
EU General Data Protection Regulation (GDPR)

I. European Union (EU) - General Data Protection Regulation (GDPR)

The EU General Data Protection Regulation (GDPR), adopted in 2016, came into force on 25 May 2018, replacing the EU Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (EU Directive). The GDPR involves new provisions and enhanced rights. In the wake of technological developments and globalisation and the constitutionalisation of the fundamental right to data protection in the EU, the GDPR aims to harmonise the framework for the digital single market, put individuals in control of their data and formulate a modern data protection governance.

Why is the GDPR relevant to Hong Kong organisations/ businesses?

In Hong Kong, the Personal Data (Privacy) Ordinance, Cap 486 of the Laws of Hong Kong (PDPO) protects the privacy of individuals in relation to personal data. When the PDPO was drafted, reference was made to the relevant requirements under the OECD Privacy Guidelines 1980 and the EU Directive. Given that the GDPR constitutes significant developments of data protection law from the EU Directive, the new regulatory framework includes a number of requirements that are not found under the PDPO.

One of the key developments introduced under the GDPR to the data protection landscape outside the EU is the explicit requirement of compliance by organisations established in non-EU jurisdictions in specified circumstances. Given the diversified business or transaction models (e.g. online transactions), it is all the more important for businesses in Hong Kong to ascertain if the GDPR is applicable to them, and to keep up with the new developments.


II. New Standard Contractual Clauses adopted by the European Commission under the GDPR for International Data Transfers
III. Publications and Articles on the GDPR
IV. Guidance and reference materials issued by the European Union
V. Highlights of Important Decisions and Major Developments under the GDPR




II. New Standard Contractual Clauses adopted by the European Commission under the GDPR for International Data Transfers

The European Commission adopted a new set of Standard Contractual Clauses (which came into effect on 27 June 2021) for the transfer of personal data to non-EU regions (“New SCCs”). From 27 September 2021 onwards, data exporters and data importers can only conclude contracts incorporating the New SCCs for the transfer of personal data out of the European Union. The PCPD publishes, for public reference, a set of frequently asked questions and answers on the implementation framework of the New SCCs and the obligations of parties entering into cross-border data transfer agreements using the New SCCs.

For more information, please refer to the set of frequently asked questions and answers:
https://www.pcpd.org.hk/english/data_privacy_law/eu/files/eu_faq.pdf

Please click here to read the "Introduction to the European Commission’s New Standard Contractual Clauses for International Data Transfers".

Please click here to download the presentation files and watch the video of the Webinar on “the New Standard Contractual Clauses of the EU for Transfer of Personal Data from EU to Non-EU Regions” organised by the PCPD.



III. Publications and Articles on the GDPR

To raise the awareness amongst organisations / businesses in Hong Kong of the possible impact of the new regulatory framework for data protection in the GDPR, the PCPD has issued the following publication:

Booklet: An Update on European Union General Data Protection Regulation 2016 (May 2020 Revised Edition)


IV. Guidance and reference materials issued by the European Union

More Guidelines and Recommendations can be found here: https://edpb.europa.eu/our-work-tools/general-guidance/guidelines-recommendations-best-practices_en?page=0

European Data Protection Board

Recommendations and guidelines by subject matter:

Administrative fines: Guidelines 04/2022 on the calculation of administrative fines under the GDPR
Consent: Guidelines 05/2020 on consent
Controller and processor: Guidelines 07/2020 on the concepts of controller and processor in the GDPR
Data breach notification
Data portability: Guidelines on right to data portability
Data protection by design and by default: Guidelines 4/2019 on Article 25 data protection by design and by default
Data protection impact assessments: Guidelines on data protection impact assessments
Data subject rights: Guidelines 01/2022 on data subject rights - Right of access
Derogations: Guidelines 2/2018 on derogations of Article 49 under the GDPR
Information and communications technology
One-Stop-Shop mechanism
International transfer and tools
Restrictions: Guidelines 10/2020 on restrictions (on the scope of rights of data subject and obligations of controllers/processors) under Article 23 of the GDPR
Social media
Territorial scope: Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)
Transparency: Guidelines on Transparency under Regulation 2016/679


European Commission

Reference materials by subject matter:

Data protection regime: Overview of the data protection regime in the EU
GDPR requirements: Introduction to the requirements of the GDPR


V. Highlights of Important Decisions and Major Developments under the GDPR

A. Highlight of Important Decisions under the GDPR

(I) Decisions involving imposition of fines

Each entry below gives the date of decision, the data protection authority, and the penalty imposed and violations found.

22 July 2024 The Dutch Data Protection Authority (AP)

The Dutch Data Protection Authority (AP) fined Uber €290 million for breaches of the GDPR relating to the transfer of personal data of European taxi drivers to the United States without appropriate safeguards.

AP found that Uber collected sensitive information of drivers from Europe (including account details, taxi licences, location data, photos, payment details, identity documents, criminal and medical data) and retained it on servers in the United States. The transfers in question took place between 6 August 2021 and 27 November 2023. At the material time, the EU-US Privacy Shield was invalidated as a mechanism for transatlantic data transfers by the decision of the Court of Justice of the European Union in 2020. Even though standard contractual clauses (SCC) could still provide a valid basis for transferring personal data to a country outside the EU (if an equivalent level of protection can be guaranteed in practice), Uber no longer used SCC from August 2021 and only relied on the EU-US Data Privacy Framework (the successor to the EU-US Privacy Shield) from near the end of 2023. Thus, AP considered that the personal data transferred during the said period was insufficiently protected and found that Uber had contravened Article 44 of the GDPR.

During the investigation, AP closely cooperated with the French Data Protection Authority (CNIL) and coordinated with other European data protection authorities on the decision. For further details, please refer to the press releases issued by the AP and the CNIL, both dated 26 August 2024.

Remarks: The decision of AP against Uber is on appeal.

16 July 2024 [1] The Dutch Data Protection Authority (AP)

The Dutch Data Protection Authority (AP) imposed a fine of €600,000 on A.S. Watson Health & Beauty Continental Europe B.V. (A.S. Watson) for violating Articles 5(1)(a) and 6 of the GDPR.

The AP’s investigation in October and November 2019 revealed that Kruidvat, a subsidiary of A.S. Watson, placed cookies on the devices of visitors to its “Kruidvat.nl” website without first obtaining valid consent from them. The cookie option on the website was also pre-checked by default, meaning that the consent obtained for the processing of users’ personal data was not a “freely given, specific, informed and unambiguous” indication as required under Article 4 of the GDPR.

Moreover, it was found that the cookies collected information such as users’ location data, the pages they visited, the products they added to their shopping basket and purchased, and the recommendations they clicked on. The AP considered that the data collected was particularly sensitive. Given the nature of healthcare products available for purchase on Kruidvat’s website, when combined with the location data obtained through IP address tracking, highly specific and invasive user profiles of individuals visiting the “Kruidvat.nl” website could be created.

In light of the above, the AP determined that the processing of personal data of the website visitors was unlawful, thus contravening Articles 5 and 6 of the GDPR.

1 July 2024 Norwegian Data Protection Authority (Datatilsynet)

On 1 July 2024, the Oslo District Court upheld the 65 million kroner (approximately €5.55 million) fine imposed by the Norwegian Data Protection Authority (Datatilsynet) against the dating application (app) Grindr for its failure to comply with the consent requirement under the GDPR.

The case originated from a complaint lodged by the Norwegian Consumer Council in 2020 as Grindr was found to have shared sensitive personal data of users with numerous commercial third parties, several of which reserved the right to further share the data with other companies for targeted advertising. The personal data shared by Grindr included the users’ GPS locations, IP addresses, advertising ID, age, gender, device information and users’ names on the app.

