On 17 September, the new Labour government made The Retained EU Law (Revocation and Reform) Act 2023 (Commencement No. 2 and Saving Provisions) (Revocation) Regulations 2024 SI 2024/976, the effect of which was to revoke the earlier commencement regulations (SI 2024/714) and to prevent section 6 The Retained EU Law (Revocation and Reform) Act 2023, which would have amended the European Union (Withdrawal) Act 2018, from coming into force on 01 October 2024. Once brought into force, section 6 REULA would have had the effect of removing the status of binding precedent from decisions of the CJEU made on or before 11pm on 31 December 2020 on domestic courts when interpreting retained EU law/assimilated law, save in specified circumstances. Consequently, there is now greater certainty as to the interpretation of law and precedent but the opportunity to seek to revisit and re-argue binding judgments informed by decisions of the CJEU is restricted.

Decisions of the CJEU post-dating 31 December 2020 have not bound the courts in accordance with s.6(1) European Union (Withdrawal) Act 2018 since the end of the Brexit transition period, albeit that courts (and tribunals) may have regard to such decisions.

As practitioners advising on the UK GDPR won’t be escaping the clutches of the CJEU any time soon, in this post we summarise several decisions of the CJEU issued on 04 October 2024 and which may have persuasive effect when interpreting the GDPR (which may still be relevant to disputes arising from processing activities prior to Brexit) and the UK GDPR:

• C-200/23 Agentsia po vpisvaniyata v OL, 04 October 2024: the Court held that operators of public registers are controllers in respect of the data included in the register, that data contained on the public register should be minimised and disclosed only where required by law, noted that an opinion from the supervisory authority as to lawfulness of processing activities is not determinative and, found that a temporary loss of control of personal data through online publication was capable of providing a basis for non-material damage (and an entitlement to compensation) where there was evidence to that effect.

• C-21/23 ND v DR, 04 October 2024: the CJEU held that (i) ancillary customer data entered when purchasing pharmacy-only but not prescription-only medication online falls within the scope of health data under Article 9(1) GDPR and, (ii) the GDPR did not prevent member states from implementing national laws and regulations which would give standing to competitors to pursue complaints/claims regarding alleged non-compliance with the GDPR as an unfair commercial practice. We have previously highlighted the anti-competitive effects of the failure to enforce the UK GDPR.

• C-621/22 Koninklijke Nederlandse Lawn Tennisbond v Autoriteit Persoonsgegevens, 04 October 2024: the Court reiterated that establishing legitimate interests under Article 6(1)(f) GDPR requires a lawful purpose (but need not be enshrined in law), necessary in the sense that the relevant interests could not reasonably be achieved as effectively by other means having a lesser impact on data subjects’ rights (including having regard to the principle of data minimisation), and a balancing exercise between the competing rights and interests must be carried out. The CJEU held that “a commercial interest of the controller which consists in the promotion and sale of advertising space for marketing purposes” could constitute a legitimate interest but, when considering compliance with the requirement of necessity, held that it would be possible for a controller to inform data subjects in advance and to ask whether they wanted their personal data shared with third parties for the purposes of advertising and marketing, thus enabling affected individuals to retain control over the disclosure of their personal data, which it considered would involve the least intrusion and still enable the controller to pursue its legitimate interests “in an equally effective manner”. In conducting the balance of interests, the Court noted that of “particular importance” were the reasonable expectations of individuals when their personal data was collected, and that the nature and activities of the intended recipient would also need to be taken into account.

• C-446/21 Maximillian Schrems v Meta Platforms Ireland Ltd (formerly Facebook Ireland Ltd), 04 October 2024: the CJEU found that Meta gathered personal data on “users’ activities both on and outside that social network, including in particular data relating to online platform visits and third-party websites and apps, and also follows users’ navigation patterns on those sites through the use of social plug-ins and pixels embedded in the relevant websites” and that this processing was “particularly extensive since it relates to potentially unlimited data and has a significant impact on the user, a large part – if not almost all – of whose online activities are monitored”. The Court held that: the processing was “characterised by a serious interference with the fundamental rights of the data subjects” which, in its view (albeit this was a matter for the national court), did not “appear to be reasonably justified in the light of the objective consisting in enabling the dissemination of targeted advertising”; “the storage of the personal data of the users of a social network platform for an unlimited period for the purpose of targeted advertising must be considered to be a disproportionate interference in the rights guaranteed to those users by the GDPR”; and, “the indiscriminate use of all of the personal data held by a social network platform for advertising purposes, irrespective of the level of sensitivity of the data, does not appear to be a proportionate interference with the rights guaranteed by the GDPR to users of that platform”. Consequently, the court determined that “Article 5(1)(c) of the GDPR must be interpreted as meaning that the principle of data minimisation provided for therein precludes all of the personal data obtained by a controller, such as the operator of an online social network platform, from the data subject or third parties and collected either on or outside that platform, from being aggregated, analysed and processed for the purposes of targeted advertising without restriction as to time and without distinction as to type of data”. Furthermore, the Court held that in connection with the processing of special category personal data, and in particular personal data pertaining to sexual orientation, the disclosure by an individual of their sexual orientation during a panel discussion which took place in public, was live streamed and subsequently further made available as a pre-recorded event for viewing and download, was capable of being considered to have been manifestly made public by the data subject within the meaning of Article 9(2)(e) GDPR, thus providing a lawful basis for processing that data, but that the condition must be interpreted and applied strictly and therefore this would not provide carte-blanche to process any and all personal data pertaining to that individual’s sexual orientation and nor could such disclosure be interpreted as the provision of consent to processing in accordance with Article 9(2)(a) GDPR. Accordingly, the CJEU concluded that “Article 9(2)(e) of the GDPR must be interpreted as meaning that the fact that a person has made a statement about his or her sexual orientation on the occasion of a panel discussion open to the public does not authorise the operator of an online social network platform to process other data relating to that person’s sexual orientation, obtained, as the case may be, outside that platform using partner third-party websites and apps, with a view to aggregating and analysing those data, in order to offer that person personalised advertising”.

• C‑507/23 A v Patērētāju tiesību aizsardzības centrs, 04 October 2024: an apology may constitute sufficient compensation under Article 82(1) GDPR for non-material damage where it is sufficient on a standalone basis to compensate the affected data subject in full, but data subjects are entitled to be compensated in full for the damage suffered as a consequence of unlawful processing which establishes a right to compensation and this cannot be reduced by reference to the attitude of motivation of the relevant controller/processor.

If your organisation requires support in understanding how the GDPR and/or UK GDPR applies, or how these CJEU decisions could impact its processing activities, please contact us.

Find out more about our data protection and data privacy services.