CMS Data Protection Update, November 2024

Europe

I. The latest from the data protection authorities and current topics

1. EDPB: Coordinated Action in 2025

In October 2024, the European Data Protection Board (EDPB) announced the topic for the next Coordinated Action of Data Protection Authorities. In 2025, the focus will be on the implementation by data controllers of the right to erasure pursuant to Art. 17 General Data Protection Regulation (GDPR), also known as the "right to be forgotten". The aim of the action is to analyse and compare the processes put in place by data controllers, identify the main problems in complying with this right and obtain an overview of best practices. The action is due to start in the first half of 2025. In past years, a focus of the Coordinated Actions of supervisory authorities has been the right of access under Art. 15 GDPR.

2. EDPB: Guidelines on processing personal data based on Art. 6 (1) (f) GDPR

On 8 October 2024, the EDPB released its new guidelines on the processing of personal data based on Art. 6 (1) (f) GDPR for public consultation. These guidelines are of crucial importance and contain criteria for companies that process personal data on the basis of legitimate interests, for balancing tests and for assessing legal interests. The German Federal Commissioner for Data Protection and Freedom of Information (BfDI) has issued a press release welcoming the guidelines and expressing hope for more legal certainty, including for companies. Another development has been the judgment handed down by the Court of Justice of the European Union (CJEU) on 4 October in the case C-621/22 (more on this below).

3. EDPB: New guidelines on Art. 5 (3) ePrivacy Directive

To supplement previous guidelines, the European Data Protection Board (EDPB) has published new guidelines on Art. 5 (3) ePrivacy Directive on storing and accessing information in user devices (e.g. using cookies or other tracking technology). In the guidelines, the EDPB addresses matters including "use cases" such as URL and pixel tracking as well as general terms such as "information".

4. EU Commission: Report on the EU-US DPF

After the adoption of the EU-US Data Privacy Framework (EU-US DPF), which is supposed to ensure that personal data can be transferred from the EU to participating US companies without hindrance on the basis of the adequacy decision, on 9 October 2024 the EU Commission approved its report on the EU-US DPF. The intention is to ensure that all elements of the framework function properly during a periodic review. The report presents the results of the first periodic review and concludes that US authorities have put in place the necessary structures and proceedings and that the DPF is functioning effectively. The EU Commission will continue to monitor the relevant developments.

5. Bundestag: Ordinance on cookies on websites

On 17 October 2024, the German federal parliament (Bundestag) approved the ordinance of the German federal government pursuant to section 26 (2) German Telecommunications Digital Services Data Protection Act (TDDDG) and amendments to the telecommunications fees schedule. The purpose of the ordinance is to create user-friendly, recognised consent management services to manage users' decisions on whether to give consent to a digital service provider.

6. New draft bill: Employee Data Act

A draft bill last revised on 8 October 2024 – the German Employee Data Act (BeschDG) – has been published by the German Federal Ministry of Labour and Social Affairs and the German Federal Ministry of the Interior and Community. The draft bill is intended to strengthen the fair handling of employee data and provide greater legal certainty for employers and employees in the digital world of work. The purpose of the law is to keep up with the progressing digitalisation of the world of work and, in particular, to protect the personal data of employees and personal data during recruiting as the use of artificial intelligence (AI) and other technologies increases. The draft establishes information requirements for employers and requirements for consent to data processing to be granted.

7. DSK: New guide and resolution

The Data Protection Conference (DSK) has adopted a resolution dated 11 September 2024 on transfers of personal data to acquirers of a company as part of an asset deal, replacing its resolution from 2019. In the resolution, the DSK explains the conditions under which data may be transferred at different times during the acquisition of a company.

In August 2024, the DSK also published a new guide on data processing in connection with radio-based meters, which is intended to serve as an aid for lawful data processing when using the meters. Included in the guide is information on possible legal bases for the use of meters for electricity, heating and water as well as on security measures and storage periods. You can also read more about smart meters on our blog: Digitalisation of the energy transition – a new start for smart meters?