The court upheld Datatilsynet’s decision that the purported consents Grindr obtained for sharing personal data were invalid, as users could only accept the privacy policy in its entirety to use the app and were not asked specifically if they wanted to consent to the sharing of their data with third parties for behavioural advertisements. It was also found that the information on the sharing of personal data was not properly communicated to users. Hence, the purported consents fell short of the requirement of a valid “consent” under Article 4 of the GDPR.

Furthermore, the court confirmed Datatilsynet’s findings that the information of a person being a registered user of Grindr (which markets itself specifically to the LGBTQ+ community) is considered as personal data concerning a person’s sexual orientation, which falls within the definition of special category of personal data under Article 9(1) of the GDPR. As the purported consents obtained were not valid, by sharing the said personal data, Grindr has failed to comply with the GDPR. With more stringent consent requirements under Article 9 of the GDPR, the court considered that Grindr also failed to obtain “explicit consent” in accordance with Article 9(2)(a) of the GDPR.

When assessing the amount of fine to be imposed, the court took into account the severity of the infringement of the GDPR, the size and financial situation of Grindr, as well as the steps that Grindr had taken to remedy the deficiencies.

27 December 2023 The French Data Protection Authority (CNIL)

The French Data Protection Authority (CNIL) fined Amazon France Logistique (Amazon), which manages the Amazon group’s large warehouses in France, €32 million for breaches of the GDPR relating to employee monitoring using scanners and video surveillance processing.

The CNIL found that, in giving scanners to its employees to document in real time the performance of the tasks assigned to them, Amazon had (i) failed to comply with the data minimisation principle (in contravention of Article 5(1)(c)); (ii) failed to ensure lawful processing by using indicators that were excessively intrusive and therefore unlawful, including indicators making it possible to monitor every interruption of an employee’s scanner, potentially requiring employees to justify every break or interruption (in contravention of Article 6); and (iii) failed to ensure that Amazon’s privacy policy had been given to temporary workers before their personal data was collected using the scanners or processed (in contravention of Articles 12 and 13).

Further, CNIL found that in using video surveillance processing, Amazon has (i) failed to properly inform employees and external visitors of the video surveillance systems by providing information on notice boards or in other media or documents (in contravention of Articles 12 and 13), and (ii) failed to comply with the obligation to ensure security of personal data in using weak access password and sharing access account among several users (in contravention of Article 32).

For further details, please refer to the press release and the decision issued by the CNIL dated 23 January 2024.

11 December 2023 The Dutch Data Protection Authority (AP) and the French Data Protection Authority (CNIL)

The Dutch Data Protection Authority (AP), in cooperation with the French Data Protection Authority (CNIL), issued a €10 million fine on Uber Technologies, Inc. and Uber B.V. (Uber) for breaches of the GDPR by (i) failing to provide the data requested under the right of access in a clear manner and an accessible format and only providing such information in English (in contravention of Article 12(1)); (ii) not making the online form for exercising rights within the application used by drivers sufficiently accessible, as the form was located deep within the app and spread across various menus, and it could have been placed in a more logical location (in contravention of Article 12(2)); (iii) providing incomplete information in their privacy statement about data transfers outside the European Union and the specific security measures regarding the data transfers (in contravention of Articles 13(1)(f) and 15(2)), as well as overly general information about data retention periods (in contravention of Articles 13(2)(a), 15(1)(a) and 15(1)(d)); and (iv) failing to explicitly mention the right to data portability in their privacy statement (in contravention of Article 13(2)(b)).

In determining the amount of the fine, AP considered the size of the organisation and the severity and gravity of the infringements. At the time of the infringements, about 120,000 drivers were working for Uber in Europe.

For further details, please refer to the press release issued by the AP and the press release issued by the CNIL, both dated 31 January 2024.

1 September 2023 The Data Protection Commission of Ireland (DPC)

The Data Protection Commission of Ireland (DPC) issued a reprimand and imposed on TikTok Technology Limited (TikTok) a fine of €345 million for breaches of the GDPR between 31 July 2020 and 31 December 2020. The DPC found that (i) the profile settings for child user accounts were set to public by default, which allowed anyone (on or off TikTok) to view the content posted by child users (in contravention of Articles 25(1), 25(2), 5(1)(c) and 24(1)); (ii) TikTok failed to implement appropriate technical and organisational measures to mitigate the risks posed to children under the age of 13 who gained access to the platform (in contravention of Article 24(1)); (iii) the “Family Pairing” setting allowed a non-child user (who could not be verified as the parent or guardian) to pair their account to that of the child user and to enable direct messages for child users above the age of 16, which posed severe risks to child users (in contravention of Articles 5(1)(f) and 25(1)); (iv) TikTok failed to provide sufficient transparency information (i.e. the categories of recipients of personal data, and the scope and consequences of the public-by-default processing) to child users (in contravention of Articles 12(1) and 13(1)(e)); and, following the EDPB’s binding decision in August 2023, (v) TikTok implemented “dark patterns” by nudging users towards more privacy-intrusive options during the registration process and when posting videos (in contravention of Article 5(1)(a)). In addition to issuing a reprimand and imposing a fine of €345 million, the DPC issued an order requiring TikTok to bring its processing into compliance within three months. For more details, please refer to the decision of the DPC and the press release issued by the DPC dated 15 September 2023.

15 June 2023 The French Data Protection Authority (CNIL)

The French Data Protection Authority (CNIL) fined Criteo, a company specialising in “behavioural retargeting” (the collection of internet users’ browsing data via its tracker (cookie) in order to display personalised advertising to users), €40 million for breaches of the GDPR, namely, (i) failing to verify and demonstrate that the relevant internet users gave their consent to the data processing (in contravention of Article 7.1); (ii) failing to provide a clear privacy policy informing users what personal data was being used and how (in contravention of Articles 12 and 13); (iii) failing to respect users’ right of access by providing them with only partial access to their personal data (in contravention of Article 15.1); (iv) failing to comply with users’ rights to withdraw consent and to erasure of data (in contravention of Articles 7.3 and 17.1); and (v) failing to specify some of the respective obligations of controllers, as required under the GDPR, in the agreement between Criteo and its partners as joint controllers (in contravention of Article 26). For details, please refer to the press release issued by the CNIL dated 22 June 2023.

12 May 2023 The Data Protection Commission of Ireland (DPC)

The Data Protection Commission of Ireland (DPC) imposed on Meta Platforms Ireland Limited (Meta) a fine of €1.2 billion and corrective measures for infringement of Article 46(1) of the GDPR in its transfer of personal data from the EU to the US in relation to its Facebook services. The DPC found that although Meta had relied on the Standard Contractual Clauses adopted by the European Commission in 2021 for such transfers and had implemented supplemental measures to address the concerns regarding US surveillance laws raised by the Court of Justice of the European Union (CJEU) in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18), the data transfer arrangements, in the circumstances, did not provide appropriate safeguards for the personal data. Therefore, Meta had contravened Article 46(1) of the GDPR.

Meta was (i) ordered to suspend any future transfer of personal data to the US within 5 months; (ii) fined €1.2 billion; and (iii) ordered to bring its processing operations into compliance with Chapter V of the GDPR within 6 months. For more details, please refer to the decision of the DPC dated 12 May 2023 and the press release issued by the DPC dated 22 May 2023.

