Alarming: Court of Justice may severely limit enforcement of European’s privacy rights

Oct 13, 2022

Alarming: Court of Justice may severely limit enforcement of European’s privacy rights

Hardly noticed by the general public, the Advocate General (AG) of the Court of Justice of the European Union (CJEU) has issued an opinion, aiming to limit one of the last potential avenues for users to enforce their privacy rights under the GDPR. According to the AG, Europeans would hardly get compensations for GDPR violations – although the GDPR explicitly foresees a claim for non-material damages. The final judgment will be issued by the CJEU in the next months.

Further Resources:

Background of the case. The Austrian Postal Service illegally calculated the political leaning of millions of Austrians, in violation of the GDPR. A Viennese plaintiff that was wrongfully associated with the right-wing populist Freedom Party sued the Postal Service for damages, claiming € 1.000 for massive anger, loss of trust and a feeling of exposure. The GDPR explicitly names a claim for non-material damages. Nevertheless, the Austrian Supreme Court (OGH) referred three questions to the CJEU, asking if Article 82 of the GDPR allows for damages without material damages or if the Austrian Courts may require an additional “threshold” to grant non-material damages.

No damages for most GDPR violations? The Austrian Supreme Court mainly asked if it could limit the award of non-material damages, if the anger of a plaintiff does not go beyond the anger that comes with the violation of GDPR rights. As this definition would include all realistic types of anger that may come from a violation of the GDPR, it would largely undermine the legislator’s intent to grant non-material damages for violations of the right to data protection.

Max Schrems: “This case is deeply troubling. If the view of the Austrian Supreme Court and the Advocate General prevails, most users will never see compensation for GDPR violations anymore. I talked to many experts in the last days and you hear wide-spread concern.

Other options not efficient. The AG Opinion repeatedly points at other options than damages, such as mere declarations, nominal damages (usually €1) or injunctions. While any plaintiff undoubtedly has the right to bring such claims, they generally cannot remedy past violations or recall illegally shared data. Plaintiffs would have to invest high amounts of money to merely get a piece of paper, saying that they were right. Controllers would walk away with the profits from GDPR violations and no realistic consequences.

Max Schrems: “It costs thousands and often ten‑thousands of Euros to bring a civil case. No one would bring a claim to merely get a piece of paper saying he or she was right.”

The AG Opinion also points at Data Protection Authorities (DPAs) to do their job. In reality, many DPAs still take the view that they have no duty to enforce users’ rights. Some DPAs believe that users’ are not even a party in a procedure before them. The AG Opinion argues that more civil court cases would “deprive” DPAs of complaints, when in fact many do not even process the current number of complaints.

Max Schrems: “Some sections of this Opinion read deeply cynical for anyone working in the field. We have a massive enforcement gap in the GDPR. At the same time, it seems like the Opinion entertains many arguments to limit enforcement. This is a very problematic approach coming from within the Court of Justice.

Fragmented “damages” in the EU? The AG Opinion seems to also allow the 30 EU and EEA Member States to come up with their own “thresholds” or other national laws that may limit the clearly intended full compensation of non-material damages under the GDPR. This would lead to massive fragmentation as some Member States would allow full compensation and others may introduce higher and higher limits.

Not even clarity in the referred case. Even if the views in the AG Opinion are accepted, there is no clear answer to the underlying case. Footnote 86 itself admits that by “setting out these considerations, I am not prejudging whether, in this case, [the plaintiff]’s situation came under one category or the other” – meaning it is still unclear if the plaintiff in the Austrian case should get compensation or not.

Opinion not legally stringent. In addition to questions regarding the conclusions of the AG opinion, it also has severe legal shortcomings. The opinion partly argues that the rules on damages would be harmonized in the EU, just to then argue that Member States may depart from the law. Equally, concepts like the “loss of control” or the free flow of personal data in the EU seem to be drastically misunderstood in the AG opinion. noyb has prepared a 10 page legal digest of the AG Opinion, highlighting many of these rather technical errors in the opinion.

Max Schrems: “We very much hope that the judges will not follow this opinion. It doesn’t solve the issues before the Court, nor is it legally sound, but it may be used to close one of the last paths for enforcement of the GDPR.

Growing judicial action against GDPR rights. While the CJEU has so far taken a very neutral and technical approach to the GDPR, it becomes more and more obvious that some national courts refer countless questions to the CJEU that aim at limiting the GDPR. Currently, there are about 40 references to the CJEU, predominantly with questions that would allow the limiting of GDPR rights, or with non-issues that are clearly decided under the GDPR.

Max Schrems: “We see a worrying trend that courts are bit by bit limiting the rights under the GDPR and add more and more roadblocks. While 96% of the European Parliament and all EU Member States stood behind strong privacy protections, we hardly see enforcement on the ground. It seems that some judges were convinced by the industry that the GDPR must be limited. We see more and more judgments that try to gradually undo the GDPR by limiting plaintiffs and authorities. This is especially a trend in the German-speaking countries and the Netherlands. Some courts seem to hope that the CJEU will limit the GDPR. Many judgments read as if judges want to do the right thing when adding these roadblocks, when in fact departing from a clear democratic decision.

The final decision of the CJEU in this case will be issued in the next months.