Key takeaways from December include:
- Concept of non-material damage under GDPR: In an expansive reading of the right to compensation under GDPR, a data subject’s fear that their personal data may be misused can qualify as recoverable “non-material damage”, according to a new ruling from the CJEU. Businesses should keep this finding, and the court’s wider reasoning behind it, in mind when considering potential compensation obligations following data breaches.
- Administrative fines for GDPR breaches: The CJEU has confirmed that national supervisory authorities can only issue administrative fines for GDPR breaches that arise out of negligent or intentional misconduct. This judgment will provide reassurance for businesses who, despite acting competently and in good faith, accidentally breach their GDPR obligations.
- Credit monitoring services: The CJEU has ruled that the GDPR’s prohibition on automated individual decision-making can, in certain circumstances, apply to private agencies which carry out “credit scoring” for lenders.
- Sensitive personal data: The CJEU has clarified that the processing of special category personal data, such as health data, requires a legal basis under both GDPR Art. 9 and GDPR Art. 6, meaning that businesses may wish to review their records of processing activities to ensure that both are reflected.
- Enforcement in France: Increased enforcement action for lesser violations is expected in 2024, as the CNIL fines six additional entities under its simplified enforcement process, potentially raising regulatory risk for businesses operating in France.
- Digital Operational Resilience Act (“DORA”): Financial institutions and suppliers of IT services who are subject to DORA in Germany should consider the financial regulator BaFin’s new FAQ when assessing DORA’s likely impact on their business and how to prepare.
- Cybersecurity Resilience: EU legislators have reached a political agreement on the Cyber Resilience Act. Once formally approved by the EU Parliament and EU Council, the Act will introduce new regulatory requirements for businesses that manufacture and sell digital products in the EU, including, in some circumstances, mandatory risk assessments and vulnerability reporting.
These developments, and more, are covered below.
CJEU clarifies meaning of “non-material damage” in context of data breaches
What happened: In a ruling on the compensation obligations of a data controller to its data subjects following unauthorised access to their personal data in a cyberattack, the CJEU has clarified that fear experienced by a data subject that their personal data may be misused can qualify as recoverable “non-material damage”, provided that this fear is not unfounded. The CJEU has also recently reaffirmed that the GDPR precludes national lawmakers from imposing a de minimis threshold for non-material damage.
This judgment arose from a 2019 cyberattack against the Bulgarian National Revenue Agency which resulted in a threat actor publishing more than 6 million people’s personal data on the internet.
The CJEU also took the opportunity to reiterate that:
- The fact that an unauthorised third party has gained access to personal data does not create an irrebuttable presumption that the data controller did not have appropriate technical and organisational measures in place.
- Nevertheless, when considering the appropriateness of protective measures, the obligation rests on the data controller to prove that they met the required standard. This presumption of fault has been reaffirmed by the CJEU in another recent case (see below).
- National courts should keep in mind that the GDPR requires controllers to establish “appropriate” risk management systems, not to eliminate the risk of personal data breaches altogether.
What to do: Businesses that process personal data should keep this decision in mind when considering their compensation obligations in the event of a cyberattack or other data breach. They are also reminded of their obligation to maintain appropriate technical and organisational measures in relation to their data processing, and may wish to review their compliance with these measures.
CJEU clarifies that data protection authorities can only issue fines for wrongful conduct
What happened: The CJEU clarified that data protection authorities can only impose administrative fines for breaches of the GDPR where there has been wrongful conduct. This means that the breach must have arisen either intentionally or as a result of negligence. The CJEU also explained that, in the context of legal persons such as companies, liability will arise for infringements by their representatives, directors, managers or any person acting in the course of the business of that legal person and on its behalf. The Court also held that, where the subject of a fine is part of a corporate group, the quantum of the fine should be calculated based on the total worldwide annual turnover of the entire group.
The rulings arose at the request of both the German and Lithuanian courts, following local administrative fines. In Lithuania, the National Public Health Centre was fined €12,000 after creating a mobile app which involved personal data of individuals exposed to Covid-19, while in Germany, a real estate company was fined €14 million for storing personal data of tenants when it was no longer required.
What to do: Businesses should keep in mind the potential for administrative fines when developing and monitoring their data processing practices. Given that fines can be issued to legal persons for the wrongful conduct of their representatives, directors and managers (amongst others), businesses may want to consider reviewing their data protection training to ensure that all relevant individuals are aware of, and properly comply with, their GDPR obligations.
CJEU rules on automated credit scoring and extended data retention practices
What happened: In a series of decisions, the CJEU has examined the legality of two data processing practices, commonly used by credit information agencies, under the GDPR.
The Court ruled that:
- “Scoring” (i.e., the use of statistical methods to produce a probability of future behaviour, such as the likelihood of debt repayment) constitutes “automated individual decision-making” when debt repayment probability scores are created using automated processing and lenders rely on them heavily for decision-making. GDPR Art. 22 prohibits the use of automated individual decision-making except in limited circumstances, such as contractual necessity or explicit consent. Even where automated decision-making is permitted, it must be subject to certain safeguards. As a result, credit scoring agencies will fall within the scope of the Art. 22 prohibition provided that lenders “draw strongly” on the score to make end decisions.
- It is further prohibited under the GDPR for private credit agencies to retain insolvency data for longer than the public insolvency register. When such data is unlawfully retained, the data subject has the right to have it deleted.
These rulings arose after members of the public challenged the refusal of several data protection commissioners to take action against SCHUFA, a German private company providing credit information services. In its judgment, the CJEU emphasized that national courts must be able to exercise a full review over any legally binding decisions of data protection authorities.