4 April 2023 The Information Commissioner’s Office of the UK (ICO)

The Information Commissioner’s Office (ICO) issued a £12,700,000 fine to TikTok Information Technologies UK Limited and TikTok Inc (TikTok) for breaches of the UK GDPR between May 2018 and July 2020, namely, by (i) providing its services to UK children under the age of 13 and processing their personal data without consent or authorisation from their parents or carers (in contravention of Articles 6(1) and 8); (ii) failing to provide proper information to its users, in a way that is easy to understand, about how their data is collected, used and shared, which made users, in particular children, unlikely to be able to make informed choices about whether and how to engage with it (in contravention of Article 12); and (iii) failing to ensure that the personal data of its UK users was processed lawfully, fairly and in a transparent manner (in contravention of Article 5(1)(a)). For more details, please refer to the news article issued by the ICO dated 4 April 2023.

12 January 2023 The Data Protection Commission of Ireland (DPC)

The Data Protection Commission of Ireland (DPC) imposed on WhatsApp Ireland Limited (WhatsApp) a fine of €5.5 million for breaches of the GDPR relating to its service. The DPC found that WhatsApp was not entitled to rely on the “contract” legal basis as providing a lawful basis for its processing of personal data for the purposes of service improvement and security, and had contravened Article 6 of the GDPR. WhatsApp was also in breach of the fairness principle and its transparency obligations by not clearly outlining its legal basis for personal data processing to users. WhatsApp was also directed to bring its data processing operations into compliance within 6 months. The decision was issued after the adoption of a binding decision by the European Data Protection Board under Article 65 of the GDPR (a dispute resolution process triggered as a result of the opposing views among the supervisory authorities concerned). For more details, please refer to the decision of the DPC dated 12 January 2023 and the press release issued by the DPC dated 19 January 2023.

4 January 2023 The Data Protection Commission of Ireland (DPC)

The Data Protection Commission of Ireland (DPC) imposed on Meta Platforms Ireland Limited (Meta) fines of €210 million and €180 million for breaches of the GDPR relating to its Facebook and Instagram services respectively. The DPC found that Meta was not entitled to rely on the “contract” legal basis in connection with the delivery of personalised services (including behavioural advertising) as part of its Facebook and Instagram services, and had contravened Article 6 of the GDPR. Meta was also in breach of the fairness principle and its transparency obligations by not clearly outlining its legal basis for personal data processing to users. Meta was directed to bring its data processing operations into compliance within 3 months. The decision was issued after the adoption of a binding decision by the European Data Protection Board under Article 65 of the GDPR (a dispute resolution process triggered as a result of the opposing views among the supervisory authorities concerned). For more details, please refer to the decisions (Facebook; Instagram) of the DPC and the press release issued by the DPC dated 4 January 2023.

25 November 2022 The Data Protection Commission of Ireland (DPC)

The Data Protection Commission of Ireland (DPC) imposed on Meta Platforms Ireland Limited (Meta) a fine of €265 million and a range of corrective measures for infringement of its obligation of data protection by design and by default under the GDPR, following the conclusion of an inquiry into Meta in relation to the discovery of a collated set of personal data that had been scraped from Facebook and made available on the Internet. For details of the decision, please refer to the press release issued by the DPC dated 28 November 2022.

10 November 2022 The French Data Protection Authority (CNIL)

The French Data Protection Authority (CNIL) fined Discord Inc. (Discord), a company which provides voice over IP and instant messaging services, €800,000 for failing to have a written data retention policy in place and failing to provide sufficient information to its users regarding its data retention periods, with no specific retention periods or criteria for determining them. The investigation also found that Discord failed to inform users that voice channel connections and transmissions to third parties continued to run in the background after the application window was closed, failed to carry out a data protection impact assessment, and failed to put in place a sufficiently strong password management policy. For details of the decision, please refer to the press release issued by the CNIL dated 17 November 2022.

2 November 2022 The Portuguese Data Protection Authority (CNPD)

The Portuguese Data Protection Authority (CNPD) imposed a €4.3 million fine on the National Institute of Statistics for various violations of the GDPR in conducting the 2021 census. Following an investigation, CNPD found that the questions in the census concerning religion and health data, which were legally required to be optional, were not duly flagged as optional, thus preventing respondents from freely deciding whether to respond to questions collecting special categories of data. Further, CNPD held that the National Institute of Statistics did not provide any information concerning the processing operations, violated its duties of due diligence in choosing processors, infringed provisions relating to international transfers of data and failed to carry out a Data Protection Impact Assessment relating to the processing. For details of the decision, please refer to the summary of decision issued by the European Data Protection Board.

17 October 2022 The French Data Protection Authority (CNIL)

The French Data Protection Authority (CNIL) fined Clearview AI Inc. €20 million for unlawfully processing personal data by collecting and using biometric data without a legal basis, and for its failure to take into account the rights of data subjects in an effective and satisfactory way, in particular requests for access to their data. During the investigation, Clearview AI Inc. also failed to cooperate with the CNIL. For details of the decision, please refer to the press release issued by the CNIL dated 20 October 2022.

6 October 2022 The Italian Data Protection Authority (GPDP)

The Italian Data Protection Authority (GPDP) imposed a fine of €2 million and issued various compliance orders to Alpha Exploration Co. Inc, the parent company of the social platform Clubhouse, for violations of the GDPR, including the lack of valid legal bases for data processing activities carried out for the purposes of marketing, recording, sharing audio with third parties, profiling of users and sharing of account information, failure to provide information to users on the processing, and failure to provide adequate information on personal data retention periods. For details of the decision, please refer to the press release issued by the GPDP dated 5 December 2022.

4 October 2022 The Information Commissioner’s Office of the UK (ICO)

The Information Commissioner’s Office (ICO) fined Easylife Ltd £1,350,000 for using the personal information of 145,400 customers to predict their medical conditions and target them with health-related products without their consent, and an additional £130,000 for making 1,345,732 unwanted marketing calls. For details of the decision, please refer to the press release issued by the ICO dated 6 October 2022.

2 September 2022 The Data Protection Commission of Ireland (DPC)

The Data Protection Commission of Ireland (DPC) imposed on Instagram (Meta Platforms Ireland Limited (Meta IE)) a fine of €405 million and a range of corrective measures, following an inquiry into the processing of personal data relating to child users (aged between 13 and 17) of the Instagram social networking service, which examined the public disclosure of email addresses and/or phone numbers of children using the Instagram business account feature and the public-by-default setting for personal Instagram accounts of children.

The decision was issued after the adoption of a binding decision by the European Data Protection Board under Article 65 of the GDPR (a dispute resolution process triggered as a result of the opposing views among the supervisory authorities concerned). For details of the decision, please refer to the decision of the DPC and its press release dated 15 September 2022.

13 July 2022 The Hellenic Data Protection Authority of Greece

The Hellenic Data Protection Authority of Greece fined Clearview AI Inc., a company which markets facial recognition services, €20 million for violating the principles of lawfulness and transparency, imposed a prohibition on the collection and processing of personal data of subjects located in Greek territory using the methods included in the facial recognition service, and ordered it to delete the personal data of those subjects located in Greece which it collects and processes using the aforementioned methods. For details of the decision, please refer to the summary of decision issued by the European Data Protection Board.

18 May 2022 The Information Commissioner’s Office of the UK (ICO)

The Information Commissioner’s Office (ICO) fined Clearview AI Inc. £7,552,800 for using images of people in the UK and elsewhere, collected from the web and social media, to create a global online database that could be used for facial recognition. Clearview AI Inc. was also ordered to stop obtaining and using personal data of UK residents that is publicly available on the Internet and to delete the data of UK residents from its systems. For details of the decision, please refer to the press release issued by the ICO dated 23 May 2022.

