Verena Grentzenberg and Ali Umutlu | Privacy Matters | DLA Piper Data Protection and Privacy | DLA Piper https://privacymatters.dlapiper.com/author/vgrentzenberg/

Germany: Monitoring and auditing obligations of controllers with respect to their processors https://privacymatters.dlapiper.com/2025/04/germany-monitoring-and-auditing-obligations-of-controllers-with-respect-to-their-processors/ Wed, 16 Apr 2025 12:01:32 +0000

In a decision on immaterial damages under Article 82 of the EU General Data Protection Regulation (GDPR), the Higher Regional Court of Dresden, Germany (case number 4 U 940/24), set out important monitoring and auditing obligations of controllers with respect to their processors.

The controller (defendant) operates an online music streaming service; the plaintiff is a customer of this service. The case was triggered by a data breach in November 2022 at a former processor of the controller, involving customers’ personal information (including email addresses, full names, ages, etc.).

The contract between the controller and the processor ended at the end of 2019, several years before the data breach. According to the data processing agreement, the controller could choose between deletion or return of the data after the end of the processing. However, the controller never exercised this right. A few days before the termination of the agreement, the processor informed the controller by email that the data would be deleted the following day. Almost a year later, in December 2020, the processor sent another email to the controller announcing that the deletion was imminent. Nevertheless, it was not until early 2023, after the data breach had been reported, that the processor confirmed to the controller that (some kind of) deletion had been carried out.

The Higher Regional Court ruled that the defendant was in principle liable to the plaintiff for damages within the meaning of Article 82 of the GDPR, but that the plaintiff had not credibly demonstrated any emotional damage and therefore no compensation payments were awarded.

In its judgment, the court dealt extensively with the issue of a controller’s liability for the omissions of its processor. In particular, the court addressed the monitoring and auditing measures that a controller must exercise over its processor and how these measures must be designed.

In general, the court takes the view that:

  • if a company selects an IT service provider that is known in the market as a leading and reliable provider, it can generally place trust in the provider’s expertise and reliability without the need for an on-site inspection, but
  • increased requirements apply if large amounts of data or particularly sensitive data are hosted.

In the opinion of the Higher Regional Court, in the specific case this meant that the data controller was obliged to:

  • exercise its rights towards the processor with respect to the deletion of the data (the data processing agreement allowed the controller to choose between deletion and return of the data);
  • in case of deletion, obtain a written confirmation (i.e. a meaningful document certifying the deletion) from the processor, as detailed in the data processing agreement(s);
  • immediately request the provision of the deletion confirmation, if no such confirmation has been provided within the contractually agreed period; and
  • if necessary, carry out an on-site inspection (e.g., if the deletion confirmation remains outstanding).

The court also clarified that mere announcements of the data processor to delete the data (in the future) are not an adequate substitute for the confirmation that the data has already been deleted.

Conclusion and practical recommendation:

Even if the controller in the specific case has escaped being ordered to pay damages, the court has nevertheless affirmed the company’s liability.

Controllers should therefore take this judgment as an opportunity to review the robustness of their monitoring and auditing measures with regard to processors. Necessary measures must not only be introduced but also sustained and documented in such a way that they are sufficient as evidence in front of courts and supervisory authorities.

Germany: New government plans to centralize data protection supervision and reduce regulation for small and medium-sized companies https://privacymatters.dlapiper.com/2025/04/germany-new-government-plans-to-centralize-data-protection-supervision-and-reduce-regulation-for-small-and-medium-sized-companies/ Mon, 14 Apr 2025 08:52:20 +0000

On April 9, 2025, the coalition agreement of the future German Federal Government, consisting of the three German parties CDU, CSU and SPD, was published. The document entitled “Responsibility for Germany” contains several plans, including some that may fundamentally change the German data protection supervisory authority structure and that aim to ease the regulatory burden for small and medium-sized companies.

Central data protection supervision and new role of the Data Protection Conference

The future government is planning to reform the structure of the data protection supervisory authorities in Germany. Responsibilities and competencies for the private sector are to be bundled into the Federal Commissioner for Data Protection and Information Security (“BfDI”). Currently, Germany does not have one central supervisory authority for data protection law but authorities in each of the sixteen German federal states (Länder), which are competent for the public and the private sector in the respective state. In addition, there are different supervisory authorities for private broadcasters as well as for public broadcasters. Currently, the BfDI is only competent for the federal public sector and a limited number of private sectors, such as telecommunications.

This change in structure would lead to considerable relief, particularly for companies or groups of companies with headquarters outside Germany or outside the EEA. If the BfDI becomes the responsible authority for the private sector as a whole, there will no longer be any uncertainty as to which national supervisory authority to work with. This is particularly relevant if a company or group of companies has several branches in Germany. Controllers and processors would only have to cooperate with one national supervisory authority and the contact details of the data protection officer would only have to be communicated to the BfDI. In addition, controllers without a lead supervisory authority will no longer be required to report data security breaches to all of the various German supervisory authorities. Currently, controllers without establishment in the EU have to make notifications to the authorities in those federal states where the affected data subjects live – in the future, instead of notifying up to 16 different authorities, they could only notify to one authority, just like in other EU countries.

In addition, the new structure could provide greater legal certainty for both controllers and processors, as currently, each German supervisory authority may interpret the legal requirements differently and pursue varying priorities, for example with regard to enforcement.

However, it remains unclear how this structural reform can be implemented in a legally secure manner. The coexistence of different responsibilities of the federal government and the federal states is an expression of federal structures and thus of the federal state principle safeguarded by the German constitution (the German Basic Law, Grundgesetz).

In addition, the Data Protection Conference (“DSK”), in which all German supervisory authorities are represented, is to be anchored in the Federal Data Protection Act (“BDSG”). In contrast to the current situation, it is to be given the task of creating binding data protection standards. This can ensure that a uniform approach is created, particularly in areas of cooperation between the private and public sectors. At the same time, there is a risk that even impractical and very dogmatic opinions of this very diverse body will become binding in the future.

Better use of GDPR leeway

The coalition partners also want to make better use of the leeway provided by the GDPR. This means that where the GDPR provides opening clauses for national legislators, new rules shall be created to relieve the burden on small and medium-sized enterprises as well as for the processing of personal data of and by employees and volunteers. Such leeway exists in the GDPR under Art. 23 GDPR, among others. According to Art. 23 (1) GDPR, the extensive transparency obligations under Art. 13, 14 and Art. 15 GDPR could be reduced to an appropriate level for small and medium-sized enterprises. However, no concrete plans have been agreed on yet.

Introduction of the retention of data relating to the civil identity and associated IP addresses

A proposal on data retention (Vorratsdatenspeicherung), which is currently suspended in Germany, has also caused a stir. Specifically, a proportionate three-month retention period for IP addresses and port numbers is to be introduced, in line with European and constitutional requirements, to be able to assign them to the owner of the connection. In this context, the Federal Police is to be authorized to carry out source telecommunication surveillance to combat serious crimes.

As recently as April 30, 2024, the ECJ ruled in Case C-470/21 that data retention is not by itself contrary to European law. However, it remains to be seen whether the future German Federal Government will succeed in finding a regulation that upholds the fundamental rights to respect for family life and the protection of personal data (Art. 7 and Art. 8 of the Charter of Fundamental Rights of the European Union).

Actual effects

The actual effects of the measures set out are not yet foreseeable. On the one hand, the measures set out for the reform of data protection are very vague. On the other hand, the coalition agreement itself is not a binding document. The implementation of the intended measures depends largely on the political framework conditions. Several years may pass before the reforms envisaged in a coalition agreement are implemented in law.

Germany: Update: Judgment on Non-Material Damages for Loss of Control over Personal Data https://privacymatters.dlapiper.com/2024/12/germany-update-judgment-on-non-material-damages-for-loss-of-control-over-personal-data/ Thu, 12 Dec 2024 11:46:26 +0000

In its judgement of November 18, 2024 (case number VI ZR 10/24) the German Federal Court of Justice (Bundesgerichtshof – “BGH”) clarified key legal issues regarding claims for damages under Article 82 GDPR in the event of a mere loss of control of personal data in the Facebook scraping complex. This blog post presents the recently published reasons for the judgement and is an update of our blog post ‘Germany: Judgment on Non-Material Damages for Loss of Control over Personal Data’.

The judgment is based on a personal data breach concerning the social network Facebook. In April 2021, data from over 500 million users was made public on the internet. This data was collected by unknown third parties using scraping. To collect the data these third parties were using the search function for phone numbers which, by default, allowed unrestricted access to public profiles based on phone numbers (including where the profile owner had decided not to publish the telephone number).

In summary, the BGH has ruled in favour of the existence of non-material damages due to a mere loss of control of personal data and has therefore provided some clarity to the previously inconsistent German case law. In particular, the decision clarified whether non-material damages due to loss of control can be claimed; what requirements must be met to substantiate such claims; and how such damages are to be measured.

Claims for damages

In its judgment, the BGH states that a claim under Article 82(1) GDPR requires the following:

  • An infringement of the GDPR;
  • A material or non-material damage to the data subject; and
  • A causal link between the infringement and the material or non-material damage.

In particular, the BGH’s judgment looks at the question of whether the plaintiff suffered non-material damage in the specific case. The plaintiff claimed non-material damages for the anger and fear he experienced as a result of the loss of control over his personal data.

In its judgment, the BGH takes a broad interpretation of the term ‘non-material damage’. With reference to the case law of the ECJ (e.g. ECJ, judgment of 4 October 2024 – C-200/23, para. 145, 156 in conjunction with 137 – Agentsia po vpisvaniyata) and Recital 85 of the GDPR, the BGH ruled that the mere loss of control over personal data due to an infringement of the GDPR is sufficient to constitute non-material damages. According to the BGH, this applies even if there has been no specific misuse of the affected data to the detriment of the data subject or other noticeable negative consequences. Such consequences would only intensify an already existing damage.

Furthermore, the BGH clarifies the basic conditions for the assertion of a claim for non-material damage under the GDPR and civil procedural law. It was the plaintiff’s obligation to provide substantial evidence for damages in the specific form of loss of control over personal data and to prove the causal link. That means that the plaintiff had to present facts which, in conjunction with a legal provision, are suitable and necessary to justify the existence of the respective claim deriving from Article 82(1) GDPR. For this, the plaintiff can even use standardised text modules in written submissions, provided that these still demonstrate that the plaintiff is personally affected by the incident. The BGH considers the following circumstances, as presented by the plaintiff, to be sufficient to cause the damage:

  • Loss of control over leaked personal data (with respect to his cell number, the plaintiff stated that he always passed on this number consciously and purposefully and did not make it accessible to the public randomly and without reason)
  • State of significant unease and concern about possible misuse of personal data (increased mistrust regarding emails and calls from unknown numbers, receiving contact attempts via text messages and emails by unknown senders)

Further motions

Regarding the plaintiff’s motion for action of acknowledgment of future material and non-material damages deriving from the incident, the BGH states that the mere possibility of future damages is sufficient to grant such motion (this is in line with settled German case law).

The plaintiff also asserted injunctive relief. Insofar as he sought an order that prevents Facebook from making his personal data accessible to unauthorized third parties via software for importing contacts without taking the necessary measures to do so according to the state of the art, the BGH considered this application to be procedurally inadmissible. The reason for this was that the claim was unspecific in several respects – for example, it partly only re-phrased security requirements of the GDPR. However, the BGH deemed the plaintiff’s further application to be admissible. This application was aimed at preventing Facebook from further processing the plaintiff’s telephone numbers on the basis of consent given by him, since, in the plaintiff’s opinion, this consent was invalid due to a lack of transparency. The court of appeal will have to rule on this application again. Interestingly, the BGH also stated that consent is the only lawful basis that could be considered for processing of phone numbers for the search function.

Furthermore, the BGH ruled that the plaintiff had no further right of access according to Article 15(1) GDPR against the defendant. The plaintiff claimed a right of information regarding the specific recipients of the data. Since this was not possible because the defendant had no knowledge of the specific recipients of the data, the BGH ruled that the plaintiff had no right of access in this regard.

BGH on amounts of non-material damages

In accordance with the principle of procedural autonomy, the modalities for calculating the amount of non-material damage are determined by the national rules governing the scope of financial compensation. Limited by the principles of equivalence and effectiveness, the application in Germany is governed by Section 287 German Civil Procedure Code (Zivilprozessordnung – “ZPO”). Article 82 GDPR only has a compensatory function and not a deterrent or punitive function. Therefore, the severity or number of infringements is irrelevant for the calculation of damages. Instead, the respective court must consider the sensitivity of the data concerned, the typical appropriate use, the type of loss of control, the possibility of regaining control and existing psychological damage. As a result, the BGH suggested that the court of appeal award damages in the amount of EUR 100.

In general, however, it can be inferred from the BGH’s statements that the BGH also considers double-digit (but likely not single digit) amounts to be potentially appropriate, albeit taking into account the respective circumstances of the individual case.

Conclusion

The BGH’s judgment is a landmark for future similar cases due to the relatively low amount awarded as damages. The courts of lower instance will in all likelihood concur with the BGH’s opinion. It remains to be seen to what extent other supreme federal courts will follow the opinion of the BGH. The German Federal Social Court (Bundessozialgericht – “BSG”), the federal court of appeal for social security cases, for example, seems to take the position, in a judgment which is not yet publicly accessible, that the mere formulaic assertion that the plaintiff had suffered a “loss of control” as a result of being left in the dark about the processing of his personal data is insufficient to justify a claim under Article 82(1) GDPR.

Germany: Judgment on Non-Material Damages for Loss of Control over Personal Data https://privacymatters.dlapiper.com/2024/11/germany-judgment-on-non-material-damages-for-loss-of-control-over-personal-data/ Tue, 19 Nov 2024 16:44:34 +0000

On November 18, 2024, the German Federal Court of Justice (Bundesgerichtshof – “BGH”) made a (to date unpublished) judgment under the case number VI ZR 10/24 regarding claims for non-material damages pursuant to Art. 82 GDPR, due to the loss of control over personal data.

The judgment is based on a personal data breach at Facebook. In April 2021, data from over 500 million users was made public on the internet. This data was collected by unknown third parties using scraping.

In the course of this incident, the plaintiff’s data (user ID, first and last name, place of work and gender) was published on the internet. The plaintiff argues that Facebook did not take sufficient and appropriate measures to protect his personal data and is essentially seeking non-material damages for the anger and loss of control over his personal data.

After the plaintiff was awarded an amount of EUR 250 in the first instance instead of the requested minimum of EUR 1,000, he lost in the appeal instance. The court of appeal stated that the mere loss of control is not sufficient for the assumption of non-material damage within the meaning of Art. 82 (1) GDPR. Furthermore, the plaintiff had not sufficiently substantiated that he had been psychologically affected beyond the loss of control.

The appeal to the BGH was partially successful. The BGH is of the opinion that even the mere and brief loss of control over personal data as a result of an infringement of the GDPR could constitute non-material damages within the meaning of Art 82(1) GDPR. There is no need for the data to be misused in a specific way to the detriment of the data subject or for there to be any other additional noticeable negative consequences. For the specific case, the BGH has not decided on a particular amount of damages but considers EUR 100 to be reasonable in view of the underlying circumstances. However, it still remains in general the plaintiff’s obligation to present and prove the conditions that are prerequisites for his claims.

The BGH has now referred the case back to the court of appeal for a new hearing and decision.

This judgment is important insofar as the BGH has taken a position on a legal issue – non-material damages for loss of control over personal data and its amount – that has been controversial and inconsistently handled to date. Back on October 31, 2024, the BGH determined the procedure for the Leading Decision Procedure in accordance with Section 552b of the German Code of Civil Procedure (Zivilprozessordnung – “ZPO”). In such procedures, the BGH can decide legal issues that are relevant to the outcome of a large number of proceedings and thus provide guidance for the courts of lower instance. However, leading decisions are not formally binding. Nevertheless, the BGH judgment sends a signal, as the BGH considers the loss of personal data to be low in relation to the amount of damages.

An update to this post will be made once the judgment is publicly available.

EU: ECJ rules that competitors are entitled to bring an injunction claim based on an infringement of the GDPR https://privacymatters.dlapiper.com/2024/10/eu-ecj-rules-that-competitors-are-entitled-to-bring-an-injunction-claim-based-on-an-infringement-of-the-gdpr/ Mon, 07 Oct 2024 12:50:16 +0000

Introduction

In its judgement of 04 October 2024 (C-21/23), the European Court of Justice (“ECJ”, “Court”) ruled that the provisions of Chapter VIII of the GDPR do not preclude national rules which grant undertakings the right to rely, on the basis of the prohibition of acts of unfair competition, on infringements of the substantive provisions of the GDPR allegedly committed by their competitors. The ECJ further ruled that the data of a pharmacist’s customers, which are provided when ordering pharmacy-only but non-prescription medicines on an online sales platform, constitute “health data” within the meaning of Art. 4 (15) and Art. 9 GDPR (to that extent contrary to the Advocate General’s opinion of 25 April 2024).

Background

The plaintiff and the defendant in the main proceedings each operate a pharmacy. The defendant also holds a mail order license and sells its range of products, including pharmacy-only medicines, through the online sales platform Amazon Marketplace, which allows the seller to offer products directly to consumers. The plaintiff sought an injunction to prohibit the defendant from selling pharmacy-only pharmaceuticals via the online sales platform. In the plaintiff’s opinion, such distribution constitutes an unfair commercial practice because the defendant was violating a statutory provision within the meaning of Section 3a of the German Act Against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb – “UWG”).

The District Court upheld the claim. The Higher Regional Court dismissed the defendant’s appeal and ruled that the defendant’s sale of pharmacy-only medicines via Amazon Marketplace violates the provisions of the UWG, as this distribution involves the processing of health data within the meaning of Art. 9(1) GDPR, to which the customers have not explicitly consented. According to the Higher Regional Court, the provisions of the GDPR must be regarded as market conduct rules within the meaning of national competition law, with the result that the plaintiff, as a competitor, is entitled to claim injunctive relief based on national competition law by relying on an infringement of the provisions of the GDPR by the defendant.

The defendant then appealed to the German Federal Court of Justice (Bundesgerichtshof – “BGH”), in which it maintained its application for dismissal of the injunction. The BGH stated that the key factor for the decision is how Chapter VIII and Art. 9 of the GDPR are to be interpreted, and referred the following questions to the ECJ for a preliminary ruling:

  1. Do the rules in Chapter VIII GDPR preclude national rules which – alongside the powers of intervention of the supervisory authorities responsible for monitoring and enforcing the regulation and the options for legal redress for data subjects – empower competitors to bring proceedings for infringements of the GDPR against the infringer before the civil courts on the basis of the prohibition of unfair commercial practices?
  2. Do the data of the customers of a pharmacist, who acts as a seller on an online sales platform, provided when ordering pharmacy-only but not prescription-only medicines (customer’s name, delivery address and information required for individualising the pharmacy-only medicine ordered) constitute data concerning health within the meaning of Article 9(1) GDPR?

Decision

First question (competitor’s right to bring injunction claims)

According to the ECJ, neither the wording of the provisions of Chapter VIII of the GDPR nor their context precludes competitors from bringing claims based on an infringement. On the contrary, while an infringement of the substantive provisions of the GDPR is likely to affect primarily the data subjects, it may also affect third parties. The Court notes that, in the context of the digital economy, access to personal data and the use that can be made of it are of considerable importance. Accordingly, in order to take account of real economic developments and to maintain fair competition, it may be necessary to take into account the rules on the protection of personal data when enforcing competition law and the rules on unfair commercial practices. The judgment recognises that the GDPR does not contain a specific opening clause which expressly authorises Member States to allow competitors to seek an injunction to prevent an infringement of the GDPR. However, according to the Court, it is clear that the EU legislature, when adopting the GDPR, did not intend to achieve full harmonisation of the remedies available in the event of a breach of the provisions of the GDPR and, in particular, did not intend to exclude the possibility for competitors of an alleged infringer of the rules on the protection of personal data to bring an action under national law on the basis of the prohibition of unfair commercial practices.

Moreover, such an action for an injunction brought by a competitor could prove to be a particularly effective means of ensuring such protection, since it makes it possible to prevent numerous infringements of the rights of the data subjects (in this respect, the Court refers to its judgment of 28 April 2002, Meta Platforms Ireland, C-319/20, in which the Court ruled that the GDPR does not preclude national legislation which allows a consumer protection association to bring an action, in the absence of a mandate given to it for that purpose and irrespective of the infringement of specific rights of the data subjects).

In the light of the foregoing, the answer to the first question is that the provisions of Chapter VIII of the GDPR must be interpreted as not precluding a national law which, in addition to the powers of intervention of the supervisory authorities responsible for monitoring and enforcing that regulation, and the means of redress available to the data subjects, gives competitors of the alleged infringer the power to take action against the infringer before the civil courts on the basis of the prohibition of unfair commercial practices for infringements of the GDPR.

In the present case, it is therefore for the national court to determine whether the alleged infringement of the substantive provisions of the GDPR at issue in the main proceedings, if established, also constitutes an infringement of the prohibition of unfair commercial practices under the relevant national legislation.

Second question (scope of the protection of health data)

In the second part of its decision, the ECJ once again interpreted the term ‘special categories of personal data’ and, in this case specifically the term health data (Art. 4 no. 15 GDPR), very broadly. The Advocate General in its Opinion on the case had assumed that it is not possible to deduce the state of health of the customer with sufficient probability from orders of pharmacy-only but non-prescription medicines and therefore had found that such information is not health data.

The ECJ has now decided otherwise. The Court ruled that the provisions of the GDPR cannot be interpreted as meaning that the processing of personal data that only indirectly reveals sensitive information about a natural person would be exempt from the increased protection. For personal data to be classified as health data within the meaning of Article 9(1) of the GDPR, it is sufficient that the health of the data subject can be inferred by association or deduction. The Court affirms that the data provided by a customer when ordering pharmacy-only medicines via an online platform can be used to infer, by association or deduction, the health status of the data subject, since the order establishes a link between a medicinal product, its therapeutic indications and uses, and an identified natural person or a person who can be identified by information such as his or her name or delivery address.

Moreover, the prohibition on processing health data shall apply in principle, regardless of whether the information disclosed by the processing in question is accurate or not, and regardless of whether the data controller acts with the aim of obtaining information falling within one of the special categories referred to in Article 9(1) of the GDPR. Consequently, the information provided by customers when ordering non-prescription medicines online constitutes health data, even if those medicines are only intended for those customers with a certain probability and not with absolute certainty. In this context, the Court also mentions the possibility that the order data may allow conclusions about the health of third parties (e.g. by means of a different delivery address).

The court of the main proceedings will therefore have to decide whether the processing of health data of the customers of the defendant is permissible on the basis of one of the exceptions in Article 9(2) of the GDPR – in particular, because the data subject has given explicit informed consent, or because the processing is permissible on the basis of Article 9(2)(h) of the GDPR as it is necessary for the purposes of health care and takes place on the basis of Union or Member State law or pursuant to a contract with a health professional.

Practical note

This is the third decision by the ECJ that allows actors other than data protection supervisory authorities to take legal action against controllers: in addition to the Meta Platforms decision of April 2022 mentioned above (C-319/20), in July this year the ECJ clarified that the right of a consumer protection association to challenge the infringement of a data subject’s right “occurring in the course of processing” also extends to information obligations pursuant to Articles 12(1) and 13(1) GDPR (C-752/22).

These rulings have significant consequences: they increase not only compliance risks but also legal defence costs. In practice, consumer protection organisations, often for lack of familiarity with the business context, tend to take a more dogmatic approach than the competent data protection supervisory authority.

Competitors now join them as a further class of inexperienced claimants. Unlike in the past, it can be assumed that going forward competitors will make use of the right to sue for injunctive relief where, in their view, a controller is violating the GDPR and this is deemed unfair within the meaning of national competition law. As the national acts against unfair competition are based on EU Directive 2005/29/EC and are therefore largely harmonised within the European Union, the ECJ's decision is likely to affect all data controllers in the European Union.

Accordingly, in order to identify potential shortcomings that could be the subject of a competitor's claim, controllers are well advised to review their existing processes in light of their specific business model. Where health information may be processed, a careful assessment is necessary. In particular, the question arises which situations the ECJ's broad interpretation of health data still covers: for example, dietary supplements, or whether, as we believe, it should remain limited to pharmacy-only medicines.

Furthermore, this aspect should be considered when planning future business activities in order to avoid a cease-and-desist order.

For any questions about this decision or any assistance please contact your local DLA Piper contact.

CJEU ruling clarifies data protection and e-privacy issues in the ad-tech space
https://privacymatters.dlapiper.com/2024/03/cjeu-ruling-clarifies-data-protection-and-e-privacy-issues-in-the-ad-tech-space/ (13 March 2024)

Introduction

Identifiability; what can amount to personal data; and joint controllership are some of the issues addressed by the Court of Justice of the European Union (CJEU) in its recent judgment in the IAB Europe case (C-604/22). This case concerned the use of personal data for online advertising purposes and the use of real time bidding technology.

The CJEU’s judgment, delivered on 7 March 2024, is a result of IAB Europe’s appeal of a decision of the Belgian Data Protection Authority (Belgian DPA) regarding the Transparency and Consent Framework (TCF) and the IAB Europe’s role within it.

Background

IAB Europe is a non-profit association representing undertakings in the digital marketing and advertising sector at European level. It developed the TCF, which is an operational framework of rules intended to enable online publishers, data brokers and advertisers to obtain users’ consent and lawfully process their personal data.

The TCF is widely applied in the context of a real time auctioning system used to acquire advertising space for the display of targeted advertisements online. A key component of the TCF is the Transparency and Consent String (TC String).

The TC String is a string of letters and characters which encodes the preferences a user expresses in a consent management platform (CMP) when visiting a website or app. The TC String is then shared with ad platforms and other participants in the ad-tech ecosystem; the CMP also places a specific cookie on the user's device. When combined, the TC String and this cookie can be linked to the user's IP address.
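To make concrete what a TC String actually carries, the following decoder, added here as an illustration and not taken from IAB Europe's own code, unpacks the core segment of a TCF v2 string: the fields (CMP id, timestamps, consent language, purpose and vendor consent bitfields) follow the layout IAB Europe publishes for TCF v2.x, but the field names, the sample values and the sample string itself are constructed in the block and do not come from any real CMP. The decoded output contains consent flags and CMP metadata but no user identifier, which is why the court's identifiability analysis turns on combining the string with the CMP cookie and the IP address rather than on the string alone. The vendor legitimate-interest section and publisher restrictions that follow the vendor consent section are not parsed.

```python
import base64

# Core-segment field layout of a TCF v2 TC String, in bit order
# (layout as published by IAB Europe for TCF v2.x; field names are ours).
CORE_FIELDS = [
    ("version", 6), ("created", 36), ("last_updated", 36),
    ("cmp_id", 12), ("cmp_version", 12), ("consent_screen", 6),
    ("consent_language", 12), ("vendor_list_version", 12),
    ("tcf_policy_version", 6), ("is_service_specific", 1),
    ("use_non_standard_texts", 1), ("special_feature_opt_ins", 12),
    ("purposes_consent", 24), ("purposes_li_transparency", 24),
    ("purpose_one_treatment", 1), ("publisher_cc", 12),
]

def ids_to_bitfield(ids, width):
    """ID 1 is the most significant bit of a `width`-bit field."""
    return sum(1 << (width - i) for i in ids)

def bitfield_to_ids(value, width):
    return [i + 1 for i in range(width) if (value >> (width - 1 - i)) & 1]

def letters_to_int(two_letters):
    """Two uppercase letters packed as two 6-bit values (A = 0)."""
    a, b = (ord(c) - 65 for c in two_letters.upper())
    return (a << 6) | b

def int_to_letters(value):
    return chr(65 + (value >> 6)) + chr(65 + (value & 63))

class BitReader:
    def __init__(self, data: bytes):
        self.bits = "".join(f"{b:08b}" for b in data)
        self.pos = 0

    def read(self, n):
        if self.pos + n > len(self.bits):
            raise ValueError("truncated TC String")
        value = int(self.bits[self.pos:self.pos + n], 2)
        self.pos += n
        return value

def encode_core(fields, max_vendor_id, vendor_consent_ids):
    """Build a core segment with bitfield vendor encoding; base64url, no padding."""
    bits = ""
    for name, width in CORE_FIELDS:
        value = fields[name]
        if not 0 <= value < (1 << width):
            raise ValueError(f"{name} does not fit in {width} bits")
        bits += format(value, f"0{width}b")
    bits += format(max_vendor_id, "016b") + "0"          # IsRangeEncoding = 0
    bits += "".join("1" if v in vendor_consent_ids else "0"
                    for v in range(1, max_vendor_id + 1))
    bits += "0" * (-len(bits) % 8)                        # pad to a byte boundary
    raw = int(bits, 2).to_bytes(len(bits) // 8, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def read_vendor_section(reader):
    """Vendor consent: MaxVendorId, then either a bitfield or a range list."""
    max_vendor_id = reader.read(16)
    if reader.read(1) == 0:                               # bitfield encoding
        return [v for v in range(1, max_vendor_id + 1) if reader.read(1)]
    ids = []                                              # range encoding
    for _ in range(reader.read(12)):                      # NumEntries
        is_range = reader.read(1)
        start = reader.read(16)
        end = reader.read(16) if is_range else start
        ids.extend(range(start, end + 1))
    return ids

def decode_core(tc_string):
    """Decode the core segment (everything before the first '.')."""
    core = tc_string.split(".")[0]
    raw = base64.urlsafe_b64decode(core + "=" * (-len(core) % 4))
    reader = BitReader(raw)
    out = {name: reader.read(width) for name, width in CORE_FIELDS}
    if out["version"] != 2:
        raise ValueError(f"unsupported TC String version {out['version']}")
    out["consent_language"] = int_to_letters(out["consent_language"])
    out["publisher_cc"] = int_to_letters(out["publisher_cc"])
    out["special_feature_opt_ins"] = bitfield_to_ids(out["special_feature_opt_ins"], 12)
    out["purposes_consent"] = bitfield_to_ids(out["purposes_consent"], 24)
    out["purposes_li_transparency"] = bitfield_to_ids(out["purposes_li_transparency"], 24)
    out["vendor_consent"] = read_vendor_section(reader)
    return out

# Constructed sample values (not a real CMP's output); timestamps are deciseconds.
SAMPLE_FIELDS = {
    "version": 2, "created": 17_100_000_000, "last_updated": 17_100_000_000,
    "cmp_id": 7, "cmp_version": 1, "consent_screen": 1,
    "consent_language": letters_to_int("EN"), "vendor_list_version": 200,
    "tcf_policy_version": 4, "is_service_specific": 1, "use_non_standard_texts": 0,
    "special_feature_opt_ins": ids_to_bitfield([1], 12),
    "purposes_consent": ids_to_bitfield([1, 3, 4], 24),
    "purposes_li_transparency": ids_to_bitfield([2, 7, 10], 24),
    "purpose_one_treatment": 0, "publisher_cc": letters_to_int("DE"),
}
SAMPLE_VENDOR_CONSENT = [2, 9, 10]

def sample_tc_string():
    """A constructed 40-character core segment covering vendor IDs 1..10."""
    return encode_core(SAMPLE_FIELDS, 10, SAMPLE_VENDOR_CONSENT)
```

Running `decode_core(sample_tc_string())` returns a dictionary whose only "who" fields are the CMP id and the publisher country; everything else is a timestamp or a consent flag. A real string from a CMP can be passed to `decode_core` unchanged, since only the first dot-separated segment is read.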

On 2 February 2022, the Belgian DPA held that the TC String amounts to personal data, that IAB Europe qualifies as a data controller under the GDPR and that IAB Europe is, as a result, in non-compliance with certain requirements of the GDPR (for details see our earlier blog post, Belgian DPA decision on IAB Transparency and Consent Framework, on Privacy Matters).

IAB Europe contested the Belgian DPA decision, and the Brussels Court of Appeal referred two questions to the CJEU for a preliminary ruling:

  1. Whether a character string capturing user preferences in connection to the processing of their personal data constitutes personal data.
  2. Whether an organisation which proposes to its members a framework relating to the consent to the processing of personal data containing rules setting out how such personal data is to be stored or disseminated must be classified as a controller within the meaning of the GDPR.

The ruling

First question

Drawing on its previous rulings, the CJEU stated that the concept of personal data under Article 4(1) of the GDPR includes information resulting from the processing of personal data relating to an identified or identifiable person. It noted that a string such as the TC String contains the individual preferences of a specific user in relation to the processing of their personal data.

The CJEU concluded that, if the combination of a TC String with additional data, such as the user’s IP address, allows the user to be identified, then the TC String contains information concerning an identifiable user and constitutes personal data within the meaning of Article 4(1) of the GDPR.

The fact that IAB Europe cannot itself combine the TC String with the user's IP address and does not have direct access to the data processed by its members does not change that conclusion.

The CJEU took the view that, subject to the verifications that are for the Brussels Court of Appeal to carry out, IAB Europe has, under the TCF, reasonable means of identifying an individual from a TC String, namely by requesting its members to provide it with all information allowing it to identify the users whose data are the subject of a TC String.

It follows from this that a TC String can constitute personal data within the meaning of Article 4(1) of the GDPR.

Second question

To address the second question, the CJEU built upon its previous judgments and stated that a natural or legal person exerting influence over the processing of personal data and, as a result, participating in the determination of the purposes and means of the processing may be regarded as a controller within the meaning of Article 4(7) of the GDPR.

The CJEU confirmed again that the concept of joint controllership does not necessarily imply equal responsibility and does not require each joint controller to have access to the personal data concerned.

The CJEU took the view that IAB Europe, as a sectoral organisation which makes a standard available to its members, appears to exert influence over the personal data processing operations when the consent preferences are recorded in a TC String, and jointly determines, with IAB members, the purposes and means of those operations.

It follows that IAB Europe can, in certain instances, be regarded as a controller within the meaning of Article 4(7) of the GDPR.

The court clarified this point further, adding that a distinction must be drawn between the processing of personal data carried out by the members of IAB Europe when the consent preferences of the users concerned are recorded in a TC String in accordance with the framework of rules established in the TCF, and the subsequent processing of personal data by operators and third parties on the basis of those preferences. Accordingly, the court was of the view that IAB Europe cannot automatically be regarded as controller in respect of subsequent processing operations carried out by third parties based on the preferences contained in the TC String, such as digital advertising or content personalisation, if IAB Europe does not exert influence over the determination of either the purposes or the means of that processing.

Conclusion / implications

While not necessarily seismic or revelatory, the CJEU decision does bring welcome clarity on some longstanding data protection and e-privacy issues in the ad-tech space, in particular on the question of identifiability of individuals, the breadth of what can amount to personal data and the reach of joint controllership.

IAB Europe has welcomed the decision, which it says "provides well-needed clarity over the concepts of personal data and (joint) controllership, which will allow a serene completion of the remaining legal proceedings".

The matter now returns to the Brussels Court of Appeal for a final determination. Until then, the Belgian DPA's decision remains suspended.

Despite all the prophecies of doom, we believe that the TCF will emerge stronger from this decision. This is because neither the questions submitted to the court nor the CJEU’s answers call the TCF into question. On the contrary, IAB Europe should be able to resolve the issue of joint controllership for the participants in the TCF at a technical level, especially since, according to the CJEU, joint controllership cannot automatically be assumed for subsequent processing operations on the basis of the preferences articulated via the TC String. Organisations should assess whether and how they are using the TCF and continue to keep developments in this judgment under review.

EU: Significant new CJEU decision on automated decision-making
https://privacymatters.dlapiper.com/2023/12/eu-significant-new-cjeu-decision-on-automated-decision-making/ (13 December 2023)

Authors: James Clark and Verena Grentzenberg

The Court of Justice of the European Union (CJEU) has delivered an important judgment on the scope and interpretation of the ‘automated decision-making’ framework under the GDPR.  It is a decision that could have significant implications for service providers who use algorithms to produce automated scores, profiles or other assessments that are relied upon by customers in a decision-making process.

Background

On 7 December 2023 the Court of Justice of the European Union handed down judgment in the Schufa case.

Schufa AG ("Schufa") is a (or the) leading German credit rating agency and holds information about almost 70 million individuals. Amongst other things, it provides credit scores for German residents. These scores are then relied upon by financial service providers to make lending decisions, such as offering mortgages or other loans. Other customers of Schufa include retailers (online and bricks-and-mortar), telecommunication service providers, utility and transportation companies.

The case referred to the CJEU revolved around a German resident whose application for a loan was turned down by a German bank.  The bank’s decision was made primarily in reliance on a poor credit score assigned to that individual by Schufa.

The individual challenged Schufa and in particular requested that Schufa disclose information about its automated decision-making processes under Article 15(1)(h) GDPR.

By way of reminder, Article 22 GDPR restricts the taking of a decision about a data subject based solely on automated processing, where that decision produces legal effects concerning him or her or similarly significantly affects him or her. Such a decision may only be taken under one of a limited number of grounds, and where it rests on contract or explicit consent the data subject has the right to obtain human intervention, to express his or her point of view and to contest the decision.

Article 15(1)(h) GDPR, meanwhile, is the component of the ‘right of access’ that allows a data subject to obtain, from the responsible controller, information about automated decision-making, including its ‘logic’ and its consequences.

Schufa rejected the assertion that it was responsible for automated decision-making, asserting that its role was to produce an automated score but that the relevant decision (whether to grant the loan) was taken by the third-party bank. 

Key Findings

The court rejected Schufa’s argument and held that the creation of the credit score was, itself, a relevant automated decision for the purposes of Article 22 GDPR.  This runs contrary to the previous received wisdom that only the ultimate decision-maker – in this case, the bank using the credit score to decide on the loan application – was engaging in automated decision-making.

The following factors were central to the court’s conclusion on this point:

  • The score produced by Schufa was considered to play a ‘determining role’ in the decision about whether to grant credit. 
  • The court adopted a broad interpretation of the term 'decision', finding that it could encompass 'a number of acts which may affect the data subject in many ways'. Consequently, it did not matter that the ultimate decision about whether to grant credit was not taken by Schufa: there was a sufficiently close nexus between Schufa's decision about what score to award and the subsequent credit decision.
  • Applying a purposive approach, the court also took into account the fact that Schufa was in a much better position than its customer to satisfy the Article 15 GDPR request and to provide meaningful information about the automated decision-making process, including its logic.

Implications

Businesses using algorithms or other automated processes to produce risk scores or similar outputs (for example, identity verification, fraud detection) are likely to be understandably concerned by the potential implications of this judgment.  In general, such companies have developed business models that assume the customer will bear the regulatory risk and responsibility associated with any decision taken using the company’s outputs. 

However, it is important that such companies read this judgment carefully and consider the ways in which their business models may be distinguished from those considered in Schufa.  For example:

  • To what extent does the company’s customer rely solely or predominantly on the provided output when making a decision?  If the output is one of only a number of factors taken into account by the customer, and in particular if the customer only attaches a moderate degree of weight / significance to this factor, then the circumstances may be sufficiently different. If not, it will be important that the company ensures that customers can rely on one of the exceptions to Article 22 GDPR, namely: explicit consent or necessity for a contract between the customer and the data subjects. Member State law can also provide for an authorisation, where such authorisation lays down “suitable measures” to safeguard the data subject’s rights and freedoms.
  • Is the ultimate decision one that has a legal or similarly significant effect? For example, a company may specialise in producing automated marketing profiles or segmentations that are then relied upon by a customer to determine the marketing content to be sent to a consumer. However, other than in limited special circumstances, it is unlikely that the decision about what marketing content to send to a consumer will constitute a 'significant' decision for Article 22 GDPR purposes. Likewise, in relation to Schufa, it is likely that many of Schufa's customers do not use the credit scores for decisions that have a significant effect on the data subject, for example where the customer is an online shop and only uses the score to decide whether to request payment before or after delivery of the goods or services.

In a quirk of timing, we note that the Schufa judgment was handed down in the same week that the trilogue process around the EU AI Act concluded.  The use of AI systems to make decisions about the offering of credit is one of a number of ‘high risk’ use cases found in the Act.  Going forward, it looks likely that Schufa will become an important touchstone for businesses developing AI-enabled solutions that are relied upon by customers of those businesses in important decision-making processes.  

EU: New EDPB guidelines on the scope of the 'cookie rule'
https://privacymatters.dlapiper.com/2023/11/eu-new-edpb-guidelines-on-the-scope-of-the-cookie-rule/ (22 November 2023)

The European Data Protection Board has published new guidelines (14 November 2023) on the scope of Article 5(3) of the e-Privacy Directive, i.e. the so-called 'cookie rule'.

These guidelines apply a maximalist interpretation to the cookie rule, meaning that a wide variety of technologies other than traditional cookies are, in the opinion of the EDPB, caught by the rule. Where a technology is caught then, depending on the purpose for which the technology is used, its use will be conditional upon obtaining consent.

The guidelines are open for public consultation until 28 December 2023.

Background

By way of reminder, Article 5(3) of the e-Privacy Directive creates a requirement to obtain prior consent where a company stores information, or gains access to information already stored, in the terminal equipment of a subscriber or user of an electronic communications network, and that storing of or access to information is not strictly necessary to deliver the service requested by the subscriber or user. As such, the Directive seeks to protect what it regards as the 'private sphere' of the user's terminal equipment from unwanted intrusion.

Historically it has been well-understood that traditional internet cookies trigger this rule. They function by creating a file on the user’s computer which stores information. Later, if the user returns to the website, the information in the file stored on the user’s computer is accessed (e.g., to verify someone’s language preference). 

However, the extent to which newer methods of tracking a user’s digital footprint – such as pixels, URL tracking and JavaScript code – also trigger this rule has, to date, been much less clear.

How does the EDPB interpret the ‘cookie rule’?

In a word: broadly. For each part of the relevant test under the cookie-rule – the nature of information; what constitutes terminal equipment; and what it means to gain access to or store such information – the EDPB applies a wide reading. For example:

  • It does not matter how long information is stored on terminal equipment – the ephemeral storage of any information (for example, in RAM or CPU cache) is sufficient.
  • The nature and volume of information stored or accessed is also irrelevant. Note that it is also irrelevant whether the information is personal data (albeit this much was already well-understood prior to the guidelines).
  • Perhaps most controversially, the EDPB also suggests that it may not matter who gives the instruction to transmit information to the accessing entity – the proactive sending of information by the terminal equipment might also be caught.

Which technologies are caught?

The upshot of this interpretation is that the EDPB considers, in most cases, that the use of the following technologies will trigger the cookie rule:

  • URL and pixel tracking: for example, tracking pixels used to ascertain whether an email has been opened, or tracking links used by websites to identify the origin of traffic to the website, such as for marketing attribution.
  • Local processing: for example, using an API on a website to remotely access locally generated information.
  • Tracking based on IP only: for example, the transmission of a static outbound IPv4 address originating from a user's router, used to track a user across multiple domains for online advertising purposes.
  • Internet of Things (IoT) reporting: for example, smart household devices transmitting information to a remote server controlled by the manufacturer, whether directly or via intermediary equipment (such as a mobile phone).

What are the practical implications?

If a technology is caught by the cookie rule, then the company deploying that technology must obtain prior, opt-in consent before accessing or storing the information, unless the company can demonstrate that the storage of, or access to, the information is strictly necessary for the purpose of delivering the digital service. 

It is probably fair to say that this does not consistently happen in practice as of today. The practicalities of obtaining consent may also be challenging, depending on the context in which the technology is used. From the user’s perspective, questions of ‘consent fatigue’, in a world in which users are already bombarded with cookie consent pop-ups, also arise.

Responses to the EDPB’s consultation on the draft guidelines will make for interesting reading. Even when finalised, the guidelines will represent the EU data protection authorities’ interpretation of the law and are not directly binding law in their own right. Certainly, many of these points would form the basis for an interesting legal challenge before the European courts. In the meantime, however, businesses operating in the EU are advised to start preparing for a world where the scope of the cookie rule, as applied by the regulator, is much broader than they may previously have realised.
