On 10 July 2023, the European Commission adopted its long-awaited adequacy decision for the EU-U.S. Data Privacy Framework (the DPF). With immediate effect, the adequacy decision provides a new lawful basis for transfers from the EU to the U.S. This means that companies that participate in the DPF are able to transfer data from the EU to the U.S. without relying on another data transfer mechanism, such as Standard Contractual Clauses (SCCs) or binding corporate rules (BCRs).
Background to the Adequacy Decision
Pursuant to Article 45(3) of the GDPR, the European Commission has the power, by means of an adequacy decision, to decide that a non-EU country has sufficient standards of data protection to be treated as equivalent to those afforded in the EU.
On 4 May 2023, the European Court of Justice (CJEU) delivered its highly anticipated judgement in Österreichische Post (Case C-300/21) on a crucial issue: the extent to which data subjects affected by a breach of the GDPR have a right to compensation for non-material damage under Article 82 GDPR.
The underlying case arose from a data subject in Austria seeking 1,000 EUR ($1,009) in compensation for alleged non-material damages arising from Österreichische Post’s processing of his personal data for the purposes of political advertising. The individual had not consented to the processing and claimed that he felt offended by the fact that an affinity to a certain political party was attributed to him, alongside feelings of great upset, loss of confidence and exposure caused by the retention of his data on these supposed political opinions.
In a recent judgment, the Court of Justice of the European Union (the CJEU) has confirmed that Data Protection Officers (DPOs) can maintain other tasks and duties within their role, provided they do not result in a conflict of interest. The CJEU also held that the GDPR allows EU member states to legislate to give DPOs greater protection against dismissal than that set out in the GDPR.
Background to Ruling
In October 2020, the Federal Labour Court of Germany, Bundesarbeitsgericht, requested a preliminary ruling from the CJEU relating to proceedings between X-FAB Dresden GmbH & Co. KG (X-FAB) and its former DPO (“FC”) to clarify under what circumstances an organisation may be allowed to lawfully dismiss its appointed DPO. FC had been DPO for X-FAB and several related companies within its group and had held the role of chair of the works council and vice-chair of the central works council for a few group companies, alongside the DPO position for those companies. FC had been dismissed by X-FAB in December 2017 at the request of the state officer for data protection and freedom of information of Thüringen, Germany. Subsequently, on the coming into force of the GDPR in May 2018, X-FAB had repeated this dismissal as a precautionary measure. FC sought a declaration by the German courts that he retain the DPO position. X-FAB argued FC’s dismissal was justified, stating “a risk of a conflict of interests” in performing both functions, i.e., as both DPO and chair/vice-chair of the works council, on the grounds of incompatibility between the roles. The courts at both first instance and appeal upheld FC’s claim.
On August 1, 2022, the Court of Justice of the European Union (CJEU) issued an opinion regarding a Lithuanian data protection case that may signal an expansion of interpretation of the definition of sensitive personal data under the EU’s General Data Protection Regulation (GDPR). Specifically, the CJEU found that data indirectly disclosing sexual orientation constitutes sensitive personal data.
At issue was a Lithuanian law that requires the Chief Official Ethics Commission of Lithuania to publish information about the private interests of public officials in an effort to combat corruption. In the facts underlying the case, a Lithuanian official objected to the Chief Official Ethics Commission’s online publication of his private interest information, which included his spouse’s name. The CJEU concluded that the publication of such information was prohibited by the GDPR because it was “liable to disclose indirectly the sexual orientation of a natural person,” a type of special category of personal data generally prohibited from processing under GDPR Article 9 (processing of special categories of personal data) unless certain additional conditions are satisfied such as the data subject’s explicit consent, or that processing is necessary for reasons of substantial public interest.
On October 3, 2017, the Irish High Court referred Data Protection Commissioner v. Facebook Ireland Limited & Maximilian Schrems to the Court of Justice of the European Union (CJEU), where the future of standard contractual clauses (SCCs) will be decided.
In December 2015, following the CJEU’s landmark decision in Maximillian Schrems v. Data Protection Commissioner invalidating the U.S.-EU Safe Harbor framework, Schrems amended his original complaint to the Irish Data Protection Commissioner (DPC), challenging the validity of data transfers to the U.S. based on the European Commission approved SCCs. Based on the CJEU’s Schrems decision, the Irish DPC petitioned the Irish High Court asking to refer the matter to the CJEU for ruling on the question of whether the European Commission’s SCC decisions are valid under European law. Specifically, the Data Protection Commissioner questioned whether there is an effective remedy under U.S. law compatible with the requirements of Article 47 of the EU Charter of Fundamental Rights for an EU citizen whose data is transferred to the U.S., where such data is subject to electronic surveillance by U.S. agencies for national security purposes. EU citizens have a right guaranteed by Article 47 of the Charter to an effective remedy before an independent tribunal if their rights or freedoms are violated. These include the rights under Articles 7 and 8 to respect for private and family life and protection of personal data.