Litigation

In recent months, the European Court of Justice (“CJEU”) issued five judgments providing some clarity on the scope of individuals’ rights to claim compensation for “material and non-material damage” under Article 82 of the GDPR. These rulings will inform companies’ exposure to compensation claims, particularly in the context of the EU’s Collective Redress Directive, but open questions remain about the quantum of compensation courts will offer in these cases and we expect both the CJEU and national courts to deliver additional case-law clarifying this topic in the coming year (for more information on recent CJEU cases related to compensation, see our previous blog posts here and here).

  • In VB v Natsionalna agentsia za prihodite (C-340/21), the CJEU concluded that individuals may have suffered “non-material damage”—and therefore be able to claim compensation—if they can demonstrate that they feared future misuse of personal data that was compromised in a personal data breach.  
  • In VX v Gemeinde Ummendorf (C-456/22), the CJEU found that there is no de minimis threshold for damage, below which individuals cannot claim for compensation.
  • In BL v MediaMarktSaturn (C-687-21), the CJEU restated its existing case-law, and expanded upon its analysis in VB by clarifying that alleged harms cannot be “purely hypothetical”.
  • In Kočner v Europol (C-755/21), the CJEU awarded non-material damages of €2000 for the publication in newspapers of transcripts of “intimate” text messages.
  • In GP v Juris GmbH (C-741/21), the CJEU found that where one processing activity infringes multiple provisions of the GDPR, this should not allow claimants to “double-count” the harm they suffered.

We provide further detail on each case below.Continue Reading Rounding up Five Recent CJEU Cases on GDPR Compensation

On March 7, 2024, the CJEU rendered its judgement in the IAB Europe case (C-604/22).   The case relates to role of IAB Europe, a sector organization, in its Transparency and Consent Framework (“TCF”) used by companies to record the GDPR consent granted (or not granted) by a user and to document compliance with their GDPR transparency obligations.  The framework is widely used in digital advertising, including in real-time bidding scenarios; below, we set out the court’s three main findings.Continue Reading CJEU Decides the IAB Europe Case, Expanding the Concept of Controllership

The EU Representative Actions Directive (“RAD”) was meant to have been transposed by all EU member states by December 25, 2022. However, the EU Commission announced on January 27, 2023, that only three out of the 27 EU member states have properly transposed the RAD into their national legislation as required, and that it will now start issuing formal notices to the remaining countries to transpose the RAD as soon as possible.

As reported in our previous blog post, the RAD aims to harmonize member state frameworks on collective actions (i.e., whereby multiple claimants may lodge a claim or claims as a group) across the EU. It sets minimum requirements with respect to collective actions on a wide range of topics, including data protection matters (see also our blog post on the implications of RAD for data protection infringements and our separate blog post on the Court of Justice of the EU’s interpretation of Article 80(2) GDPR on data protection-related collective actions). This blogpost provides an overview of the RAD and its implementation status by EU member states.Continue Reading National Transposition of the EU Representative Actions Directive: What is the Current Status?