15 March 2022 The Data Protection Commission of Ireland (DPC)

The Data Protection Commission of Ireland fined Meta Platforms (formerly Facebook) €17 million for infringements of Article 5(2) of the GDPR (in relation to the purpose limitation principle). For details of the decision, please refer to the summary of decision issued by the European Data Protection Board.

10 February 2022 The Italian Data Protection Authority (GPDP)

The Italian Data Protection Authority (GPDP) fined Clearview AI Inc. €20 million for processing personal data unlawfully without an appropriate legal basis, and for infringements in relation to transparency, purpose limitation and storage limitation, among others. For details of the decision, please refer to the summary of decision issued by the European Data Protection Board.

14 January 2022 The Dutch Data Protection Authority

The Dutch Data Protection Authority fined DPG Media Magazines €525,000 for unnecessarily requesting copies of identity documents. For details of the decision, please refer to the summary of decision issued by the European Data Protection Board.

22 December 2021 The Austrian Data Protection Authority (DSB)

The Austrian Data Protection Authority (DSB) ruled that the use of the Google Analytics tool by an Austrian website operator on its website violated Article 44 of the GDPR in transferring personal data to Google LLC in the United States. In particular, the DSB held that the standard contractual clauses which the website operator had concluded with Google LLC did not offer an adequate level of protection for the personal data concerned. For details of the decision, please refer to the summary of decision issued by the DSB entitled “Information from the data protection authority on the decision on the use of Google Analytics”.

20 August 2021 The Data Protection Commission of Ireland (DPC)

The Data Protection Commission of Ireland (DPC) issued its final decision imposing a fine of €225 million on WhatsApp Ireland Ltd., along with a reprimand and an order for WhatsApp Ireland Ltd. to bring its processing into compliance by taking a range of specified remedial actions in respect of infringements of, inter alia, the principle of transparency in providing information to users across Europe about its service. The final decision was issued after the adoption of a binding decision by the European Data Protection Board under Article 65 of the GDPR (a dispute resolution process triggered as a result of the opposing views among the supervisory authorities concerned). For details of the decision, please refer to the decision of the DPC and its press release dated 2 September 2021.

Remarks: The decision of the DPC against WhatsApp Ireland Ltd. is being appealed.

21 June 2021 The Swedish Authority for Privacy Protection (IMY)

The Swedish Authority for Privacy Protection (IMY) fined SL, which operates public transport in Stockholm, SEK 16 million for unlawful use of body cameras on public transport. For details of the decision, please refer to the summary of decision issued by the European Data Protection Board.

29 April 2021 The Dutch Data Protection Authority

The Dutch Data Protection Authority fined a municipality €0.6 million for using Wi-Fi tracking that made it possible to track shoppers and people who live or work in the city centre. For details of the decision, please refer to the summary of decision issued by the European Data Protection Board.

1 The substantive ruling was issued on 2 May 2024 and the announcement on the imposition of fine was made on 16 July 2024.


(II) Interpretation of the GDPR

Date of Decision Ruling
20 June 2024 Court of Justice of the European Union clarifies the rules regarding compensation for non-material damage arising from identity theft

On 20 June 2024, the Court of Justice of the European Union (CJEU) delivered a preliminary ruling concerning compensation for non-material damage under Article 82 of the GDPR in the context of identity theft.
 
The case originated from a request for a preliminary ruling by the local court of Munich, Germany with regard to a proceeding brought by two applicants who opened accounts at a German company named Scalable Capital and entered personal data (“Data”) in their respective accounts. The Data was later seized by unknown third parties. There was no indication that the Data had been used fraudulently. The applicants sought compensation for non-material damages which they claimed to have suffered as a result of theft of the Data.
 
The case was referred to the CJEU to clarify these main issues:
(1) whether compensation under Article 82 of the GDPR is exclusively compensatory, or both punitive and compensatory;
(2) whether, in determining the amount of compensation, it is required to consider the severity and possible intentional nature of the infringement of the GDPR, and whether it is appropriate to consider that non-material damage is by its nature less significant than physical injury;
(3) whether minimal compensation can be awarded where the damage is not serious; and
(4) whether compensation for non-material damages for “identity theft” requires the actual misuse of the identity of data subject.
 
In answering (1) and (2), the CJEU stressed the difference between the compensatory nature of Article 82 of the GDPR and the punitive nature of Articles 83 and 84 of the GDPR and affirmed that compensation under Article 82 is neither punitive nor deterrent. The CJEU ruled that Article 82(1) is exclusively compensatory, allowing the damage actually suffered as a result of an infringement of the GDPR to be compensated fully and effectively. As such, it does not require consideration of the severity and possible intentional nature of the infringement. Also, it is not the case that non-material damage is, by its nature, less significant than physical injury, and this should be borne in mind when determining the amount of damages due in respect of the right to compensation for non-material damage.
 
On (3), the CJEU took the view that Article 82(1) does not require the damage alleged by the data subject to reach a “de minimis” threshold.  Provided that the compensation is such as to compensate the damage suffered in full, minimal compensation can be awarded where the damage is not serious.
 
On (4), the CJEU ruled that to claim compensation for non-material damage caused by identity theft, there must have been actual misuse of the identity of the person affected by a theft of personal data by a third party. However, the CJEU emphasised that compensation for non-material damage caused by the theft of personal data cannot be limited to cases where it is shown that the data theft subsequently gave rise to identity theft or fraud.

For further details, please refer to CJEU’s Judgment dated 20 June 2024.
11 April 2024 Court of Justice of the European Union publishes preliminary ruling regarding the right to compensation for non-material damage in GDPR infringement

On 11 April 2024, the Court of Justice of the European Union (CJEU) delivered a preliminary ruling in relation to the right to compensation for non-material damage under the GDPR.
 
Proceedings were brought by an individual (data subject) against a company (data controller) for using and processing his personal data despite his objections to the company and revocation of his consent to receive marketing information. The data subject relied on Article 82(1) of the GDPR to claim compensation for, inter alia, the loss of control over his personal data. The Regional Court of Saarbrücken, Germany, referred the case to the CJEU for its preliminary ruling on issues relating to the threshold for claiming non-material damage, the data controller’s exemption from liability and the determination of the amount of compensation.
 
In its judgment, the CJEU emphasised that to claim compensation under Article 82(1) of the GDPR, three conditions must be satisfied: (i) the data subject suffered material or non-material damage; (ii) there exists an infringement of the GDPR; and (iii) there is a causal link between the infringement and the damage. Thus, the CJEU held that even if the provision of the GDPR which has been infringed confers rights on the data subject, a mere infringement of that provision is, in itself, not sufficient to constitute “non-material damage” within the meaning of Article 82(1) of the GDPR, irrespective of the degree of seriousness of the damage suffered by the data subject.
 
The CJEU also held that in the event of a personal data breach committed by a person acting under a data controller’s authority, the data controller may benefit from the exemption under Article 82(3) of the GDPR only if he proves that there is no causal link between any breach of the data protection obligations imposed on him under Articles 5, 24 and 32 of the GDPR and the damage suffered by the data subject; simply claiming that the damage in question was caused by negligence or failure on the part of a person acting under his authority is not sufficient.
 
Regarding the determination of the amount of compensation for non-material damage, in light of the difference between the functions of Articles 82 and 83 of the GDPR, the former being compensatory and the latter punitive in nature, the CJEU took the view that (1) the criteria for setting the amount of administrative fines under Article 83 of the GDPR cannot be used to assess the amount of compensation under Article 82 of the GDPR; and (2) it is not necessary to take account of the fact that several infringements of the GDPR concerning the same processing operation affect the person seeking compensation.