8. Lower Saxony: Specialist team for AI

The Lower Saxony Commissioner for Data Protection has set up a specialist team to monitor the dissemination and use of AI under data protection law and ensure that AI is used in accordance with data protection law. Its focus will be on fair, transparent and legally compliant use to secure personal data in an increasingly digitalised world. As a competence centre, the specialist team will be on hand to answer questions on AI and work together with authorities, academia and private and public bodies, with a focus on developing guard rails for using and inspecting AI, supporting research projects and assessing risks. Another key task the commissioner set the specialist team is to raise awareness of the risks associated with using AI among these institutions.

9. Rhineland-Palatinate: Information campaign on the necessity of guest access under data protection law

In August of this year, the Rhineland-Palatinate Commissioner for Data Protection and Freedom of Information organised an information campaign for online shops in Rhineland-Palatinate to draw attention to the principle of data minimisation and the need under data protection law for guest access on the basis of Art. 5 f. GDPR. Previously, the authority carried out random checks on online shops and informed them in writing of any infringements. The commissioner pointed out that one in ten of the online shops inspected had deficiencies in this regard. You can find the commissioner's press release dated 28 August 2024 here. See our blog for more about the topic: Obligation to set up guest access in online retail? (cmshs-bloggt.de).

10. Baden-Württemberg: FAQ about deceptive design patterns

In October 2024, the Baden-Württemberg Commissioner for Data Protection and Freedom of Information (LfDI) published an FAQ on deceptive design patterns on user interfaces intended to induce users into taking certain actions, such as giving consent under data protection law. For example, this can be done through the interface design by choosing a certain colour or placing content in specific locations. In addition to general information, the commissioner's guidelines contain explanations on overloading, skipping and stirring and are based on the guidelines on deceptive design patterns in social media platform interfaces and how to recognise and avoid them from the EDPB from 2023.

11. Bavaria, Berlin, Rhineland-Palatinate and Thuringia: Activity report 2023

In September, the Bavarian Commissioner for Data Protection (BayLfD) released the 2023 activity report. In addition to AI, the authority in 2023 focused on topics such as personal data protection and the consequences of the adequacy decision on the EU-US DPF for data controllers in the Bavarian public sector. In September, the Thuringian Commissioner for Data Protection and Freedom of Information (TLfDI) also published the 2023 activity report, which identified areas of focus such as digitalisation, AI and video surveillance. The report also shows that the number of administrative fine proceedings has risen slightly compared to the previous year. The 2023 activity report of the Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI) also describes the influence AI and digitalisation are having on the authority's work.

In Rhineland-Palatinate, the 2023 activity report of the Commissioner for Data Protection and Freedom of Information was released in October 2024. The topic of AI also took centre stage in this report. The commissioner found that the number of data incidents and complaints remain high.

II. New GDPR fines

1. Netherlands: EUR 290 million fine for non-compliance with general principles of data processing

The Dutch data protection authority imposed a fine of EUR 290 million against a passenger transport company for non-compliance with the general principles of data processing. According to the authority, over a period of two years the company transferred personal data of European drivers, such as location information, payment details, IDs and data concerning health, to the USA and stored it on US servers without sufficient data protection precautions. No adequate safeguards, such as standard contractual clauses (SCC), were used during the period. The Dutch authority argued that the transfers have only been secured since the application of the EU-US DPF.

2. Ireland: EUR 91 million fine for insufficient technical and organisational measures (TOMs)

In Ireland, Meta Platforms received a fine of EUR 91 million due to a lack of suitable technical and organisational measures (TOMs). According to the Irish data protection authority, user passwords were stored unencrypted on internal systems, though external parties had no access to these passwords.

3. Netherlands: EUR 30.5 million fine for non-compliance with general principles of data processing

A company in the Netherlands specialising in facial recognition software has been fined EUR 30.5 million after the data protection authority found that the company had unlawfully, without a valid legal basis and in breach of the transparency requirement, processed personal data obtained through social media scraping in a database containing over 30 billion images. Rights of data subjects and the obligation to appoint a representative within the EU were also not properly observed.

