CJEU Publishes a Flurry of GDPR-related Decisions

On 4 October 2024, a flurry of noteworthy data protection judgments were delivered by the Court of Justice of the European Union (“CJEU”). In this article, we look at each of these five judgments.

The judgments provide important clarification on a number of key issues including: what constitutes “data concerning health” under the GDPR; whether legitimate interests can cover purely commercial interests; the scope of personal data which can be proceed by online platforms for targeted advertising purposes; whether loss of control of personal data can constitute “non-material damage” within the meaning of Article 82(1) GDPR; and whether an apology may suffice as compensation for non-material damage under Article 82(1) GDPR.

1. Broad interpretation of what constitutes health data under the GDPR

In the case of Lindenapotheke (Case C-21/23), the CJEU adopted a broad interpretation of what constitutes health data, and therefore special category data, under the GDPR.

The Advocate General had previously suggested that, whilst you may be able to infer a person’s health status from an order for non-prescription pharmacy-only medicines, that is not sufficient to constitute special category data. This is because the link is too tenuous and the information that may be inferred from it are too hypothetical or imprecise for the data in question to be capable of being classified as health data.

However, the CJEU took a different approach. Instead, the CJEU held that the information that customers provide when buying non-prescription pharmacy-only medicinal products online, constitutes “data concerning health” within the meaning of Article 4(15) GDPR. This means the controller is subject to the additional restrictions applicable to the processing of special category data under Article 9 GDPR when processing such data.

The CJEU confirmed that the concept of “data concerning health” must be interpreted broadly, in light of the GDPR’s objective of ensuring a high level of protection for individuals. The CJEU found that the processing of such online orders by the controller involves the processing of special category data, to the extent that the order establishes a link between a medicinal product, its therapeutic indications or its uses, and a person identifiable by factors such as their name or delivery address.

The CJEU held that it is immaterial whether or not the information deduced is accurate or not; and whether or not the controller intended to obtain special category data. Furthermore, such data is health data even if there is only some likelihood, rather than absolute certainty, that the medicines are intended for the purchaser. The CJEU noted that, even if the medicines are intended for another individual, it may still be possible to identify them and draw conclusions on the state of their health, for example, if a different delivery address is provided for those medicines or the customer refers to another person in their order.

Separately, the CJEU also held that the GDPR does not preclude national laws which enable competitors to bring legal proceedings on the basis of unfair commercial practices based on GDPR infringements.

2. Purely commercial interests can be legitimate interests

In the case of KNLTB case (Case C‑621/22), following a referral from the Dutch courts, the CJEU ruled that marketing and other purely commercial interests can constitute “legitimate interests” within the meaning of Article 6(1)(f) GDPR. The CJEU concluded that legitimate interests need not be enshrined in law, but must be lawful.

The Dutch DPA has historically interpreted the “legitimate interests” lawful basis very narrowly, taking the approach that a controller cannot rely on purely commercial interests as a legitimate interest, and that the legitimate interest must have a basis in law.

The CJEU, however, has now confirmed that a wide range of interests can be considered to be a “legitimate interest” and there is no requirement that the interests are laid down by law. The CJEU reiterated the three-step test for assessing whether “legitimate interests” can be relied on as a lawful basis, including: (i) a legitimate interest should be pursued by the controller or a third party, (ii) the processing of personal data is necessary for the purposes of legitimate interests pursued, and (iii) the interests or fundamental freedoms and rights of the person(s) concerned should not override the legitimate interests of the controller or of a third party.

The CJEU also emphasised the importance of a controller considering the data subject’s reasonable expectations when seeking to rely on “legitimate interests” as a lawful basis for processing personal data. The data subject’s interests and fundamental rights could, in particular, override the interests of the controller where personal data are processed in circumstances where data subjects do not reasonably expect such processing (per Recital 47 GDPR). 

The EDPB has separately issued draft guidance on the notion of legitimate interests (see Guidelines 1/2024), which provides further clarity on the scope of this concept.

3. Personal data processed for targeted advertising purposes must be processed in line with the data minimisation principle

In the case of Schrems v Meta (Case C-446/21), the CJEU confirmed that targeted advertising on online platforms is not illegal per se, but personal data cannot be processed indefinitely for this purpose, in accordance with the data minimisation principle under Article 5(1)(c) GDPR.

In this case, the data subject made a statement relating to his sexual orientation at a public panel discussion. The data subject subsequently brought an action before the Austrian courts challenging Meta Platforms Ireland’s processing of personal data relating to his sexuality for targeted advertising purposes.  The Austrian Supreme Court requested that the CJEU clarify whether the data subject had authorised the processing of this data by manifestly making this information public, in accordance with Article 9(2)(e) GDPR.

