Preliminary questions on the GDPR referred to the European Court of Justice by Austrian supreme courts in 2021

by Gerald Trieb and Antonia Kühberger// As reported in a previous blog post, the Austrian Supreme Court (Oberster Gerichtshof, OGH) recently submitted a preliminary ruling request to the European Court of Justice (ECJ) to clarify whether Facebook unlawfully reinterpreted the original “consent” of registered users to data processing on the basis of a contract when the GDPR came into effect. However, this is not the first preliminary ruling request in relation to provisions of the GDPR submitted by Austrian courts. Only within this current year, not less than three additional respective requests have been submitted, which shall be presented in this blog post.

  1. Preliminary request on the Right of Access by the data subject according to Article 15 GDPR (OGH 18.2.2021, 6 Ob 159/20f), “Österreichische Post”

The initial case was a lawsuit regarding a violation of the right of access pursuant to Article 15 GDPR. A data subject asked inter alia for information on specific recipients, in the event of a disclosure. In the subsequent civil proceedings, the defendant disclosed categories of recipients in its reply letter and referred to its website for more detailed information; however, the website also listed categories of recipients (e.g. doctors, banks and lawyers) only. In response to the complaint, the defendant merely stated that personal data were processed for marketing purposes within the scope of its activities as an address publishing company and was disclosed to business customers (advertising companies, IT companies, etc.).

Consequently, the following question was referred to the ECJ:

Is Article 15(1)(c) GDPR to be interpreted as meaning that the right of access is limited to information concerning categories of recipient where specific recipients have not yet been determined in the case of planned disclosures, but that right must necessarily also cover recipients of those disclosures in cases where data has already been disclosed?

The question therefore concerns the wording “recipients or categories of recipient” in Article 15(1)(c) GDPR, which the OGH – most likely correctly – considers not yet clarified and in need of interpretation. The previous instances, lower Austrian civil courts, dismissed the claim because the wording “recipients or categories of recipient” in Article 15(1)(c) GDPR clearly gave the controller the free right to choose whether the categories of recipients or the specific recipients are to be disclosed. The Austrian DPA (Datenschutzbehörde, 24.4.2020, 2020-0.219.620) and the Austrian Federal Administrative Court (Bundesverwaltungsgericht, 9.12.2019, W214 2221970-1), however, are of the opinion that the recipients must be specifically disclosed. This view seems to be shared by the Austrian Supreme Court, which in its preliminary request considers that there is a right to choose – but only in favour of the data subject. In this regard, the OGH refers to recital 63, from which the fundamental obligation of the data controller to specify the recipients was derived. The ECJ will now decide who is ultimately right.

  1. Preliminary request on the compensation for non-material damages (OGH 15.4.2021, 6 Ob 35/12x), “Österreichische Post”

The main proceedings concern the complaint of a data subject against a postal service provider, Österreichische Post AG, for unlawful processing of political party affinities. The plaintiff claimed that he was entitled to non-material damages of EUR 1.000,00- due to “great inner turmoil” because he was wrongfully attributed a high affinity with the Austrian Freedom Party (FPÖ), a far-right positioned party. This categorization caused him significant anger and a loss of trust, but also the feeling of being exposed.

The ECJ must now clarify the conditions and scope of Article 82 GDPR. In particular, the OGH submitted the following questions to the ECJ:

  1. Does the award of compensation under Article 82 GDPR also require, in addition to infringement of provisions of the GDPR, that an applicant must have suffered harm, or is the infringement of provisions of the GDPR in itself sufficient for the award of compensation?

  2. Does the assessment of the compensation depend on further EU-law requirements in addition to the principles of effectiveness and equivalence?

  3. Is it compatible with EU law to take the view that the award of compensation for non-material damage presupposes the existence of a consequence of the infringement of at least some weight that goes beyond the upset caused by that infringement?

Article 82 GDPR states that “any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered”. Thus, a separate liability standard under data protection law is developed, whereby the concept of “non-material damage” is to be interpreted autonomously by the European Union. The national liability regime is consequently “overlayed” in this respect.


The assessment of the obligation to compensate is based on the criteria of proportionality, effectiveness and a sufficient deterrent effect. Although the compensation has to be more than symbolic compensation, in the opinion of the OGH, liability should only arise if actual (non-material) damage has occurred. Such an impairment does not have to be particularly severe, but requires the prerequisite of “noticeability”. Austrian courts have been very reluctant to award compensation for non-material damage so far.

By referring the matter to the ECJ, the OGH pre-empted the German courts. The German Federal Constitutional Court has recently represented the point of view that it is incompatible with the right to one’s lawful judge to dismiss a claim for damages without having obtained an interpretation of the concept of damage in Article 82(1) GDPR from the ECJ.

  1. Preliminary request on the meaning and extent of “a copy of the personal data undergoing processing” in the context of the Right of Access by the data subject according to Article 15(3) GDPR (BVwG 9.8.2021, W211 2222613-2/12E), “Österreichische Datenschutzbehörde and CRIF”;

In the main proceedings, a data subject made a written access request according to Article 15 GDPR requesting – among other things – a copy of her personal data. The respondent partially complied with the access request, but failed to additionally provide for a copy of the processed data.

Subsequently, the BVwG requested the ECJ’s preliminary ruling on the interpretation of Article 15(3) GDPR and submitted the following questions:

  1. Is the term “copy” in Article 15(3) GDPR to be interpreted as photocopy or facsimile or an electronic copy of (electronic) data, or does the term also cover a “transcript”, un “double” (“duplicata”) or a “transcript”, as understood in German, French and English dictionaries?

  2. Is the first sentence of Article 15(3) of the GDPR, according to which ‘the controller shall provide a copy of the personal data undergoing processing’, to be interpreted as affording a general right for a data subject to obtain a copy of – also – entire documents in which the personal data of that data subject are processed, or to receive a copy of a database extract if the personal data are processed in such a database, or does the data subject have a right – only – to an exact reproduction of the personal data about which information is to be provided pursuant to Article 15(1) of the GDPR?

In addition, it shall be clarified whether, in the event of a restrictive view, at least parts of the text must be made available in individual cases (question 3). The ECJ should also determine whether the use of the word “information” in Article 15(3) refers solely to the personal data mentioned in Article 15(3) or also to the information pursuant to Article 15(1) (a) to (h) GDPR or even to metadata beyond that (question 4).

According to representatives of the restrictive interpretation – and also Austrian case law – it does not correspond to the meaning and purpose of Art 15 GDPR that the term “copy” in paragraph 3 obligates the controller to a broader handover of data. However, the supporters of an extensive interpretation see paragraph 3 as an extension of Article 15(1) GDPR. It is intended to allow the data subject making the access request to have direct access to the raw version of the data. The controller should then provide this in the form of a true “copy” of entire documents.

In all three cases, no decision has been made by the ECJ yet. Due to the preliminary requests, the ECJ will have the opportunity to put its foot down and provide more clarity to the interpretation of the concept of recipient, the term “copy” and the criteria of the non-material claim for damages.

Links:

Dr. Gerald Trieb is Partner at Knyrim Trieb Rechtsanwälte Vienna (Austria).

Antonia Kühberger is Legal Intern at Knyrim Trieb Rechtsanwälte Vienna (Austria) and Data Protection Support at Coca-Cola Hellenic Bottling Company.



 



Tagged on:
By Guest | December 22, 2021 | Article |