EU General Data Protection Regulation

I. European Union (EU) - General Data Protection Regulation (GDPR)

The EU General Data Protection Regulation (GDPR), adopted in 2016, came into force on 25 May 2018, replacing Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the EU Directive). The GDPR introduces new provisions and enhanced rights for individuals. In the wake of technological developments, globalisation and the constitutionalisation of the fundamental right to data protection in the EU, the GDPR aims to harmonise the data protection framework for the digital single market, put individuals in control of their data and establish a modern data protection governance regime.

Why is the GDPR relevant to Hong Kong organisations/ businesses?

In Hong Kong, the Personal Data (Privacy) Ordinance, Cap 486 of the Laws of Hong Kong (PDPO) protects the privacy of individuals in relation to personal data. When the PDPO was drafted, reference was made to the relevant requirements under the OECD Privacy Guidelines 1980 and the EU Directive. Given that the GDPR significantly develops data protection law beyond the EU Directive, the new regulatory framework includes a number of requirements that have no counterpart under the PDPO.

One of the key developments the GDPR introduces to the data protection landscape outside the EU is the explicit requirement of compliance by organisations established in non-EU jurisdictions in specified circumstances (the extra-territorial scope set out in Article 3). Given the diversity of business and transaction models (e.g. online transactions with EU customers), it is all the more important for businesses in Hong Kong to ascertain whether the GDPR applies to them and to keep up with new developments.


Contents of this page:
II. New Standard Contractual Clauses adopted by the European Commission under the GDPR for International Data Transfers
III. Publications and Articles on the GDPR
IV. Guidance and reference materials issued by the European Union
V. Highlights of Important Decisions and Major Developments under the GDPR

II. New Standard Contractual Clauses adopted by the European Commission under the GDPR for International Data Transfers

The European Commission adopted a new set of Standard Contractual Clauses (which came into effect on 27 June 2021) for the transfer of personal data to non-EU regions (the “New SCCs”). From 27 September 2021 onwards, data exporters and data importers may only conclude new contracts that incorporate the New SCCs for the transfer of personal data out of the European Union. The PCPD publishes, for public reference, a set of frequently asked questions and answers on the implementation framework of the New SCCs and the obligations of parties entering into cross-border data transfer agreements using the New SCCs.

For more information, please refer to the set of frequently asked questions and answers:
https://www.pcpd.org.hk/english/data_privacy_law/eu/files/eu_faq.pdf

Please click here to read the "Introduction to the European Commission’s New Standard Contractual Clauses for International Data Transfers".

Please click here to download the presentation files and watch the video of the Webinar on “the New Standard Contractual Clauses of the EU for Transfer of Personal Data from EU to Non-EU Regions” organised by the PCPD.



III. Publications and Articles on the GDPR

To raise the awareness amongst organisations / businesses in Hong Kong of the possible impact of the new regulatory framework for data protection in the GDPR, the PCPD has issued the following publication:

Booklet: An Update on European Union General Data Protection Regulation 2016 (May 2020 Revised Edition)


IV. Guidance and reference materials issued by the European Union

More Guidelines and Recommendations can be found here: https://edpb.europa.eu/our-work-tools/general-guidance/guidelines-recommendations-best-practices_en?page=0

European Data Protection Board

Each entry below gives the subject matter followed by the relevant EDPB recommendations or guidelines (where a title was listed):

Administrative fines: Guidelines 04/2022 on the calculation of administrative fines under the GDPR
Consent: Guidelines 05/2020 on consent
Controller and processor: Guidelines 07/2020 on the concepts of controller and processor in the GDPR
Data breach notification
Data portability: Guidelines on right to data portability
Data protection by design and by default: Guidelines 4/2019 on Article 25 data protection by design and by default
Data protection impact assessments: Guidelines on data protection impact assessments
Data subject rights: Guidelines 01/2022 on data subject rights - Right of access
Derogations: Guidelines 2/2018 on derogations of Article 49 under the GDPR
Information and communications technology
One-Stop-Shop mechanism
International transfer and tools
Restrictions: Guidelines 10/2020 on restrictions (on the scope of rights of data subjects and obligations of controllers/processors) under Article 23 of the GDPR
Social media
Territorial scope: Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)
Transparency: Guidelines on Transparency under Regulation 2016/679


European Commission

Each entry below gives the subject matter followed by the reference material:

Data protection regime: Overview of the data protection regime in the EU
GDPR requirements: Introduction to the requirements of the GDPR


V. Highlights of Important Decisions and Major Developments under the GDPR

A. Highlight of Important Decisions under the GDPR

(I) Decisions involving imposition of fines

Each entry below gives the date of decision, followed by the data protection authority, the penalty imposed and the violations found.