The CJEU made the following findings:

• The principle of data minimisation precludes the aggregation, analysis and processing of all personal data obtained by a controller, such as the operator of an online social network platform, from the data subject or third parties, and collected either on or outside that platform, for the purposes of targeted advertising without restrictions on timing and distinction of the type of data.
• It is possible that the data subject manifestly made his sexual orientation public on the occasion of the panel discussion in question, but this is to be verified by the Austrian Supreme Court.
• Even if it is determined that the data subject manifestly made his sexual orientation public, this does not authorise the operator of an online social network platform to process other data relating to the data subject’s sexual orientation obtained, as the case may be, outside of that platform, using partner third-party websites and apps, with a view to aggregating and analysing this data in order to offer him personalised advertising.

4. A data subject’s loss of control of personal data, due to it being published online, may constitute “non-material damage” under Article 82(1) GDPR

In the case of Agentsia po vpisvaniyata (Case C‑200/23), the CJEU held that the concept of non-material damage under Article 82(1) GDPR does not require tangible adverse consequences. In addition, the CJEU ruled that an opinion of a supervisory authority of a Member State is not sufficient to exempt liability.

In this case, the data subject is a shareholder of a Bulgarian company. The company’s constitutive instrument was sent to a Bulgarian Authority, responsible for managing a public commercial register. The Authority made the company instrument public, and the data subject requested the Authority to erase the personal data relating to her contained in that instrument. The Authority failed to comply with the erasure request, on the basis that there was a legal requirement to publish certain information relating to the company in the commercial register, and the data subject should have provided a redacted copy of the constitutive instrument. The data subject brought an action against the Authority. 

The CJEU made the following findings:

• The Authority is considered both a “recipient” of the personal data contained in a company’s constitutive instrument, and a “controller” in circumstances where it makes that data available to the public, even if the instrument contains personal data not required by law.
• Articles 16 and 17 GDPR preclude an authority responsible for maintaining the commercial register of that Member State from refusing any request for erasure of personal data which is not required to be contained in a company’s constitutive instrument published by that authority.
• A handwritten signature of a natural person constitutes “personal data” under the GDPR, as it is usually used to identify a person, and has evidential value regarding the accuracy and sincerity of a document.
• Article 82(1) GDPR must be interpreted as meaning that a loss of control of personal data, for a limited period, by a data subject, due to this data being made available online to the public, in the commercial register of a Member State, may suffice to cause “non-material damage”, provided that the data subject demonstrates that he or she has actually suffered damage, however minimal.  The concept of “non-material damage” does not require the existence of additional tangible adverse consequences being demonstrated.
• Article 82(3) of the GDPR (which states that a controller is exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage), must be interpreted as meaning that an opinion from a supervisory authority, issued on the basis of Article 58(3)(b) GDPR, is not sufficient to exempt a controller from liability. The CJEU further noted that the use of the terms “opinions” and “advisory powers” in Article 58(3)(b) GDPR indicates that an opinion issued under this provision is not legally binding under EU law.

5. The making of an apology may constitute sufficient compensation for “non-material damage” under Article 82(1) GDPR

In the case of Patērētāju tiesību aizsardzības centrs ("PTAC") (Case C‑507/23), the CJEU held that an apology could serve as adequate compensation for non-material damage, provided it fully compensates for the damage suffered by the data subject.

PTAC (Consumer Rights Protection Centre, Latvia) distributed a second-hand vehicle risk campaign which contained a character which imitated the data subject, who was a journalist for the automotive sector.  The data subject brought an action against PTAC for distributing his personal data without authorisation and sought non-material damage financial compensation.

The CJEU relying on the decision in Österreichische Post, C‑300/21 (previously discussed here) came to following conclusions:

• An infringement of the GDPR alone does not constitute damage warranting compensation;
• The making of an apology may constitute sufficient compensation for non-material damage where it is impossible to restore the data subject’s situation to that which existed prior to the occurrence of the damage, provided that form of redress compensates the data subject in full for the damage suffered; and
• The controller’s attitude and motivation do not constitute aggravating or mitigating factors when the court is determining the amount of compensation to award a data subject and cannot be taken into account. Article 82 GDPR fulfils an exclusively compensatory, rather than punitive function.

Comment

These five judgments delivered by the CJEU on 4 October 2024, provide clarity on a variety of important concepts under the GDPR.  As we approach 2025, we look forward to further judgments and clarification from the CJEU on the scope of number of key concepts under the GDPR. We understand there are more than 30 GDPR-related cases pending before the CJEU, which have the potential to result in a GDPR 2.0!

Contact Us

Matheson's Technology & Innovation Group is available to guide you through the impact of these decisions on your business.  For more information, please contact Davinia Brennan, Anne-Marie Bohan, Deirdre Crowley, Carlo Salizzo, Sarah Jayne Hanna, any member of our Technology and Innovation Group or your usual Matheson contact.

With thanks to Meghan D’Arcy for her contribution to this article.