For further details, please refer to CJEU’s Judgment dated 11 April 2024.
7 March 2024 Court of Justice of the European Union clarifies the meaning of “personal data” and “joint controller” in the context of advertising technology under the GDPR

On 7 March 2024, the Court of Justice of the European Union (CJEU) made a ruling concerning the interpretation of “personal data” and “joint controller” under the GDPR in the context of advertising technology.

IAB Europe, a non-profit organisation representing the digital advertising and marketing industry, has drawn up the Transparency and Consent Framework (the “Framework”). The Framework establishes a standardised mechanism for requesting, storing and sharing users’ preferences and consents (or objections) concerning the processing of the users’ data for the provision of targeted advertisements. These preferences and consents are stored in a combination of letters and characters, known as the “TC String”.

In 2022, the Belgian Data Protection Authority held that the Framework did not conform to the GDPR requirements, and imposed corrective measures and an administrative fine on IAB Europe. IAB Europe contested the decision before the Brussels Court of Appeal, averring that a TC String does not constitute personal data and that IAB Europe does not qualify as a data controller. The Brussels Court of Appeal referred the matter to the CJEU for a preliminary ruling.

On the question of personal data, the CJEU referred to recital 26 of the GDPR and took the view that for information to be treated as personal data within the meaning of Article 4(1) of the GDPR, it is not required that all the information enabling the identification of the data subject must be in the hands of one person. Noting also that the user may be identified by combining the TC String with additional data such as the user’s IP address, the CJEU held that the TC String constitutes personal data within the meaning of Article 4(1) of the GDPR. The mere fact that IAB Europe is unable to access the data processed by its members under the Framework and carry out the combination by itself does not preclude a TC String from being classified as personal data.

On the question of joint controllership, the CJEU held that IAB Europe may be regarded as a “joint controller” under Articles 4(7) and 26(1) of the GDPR since it exerts influence over the processing of personal data for its own purposes and determines, jointly with its members, the purposes and means of that processing. That said, the CJEU clarified that the joint controllership of IAB Europe does not extend to the subsequent processing of personal data that does not involve the participation of IAB Europe.

The CJEU reiterated that joint controllership does not always imply equal responsibility among all joint controllers engaged in the processing of personal data. The level of responsibility of each joint controller must be assessed in light of all relevant circumstances of the particular case.

For further details, please refer to (1) CJEU’s Judgment and (2) Press Release issued by the CJEU dated 7 March 2024.
 
30 January 2024 Court of Justice of the European Union rules police should not indefinitely store biometric data

On 30 January 2024, the Court of Justice of the European Union (CJEU) ruled that law enforcement agencies retaining for an indefinite period (i.e. without any time limit other than death of the person) the biometric and genetic data of a person convicted of a criminal offence is contrary to EU law. The case relates to a request by a person, who was convicted and later legally rehabilitated, to remove his personal data from the police records. 
 
The Court held that even if the general and indiscriminate storage of the personal data of a convicted person is justified by the prevention, detection, investigation and prosecution of criminal offences or the execution of criminal penalties, national authorities are required to impose on the data controller the obligation to periodically review whether that storage continues to be necessary; and to grant the data subject the right to have the data erased where retention of the data is no longer necessary. 
 
The Court also held that where an obligation is imposed on the national authorities to set appropriate time limits on the data storage period, such time limit can be regarded as “appropriate” only if it takes into consideration the relevant circumstances such as the nature and seriousness of the offence committed and the risk presented by the convicted person.

For further details of the judgment, please refer to (1) CJEU’s Judgment and (2) Press Statement issued by the CJEU dated 30 January 2024.
 
14 December 2023 Court of Justice of the European Union clarifies conditions for awarding ‘non-material damage’

On 14 December 2023, the Court of Justice of the European Union (CJEU) ruled that the misuse of personal data following a cyberattack constitutes “non-material damage” under the GDPR. The case stemmed from a 2019 cyberattack on the Bulgarian National Revenue Agency, after which cybercriminals published personal data concerning millions of persons. The Bulgarian Supreme Administrative Court requested the CJEU to determine the conditions for awarding non-material damages, and the extent to which the data controller needed to demonstrate that adequate security measures were in place.

In the judgment, the CJEU answered the referred questions as follows:

  • In the event of unauthorised disclosure of or unauthorised access to personal data, courts must assess the appropriateness of the protective measures implemented in a concrete manner, and cannot infer from the unauthorised disclosure or unauthorised access alone that the protective measures implemented by the data controller were not appropriate.
  • It is for the data controller to prove that the protective measures implemented were appropriate.
  • In the event that the unauthorised disclosure of personal data or unauthorised access to those data is committed by a ‘third party’ (such as cybercriminals), unless the data controller can prove that it is in no way responsible for the damage suffered by the data subjects, the data controller may be required to compensate the data subjects concerned.
  • The fear experienced by a data subject concerning a possible misuse of his personal data by third parties as a result of an infringement of the GDPR is, in itself, capable of constituting ‘non-material damage’.

For further details of the judgment, please refer to (1) CJEU’s Judgment and (2) Press Release issued by the CJEU dated 14 December 2023.

7 December 2023 Court of Justice of the European Union rules on the lawfulness of credit scoring

On 7 December 2023, the Court of Justice of the European Union (CJEU) handed down two rulings opposing two data processing practices of credit information agencies. The rulings against the German credit information agency SCHUFA concerned its practice of automatically establishing a probability score regarding an individual’s ability to meet payment commitments in the future, based on the personal data of that individual, and its retention of customer insolvency data.

The CJEU was asked by the German Administrative Court of Wiesbaden to clarify whether credit scoring, a mathematical statistical method used to predict the probability of future behaviour such as the repayment of a loan, constituted “automated decision making” under Article 22 of the GDPR, and whether SCHUFA’s retention period of 3 years for information relating to the granting of a discharge from remaining debts was lawful.

The CJEU held that credit scoring must be regarded as an ‘automated individual decision’, which was prohibited in principle under Article 22, in so far as third parties (including SCHUFA’s clients, such as banks) attribute to it a determining role in the granting of credit. It was for the Administrative Court of Wiesbaden to assess whether the German Federal Law on data protection contains any valid exceptions to that prohibition in accordance with the GDPR, and if it does, whether the general conditions for data processing under the GDPR had been met.

As regards the retention of information on debt discharge, the CJEU considered that it was contrary to the GDPR for private agencies to keep such data for longer than the 6-month period mandated by German law for the public insolvency register. Since the retention of data beyond six months was held unlawful, the data subject has the right to have the data deleted and the agency is obliged to delete the data as soon as possible. Even where the storage for six months is lawful, the data subject will still have the right to object to the processing of his data and the right to have the data erased, unless the existence of overriding legitimate grounds can be demonstrated.

For further details of the judgment, please refer to (1) CJEU’s Judgments of Case C-634/21 and Joined Cases C-26/22 and C-64/22 and (2) Press Release issued by the CJEU dated 7 December 2023.

5 December 2023 Court of Justice of the European Union rules on the imposition and calculation of administrative fines

On 5 December 2023, the Court of Justice of the European Union (CJEU) reaffirmed the conditions under which supervisory authorities may issue fines to data controllers under the GDPR and ruled that a data controller should not receive a fine unless the violation of the GDPR was committed “intentionally or negligently”. The decision stemmed from cases originating from Lithuania and Germany, which respectively concerned the Lithuanian National Public Health Centre processing citizens’ data for its COVID-19 monitoring app and a German real estate company retaining personal data relating to tenants for longer than necessary.

