Court of Justice of the European Union (CJEU), 4 May 2023, Case C-300/21.
[55] CJEU, 4 May 2023, Case C-487/21.
[56] GDPR, article 39.
[57] A group of undertakings may appoint a single data protection officer (DPO): GDPR, article 37(2).
[58] Member states can stipulate further cases where a DPO must be appointed. Article 37(4) of the GDPR contains an opening clause allowing member states to impose other requirements for the appointment of a DPO. For instance, Germany has provisions in place that go beyond the general DPO requirement under the GDPR. Irrespective of a legal obligation, companies can also appoint a DPO voluntarily, and this has been recommended by several DPAs.
[59] Off the record, certain DPAs have expressed concerns over the appointment of external DPOs by businesses that process a significant amount of personal data.
[60] GDPR, article 25.
[61] For example, when a controller builds a new product, it must ensure that the product is developed with privacy in mind. This can, for example, be documented and achieved by adding ‘privacy gates’ into the product development cycle.
[62] For example, some applications may require the functionality to turn certain data collection on and off, and the default setting should be ‘off’.
[63] GDPR, article 24.
[64] GDPR, article 32.
[65] For example, data destruction, data alteration, unauthorised disclosure or unauthorised access.
[66] Taking into account, for example, the data transfer method (eg, in the cloud) or the storage method (duration, location).
[67] Taking into account, for example, the importance of the data or the type of likely damage.
[68] GDPR, article 35(3).
[69] WP29, Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is ‘likely to result in a high risk’ for the purposes of Regulation 2016/679, WP248 rev.01.
[70] GDPR, articles 35(4) and 35(5). The EDPB publishes opinions on draft lists submitted to it by the DPAs.
[71] This requires appropriate processes for vendor management to document that the selection of processors is based on reasonable criteria.
[72] ibid.
[73] GDPR, article 26.
[74] GDPR, article 45. So far, the Commission has recognised the following countries as providing an adequate level of data protection: Andorra, Argentina, Canada, the Faroe Islands, Guernsey, the Isle of Man, Israel, Japan, Jersey, New Zealand, South Korea, Switzerland, the UK and Uruguay.
[75] GDPR, article 46.
[76] See, for instance, the standard contractual clauses (SCCs) adopted by the Danish DPA.
[77] GDPR, article 49.
[78] On 16 July 2020, the CJEU in the Schrems II case (C-311/18) invalidated the EU–US Privacy Shield and said that those who transfer data out of the European Economic Area (EEA) using the SCCs must review whether the recipient of data abroad can guarantee compliance with EU data privacy law. Both findings were based on the wide rights of US government agencies to access personal data and the lack of judicial redress for non-US citizens.
[79] The Privacy Shield was a scheme that allowed data to flow from the EEA to US companies registered with the scheme.
[80] Talks around a Privacy Shield replacement are still ongoing. In December 2022, the European Commission launched the process towards the adoption of an adequacy decision for the EU–US Data Privacy Framework. A proposal for a draft adequacy decision has been released and transmitted to the EDPB for its opinion, which was delivered on 28 February 2023. The EDPB welcomed improvements but concerns remain.
[81] One for the transfer of personal data to third countries (see Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council) and one for use between controllers and processors based in the EU (Commission Implementing Decision (EU) 2021/915 of 4 June 2021 on standard contractual clauses between controllers and processors under article 28(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and article 29(7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council).
[82] EDPB, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.
[83] The 18-month transition period for those using the pre-existing SCCs ended on 27 December 2022.
[84] GDPR, article 4(12).
[85] Generally, a distinction is made between a confidentiality breach, an availability breach and an integrity breach.
[86] Documentation is to be made available to the relevant DPA upon request.
[87] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.
[88] The directive generally applies to certain critical infrastructure where specific thresholds are met (eg, energy, health, transport, banking and digital infrastructure).
[89] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No. 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive).
[90] Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (the Digital Services Act (DSA)).
[91] The DSA will be directly applicable across the EU. Most provisions of the DSA become applicable from 17 February 2024 (although some apply earlier).
[92] Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act).
[93] For instance, certain cookies may be used only if the user has given consent, and certain marketing communications require that recipients have explicitly opted in to receive them.
[94] For example, Australia, Brazil, South Korea or California, Nevada and Colorado in the US.