Our article looks back at the developments in data protection law in 2023 and ahead to data (protection) law in 2024.
It is almost impossible to look back at the big issues in data protection law over 2023 without also looking ahead to 2024 and what the future holds: The use of virtual reality with the Metaverse and of artificial intelligence (AI) as well as political agreement in the EU on the AI Act and Data Act were the subjects of much attention. These increasingly interconnected issues and the preparations for upcoming legal developments will have an impact on data protection law in the coming years.
First of all, however, the spring of 2023 saw the fifth anniversary of the European General Data Protection Regulation (GDPR), and German data protection authorities took stock of its impact since 25 May 2018 – including the Conference of the Independent German Federal and State Data Protection Supervisory Authorities (DSK), the German Federal Commissioner for Data Protection and Freedom of Information (BfDI) and the state commissioners of Baden-Württemberg, Hesse, Rhineland-Palatinate and North Rhine-Westphalia. In 2023, the EU Commission also launched an initiative to evaluate the application of the GDPR; the resulting report will build on the previous report published in 2020 and is due in the second quarter of 2024. The European Data Protection Board (EDPB) published its contribution to this evaluation in December 2023. Some data protection authorities used the fifth anniversary of the GDPR to also comment on the upcoming developments that will turn the law on data protection into a law on data.
Data law supplements data protection law: Our German #CMSdatalaw blog series
Together with the Data Governance Act, the Data Act forms one of the main pillars of the European digital and data strategies, which aim to create a single market for data in the European Union (EU) and to promote data sharing. After Parliament and Council had already reached an informal agreement, the European Parliament adopted the Data Act on 9 November 2023 with 481 votes in favour, 31 against and 71 abstentions, and the Council gave its formal approval on 27 November 2023. The result is a new body of data law that enables data use and covers both personal and non-personal data. The Data Act was published in the Official Journal of the EU at the end of 2023. 2024 will therefore be a year of preparation and implementation: comprehensive data access requirements will be established, and affected companies will have to ensure data access by design while simultaneously protecting personal data and safeguarding their trade secrets. From a data protection perspective, the right of access under Article 15 GDPR will become even more important in 2024.
EDPB makes right of access under Article 15 GDPR a top issue for 2024
In a statement issued on 17 October 2023, the EDPB announced the topic of its third coordinated enforcement action. It will be carried out in 2024 and will focus on the implementation of the right of access under Article 15 GDPR. The EDPB is thus making this a priority for the national data protection authorities in the coming year. Companies should therefore review how they handle access requests from data subjects – from identifying the requester and locating all relevant data to meeting the one-month deadline of Article 12(3) GDPR – and optimise their processes where necessary.
Article 15 GDPR made clearer by CJEU case law in 2023
In line with this, last year the Court of Justice of the European Union (CJEU) clarified the right of access under Article 15 GDPR in several judgments. Right at the beginning of the year, in a judgment dated 12 January 2023 (C-154/21), the CJEU ruled that a controller that has disclosed or will disclose personal data to recipients must, on request, inform the data subject of the specific identity of those recipients; only where it is impossible to identify the recipients, or where the request is manifestly unfounded or excessive, may the controller limit itself to naming categories of recipients. Then, in a judgment dated 4 May 2023 (C-487/21), the CJEU ruled on the term "copy" within the meaning of Article 15(3) GDPR: the right to obtain a copy of personal data means that the data subject must be provided with a faithful and intelligible reproduction of all of the data, which may require reproducing extracts from documents or even entire documents where that is necessary to make the data intelligible. On 22 June 2023, the CJEU issued a further judgment on the right of access (C-579/21) and held that every data subject has the right to know when and for what purposes their personal data was consulted, information that will typically be held in a controller's log data. By contrast, the identity of the employees who carried out those consultations need not be disclosed unless it is essential for the data subject to exercise their rights effectively and the employees' own rights and freedoms do not prevail.