The CJEU was asked by a Lithuanian court and a German court to interpret the GDPR regarding the imposition and calculation of administrative fines on controllers for infringements under Article 83.

Regarding the imposition of an administrative fine under Article 83, the CJEU ruled that a supervisory authority may not impose a fine on a data controller for an infringement of the GDPR unless that infringement was committed wrongfully, i.e. intentionally or negligently. A data controller may be fined for conduct falling within the scope of the GDPR where that data controller could not have been unaware of the infringing nature of its conduct, regardless of whether or not it was aware of the infringement.

In addition, the CJEU held that, where the data controller is a legal person, it is not necessary for the infringement to have been committed by its management body, or for that body to have knowledge of such infringement. On the contrary, a legal person is liable both for infringements committed by its representatives, directors or managers, and for those committed by any other person acting in the course of the business of that legal person and on its behalf. Further, the imposition of fines is not premised upon a finding of an infringement being committed by an identified natural person. A data controller may also be fined for operations performed by a data processor to the extent that the data controller may be held responsible for such operations.

As regards the calculation of an administrative fine under Article 83, the CJEU ruled that where the addressee of a fine is, or forms part of, an undertaking, a supervisory authority must take as its basis the concept of an “undertaking” under EU competition law, which designates an economic unit even if in law that economic unit consists of several persons, natural or legal. Accordingly, for the calculation of a fine, a supervisory authority must take into account the total worldwide turnover of the undertaking concerned, taken as a whole, in the preceding business year, as the basis for penalties.

For further details of the judgment, please refer to (1) CJEU’s Judgments of Case C-683/21 and Case C-807/21 and (2) Press Release issued by the CJEU dated 5 December 2023.

4 July 2023 Court of Justice of the European Union rules that national competition authorities can determine GDPR violations in competition cases

On 4 July 2023, the Court of Justice of the European Union (CJEU) made a ruling that in an abuse of dominance investigation, it may be necessary for the competition authority (of the EU member state concerned) to examine whether a company’s conduct complies with rules other than those relating to competition laws, including the GDPR.
 
However, the CJEU also noted that the competition authority would not replace the data protection authority of the EU member state concerned. In fact, when considering whether the GDPR has been complied with, the competition authority is required to consult and cooperate sincerely with the data protection authority, consider whether it has made decisions in similar cases, and must not depart from those decisions.
 
In the present case concerning the German Federal Cartel Office’s prohibition against Meta’s Facebook services from combining user data from different sources for conducting personalised advertising without the user’s consent in 2019, the CJEU commented generally on the data processing practices of Meta. It noted that the performance of a contract as a legal basis for processing under the GDPR can only be relied on if the data processing is objectively indispensable to the main subject matter of that contract. The CJEU doubted, in this regard, whether Meta’s personalised advertising fulfils the criteria and referred the matter back to the German court to decide.
 
For further details of the judgment, please refer to (1) CJEU’s Judgment and (2) Press Statement issued by the CJEU dated 4 July 2023.
22 June 2023 Court of Justice of the European Union rules that data subjects have the right to access the date of and the reasons for the consultations on their personal data

On 22 June 2023, the Court of Justice of the European Union (CJEU) made a ruling, inter alia, in relation to the interpretation of Article 15(1) of the GDPR (right of access by the data subject). The case concerned a data subject, an ex-employee and customer of Pankki S (“Bank”), requesting the Bank to inform him of the identity of the persons who had consulted his customer data, the exact dates of the consultations and the purposes for which those data had been processed (“Requested Information”).

Having failed to obtain the Requested Information from the Bank and to obtain an order to the same effect from the Office of the Data Protection Ombudsman, Finland, the data subject brought an action before the Administrative Court of Eastern Finland, which referred the case to the CJEU for clarification on the interpretation of Article 15(1) of the GDPR, namely, (i) whether the GDPR applies to the access request given that the relevant processing activities occurred before the GDPR came into force (i.e. 25 May 2018); (ii) whether the data subject is entitled to the Requested Information under Article 15(1) of the GDPR; and (iii) whether the controller being a bank and the data subject being a customer and employee of the bank is relevant for defining the scope of the right of access.

The CJEU decided that Article 15 of the GDPR applies to a request for access made after the GDPR came into force even though the processing concerned was conducted before that date, and that information relating to the dates and purposes of the personal data consultation operations constitutes information that the data subject has the right to obtain from the controller. However, the GDPR does not establish such a right in respect of information relating to the identity of the employees who carried out those operations following the controller’s instructions, unless (i) that information is essential to enable the data subject effectively to exercise the rights conferred on them by the GDPR, and (ii) the rights and freedoms of those employees are duly considered. Lastly, the CJEU ruled that the fact that a data controller is engaged in the business of banking and acts within the framework of a regulated activity, and that the data subject is a customer and employee of the data controller, has, in principle, no bearing on the scope of the right conferred on that data subject by Article 15 of the GDPR.

For further details of the judgment, please refer to (1) CJEU’s Judgment and (2) Press Statement issued by the CJEU dated 22 June 2023.
4 May 2023 Court of Justice of the European Union rules that mere infringement of the GDPR does not give rise to a right to compensation

On 4 May 2023, the Court of Justice of the European Union (CJEU) made a ruling in relation to the compensation available under the GDPR for non-material damage. The case concerned a data subject who filed a complaint against the Austrian Post for collecting personal data relating to the political affinities of Austrian residents in 2017. The data was subsequently sold to various organisations, which enabled them to send targeted advertisements in relation to political elections. The data subject sought €1,000 in non-material damages under Article 82 of the GDPR.

The case was referred to the CJEU to clarify, among others, (1) whether a data subject would be entitled to compensation under Article 82 from mere infringement of the GDPR, if he/she had not suffered harm as a result of the GDPR infringement; and (2) whether a claim for compensation for non-material damage has to meet a seriousness threshold that requires more than mere upset feelings caused by the GDPR infringement.

The CJEU ruled that the right to compensation under Article 82 is subject to three conditions: (1) personal data is processed in a manner that infringes the GDPR; (2) the data subject suffered material or non-material damage; and (3) there is a causal link between the infringement and the damage suffered. Therefore, not every infringement of the GDPR gives rise, by itself, to a right to compensation.

The Court also held that the right to compensation is not limited to non-material damage that reaches a certain threshold of seriousness. The GDPR does not contain any such requirement, and such a restriction would be contrary to the broad conception of ‘damage’ adopted by the EU legislature.

Lastly, the Court noted that the GDPR does not contain any rules governing the assessment of damages. It is therefore for the legal system of each Member State to prescribe the detailed rules for actions intended to safeguard the rights which individuals derive from the GDPR and, in particular, the criteria for determining the extent of compensation payable in that context, provided that the principles of equivalence and effectiveness are complied with.

The CJEU stated that this ruling ensures the GDPR provides “full and effective compensation for the damage suffered”.

For further details of the judgment, please refer to (1) CJEU’s Judgment and (2) Press Statement issued by the CJEU dated 4 May 2023.
2 March 2023 Court of Justice of the European Union clarifies rules on the production of evidence containing personal data in civil proceedings

On 2 March 2023, the Court of Justice of the European Union (CJEU) made a ruling on the applicability of the GDPR in the context of discovery in civil proceedings. An issue arose in a payment dispute between a construction company and its customer as to whether personal data that was originally collected for tax purposes can be produced in civil proceedings. The issue was referred to the CJEU for a preliminary ruling by the Swedish Supreme Court.