4. Sweden: EUR 3.2 million fine for insufficient technical and organisational measures (TOMs)

The Swedish data protection authority has imposed a GDPR fine of EUR 3.2 million on a pharmaceutical retailer. The data controller used meta pixels on its website, which, due to incorrect settings, resulted in the transfer of customer personal data to Meta. The purpose of the tool was to improve marketing, not to transfer data. During its investigation, the data protection authority found that the controller had failed to take appropriate TOMs to protect personal data and avoid such an incident.

5. Norway: EUR 20,900 fine for having an insufficient legal basis for data processing

In September 2024, the Norwegian data protection authority fined a local authority EUR 20,900 after it granted two former employees access to a whistleblower report without redacting sensitive data concerning health and finances. The data protection authority found that the local authority could not claim any legal basis for processing this information and had previously published confidential information about the whistleblower.

6. Romania: EUR 1,000 fine for insufficient cooperation with the supervisory authority

The Romanian data protection authority imposed a fine of EUR 1,000 on a company based in Romania under the GDPR because the company failed to provide information requested by the data protection authority.

III. Recent case-law

1. CJEU: On the concept of "legitimate interest"

In the case C-621/22, the CJEU issued a judgment on 4 October 2024 ruling that Article 6 (1) (1) (f) GDPR must be interpreted to mean that, where the processing of personal data consists of disclosing personal data of members of a sports association in pursuit of the economic interest of the controller in return for payment, such processing can only be considered necessary for the safeguarding of the legitimate interests of the controller if the processing is absolutely necessary to realise the legitimate interest in question. Furthermore, according to the CJEU, the interests or fundamental rights and freedoms of the members must not outweigh this legitimate interest when all the relevant circumstances are considered. The CJEU also states that Article 6 (1) (1) (f) GDPR does not require a law to determine such an interest. According to the court, however, the provision requires that the legitimate interest invoked is lawful. The CJEU clearly takes a relatively broad interpretation of the provision and the concept of "legitimate interests".

In its judgment of 12 September 2024 (C-17/22 and C-18/22), the CJEU had already emphasised that processing can only be based on a legitimate interest if the processing is absolutely necessary to realise the legitimate interest, and that the interests or fundamental rights and freedoms of the data subject do not outweigh the legitimate interest of the controller, taking into account all the circumstances.

2. CJEU: No indefinite and unrestricted use of data by social media networks

In its judgment of 4 October 2024 (C-446/21), the CJEU ruled in proceedings initiated by data protection activist Maximilian Schrems that an online social network is not permitted to use all the personal data it has received for the purpose of targeted advertising for an unlimited period of time and without differentiating between its types. According to the CJEU, this is contrary to the principle of data minimisation. It could not rule out that statements about sexual orientation made at a panel discussion were manifestly made public, although the competent court in Austria would have to rule on this. The CJEU conceded that the fact a data subject has made data on their sexual orientation public means that the data can be processed in compliance with the GDPR, but this alone does not authorise the processing of other personal data relating to that person's sexual orientation. A statement about the proceedings by the NGO "None Of Your Business" (NOYB), of which Maximilian Schrems is a member, can be found here.

3. CJEU: Latest developments on GDPR damages

After repeated rulings on damages under Art. 82 GDPR from the CJEU in the past, a decision by the CJEU on questions referred from Latvia in case C-507/23 was still pending; in October 2024, the CJEU ruled on these questions that Art. 82 GDPR must be interpreted as meaning that an apology can constitute reasonable compensation for non-material damage. This is the case if it is no longer possible to restore the situation before the damage occurred and if this form of compensation – against the background of the compensatory function of the regulation – is suitable to compensate fully for the damage the data subject suffered. The CJEU held that it is not possible to take the position and motives of the controller into account to grant the data subject less in compensation than the actual damage incurred.

The CJEU also commented on the concept of loss of control. According to a judgment handed down by the Court of Justice on 4 October 2024 (C-200/23), Art. 82 (1) GDPR must be interpreted as meaning that a loss of control, which lasted for a limited period of time and which a data subject suffered as a result of data being made available online in a commercial register of a member state for a limited period of time may constitute non-material damage. This presupposes, however, that the data subject provides evidence that they have suffered the damage, even if the damage is minimal. This does not mean that the concept of non-material damage requires proof that additional specific detrimental consequences exist, the CJEU continued.