In the autumn, the CJEU then answered questions referred by the German Federal Court of Justice (BGH) on, among other things, the costs of access and the relationship between Article 15 GDPR and section 630g (2) sentence 2 of the German Civil Code (BGB). In a judgment dated 26 October 2023 (C-307/22), the CJEU ruled that a patient is entitled under Article 15 GDPR to receive a first copy of their complete patient file – including diagnoses, examination results, findings and information on treatments or interventions – free of charge. This also applies if the data subject is pursuing a purpose unrelated to data protection, i.e. a purpose other than that stated in recital 63 sentence 1 GDPR. In the case in question, a patient demanded a free copy of their patient file from their dentist in order to examine possible liability claims for incorrect treatment, while the dentist was only willing to provide the file if the patient covered the copying costs in accordance with section 630g (2) sentence 2 BGB. According to the Luxembourg-based court, however, a reasonable fee may only be charged for further copies requested after the first, free copy (Article 15(3) sentence 2 GDPR).
While the right of access under the GDPR has been important in the past and will remain so in the future, international data transfers have also continued to preoccupy the data protection world – another key issue that will remain relevant despite the EU Commission's adequacy decision for the USA.
EU Commission: Adequacy decision for the USA
On 10 July 2023, the EU Commission adopted its adequacy decision for the EU–US Data Privacy Framework (DPF). It is intended to facilitate data flows between the EU and the USA after the Privacy Shield was declared invalid by the CJEU in its Schrems II judgment of 16 July 2020 (C-311/18). The Commission has thereby found that personal data transferred to US organisations certified under the DPF enjoy a level of protection essentially equivalent to that in the EU. The adequacy decision thus serves as the legal basis for transfers to DPF-certified US organisations, so that the transfer tools previously required in these cases – in particular the EU standard contractual clauses (SCCs) of 2021 together with a transfer impact assessment and any supplementary measures – are no longer necessary. Two practical caveats remain: companies should verify a recipient's certification for the data category concerned (HR and non-HR data are certified separately) on the DPF list maintained by the US Department of Commerce, and transfers to US recipients that are not certified still require a transfer tool under Article 46 GDPR, such as the SCCs.
However, concerns about the new DPF were voiced immediately: on 10 July 2023, the NGO noyb ("none of your business"), led by Maximilian Schrems, announced that it had prepared various procedural options for bringing the new framework before the CJEU, arguing that it is largely a copy of the invalidated Privacy Shield. The digital industry association Bitkom e.V. also expects the decision to be reviewed by the courts. The EDPB, with the involvement of the German data protection authorities, published a critical opinion on the draft decision in the spring of 2023, and the DSK published its application guidance on 4 September 2023. In a separate statement, the Thuringian Commissioner for Data Protection and Freedom of Information (TLfDI) dissented from the DSK's vote on that guidance and estimated the probability that the CJEU will overturn the adequacy decision to be "quite high". The TLfDI had already made his stance particularly clear in a press release dated 14 July 2023:
We should not ignore what the well-known lawyer Maximilian Schrems has said [...]: "They say the definition of insanity is doing the same thing over and over again and expecting a different result".
In a ruling dated 3 November 2023 (6 U 58/23), the Cologne Higher Regional Court (OLG) became one of the first German courts to express criticism of the DPF.
Given how long such proceedings usually take, it will probably be some time before the CJEU has the opportunity to rule on the DPF. Last year, however, the CJEU did hand down an eagerly awaited judgment on GDPR fines.
CJEU comments on GDPR fines
On 5 December 2023, the CJEU ruled in cases C-683/21 and C-807/21 on the conditions under which national data protection authorities may impose fines on companies under Article 83 GDPR. The Court held that a fine requires culpable conduct, i.e. a GDPR infringement can only be fined if it was committed intentionally or negligently. Culpability can be affirmed where:
that controller could not be unaware of the infringing nature of its conduct, whether or not it is aware that it is infringing the provisions of the GDPR.
Companies should note in particular that, according to the CJEU's interpretation of the GDPR, a fine may be imposed on a legal person as controller without it being necessary for the infringement to have been committed by a governing body of that legal person or for the governing body to have been aware of it. The legal person is liable for infringements committed by its representatives, directors or managers as well as by any other person acting in the course of its business activities and on its behalf. According to the CJEU, it is also not necessary to first establish that an identifiable natural person committed the infringement, which rules out the stricter attribution model of section 30 of the German Administrative Offences Act (OWiG) for GDPR fines. In addition, a controller may be fined for processing carried out on its behalf by a processor, unless the processor processed the data for its own purposes or in a manner incompatible with the controller's instructions. Where the recipient of the fine is part of a group of companies, the competition-law concept of an "undertaking" applies when calculating the maximum fine, so that the total worldwide annual turnover of the group in the preceding financial year is decisive.