The CJEU decided that any processing of personal data, including processing carried out by public authorities such as courts, must be based on a legal ground under Article 6 of the GDPR. The CJEU examined Article 6(1)(e) (processing in the public interest) and Article 6(3) (under which EU member states may adopt more specific provisions regarding personal data processing in the public interest, provided that such law meets an objective of public interest and is proportionate to the aim pursued) of the GDPR, and considered that the requirements of Article 6(3) of the GDPR were fulfilled by the obligation under Swedish law to submit evidence to the courts if it may be deemed to have probative value.

The CJEU also decided that disclosure of the documents was further processing for the purposes of Article 6(4) of the GDPR, which is permitted where the processing is based on national law and constitutes a necessary and proportionate measure in a democratic society to safeguard one of the objectives referred to in Article 23(1) of the GDPR. In its decision, the CJEU indicated that those objectives include Article 23(1)(f) (the protection of judicial independence and judicial proceedings) and Article 23(1)(j) (the enforcement of civil claims) of the GDPR. However, the CJEU emphasised that it is for the referring court to examine whether the requirements of Article 6(4) of the GDPR in conjunction with Article 23(1) of the GDPR are met.

For further details of the judgment, please refer to CJEU’s Judgment dated 2 March 2023.
9 February 2023 Court of Justice of the European Union rules on data protection officer dismissal and conflicts of interest

On 9 February 2023, the Court of Justice of the European Union (CJEU) made a ruling in relation to the conditions for dismissing Data Protection Officers (DPOs) under Article 38(3) and the definition of conflicts of interest under Article 38(6) of the GDPR. The case relates to the dismissal of the DPO of a German company group, who was also the “chair of the works council” of the same group, in May 2018 when the GDPR came into effect. The DPO sought a declaration that the dismissal was ineffective by bringing proceedings before the German courts, while the company cited a conflict of interest as the just cause for dismissal. The German Federal Labour Court referred the case to the CJEU to clarify, among others, (i) whether Article 38(3) precludes member states from setting out further conditions for dismissing DPOs, and (ii) the extent to which conflicts of interest in the context of Article 38(6) can justify the dismissal of DPOs.

In relation to Article 38(3), the CJEU ruled that member states are free “to lay down more protective specific provisions on the dismissal of the DPO” as long as these do not “undermine the achievement of the objectives of the GDPR”. In relation to Article 38(6), the CJEU ruled that DPOs should “be in a position to perform their duties and tasks in an independent manner”, and that conflicts of interest within the meaning of Article 38(6) arise where DPOs are “assigned any tasks or duties which would lead [them] to determine the purposes and means of the processing of personal data”.

For further details of the judgment, please refer to CJEU’s Judgment dated 9 February 2023.
12 January 2023 Court of Justice of the European Union rules that administrative and civil remedies provided for by the GDPR may be exercised concurrently and independently of each other

On 12 January 2023, the Court of Justice of the European Union (CJEU) made a ruling in relation to the relationship between the administrative and civil remedies provided under the GDPR. The case relates to a shareholder’s request for the audio recording of a company’s general meeting. The shareholder was only provided with extracts which reproduced his own contributions, and subsequently requested the Hungarian data protection authority to order the company to send him the recording in question. After his request was refused by the Hungarian data protection authority, he brought an administrative appeal against that decision and, at the same time, brought proceedings before the Hungarian civil courts against the decision of the company. While the administrative appeal proceedings were still ongoing, the civil courts found that the company had infringed the shareholder’s right of access to his personal data. The Budapest High Court therefore referred the case to the CJEU, asking whether, in the context of reviewing the lawfulness of the decision of the national supervisory authority, it is bound by the final judgment of the civil courts concerning the same facts and the same alleged infringement of the GDPR; and whether one of those remedies might take priority over the other.

In the said Judgment, the CJEU found that the GDPR does not provide for any priority or exclusive competence or jurisdiction or for any rule of precedence in respect of the assessment carried out by the supervisory authority or by a court as to whether there is an infringement of the rights concerned. Consequently, the administrative and civil remedies provided for by the GDPR may be exercised concurrently with and independently of each other. It is for each member state to ensure that the concurrent and independent remedies do not call into question the effectiveness of the GDPR and effective protection of the rights thereunder, the consistent and homogeneous application of its provisions and the right to an effective remedy before a court or tribunal.

For further details of the judgment, please refer to (1) CJEU’s Judgment and (2) Press Statement issued by the CJEU dated 12 January 2023.
12 January 2023 Court of Justice of the European Union confirms data subjects’ right of access to information about the specific recipients to whom their personal data have been or will be disclosed

On 12 January 2023, the Court of Justice of the European Union (CJEU) made a ruling in relation to data subjects’ right of access to information about the recipients or categories of recipients to whom their personal data have been or will be disclosed under Article 15(1)(c) of the EU GDPR. In this case, Österreichische Post AG (responsible for the Austrian postal service), in responding to a data subject’s access request for information as to the identity of the recipients of his personal data, merely provided a description of the categories of recipients, without disclosing the identity of the specific recipients of the personal data. The Supreme Court of Austria referred the case to the CJEU for its interpretation of Article 15(1)(c) of the EU GDPR.

In the Judgment, the CJEU ruled that, in order to ensure the effectiveness of the other rights conferred on data subjects under the EU GDPR (including the right to rectification, the right to erasure, the right to restriction of processing and the right to object under Articles 16, 17, 18 and 21 of the EU GDPR respectively), the data subject must have the right to be informed of the specific recipients to whom his/her personal data have been or will be disclosed.

That said, the CJEU acknowledged that in specific circumstances such right of access may be subject to limits, for example where it is impossible to disclose the identity of specific recipients, in particular where they are not yet known, or where the controller demonstrates that the data subject’s requests are manifestly unfounded or excessive (within the meaning of Article 12(5) of the EU GDPR).

For further details of the judgment, please refer to (1) the CJEU’s Judgment and (2) the Press Statement issued by the CJEU dated 12 January 2023.

8 December 2022 Court of Justice of the European Union extends the right to erasure (right to be forgotten) to the removal of manifestly inaccurate information

On 8 December 2022, the Court of Justice of the European Union (CJEU) ruled on the right to erasure (right to be forgotten). The case concerned two investment managers who had requested Google to de-reference search results linking their names to certain articles criticising their investment model, alleging that those articles contained inaccurate claims. They also requested Google to remove thumbnail photos of them from the results of searches based on their names. Google declined their request, contending that it was unaware of the alleged inaccuracy of the information contained in the articles. The German Federal Court of Justice referred the case to the CJEU for its interpretation of Article 17(3)(a) of the EU GDPR, which concerns the relationship between the right to erasure and the right to freedom of expression and information.

In the said Judgment, the CJEU pointed out that the right to the protection of personal data is not an absolute right but must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. While the EU GDPR expressly provides that the right to erasure is excluded where processing is necessary for the exercise of the right to freedom of expression and information, the right to freedom of expression and information cannot be taken into account where, at the very least, a part – which is not of minor importance – of the information found in the referenced content proves to be inaccurate.

The CJEU ruled that the search engine operator must de-reference information found in referenced content where the person requesting de-referencing submits relevant and sufficient evidence capable of establishing that such information is manifestly inaccurate. To avoid imposing an excessive burden on the requestor, the CJEU stated that such evidence need not stem from a judicial decision against the publishers of the website in question; the requestor only has to provide evidence that can reasonably be required of him or her to find.

Regarding the display of the thumbnail photos following a search by name, the CJEU stated that such display constitutes a particularly significant interference with the data subjects’ rights to private life and to the protection of their personal data. A separate weighing-up of the competing rights and interests is required depending on whether the photos are displayed in their original context, illustrating the information provided in those articles and the opinions expressed in them, or outside that context.