1 September 2023: The Data Protection Commission of Ireland (DPC) issued a reprimand and imposed on TikTok Technology Limited (TikTok) a fine of €345 million for breaches of the GDPR between 31 July 2020 and 31 December 2020. The DPC found that (i) the profile settings for child user accounts were set to public by default, which allowed anyone (on or off TikTok) to view the content posted by child users (in contravention of Articles 25(1), 25(2), 5(1)(c) and 24(1)); (ii) TikTok failed to implement appropriate technical and organisational measures to mitigate the risks posed to children under the age of 13 who gained access to the platform (in contravention of Article 24(1)); (iii) the “Family Pairing” setting allowed a non-child user (who could not be verified as the parent or guardian) to pair their account with that of the child user and to enable direct messages for child users above the age of 16, which posed severe risks to child users (in contravention of Articles 5(1)(f) and 25(1)); (iv) TikTok failed to provide sufficient transparency information (i.e. the categories of recipients of personal data, and the scope and consequences of the public-by-default processing) to child users (in contravention of Articles 12(1) and 13(1)(e)); and, following the EDPB’s binding decision in August 2023, (v) TikTok implemented “dark patterns” by nudging users towards more privacy-intrusive options during the registration process and when posting videos (in contravention of Article 5(1)(a)). In addition to the reprimand and the fine of €345 million, the DPC issued an order requiring TikTok to bring its processing into compliance within three months. For more details, please refer to the decision of the DPC and the press release issued by the DPC dated 15 September 2023.

15 June 2023: The French Data Protection Authority (CNIL) fined Criteo, a company specialising in “behavioural retargeting” (the collection of internet users’ browsing data via its tracker (cookie) in order to display personalised advertising to them), 40 million Euro for breaches of the GDPR, namely (i) failing to verify and demonstrate that the relevant internet users had given their consent to the data processing (in contravention of Article 7.1); (ii) failing to provide a clear privacy policy informing users what personal data was being used and how (in contravention of Articles 12 and 13); (iii) failing to respect users’ right of access by providing them with only partial access to their personal data (in contravention of Article 15.1); (iv) failing to comply with users’ rights to withdraw consent and to erasure of their data (in contravention of Articles 7.3 and 17.1); and (v) failing to specify some of the respective obligations of the controllers, as required under the GDPR, in the agreements between Criteo and its partners as joint controllers (in contravention of Article 26). For details, please refer to the press release issued by the CNIL dated 22 June 2023.

12 May 2023: The Data Protection Commission of Ireland (DPC) imposed on Meta Platforms Ireland Limited (Meta) a fine of 1.2 billion Euro and corrective measures for infringement of Article 46(1) of the GDPR in its transfer of personal data from the EU to the US in relation to its Facebook service. The DPC found that although Meta had relied on the Standard Contractual Clauses adopted by the European Commission in 2021 for such transfers and had implemented supplementary measures to address the concerns regarding US surveillance laws raised by the Court of Justice of the European Union (CJEU) in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18), the data transfer arrangements, in the circumstances, did not provide appropriate safeguards for the personal data. Meta had therefore contravened Article 46(1) of the GDPR.

Meta was (i) ordered to suspend any future transfer of personal data to the US within 5 months; (ii) fined 1.2 billion Euro; and (iii) ordered to bring its processing operations into compliance with Chapter V of the GDPR within 6 months. For more details, please refer to the decision of the DPC dated 12 May 2023 and the press release issued by the DPC dated 22 May 2023.