The German reference (C-807/21) arose from an administrative fine imposed by the Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI), who welcomed the judgment in a press release of 5 December 2023 as confirming the practice of the German data protection authorities. The Hessian Commissioner for Data Protection and Freedom of Information (HBDI) also welcomed the decision in a press release of the same day. The judgment is of considerable practical relevance, as the national data protection authorities of the EU Member States made repeated use of their power to impose fines for GDPR infringements in 2023 and will continue to do so.
Enforcement tracking: GDPR fines in 2023
Fines under the GDPR can amount to up to EUR 20 million or 4 % of a company's total worldwide annual turnover of the preceding financial year, whichever is higher. On 24 May 2023, the EDPB adopted the final version of its Guidelines 04/2022 on the calculation of administrative fines under the GDPR, which are intended to harmonise the methods used by the various data protection authorities to determine the amount of a fine. To this end, the EDPB developed a five-step methodology, explained in more detail in the guidelines, that starts from the seriousness of the GDPR infringement and the turnover of the undertaking and then takes account of aggravating and mitigating circumstances, the statutory maximum and the requirements of effectiveness, proportionality and dissuasiveness.
Also in May, the Irish data protection authority imposed a fine of EUR 1.2 billion on Meta Platforms Ireland Limited for transferring the personal data of European users to the USA on the basis of the SCCs without adequately addressing the risk of access by US intelligence services identified in Schrems II. The full text of the Irish authority's decision runs to more than 200 pages. Meta announced in a press release that it would appeal the fine and would base the relevant data transfers to the USA on the DPF from September. At EUR 1.2 billion, this is the largest known GDPR fine issued in 2023. One of the largest GDPR fines that became known in Germany in 2023 was issued for failing to honour data subject rights, including the right of access under Article 15 GDPR mentioned above: a bank was fined EUR 300,000. Just in time for the fifth anniversary of the GDPR, CMS published the fourth edition of its Enforcement Tracker Report in 2023. The fifth edition, covering the next reporting period, will follow soon.
In addition to fines, GDPR infringements can also give rise to civil-law claims by data subjects against companies, including claims for injunctive relief and compensation under Article 82 GDPR.
GDPR compensation is still keeping the courts busy
The largest known sums awarded as compensation under Article 82 GDPR in 2023 were EUR 10,000, and all were awarded by the labour courts. For example, the Oldenburg Labour Court (ArbG) awarded this amount in its judgment of 9 February 2023 (3 Ca 150/21) to an employee whose former employer had responded to an access request under Article 15 GDPR 20 months late; the court set the compensation at EUR 500 for each month of delay. In a judgment dated 23 March 2023 (3 Ca 44/23), the Duisburg Labour Court also ordered an employer to pay EUR 10,000 in compensation to a former employee for responding late and incompletely to an access request. And in its judgment dated 27 July 2023 (3 Sa 33/22), the Baden-Württemberg Higher Labour Court (LArbG) awarded EUR 10,000 in compensation for the defendant's continued use of photos and film footage of a former employee, including on the company website and in social media, against the employee's will for nine months after the employment relationship had ended.
Social media scraping before courts across the country
While the wave of warning letters over the dynamic embedding of web fonts on websites was causing a stir in data protection law in late 2022 and early 2023, another topic has been occupying courts across Germany over the same period: the so-called scraping cases. These all stem from the same incident, in which data entered on a social media platform – such as names, telephone numbers and relationship statuses – was scraped and later published. As a result, a number of data subjects are claiming compensation under Article 82 GDPR. 2023 began with the first court decisions upholding such claims, for example the Lüneburg Regional Court's judgments of 24 January 2023 (3 O 74/22, 3 O 81/22) awarding EUR 300, the Stuttgart Regional Court's judgment of 26 January 2023 (53 O 95/22), also awarding EUR 300, and the Heidelberg Regional Court's judgment of 31 March 2023 (7 O 10/22) awarding EUR 250, while other courts rejected a claim for compensation under Article 82 GDPR, such as the Berlin Regional Court in its judgment of 7 March 2023 (13 O 79/22), the Detmold Regional Court in its judgment of 7 March 2023 (02 O 67/22) and the Offenburg Regional Court in its judgment of 28 February 2023 (2 O 98/22).
