Data analytics, protection and privacy

2024 privacy review – the most important ECJ privacy rulings

Published on 6th Mar 2025

An overview of the six most important data protection rulings from 2024 and their impact on the interpretation of the GDPR


Six years into the application of the GDPR, the European Court of Justice (“ECJ”) continues to shape the interpretation of essential GDPR concepts such as controllership, sensitive personal data, legal bases for the processing of personal data, or damage claims by data subjects. Below, we have summarized the most important rulings of the ECJ in 2024 relating to the interpretation of the GDPR and provided links to the official website of the ECJ with the full text of each decision.

1. The concept of personal data

In Case C-604/22 – IAB Europe, the ECJ clarified the concept of personal data with particular respect to the Transparency and Consent Framework (“TCF”) operated by IAB Europe, a European industry association in the digital marketing sector.

The TCF provides a framework for consent-based digital marketing activities: a website user’s advertising preferences, collected through a Consent Management Platform (“CMP”), are stored in an alphanumeric code (the “TC String”). The TC String is then shared with other stakeholders in the digital marketing ecosystem, such as data brokers and advertising platforms, so that they know what the user has consented or objected to. Combined with a cookie placed by the CMP, the TC String can be linked to the website user’s IP address.

The ECJ held that the TC String constitutes personal data in so far as it can, by reasonable means, be associated with an identifier such as a website user’s IP address. The fact that IAB Europe itself cannot access the data processed under the rules of the TCF, nor combine it with other identifiers such as an IP address, does not prevent the TC String from being personal data in relation to IAB Europe. On that basis the ECJ also found that a sector organisation such as IAB Europe may be a joint controller for the recording of users’ preferences in the TC String, without automatically being a joint controller for the subsequent processing carried out by the vendors that receive it.

Why this is important: Once again, the ECJ confirmed that it applies a broad understanding of what constitutes personal data. A pseudonymous token is personal data for an organisation even if only another party in the chain holds the key that links it to a person, as long as that link can be made by reasonable means.
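To make concrete what the ruling is about, the following added example (written for this article; it is not code from IAB Europe, a CMP vendor or the original page) encodes and decodes the core segment of a TCF v2 TC String. The bit layout follows the public TCF v2 core-string specification as understood by the author of this example (version 2, bitfield vendor encoding only), so check it against the current IAB specification before relying on it. All sample values, including the CMP id, timestamps and the vendor log entry, are constructed. The last function shows the linkage the ECJ relied on: a vendor that receives the string alongside the requester’s IP address can tie the decoded preferences to a person, even though the string itself contains no name.

```python
"""Encode/decode the core segment of an IAB TCF v2 "TC String" (added example).

Layout per the public TCF v2 spec as understood by this example's author; the
sample values are constructed, not captured from a real CMP.
"""
import base64

# Core-segment fields in order, with width in bits, up to the vendor section.
CORE_FIELDS = [
    ("version", 6), ("created", 36), ("last_updated", 36), ("cmp_id", 12),
    ("cmp_version", 12), ("consent_screen", 6), ("consent_language", 12),
    ("vendor_list_version", 12), ("tcf_policy_version", 6),
    ("is_service_specific", 1), ("use_non_standard_texts", 1),
    ("special_feature_opt_ins", 12), ("purposes_consent", 24),
    ("purposes_li_transparency", 24), ("purpose_one_treatment", 1),
    ("publisher_cc", 12),
]
LETTER_FIELDS = {"consent_language", "publisher_cc"}  # two 6-bit letters, A = 0


def _letters_to_int(two_letters):
    a, b = two_letters.upper()
    return ((ord(a) - 65) << 6) | (ord(b) - 65)


def _int_to_letters(value):
    return chr(65 + (value >> 6)) + chr(65 + (value & 0x3F))


def ids_to_bitfield(ids, width):
    """IDs are 1-based; ID 1 maps to the most significant bit of the field."""
    value = 0
    for i in ids:
        if not 1 <= i <= width:
            raise ValueError(f"id {i} outside 1..{width}")
        value |= 1 << (width - i)
    return value


def bitfield_to_ids(value, width):
    return [i for i in range(1, width + 1) if value & (1 << (width - i))]


def _field_bits(value, width):
    if value < 0 or value >= 1 << width:
        raise ValueError(f"value {value} does not fit in {width} bits")
    return format(value, f"0{width}b")


def encode_core(fields, vendor_consent_ids):
    """Return the unpadded base64url core segment for the given values."""
    bits = ""
    for name, width in CORE_FIELDS:
        value = fields[name]
        bits += _field_bits(_letters_to_int(value) if name in LETTER_FIELDS else value, width)
    # Vendor consent section: MaxVendorId (16), IsRangeEncoding (1) = 0,
    # then one bit per vendor ID from 1 up to MaxVendorId.
    max_vendor = max(vendor_consent_ids, default=0)
    bits += _field_bits(max_vendor, 16) + "0"
    if max_vendor:
        bits += _field_bits(ids_to_bitfield(vendor_consent_ids, max_vendor), max_vendor)
    bits += "0" * (-len(bits) % 8)  # pad to whole bytes
    raw = int(bits, 2).to_bytes(len(bits) // 8, "big")
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def decode_core(tc_string):
    """Parse the core segment into a dict (bitfield vendor encoding only)."""
    core = tc_string.split(".")[0]  # later segments (disclosed vendors etc.) ignored
    raw = base64.urlsafe_b64decode(core + "=" * (-len(core) % 4))
    bits = "".join(format(b, "08b") for b in raw)
    pos = 0

    def take(n):
        nonlocal pos
        chunk = bits[pos:pos + n]
        pos += n
        return int(chunk, 2) if chunk else 0

    out = {}
    for name, width in CORE_FIELDS:
        value = take(width)
        out[name] = _int_to_letters(value) if name in LETTER_FIELDS else value
    out["purposes_consent_ids"] = bitfield_to_ids(out["purposes_consent"], 24)
    max_vendor = take(16)
    if take(1):
        raise NotImplementedError("range-encoded vendor section not handled here")
    out["vendor_consent_ids"] = bitfield_to_ids(take(max_vendor), max_vendor)
    return out


def link_to_ip(vendor_requests):
    """Join decoded consent purposes to the requester's IP, as a vendor could.

    vendor_requests: (ip, tc_string) pairs from a (constructed) request log.
    """
    return {ip: decode_core(tc)["purposes_consent_ids"] for ip, tc in vendor_requests}


# Constructed sample: CMP id 300 recorded consent to purposes 1, 3 and 4 for
# vendors 3, 10 and 25 on 1 June 2024 (timestamps are deciseconds since epoch).
SAMPLE_FIELDS = {
    "version": 2, "created": 17172000000, "last_updated": 17172000000,
    "cmp_id": 300, "cmp_version": 7, "consent_screen": 1, "consent_language": "EN",
    "vendor_list_version": 200, "tcf_policy_version": 4, "is_service_specific": 1,
    "use_non_standard_texts": 0, "special_feature_opt_ins": 0,
    "purposes_consent": ids_to_bitfield([1, 3, 4], 24),
    "purposes_li_transparency": ids_to_bitfield([2, 7], 24),
    "purpose_one_treatment": 0, "publisher_cc": "DE",
}
SAMPLE_TC_STRING = encode_core(SAMPLE_FIELDS, [10, 25, 3])

if __name__ == "__main__":
    print(SAMPLE_TC_STRING)
    for key, value in decode_core(SAMPLE_TC_STRING).items():
        print(f"{key:26} {value}")
    print(link_to_ip([("203.0.113.9", SAMPLE_TC_STRING)]))  # constructed log entry
```

Note that the decoded fields (creation time at 0.1 s resolution, CMP id and version, language, and the exact consent pattern) already make the string a fairly distinctive quasi-identifier on its own; the cookie and IP address discussed in the ruling simply make the link to a natural person explicit.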

2. Special categories of personal data

In Case C-21/23 – Lindenapotheke, the ECJ clarified its interpretation of special categories of personal data under Article 9 GDPR, building on its existing body of case law on special categories of data, such as Case C-184/20 – Vyriausioji tarnybinės etikos komisija and Case C-252/21 – Bundeskartellamt.

A company operating a pharmacy under the trade name “Lindenapotheke” had been selling pharmacy-only, non-prescription medicines online. A competitor brought an action before the German courts seeking an order that the company cease selling such products in this way. The competitor argued that the company processed health data in the context of online orders without obtaining consent, in violation of Article 9 GDPR. The cease-and-desist claim was based on German unfair competition law, which allows competitors to seek an injunction against market participants that infringe laws regulating market behaviour.

The ECJ not only clarified that competitors can bring cease and desist actions against other competitors for alleged GDPR infringements. The ECJ also made clear that special categories of personal data must be interpreted broadly. As already stated in Case C-184/20, special categories of personal data do not only cover inherently sensitive data, but also data that can be used to infer sensitive information, for example the information that a person has bought certain medicines is capable of revealing information about that person’s health conditions. According to the ECJ, it is irrelevant whether the controller aims to infer such information (see arguments in Case C-252/21), and it is also irrelevant whether such information is accurate. This means that even if medicines ordered online are intended for a third person, e.g., a child or an elderly parent, the information inferred from the order would still be considered sensitive personal data although the controller cannot be absolutely certain that the information relates to the ordering customer.

Why this is important: The ECJ extended its broad understanding of personal data to the concept of special categories of personal data. Since such data may only be processed in exceptional cases, controllers may need to reconsider some of their data classifications and must ensure that they process special categories of personal data in accordance with applicable law. It is also important to keep in mind that Article 9 GDPR does not provide a permission ground based on the performance of a contract, so an order form is not by itself a legal basis for the health data it reveals.

3. Purpose limitation and data minimization

In Case C-446/21 – Schrems v Meta, the ECJ clarified the conditions that must be observed when processing (sensitive) personal data for the purposes of personalised advertising.

In this specific case, Mr Schrems challenged the processing of certain personal data relating to his sexual orientation, alleging that Meta had used such data to present personalised advertisements to him.

In its ruling, the ECJ clarified that the principle of data minimisation (Article 5(1)(c) GDPR) precludes personal data collected on and off the platform from being aggregated and used for targeted advertising without any limit in time and without distinction as to the type of data; the controller must therefore define retention periods appropriate for each type of data. In addition, the ECJ gave guidance on Article 9(2)(e) GDPR (sensitive data manifestly made public): the fact that a data subject has spoken publicly about his sexual orientation, here at a panel discussion, does not by itself authorise the controller to process other data on that subject, obtained from third parties, for personalised advertising.

Why this is important: The ECJ’s ruling strengthens data subject rights with respect to personalised advertising. It underlines once more that the GDPR principles laid out in Article 5 (1) GDPR are not to be understood as merely programmatic interpretation guidelines but rather as mandatory requirements for GDPR compliance.

4. Legal bases for personal data processing

On several occasions, the ECJ also provided guidance regarding the interpretation of certain GDPR legal bases for the processing of personal data. In particular, its rulings covered Article 6(1)(b), (c) and (f) GDPR and the conditions under which a works agreement can serve as a legal basis (Joined Cases C-17/22 and C-18/22 – HTB Neunte Immobilien Portfolio and Ökorenta Neue Energien Ökostabil IV, Case C-621/22 – KNLTB and Case C-65/23 – K GmbH).

In Cases C-17/22 and C-18/22, the ECJ ruled that, for the processing of personal data to be regarded as necessary for the performance of a contract under Article 6 (1)(b) GDPR, it must be objectively indispensable for a purpose that is integral to the contractual obligation intended for the data subject. If a contract expressly prohibits the disclosure of certain data to other parties, then such disclosure cannot be considered necessary for the performance of this contract. Additionally, the ECJ found that a controller can rely on Article 6 (1)(c) GDPR even if the legal obligation stems from case law (as opposed to a statutory law) provided (i) the case law is clear and precise, (ii) its application is foreseeable by the persons who are subject to it and (iii) the case law meets an objective of public interest and is proportionate to it.

In Cases C-17/22 and C-18/22 as well as in Case C-621/22, the ECJ clarified that even a purely commercial interest can qualify as a legitimate interest in the sense of Article 6(1)(f) GDPR, provided that the interest is lawful. These rulings provide further detail on the aspects to be considered in the balancing-of-interests test and emphasise that reliance on Article 6(1)(f) GDPR requires the controller to comply with all other obligations under the GDPR.

Case C-65/23 clarified, to some extent, a long-standing dispute in German legal literature as to whether a works agreement could legitimise data processing activities that would otherwise be unlawful under the GDPR for not meeting the necessity requirement. In a works agreement governing the use of HR software, the parties had agreed that certain employee data could be transferred to a server of the company’s parent company in the US. Following a claim for damages by an employee of the German company, the validity of the works agreement as a legal basis for certain processing activities was called into question. In its ruling, the ECJ stated that although Article 88 GDPR allows Member States to provide for more specific rules on the processing of employee personal data in the employment context, this cannot be read as allowing such rules to circumvent the obligations of the controller or processor under the other provisions of the GDPR. A processing activity therefore cannot be justified by a works agreement beyond what the GDPR permits; it must comply with the general principles of the GDPR, such as the necessity principle, and must rest on a legal basis under the GDPR.

Why this is important: The above-mentioned rulings touch upon some of the legal bases most relied on in practice. In particular, the ECJ underscores that necessity is a central element of the balancing of interests and must be analysed and documented in each individual case to ensure that there is no equally suitable but less invasive alternative. The ECJ further emphasises that a legitimate interest can only exist if the controller complies with all other obligations under the GDPR, such as transparent information, purpose limitation, data minimisation, accuracy, storage limitation, and integrity and confidentiality (Article 5(1) GDPR). Finally, a works agreement cannot permit processing beyond what the GDPR itself allows.

5. Exercise of the supervisory authorities’ powers

Some of the ECJ’s rulings in 2024 also concerned questions regarding the Supervisory Authorities’ powers under the GDPR.

Case C-46/23 – Újpesti Polgármesteri Hivatal, concerned an order of the Hungarian authority requiring a controller to delete personal data of data subjects who were entitled to exercise their right to erasure pursuant to Article 17 GDPR but had not yet exercised it.

The ECJ took the view that Article 17 GDPR imposes two separate obligations on controllers. While the first part of Article 17(1) GDPR grants data subjects a right to request erasure of their data, the second part obliges the controller to erase those personal data without undue delay. The ECJ therefore concluded that a request by the data subject is not a precondition for the controller’s duty to erase. Supervisory Authorities may accordingly order a controller to remedy its failure to erase personal data in accordance with Article 17(1) GDPR, even where no data subject has asked for erasure.

Case C-768/21 – Land Hessen concerned an action brought against the Supervisory Authority of the German State of Hesse by a German data subject for failing to impose sanctions on a controller. The data subject was of the view that the controller had violated certain GDPR obligations in relation to a data breach and that the Supervisory Authority was therefore required to impose a sanction on the controller. The ECJ decided that a Supervisory Authority is not required to exercise a corrective power where such action is not appropriate, necessary or proportionate to remedy the violation and to ensure that the GDPR is fully enforced. It also found that a complainant whose rights have been infringed has no subjective right to have the Supervisory Authority impose an administrative fine on the controller.

Why this is important: Although the Supervisory Authorities’ guidance on interpreting the GDPR is not legally binding, their enforcement practice is key for GDPR compliance in practice. A clear understanding of the scope of their powers helps controllers anticipate what they may expect from Supervisory Authorities, including that an authority can act on an erasure failure without a complaint, and that a complainant cannot force it to fine a controller.

6. Damages for violation of data subject rights

2024 also brought further clarity concerning damages for data subjects through rulings of the ECJ as well as the European General Court and Germany’s Federal Court of Justice.

In Case C-687/21 – MediaMarktSaturn, the ECJ confirmed its prior case law on damages under Article 82 GDPR, in particular Case C-667/21 – Krankenversicherung Nordrhein and Case C-300/21 – Österreichische Post. The ECJ reiterated that Article 82 GDPR fulfils a compensatory and not a punitive function, i.e., the amount of compensation for non-material damage must make good the damage actually suffered by the data subject, irrespective of the number of GDPR infringements committed by the controller. Also, according to the ECJ, the mere infringement of GDPR provisions does not suffice to claim compensation. Instead, a causal link between the infringement and the damage must exist. Where data subjects assert negative consequences following an alleged GDPR infringement, they must demonstrate that those consequences constitute material or non-material damage; a purely hypothetical risk of misuse by an unauthorised third party is insufficient.

In Case C-741/21 – juris, the ECJ clarified that for a controller to be exempted from liability pursuant to Article 82 (3) GDPR, it is not sufficient for the controller to claim that the damage in question was caused by the failure of a person acting under the controller’s authority, here an employee. Instead, a controller must prove that there is no causal link between any breach of its obligations resulting from Articles 5, 24 and 32 GDPR and the damage suffered by the data subject.

In Case C-590/22 – PS, the ECJ acknowledged that even where it cannot be established that a data subject’s personal data were actually disclosed to a third party, the data subject may still seek compensation for non-material damage, provided he or she can prove having actually suffered such damage as a result of the alleged disclosure. However, a mere allegation of fear, with no proven negative consequences, cannot give rise to compensation (see Case C-687/21).

Case T-354/22 – Bindl v Commission concerns the highly relevant issue of damages resulting from personal data transfers to countries that do not provide an adequate level of data protection. The applicant claimed EUR 400 for non-material damage resulting from a data transfer to the US (which, at the time of the alleged violation, did not guarantee an adequate level of data protection, as the EU-US Data Privacy Framework had not yet been adopted). The General Court acknowledged that the transfer of the applicant’s personal data, in particular his IP address, to the US put him in a position of some uncertainty as regards the processing of his personal data. It found that the resulting loss of control over his data, and the risk of access by US security and intelligence services, justified financial compensation in the amount of EUR 400.

Lastly, Germany’s Federal Court of Justice (Bundesgerichtshof, “BGH”) in VI ZR 10/24 – Scraping (German language only) also ruled on non-material damages, applying for the first time the new lead-decision procedure (Leitentscheidungsverfahren), which is intended to relieve other courts dealing with cases based on the same facts and thus to speed up proceedings. The underlying facts concerned a scraping incident affecting approximately 533 million Facebook users worldwide whose personal data were publicly disclosed on the internet. Following the ECJ’s case law on non-material damages, the BGH found that a data subject’s temporary loss of control over his or her personal data (if proven) may in itself constitute non-material damage. However, the BGH did not specify the criteria for proving such loss of control; whether a data subject suffered it must be assessed on a case-by-case basis. While several other details remain to be settled in further rulings, the BGH also found that, in the specific case, an amount of EUR 100 was sufficient to compensate the data subject for the damage suffered.

Why this is important: Data subjects’ claims for compensation for non-material damage resulting from GDPR violations have become a significant concern for companies. Given the number of data subjects that could be affected by a personal data breach or an unlawful processing activity, especially in the consumer and HR context, the financial exposure for companies is hard to predict. The ECJ’s rulings on non-material damages help to delimit the financial risks that may result from a violation of the GDPR: a proven loss of control can be compensable, but hypothetical risk or unsubstantiated fear is not.

Interested in hearing more from Osborne Clarke?


* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.