4 April 2023: The Information Commissioner’s Office of the UK (ICO) issued a £12,700,000 fine to TikTok Information Technologies UK Limited and TikTok Inc (TikTok) for breaches of the UK GDPR between May 2018 and July 2020, namely (i) providing its services to UK children under the age of 13 and processing their personal data without the consent or authorisation of their parents or carers (in contravention of Articles 6(1) and 8); (ii) failing to provide proper information to its users about how their data is collected, used and shared in a way that is easy to understand, which made users, in particular children, unlikely to be able to make informed choices about whether and how to engage with it (in contravention of Article 12); and (iii) failing to ensure that the personal data of its UK users was processed lawfully, fairly and in a transparent manner (in contravention of Article 5(1)(a)). For more details, please refer to the news article issued by the ICO dated 4 April 2023.

12 January 2023: The Data Protection Commission of Ireland (DPC) imposed on WhatsApp Ireland Limited (WhatsApp) a fine of 5.5 million Euro for breaches of the GDPR relating to its service. The DPC found that WhatsApp was not entitled to rely on the “contract” legal basis as a lawful basis for its processing of personal data for the purposes of service improvement and security, and had contravened Article 6 of the GDPR. WhatsApp was also in breach of the fairness principle and its transparency obligations by not clearly outlining its legal basis for personal data processing to users. WhatsApp was directed to bring its data processing operations into compliance within 6 months. The decision was issued after the adoption of a binding decision by the European Data Protection Board under Article 65 of the GDPR (a dispute resolution process triggered by the opposing views of the supervisory authorities concerned). For more details, please refer to the decision of the DPC dated 12 January 2023 and the press release issued by the DPC dated 19 January 2023.

4 January 2023: The Data Protection Commission of Ireland (DPC) imposed on Meta Platforms Ireland Limited (Meta) fines of 210 million Euro and 180 million Euro for breaches of the GDPR relating to its Facebook and Instagram services respectively. The DPC found that Meta was not entitled to rely on the “contract” legal basis in connection with the delivery of personalised services (including behavioural advertising) as part of its Facebook and Instagram services, and had contravened Article 6 of the GDPR. Meta was also in breach of the fairness principle and its transparency obligations by not clearly outlining its legal basis for personal data processing to users. Meta was directed to bring its data processing operations into compliance within 3 months. The decision was issued after the adoption of a binding decision by the European Data Protection Board under Article 65 of the GDPR (a dispute resolution process triggered by the opposing views of the supervisory authorities concerned). For more details, please refer to the decisions (Facebook; Instagram) of the DPC and the press release issued by the DPC dated 4 January 2023.

25 November 2022: The Data Protection Commission of Ireland (DPC) imposed on Meta Platforms Ireland Limited (Meta) a fine of 265 million Euro and a range of corrective measures for infringement of its obligation of data protection by design and by default under the GDPR, following the conclusion of an inquiry into Meta in relation to the discovery of a collated set of personal data that had been scraped from Facebook and made available on the Internet. For details of the decision, please refer to the press release issued by the DPC dated 28 November 2022.

10 November 2022: The French Data Protection Authority (CNIL) fined Discord Inc. (Discord), a company which provides voice over IP and instant messaging services, 800,000 Euro for failing to have a written data retention policy in place and failing to provide sufficient information to its users regarding its data retention periods, with no specific retention periods or criteria for determining them. The investigation also found that Discord had failed to inform users that connections to voice channels, and the transmission of their voice to third parties, continued to run in the background after the application window was closed, had failed to carry out a data protection impact assessment, and had failed to put in place a sufficiently strong password management policy. For details of the decision, please refer to the press release issued by the CNIL dated 17 November 2022.

2 November 2022: The Portuguese Data Protection Authority (CNPD) imposed a 4.3 million Euro fine on the National Institute of Statistics for various violations of the GDPR in conducting the 2021 census. Following an investigation, the CNPD found that the questions in the census concerning religion and health data, which were legally required to be optional, were not duly flagged as optional, thus preventing respondents from freely deciding whether to answer questions collecting special categories of data. Further, the CNPD held that the National Institute of Statistics did not provide any information concerning the processing operations, violated its duties of due diligence in choosing processors, infringed the provisions relating to international transfers of data and failed to carry out a Data Protection Impact Assessment relating to the processing. For details of the decision, please refer to the summary of the decision issued by the European Data Protection Board.