What to do: Businesses that offer credit information services in the EU may wish to review their data processing practices to ensure compliance with the GDPR, in light of these new rulings. Such businesses may want to keep the decision on automated decision-making in mind when considering how to integrate AI systems into their scoring processes and, more generally, their decision-making processes, as is suggested, for example, by the Hamburg DPA. It remains to be seen whether data protection authorities will provide guidance on how to interpret the “draw strongly” condition.
CJEU clarifies the conditions for the processing of sensitive personal data under the GDPR and that damages must be compensatory, not punitive
What happened: In a case regarding the processing of an incapacitated employee’s personal health data, the CJEU ruled that the lawful processing of special category personal data under the GDPR requires: (i) a lawful basis under GDPR Art. 9; and (ii) cumulatively, an additional lawful basis under GDPR Art. 6.
The particular complexity in this case arose from the fact that the defendant, the Medical service of German state Health Insurance, was both the claimant’s employer and the medical assessment body tasked by their insurer with processing health data to prepare an expert opinion on the claimant’s capacity to work. The court held that there was no barrier under the GDPR to medical assessment bodies processing the health data of their own employees.
The CJEU held that, under GDPR Art. 82, the system of liability was fault-based and that the controller’s fault was presumed unless it could provide exonerating evidence. The court also took the opportunity to confirm that compensation pursuant to GDPR Art. 82 is expected to fulfil a purely compensatory function, and should not have a deterrent or punitive purpose.
What to do: This decision should serve as a reminder to businesses of the extra care which must be taken when processing health data. In particular, businesses who process health data must ensure they fulfil the requirements of both GDPR Art. 6 and Art. 9 and may wish to review their records of processing activities to ensure that both are reflected.
CNIL fines six new entities under simplified enforcement process
What happened: The French CNIL fined six entities a total of €44,000 under its simplified enforcement process. As detailed in our November roundup, this simplified enforcement process is available for matters which the CNIL determines to be of limited complexity or seriousness. While most details of these six fines remain non-public, the sanctioned breaches include lack of cooperation with the CNIL, excessive data collection from a job applicant and lack of data security (robustness and storage of passwords).
What to do: Although these decisions may not be surprising in terms of substance, businesses should take note of the ongoing use of the simplified enforcement process. This could precipitate more vigorous enforcement against a broader range of violations than those that the CNIL previously prioritized.
EU institutions reach political deal on Cyber Resilience Act
What happened: Negotiations between the EU Commission, Parliament and Council resulted in a political agreement on the Cyber Resilience Act.
As detailed in our September 2022 roundup, the Act will introduce mandatory cybersecurity requirements for all products that are either directly or indirectly connected to another device or network and will apply to both hardware and software. Once enacted, manufacturers will need to implement cybersecurity measures across the entire lifecycle of products before they can be sold in the EU.
The final negotiations focused primarily on which body should receive notifications from manufacturers when security vulnerabilities are being actively exploited. A compromise was found whereby manufacturers will submit a notification to both ENISA (the EU cybersecurity agency) and the competent national computer security incident response team (“CSIRT”) via a single reporting platform. However, there will be a number of restrictions in place to allow the CSIRT to limit notification to ENISA (e.g., to protect national security interests). The negotiations also clarified that non-profit organisations that sell open-source software but reinvest all the revenues in not-for-profit activities will be excluded from the Act’s scope.
What to do: The political agreement is subject to formal approval by both the EU Parliament and EU Council. The Regulation is expected to enter into force in early 2024; manufacturers, importers and distributors of relevant hardware and software products will have 36 months to adapt to the new requirements (with a more limited 21-month grace period for the reporting obligation).
BaFin publishes new DORA guidelines
What happened: The German financial regulator, BaFin, has published FAQs on the EU’s new Digital Operational Resilience Act (“DORA”). This highly significant regulation aims to strengthen the EU’s financial market by imposing uniform controls on IT risks, cybersecurity and digital operational resilience across the sector. Amongst other clarifications, the BaFin FAQ confirmed that:
- The supervision of critical IT third-party services by a supervisory authority under DORA does not relieve financial companies of their own regulatory obligations to monitor their use of third-party IT service providers.
- The costs of monitoring in compliance with DORA must be borne by the critical third-party IT providers, not the authorities.
- BaFin will act as the central reporting body for all financial companies under its supervision and therefore should be the recipient of reports on IT-related incidents.
What to do: Entities covered by DORA must comply with the new regulations by 17 January 2025. Such entities may wish to consult the new BaFin guidance when considering how to establish internal processes and documentation which meet the new DORA requirements. In a previous Debevoise Data Blog post, we published a detailed list of preparatory steps which financial entities and third-party service providers may wish to consider taking.
CNIL and the French Competition Authority sign joint declaration on closer cooperation
What happened: The French Data Protection Authority (the CNIL) and the French Competition Authority (Autorité de la concurrence) signed a joint declaration on their intention to deepen their cooperation in order to protect consumers and ensure that competition is not distorted.
The joint declaration emphasises the importance of interplay between data protection and competition law and defines the ways and means of cooperation between the two authorities. Besides the cooperation already foreseen in the existing legislative mechanisms, both authorities also intend to establish regular informal exchanges such as inter-agency meetings and joint studies, so that they are in a position to better take personal data protection and competition regulations into account, and identify issues requiring a joint approach.
What to do: The joint declaration illustrates the interplay between data protection and competition laws. Although they essentially pursue different objectives, they cannot be considered separately in the digital age, and competition authorities recognise personal data protection as a parameter of competition.
The joint declaration follows the CJEU judgment confirming that EU national competition authorities can assess GDPR-related violations in competition law violation proceedings in close cooperation with the competent data protection agencies (see our blog post here). Deepened cooperation between the competition and data protection authorities is expected in other EU jurisdictions and beyond, raising the risk of greater regulatory scrutiny.
The cover art used in this blog post was generated by DALL-E.