In an illuminating obiter dictum, the Limburg Regional Court explained in its judgment of 24 January 2023 (4 O 278/22) why it rejected a claim for compensation in these cases:
[...] If – contrary to the Chamber's opinion – each individual user affected were to be awarded, for example, a claim for [...] EUR 100 in compensation, this would mean a total amount of EUR 53,300,000,000 (in words: fifty-three billion three hundred million euros) to be paid out. This would be disproportionate to the seriousness of a possible data protection breach by the defendant. As a result, this would amount to punitive damages, which are in any case alien to German civil law [...].
The Hamm Higher Regional Court (OLG) in August (7 U 19/23), September (7 U 77/23) and November (7 U 71/23), the Stuttgart Higher Regional Court (OLG) in its judgments of 22 November 2023 (4 U 17/23 and 4 U 20/23) and the Cologne Higher Regional Court (OLG) in its judgment of 7 December 2023 (15 U 33/23) were the first higher regional courts to reject the compensation claims asserted in the scraping cases, on the ground that the claimants had not proven any (non-material) damage. In one case, the Stuttgart Higher Regional Court upheld the data subject's application for a declaratory judgment only in respect of a claim for compensation for possible future losses. In a press release from November 2023, the Stuttgart Higher Regional Court stated that 100 cases of this type were already pending before its 4th Civil Senate, while more than 6,000 were pending nationwide. Further court decisions on the subject are therefore to be expected.
The requirements of Article 82 GDPR that are decisive in the scraping cases and beyond, such as when non-material damage is compensable under the GDPR, went unclarified by the CJEU for a long time. Not least for this reason, the German Federal Court of Justice (BGH) referred further questions on Article 82 GDPR to the CJEU in September 2023. In 2023, however, the Luxembourg-based court did hand down several judgments relevant to Article 82 GDPR, while decisions in other cases are still outstanding. In particular, in its judgment of 4 May 2023 (C-300/21) the CJEU held that a mere infringement of the GDPR does not in itself give rise to a right to compensation – the data subject must show an infringement, damage and a causal link between the two – but that non-material damage need not reach a particular threshold of seriousness to be compensable. As 2023 drew to a close, the CJEU also ruled on further cases whose decisions had long been awaited because of their high practical relevance for data protection.
CJEU: Two data processing practices of commercial credit agencies are in contravention of the GDPR
In case C-634/21 (SCHUFA Holding (Scoring)) and in joined cases C-26/22 and C-64/22 (SCHUFA Holding (discharge from remaining debts)), the CJEU ruled on 7 December 2023 that two data processing practices of commercial credit agencies are incompatible with the requirements of the GDPR. On scoring, the CJEU held that the automated establishment of a probability value (score) by a credit agency itself constitutes "automated individual decision-making" within the meaning of Article 22 GDPR where the agency's contractual partners draw strongly on that value when deciding whether to enter into a contract with the data subject; such scoring is therefore only permissible under the conditions of Article 22 GDPR. On discharge from remaining debts, the CJEU held that a credit agency may not retain information from the public insolvency register about the granting of a discharge for longer than the register itself does, i.e. six months; once that period has elapsed, the data must be erased without undue delay, and even within the six months the interests of the credit agency and of the data subject must be weighed against each other. The proceedings now return to the Wiesbaden Administrative Court (VG), which had referred the questions of interpretation to the CJEU.
The German data protection authorities have already commented on the judgments: in its press release of 7 December 2023, the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) found that the CJEU's case law on scoring also has "groundbreaking significance" for decisions based on the use of AI. The Lower Saxony State Commissioner for Data Protection and the Thuringian Commissioner for Data Protection and Freedom of Information (TLfDI) found that the CJEU has strengthened data protection, and the TLfDI likewise stressed the relevance of the decision for AI systems. The Hessian Commissioner for Data Protection and Freedom of Information (HBDI), who had rejected the data subjects' original complaints in the proceedings mentioned above and whose negative decisions were the subject of the actions before the Administrative Court (VG), summarised the proceedings in a press release dated 7 December 2023.
The future will be shaped by the interaction between current topics such as AI, the Metaverse and data (protection) law. 2024 is therefore set to be an eventful year. Stay up to date with CMS Law-Now.