17 October 2022: The French Data Protection Authority (CNIL) fined Clearview AI Inc. 20 million Euro for unlawfully processing personal data by collecting and using biometric data without a legal basis, and for failing to take into account the rights of data subjects in an effective and satisfactory way, in particular requests for access to their data. During the investigation, Clearview AI Inc. had also failed to cooperate with the CNIL. For details of the decision, please refer to the press release issued by the CNIL dated 20 October 2022.

6 October 2022: The Italian Data Protection Authority (GPDP) imposed a fine of 2 million Euro and issued various compliance orders to Alpha Exploration Co. Inc, the parent company of the social platform Clubhouse, for violations of the GDPR, including the lack of valid legal bases for data processing activities carried out for the purposes of marketing, recording, sharing audio with third parties, profiling of users and sharing of account information, failure to provide information to users on the processing, and failure to provide adequate information as to the personal data retention periods. For details of the decision, please refer to the press release issued by the GPDP dated 5 December 2022.

4 October 2022: The Information Commissioner’s Office of the UK (ICO) fined Easylife Ltd £1,350,000 for using the personal information of 145,400 customers to predict their medical conditions and target them with health-related products without their consent, and an additional £130,000 for making 1,345,732 unwanted marketing calls. For details of the decision, please refer to the press release issued by the ICO dated 6 October 2022.

2 September 2022: The Data Protection Commission of Ireland (DPC) imposed on Instagram (Meta Platforms Ireland Limited (Meta IE)) a fine of 405 million Euro and a range of corrective measures, following an inquiry into the processing of personal data relating to child users (aged between 13 and 17) of the Instagram social networking service, which examined the public disclosure of email addresses and/or phone numbers of children using the Instagram business account feature and a public-by-default setting for personal Instagram accounts of children.

The decision was issued after the adoption of a binding decision by the European Data Protection Board under Article 65 of the GDPR (a dispute resolution process triggered by the opposing views of the supervisory authorities concerned). For details of the decision, please refer to the decision of the DPC and its press release dated 15 September 2022.

13 July 2022: The Hellenic Data Protection Authority of Greece fined Clearview AI Inc., a company which markets facial recognition services, 20 million Euro for violating the principles of lawfulness and transparency, imposed a prohibition on the collection and processing of personal data of data subjects located in Greek territory using the methods included in its facial recognition service, and ordered it to delete the personal data of those data subjects located in Greece which it had collected and processed using those methods. For details of the decision, please refer to the summary of the decision issued by the European Data Protection Board.

18 May 2022: The Information Commissioner’s Office of the UK (ICO) fined Clearview AI Inc. £7,552,800 for using images of people in the UK and elsewhere, collected from the web and social media, to create a global online database that could be used for facial recognition. Clearview AI Inc. was also ordered to stop obtaining and using the publicly available personal data of UK residents from the Internet and to delete the data of UK residents from its systems. For details of the decision, please refer to the press release issued by the ICO dated 23 May 2022.

15 March 2022: The Data Protection Commission of Ireland (DPC) fined Meta Platforms (formerly Facebook) 17 million Euro for infringements of Article 5(2) of the GDPR (the accountability principle). For details of the decision, please refer to the summary of the decision issued by the European Data Protection Board.

10 February 2022: The Italian Data Protection Authority (GPDP) fined Clearview AI Inc. 20 million Euro for processing personal data unlawfully without an appropriate legal basis, and for infringements in relation to transparency, purpose limitation and storage limitation, among others. For details of the decision, please refer to the summary of the decision issued by the European Data Protection Board.

14 January 2022: The Dutch Data Protection Authority fined DPG Media Magazines 525,000 Euro for unnecessarily requesting copies of identity documents. For details of the decision, please refer to the summary of the decision issued by the European Data Protection Board.

22 December 2021: The Austrian Data Protection Authority (DSB) ruled that the use of the Google Analytics tool by an Austrian website operator on its website violated Article 44 of the GDPR by transferring personal data to Google LLC in the United States. In particular, the DSB held that the standard contractual clauses which the website operator had concluded with Google LLC did not offer an adequate level of protection for the personal data concerned. For details of the decision, please refer to the summary issued by the DSB entitled “Information from the data protection authority on the decision on the use of Google Analytics”.

