Österreichische Post: The CJEU Specifies the Requirements for Compensation for Breaches of the GDPR

Share

On 4 May 2023, the European Court of Justice (CJEU) delivered its highly anticipated judgement in Österreichische Post (Case C-300/21) on a crucial issue: the extent to which data subjects affected by a breach of the GDPR have a right to compensation for non-material damage under Article 82 GDPR.

Background

The underlying case arose from a data subject in Austria seeking 1,000 EUR ($1,009) in compensation for alleged non-material damages arising from Österreichische Post’s processing of his personal data for the purposes of political advertising. The individual had not consented to the processing and claimed that he felt offended by the fact that an affinity to a certain political party was attributed to him, alongside feelings of great upset, loss of confidence and exposure caused by the retention of his data on these supposed political opinions.

Continue reading “Österreichische Post: The CJEU Specifies the Requirements for Compensation for Breaches of the GDPR”

The AI Act Progresses Ahead With Approval of Key European Parliament Committees

Share

On 11 May 2023, the European Parliament Internal Market and Consumer Protection (IMCO) and Civil Liberties, Justice and Home Affairs (LIBE) committees voted by a large majority to adopt a compromise position on the draft text of the proposed AI Act. The AI Act is a landmark legislative proposal set to be one of the first and most significant set of rules on artificial intelligence. This compromise text approved by the Committees makes some key changes to the European Commission’s initial draft of the AI Act, outlined below.

Continue reading “The AI Act Progresses Ahead With Approval of Key European Parliament Committees”

CJEU Rules on Dismissal of DPOs and Conflict of Interest

Share

In a recent judgment, the Court of Justice of the European Union (the CJEU) has confirmed that Data Protection Officers (DPOs) can maintain other tasks and duties within their role, provided they do not result in a conflict of interest. The CJEU also held that the GDPR allows for EU member states to legislate to give greater protection to DPOs against dismissal than those set out in the GDPR.

Background to Ruling

In October 2020, the Federal Labour Court of Germany, Bundesarbeitsgericht, requested a preliminary ruling from the CJEU relating to proceedings between X-FAB Dresden GmbH & Co. KG (X-FAB) and its former DPO (“FC”) to clarify under what circumstances an organisation may be allowed to lawfully dismiss its appointed DPO. FC had been DPO for X-FAB and several related companies within its group and had held the role of chair of the works council and vice-chair of the central works council for a few group companies, alongside the DPO position for those companies. FC had been dismissed by X-FAB in December 2017 at the request of the state officer for data protection and freedom of information of Thüringen, Germany. Subsequently, on the coming into force of the GDPR in May 2018, X-FAB had repeated this dismissal as a precautionary measure. FC sought a declaration by the German courts that he retain the DPO position. X-Fab argued FC’s dismissal was justified, stating “a risk of a conflict of interests” in performing both functions, i.e., as both DPO and chair/vice-chair of the works council, on the grounds of incompatibility between the roles. The courts at both first instance and appeal upheld FC’s claim.

Continue reading “CJEU Rules on Dismissal of DPOs and Conflict of Interest”

AI Regulation in the U.K. — New Government Approach

Share

On July 18, 2022, the U.K. Government published a paper on its proposals for AI regulation “Establishing a pro-innovation approach to regulating AI” (the AI Paper). This was published alongside the Government’s AI Action Plan, the first update provided since the Government published its National AI Strategy in September 2021.

The AI Paper provides for an alternative approach to AI regulation in the U.K. when compared with the recently proposed draft legislation for AI regulation in the EU (the EU AI Act). The U.K. Government favours a more decentralised and less regimented approach: guidance, rather than legislation; sector-based, rather than cross-sector application; regulated at sector level, rather than centrally; and with a looser definition of what constitutes AI for the purposes of regulatory application. This is intended to make the U.K. an attractive environment for AI innovation, with more flexible and pragmatic regulation, although AI businesses operating in multiple sectors will potentially need to review and comply with more than one set of principles and address conflicts between them.

Continue reading “AI Regulation in the U.K. — New Government Approach”

European Union Adopts Adequacy Decision For Safe Data Flows With Japan

Share

On January 23, 2019, the European Commission announced its decision to adopt adequacy status with Japan for transfers of personal data.  Pursuant to the European Union’s (EU) General Data Protection Regulation (GDPR), this decision will allow personal data to flow freely between the 28 EU countries, three additional European Economic Area member countries (Norway, Liechtenstein, and Iceland), and Japan, without the need for additional data protection safeguards or derogations.  Japan adopted an equivalent decision with the EU on January 22, 2019.  These reciprocal findings of adequacy will create the largest area of safe data flows in the world.

Continue reading “European Union Adopts Adequacy Decision For Safe Data Flows With Japan”

EU-US Privacy Shield Second Review: Improvements Shown, but More to be Done

Share

The EU Commission published its second annual review of the functioning of the EU-US Privacy Shield, which focused on the commercial issues, human resources and data automated individual decision-making and developments in the U.S. legal framework.  This report follows the same general structure as the report on the first annual EU-US Privacy Shield review that we reported on last year.

Continue reading “EU-US Privacy Shield Second Review: Improvements Shown, but More to be Done”

©2023 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. Lawyer Advertising.