wp-plugin-hostgator domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home4/scienrds/scienceandnerds/wp-includes/functions.php on line 6114ol-scrapes domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home4/scienrds/scienceandnerds/wp-includes/functions.php on line 6114Source:https:\/\/techcrunch.com\/2023\/05\/04\/cjeu-gdpr-damages-access-rights\/<\/a><\/br> The European Union\u2019s top court has handed down a couple of notable rulings today in the arena of data protection.<\/p>\n One (Case C-300\/21<\/a>) deals with compensation for breaches of the bloc\u2019s General Data Protection Regulation (GDPR); and the second (Case C-487\/21<\/a>) clarifies the nature of information that individuals exercising GDPR rights to obtain a copy of data held on them should expect to receive.<\/p>\n Read on for a summary of the judgements and some potential implications.<\/p>\n The CJEU\u2019s GDPR compensation ruling<\/a> relates to a referral from an Austrian court where an individual sought to sue the national postal service for damages after it used an algorithm to predict the political views of citizens according to socio-demographic criteria <\/span>without their knowledge or consent \u2014 leaving the individual feeling exposed, upset and with a knock to their confidence, per the Court\u2019s press release.<\/p>\n As regards regional damages for privacy violations, there have been a number of attempts to bring class action style suits seeking compensation for data protection breaches in recent years. This CJEU ruling may make it easier to do so within the EU, although the court has puts one limit on such claims since the judges have ruled that just the fact of an infringement of the GDPR does not automatically give rise to a right of compensation \u2014 meaning there is an onus on litigants to demonstrate personal harm.<\/p>\n At the same time, the CJEU has ruled there is no requirement for the non-material damage suffered to reach a certain threshold of seriousness in order to confer a right to compensation.<\/span><\/p>\n So, in other words, the court has avoided setting a bar on how much\/what type of harm needs to be demonstrated to file a compensation claim. Which looks like a big deal.\u00a0<\/span><\/p>\n \u201c[T]he Court holds that the right to compensation is not limited to non-material damage that reaches a certain threshold of seriousness,\u201d it writes in a press release accompanying the judgement. \u201cThe GDPR does not contain any such requirement and such a restriction would be contrary to the broad conception of \u2018damage\u2019, adopted by the EU legislature. Indeed, the <\/span>graduation of such a threshold, on which the possibility or otherwise of obtaining that compensation woulda depend, would be liable to fluctuate according to the assessment of the courts seised.\u201d<\/span><\/p>\n Since the GDPR does not contain any rules for assessing damages, the judges say it is up to courts in EU Member States to define criteria for determining the extent of any compensation payable \u2014 while noting that such rules must comply with GDPR principles of equivalence and effectiveness, so as to ensure individuals can obtain full and effective compensation for damages suffered.<\/p>\n This sets up for a patchwork of outcomes on damages for privacy breaches, depending on where in the EU a user is able to sue, based on how national courts interpret the mandate.<\/p>\n Commenting on the outcome in a statement, Peter Church, a counsel in the technology practice at law firm Linklaters, suggested: \u201c[I]t is possible that even minor anxiety or upset might justify a compensation claim. This in turn could open the way for not only frivolous or vexatious claims but also large class actions in the event of, for example, a data breach (which is currently the subject of separate pending decision in Case C-340\/21<\/a>).\u201d<\/p>\n He also predicted a divergence between the EU and the UK (which is no longer in the bloc) on this issue, given how \u2014 back in 2021<\/a> \u2014 the UK\u2019s Supreme Court ended up denying a long running litigation against Google which had sought to skip the tricky step of demonstrating individual harms in favor of pressing for collective damages over privacy breaches related to ad tracking users of Apple\u2019s Safari browser.<\/p>\n In that case the UK judges concluded proof of harm was necessary; and, per Church, that it \u201cmust reach a threshold of seriousness to be eligible for compensation\u201d. Hence his prediction that the EU and the UK will \u201cpart ways on this issue\u201d since the CJEU has decided there is no seriousness bar on the harm experienced.<\/p>\n So if you live in the EU and having your privacy violated by a data-mining giant like Meta<\/a> has made you feel a bit annoyed, slightly upset, somewhat uneasy or a little alarmed any of those sensations would, presumably, be enough to sue for damages. (And this summer Member States are due to implement the Collective Redress Directive in national laws \u2014 a piece of pan-EU legislation which aims to make it easier for consumers to achieve collective redress through class action style litigation.)<\/p>\n Privacy rights group noyb<\/a>, which has been behind scores of data breach complaints against giants like Meta and Google, reads the CJEU ruling as confirmation that claims for \u201cemotional damages\u201d are affirmed. In a statement, its founder and honorary chairman Max Schrems, wrote: \u201c<\/em>We welcome the clarifications by the CJEU. A whole industry tried to reinterpret the GDPR, in order to avoid having to pay damages to users whose rights they violated. This seems to be rejected. We are very happy about the result.\u201d<\/p>\n In a separate ruling<\/a> today, the CJEU has issued clarification around the scope and content of an individual\u2019s right of access under the GDPR to obtain an copy of their data \u2014 deciding the regulation\u2019s wording intends they obtain \u201ca faithful and intelligible reproduction\u201d of their data, in order they can conduct their own checks to ensure, for example, that <\/span>their info is correct and being processed in a lawful manner.<\/p>\n The referral here relates to a legal challenge brought by an individual after a business consulting agency which provides data on the creditworthiness of third parties for its clients had processed his personal data. The person had asked for a copy of the documents about him \u201cin a standard technical format\u201d but had instead been provided with a list summarising the data, not a complete copy.\u00a0\u00a0<\/span><\/p>\n \u201cThat right [Article 15(3) of the GDPR] entails the right to obtain copies of extracts from documents or even entire documents or extracts from databases which contain, inter alia, those data, if the provision of such a copy is essential in order to enable the data subject to exercise effectively the rights conferred on him or her by the GDPR, bearing in mind that account must be taken, in that regard, of the rights and freedoms of others,\u201d the Court said in a press release.<\/span><\/p>\n It goes on to note that the data controller must take appropriate measures to provide the data subject with all their data \u201cin a concise, transparent, intelligible and easily accessible form, using plain and clear language\u201d; providing the information in writing or other means, including, where appropriate, electronically.<\/p>\n \u201cIt follows that the copy of the personal data undergoing processing, which the controller must provide, must have all the characteristics necessary for the data subject to exercise his or her rights under that regulation effectively and must, consequently, reproduce those data fully and faithfully,\u201d the Court adds.<\/p>\n This ruling looks important for ongoing efforts to use the GDPR to shine a light on the often dysfunctional algorithmic management of platform workers \u2014 such as legal challenges in recent years against Uber and Ola in the UK and the Netherlands brought by unions and the data trust, Worker Info Exchange, on behalf of a number of drivers, including over claims of robo-firing<\/a>.\u00a0<\/span><\/p>\n
\nEurope\u2019s top court clarifies GDPR compensation and data access rights<\/br>
\n2023-05-04 21:57:59<\/br><\/p>\nNo automatic right to damages \u2014 but no threshold for harm either<\/h3>\n
Faithful copy of data<\/h3>\n