20 August 2021: The Data Protection Commission of Ireland (DPC) issued its final decision imposing a fine of 225 million Euro on WhatsApp Ireland Ltd., along with a reprimand and an order for WhatsApp Ireland Ltd. to bring its processing into compliance by taking a range of specified remedial actions, in respect of infringements of, inter alia, the principle of transparency in providing information to users across Europe about its service. The final decision was issued after the adoption of a binding decision by the European Data Protection Board under Article 65 of the GDPR (a dispute resolution process triggered by the opposing views of the supervisory authorities concerned). For details of the decision, please refer to the decision of the DPC and its press release dated 2 September 2021.

Remarks: The decision of the DPC against WhatsApp Ireland Ltd. is being appealed.

21 June 2021: The Swedish Authority for Privacy Protection (IMY) fined SL, which operates public transport in Stockholm, SEK 16 million for the unlawful use of body cameras on public transport. For details of the decision, please refer to the summary of the decision issued by the European Data Protection Board.

29 April 2021: The Dutch Data Protection Authority fined a municipality 600,000 Euro for using Wi-Fi tracking, which made it possible to track shoppers and people who live or work in the city centre. For details of the decision, please refer to the summary of the decision issued by the European Data Protection Board.


(II) Interpretation of the GDPR

Each entry below gives the date of decision followed by the ruling.
4 July 2023 Court of Justice of the European Union rules that national competition authorities can determine GDPR violations in competition cases

On 4 July 2023, the Court of Justice of the European Union (CJEU) ruled that, in an abuse of dominance investigation, it may be necessary for the competition authority of the EU member state concerned to examine whether a company’s conduct complies with rules other than competition law, including the GDPR.

However, the CJEU also noted that the competition authority does not replace the data protection authority of the EU member state concerned. When considering whether the GDPR has been complied with, the competition authority is required to consult and cooperate sincerely with the data protection authority, consider whether it has made decisions in similar cases, and must not depart from those decisions.

In the present case, concerning the German Federal Cartel Office’s 2019 prohibition against Meta’s Facebook service combining user data from different sources for personalised advertising without the user’s consent, the CJEU commented generally on the data processing practices of Meta. It noted that the performance of a contract can only be relied on as a legal basis for processing under the GDPR if the data processing is objectively indispensable to the main subject matter of that contract. The CJEU doubted, in this regard, whether Meta’s personalised advertising fulfils that criterion and referred the matter back to the German court to decide.

For further details of the judgment, please refer to (1) the CJEU’s Judgment and (2) the Press Statement issued by the CJEU dated 4 July 2023.
22 June 2023 Court of Justice of the European Union rules that data subjects have the right to access the date of and the reasons for the consultations on their personal data

On 22 June 2023, the Court of Justice of the European Union (CJEU) made a ruling, inter alia, on the interpretation of Article 15(1) of the GDPR (the right of access by the data subject). The case concerned a data subject, an ex-employee and customer of Pankki S (the “Bank”), who requested the Bank to inform him of the identity of the persons who had consulted his customer data, the exact dates of the consultations and the purposes for which those data had been processed (the “Requested Information”).

Having failed to obtain the Requested Information from the Bank, and then to obtain an order to the same effect from the Data Protection Supervisor’s Office, Finland, the data subject brought an action before the Administrative Court of Eastern Finland, which referred the case to the CJEU for clarification of the interpretation of Article 15(1) of the GDPR, namely: (i) whether the GDPR applies to the access request, given that the relevant processing activities occurred before the GDPR came into force (i.e. before 25 May 2018); (ii) whether the data subject is entitled to the Requested Information under Article 15(1) of the GDPR; and (iii) whether the facts that the controller is a bank and the data subject is a customer and employee of the bank are relevant to defining the scope of the right of access.