For further details of the judgment, please refer to (1) the CJEU’s Judgment and (2) the Press Statement issued by the CJEU dated 8 December 2022.


B. Major Developments under the GDPR

Date Major Developments
15 January 2024

The European Commission Retains all its Existing Adequacy Decisions

On 15 January 2024, the European Commission concluded its review of the 11 existing adequacy decisions adopted under the 1995 Data Protection Directive, as required by the GDPR.

In its published report, the European Commission found that personal data transferred from the European Union to Andorra, Argentina, Canada, the Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay continue to benefit from adequate data protection safeguards. As such, the adequacy decisions adopted for these 11 countries and territories remain in place, and data can continue to flow freely to these jurisdictions.

The review demonstrated that the data protection frameworks in these countries and territories have further converged with the EU’s framework and have strengthened the protection of personal data in their jurisdictions. The review also showed that access to data by public authorities in the 11 jurisdictions, notably for law enforcement or national security purposes, is subject to appropriate safeguards.

For further details of the review, please refer to the European Commission’s full report dated 15 January 2024.

10 July 2023  The Adequacy Decision for the EU-US Data Privacy Framework (DPF)

On 10 July 2023, the European Commission adopted an adequacy decision on the EU-US Data Privacy Framework (DPF), concluding that the US ensures a level of protection essentially equivalent to that of the EU for personal data transferred under the DPF from a controller or processor in the EU to certified organisations in the US. The adequacy decision has the effect that such transfers may take place without the need to obtain any further authorisation.
 
Some new binding safeguards introduced by the DPF include:
  • limiting access to EU data subjects’ personal data by US intelligence services to what is necessary and proportionate to protect national security (under the US Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’);
  • providing EU data subjects whose data would be transferred to the US under the DPF with several new rights (i.e., to access their data, or to correct or delete inaccurate or unlawfully handled data); and
  • establishing a two-tier redress mechanism for EU data subjects (i.e., EU data subjects' complaints would first be investigated by the Civil Liberties Protection Officer (CLPO) of the US intelligence community, and the data subjects may appeal the CLPO's decision before the independent and newly established Data Protection Review Court).
US organisations will be able to self-certify under the DPF by committing to comply with a detailed set of privacy obligations (e.g., purpose limitation, data minimisation, data deletion as soon as no longer necessary, specific obligations concerning data security and sharing of data with third parties, etc). Certifications must be renewed on an annual basis. Organisations that are found to persistently fail to comply with the principles will be removed from the DPF list and must return or delete the personal data received under the DPF.
 
The adequacy decision took effect immediately, and the DPF applies to transfers to US organisations once they have certified. The European Commission will periodically review the adequacy decision, with the first review to take place within one year of its entry into force.
 
For further details of the DPF, please refer to the full Adequacy Decision for the EU-US Data Privacy Framework dated 10 July 2023.

25 March 2022 The new Trans-Atlantic Data Privacy Framework between the EU and the United States (“US”)

On 16 July 2020, the Court of Justice of the European Union struck down the framework of the EU-US Privacy Shield in the case of Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems and intervening parties (commonly known as “Schrems II Judgment”). Since 2016, the EU-US Privacy Shield had been implemented as a major mechanism for effecting transfers of personal data from EU companies to US companies.

Following continuous discussions between the European Commission and the US, the parties announced on 25 March 2022 that an agreement had been reached in principle on a new Trans-Atlantic Data Privacy Framework (“New Framework”), with a view to re-establishing a legal mechanism for the transfer of personal data from the EU to the US.

In particular, the New Framework ensures that (i) signals intelligence activities undertaken by the US should be necessary and proportionate in advancing legitimate national security objectives; (ii) a new redress mechanism with independent and binding authority will be established to direct remedial measures for affected EU individuals; and (iii) US intelligence agencies will adopt procedures to ensure effective oversight of new privacy and civil liberties standards.

As the next step forward, the European Commission and the US will continue to work on the legal documents required to be adopted by both sides for putting the New Framework into practice.

For further details of the New Framework, please refer to (1) the European Commission and United States Joint Statement on the Trans-Atlantic Data Privacy Framework and (2) the Press Statement issued by the White House of the US, both dated 25 March 2022.

21 March 2022 New transfer instruments for transferring personal data from the United Kingdom

The GDPR is retained in the domestic law in the United Kingdom (“the UK”) as the “UK GDPR”. Article 46(1) of the UK GDPR allows international transfers of personal data, inter alia, where the data exporter has provided appropriate safeguards (including through standard data protection clauses issued by the Information Commissioner, etc).

On 21 March 2022, two new transfer instruments issued by the Information Commissioner came into force, namely (i) the International Data Transfer Agreement (“IDTA”) and (ii) the international data transfer addendum to the European Commission’s standard contractual clauses for international data transfers adopted in June 2021 (“Addendum”). The new instruments are intended to replace the Standard Contractual Clauses previously recognised in the UK, i.e. the Standard Contractual Clauses adopted in the EU in the pre-GDPR era (“the Old SCCs”).

The practical implications of the introduction of the IDTA and the Addendum for data transferors and data transferees are that:

  • Contracts concluded on or before 21 September 2022 on the basis of the Old SCCs shall continue to provide appropriate safeguards for the purpose of the UK GDPR (provided that the processing operations that are the subject matter of the contract remain unchanged) until 21 March 2024.
  • From 22 September 2022, either the IDTA or the Addendum will have to be incorporated for new contracts concerning international transfers of personal data under the UK GDPR.
  • From 22 March 2024, the Old SCCs will no longer be deemed to provide “appropriate safeguards” for the purpose of the UK GDPR. All contracts that incorporate the Old SCCs must therefore be replaced with either the IDTA or the Addendum by 21 March 2024.
For further details of the IDTA and the Addendum, please refer to the introduction provided by the Information Commissioner’s Office of the UK.

17 December 2021 The adequacy decision for South Korea

On 17 December 2021, the European Commission adopted a decision finding that the Republic of Korea ensures an adequate level of protection for personal data transferred from the EU to entities in the Republic of Korea that are subject to the Personal Information Protection Act, as complemented by additional safeguards, together with the relevant official representations, assurances and commitments.

For details of the adequacy decision for South Korea, please refer to the Joint Press Statement by Didier Reynders, Commissioner for Justice of the European Commission, and Yoon Jong In, Chairperson of the Personal Information Protection Commission of the Republic of Korea.

28 June 2021 The adequacy decision for the United Kingdom

On 28 June 2021, the European Commission adopted two adequacy decisions for the United Kingdom, one under the GDPR and the other under the Law Enforcement Directive. Personal data can flow freely from the EU to the United Kingdom on the basis that the United Kingdom ensures a level of personal data protection essentially equivalent to that guaranteed under EU law.

For details of the adequacy decisions for the United Kingdom, please refer to the press release issued by the European Commission.

1 The European Data Protection Board set out a five-step methodology in the Guidelines, comprising the following steps:
(1) identifying the relevant processing operations and evaluating the application of Article 83(3) of the GDPR;
(2) identifying the starting point for the further calculation of the amount of the fine by, inter alia, considering the categorisation of the infringement under Articles 83(4)–(6) of the GDPR, the nature and gravity of the infringement, and the turnover of the undertaking;
(3) evaluating the aggravating or mitigating factors listed in Article 83(2) of the GDPR;
(4) identifying the legal maximum of the fine (the higher of the static and dynamic maximums); and
(5) considering whether the fine is effective, proportionate and dissuasive.
Please refer to the Guidelines for details.