4. CJEU: Competitors' standing to bring action for GDPR infringements

On 25 April 2024, the Opinion of the Advocate-General responsible was released in the case C-21/23. In October, the CJEU rendered its judgment. One of the key issues in these proceedings is whether infringements of data protection law under the GDPR can be asserted by competitors of the controller via the provisions of the German Unfair Competition Act (UWG), instead of only by data subjects as the parties authorised to bring an action. The CJEU has now ruled that EU member states may grant competitors of an alleged infringer of personal data provisions the opportunity to challenge this infringement in court as a prohibited unfair business practice. In the underlying cases, a competitor of a pharmacist with a mail-order licence had brought an action, claiming that the pharmacist was in breach of the GDPR. The CJEU also confirmed that data concerning health within the meaning of Article 9 (1) GDPR are transmitted when ordering non-prescription but pharmacy-only medicines via an online platform.

5. CJEU: Rules on requirement of the supervisory authorities to impose remedies and fines

In its judgment dated 26 September 2024, the CJEU ruled on questions referred from Germany in the case C-768/21 on the obligation of supervisory authorities to impose remedies and fines in the event of GDPR infringements in accordance with Art. 58 (2) GDPR. The CJEU has denied that such an obligation to impose measures or fines exists in every case. In particular, according to the court, supervisory authorities may refrain from doing so if the necessary measures have already been taken by the data controller on their own initiative. This case involved a bank employee who had repeatedly accessed personal customer data without authorisation. The bank did not inform the customer of this but took disciplinary action against the employee and reported the incident to the competent data protection authority. The customer concerned became aware of the incident and demanded that the data protection authority intervene. The CJEU has now strengthened the discretionary powers of the authority in these cases, but it held that this must always be seen against the background of ensuring a uniform and high level of protection. In a press release from 26 September 2024 on the judgment, the Hessian Commissioner for Data Protection and Freedom of Information welcomed the CJEU's decision and emphasised that it provides a positive incentive to monitor compliance with data protection requirements and react immediately in the event of infringements.

6. German Federal Court of Justice: Latest developments on social media scraping

The hearing scheduled for 8 October 2024 before the German Federal Court of Justice for social media scraping cases in the proceedings VI ZR 7/24 and VI ZR 22/24 was cancelled after the second appeals were withdrawn in both proceedings. The previous rulings were issued by Stuttgart Higher Regional Court (judgment dated 13 December 2023 – 4 U 51/23) and Cologne Higher Regional Court (judgment dated 7 December 2023 – 15 U 108/23) regarding the scraping cases on a social media platform. The Stuttgart Higher Regional Court found that future damage attributable to the scraping was to be compensated pursuant to Art. 82 GDPR, while Cologne Higher Regional Court rejected the claim for compensation in a comparable case.

Nevertheless, the German Federal Court of Justice will rule on the scraping cases in the near future, as it has designated the appeal proceedings VI ZR 10/24 in the scraping complex as the landmark decision proceedings (decision dated 31 October 2024 - VI ZR 10/24). The hearing for this was scheduled for 11 November 2024 (VI ZR 10/24).

IV. CMS events, fascinating blog posts and more

1. CMS Client Academy | Introduction to Data Protection | E-learning.

2. CMS GDPR Enforcement Tracker Report 2023/2024.

3. Legal standing of consumer associations in the event of GDPR infringements (in German) (cmshs-bloggt.de).

4. Our overview of case-law on GDPR compensation has been updated (in German): GDPR compensation: Overview of current rulings and developments (continuously updated) (cmshs-bloggt.de)

5. With CMS Digital Laws, you can now also work with the full texts of the AI Act and the P2B Regulation in German and English in addition to the Digital Services Act (DSA) and the Data Governance Act (DGA). More content is coming.

For more information on any of these news stories and on data protection issues in the EU and Germany, contact your CMS client partner or these CMS experts.