The CJEU decided that Article 15 of the GDPR applies to a request for access made after the GDPR came into force even though the processing concerned was carried out before that date, and that information relating to the dates and purposes of the operations consulting the personal data constitutes information that the data subject has the right to obtain from the controller. However, the GDPR does not establish such a right in respect of information relating to the identity of the employees who carried out those operations under the controller’s instructions, unless (i) that information is essential to enable the data subject effectively to exercise the rights conferred on them by the GDPR, and (ii) the rights and freedoms of those employees are duly considered. Lastly, the CJEU ruled that the fact that the controller is engaged in the business of banking and acts within the framework of a regulated activity, and that the data subject is a customer and employee of the controller, has, in principle, no bearing on the scope of the right conferred on that data subject by Article 15 of the GDPR. For further details of the judgment, please refer to (1) the CJEU’s Judgment and (2) the Press Statement issued by the CJEU dated 22 June 2023.
4 May 2023 Court of Justice of the European Union rules that mere infringement of the GDPR does not give rise to a right to compensation

On 4 May 2023, the Court of Justice of the European Union (CJEU) made a ruling in relation to the compensation available under the GDPR for non-material damage. The case concerned a data subject  who filed a complaint against the Austrian Post for collecting personal data relating to the political affinities of Austrian residents in 2017. The data was subsequently sold to various organisations, which enabled them to send targeted advertisements in relation to political elections. The data subject sought €1,000 in non-material damages under Article 82 of GDPR.

The case was referred to the CJEU to clarify, among others, (1) whether a data subject would be entitled to compensation under Article 82 from mere infringement of the GDPR, if he/she had not suffered harm as a result of the GDPR infringement; and (2) whether a claim for compensation for non-material damage has to meet a seriousness threshold that requires more than mere upset feelings caused by the GDPR infringement.

The CJEU ruled that the right to compensation under Article 82 is subject to three conditions: (1) personal data is processed in a manner that infringes the GDPR; (2) the data subject suffered material or non-material damage; and (3) there is a causal link between the infringement and the damage suffered. Therefore, not every infringement of the GDPR gives rise, by itself, to a right to compensation.

The Court also held that the right to compensation is not limited to non-material damage that reaches a certain threshold of seriousness. The GDPR does not contain any such requirement, and such a restriction would be contrary to the broad conception of ‘damage’ adopted by the EU legislature.

Lastly, the Court noted that the GDPR does not contain any rules governing the assessment of damages. It is therefore for the legal system of each Member State to prescribe the detailed rules for actions intended to safeguard the rights which individuals derive from the GDPR and, in particular, the criteria for determining the extent of compensation payable in that context, provided that the principles of equivalence and effectiveness are complied with.

The CJEU stated that this ruling ensures the GDPR provides “full and effective compensation for the damage suffered”. For further details of the judgment, please refer to  (1) CJEU’s Judgment and (2) Press Statement issued by the CJEU dated 4 May 2023.
2 March 2023 Court of Justice of the European Union clarifies rules on the production of evidence containing personal data in civil proceedings

On 2 March 2023, the Court of Justice of the European Union (CJEU) made a ruling on the applicability of the GDPR in the context of discovery in civil proceedings. An issue arose in a payment dispute between a construction company and its customer as to whether personal data that was originally collected for tax purposes can be produced in civil proceedings. The issue was referred to the CJEU for a preliminary ruling by the Swedish Supreme Court.

The CJEU decided that any processing of personal data, including processing carried out by public authorities such as courts, must be based on a legal ground under Article 6 of the GDPR. The CJEU examined Article 6(1)(e) (processing in the public interest) and Article 6(3) (under which EU member states may adopt more specific provisions on personal data processing in the public interest, provided that such provisions meet an objective of public interest and are proportionate to the aim pursued) of the GDPR, and considered that the requirements of Article 6(3) of the GDPR were fulfilled by the obligation under Swedish law to submit evidence to the courts where it may be deemed to have probative value.

The CJEU also decided that disclosure of the documents was a further processing for the purposes of Article 6(4) of the GDPR which will be permitted where the processing is based on national law and constitutes a necessary and proportionate measure in a democratic society to safeguard one of the objectives referred to in Article 23(1) of the GDPR. In its decision, the CJEU indicates that, those objectives include Articles 23(1)(f) (the protection of judicial independence and judicial proceedings) and 23(1)(j) (the enforcement of civil claims) of the GDPR. However, the CJEU emphasised that it is up to the referring court to examine whether the requirements of Article 6(4) of the GDPR in conjunction with Article 23(1) of the GDPR are met. For further details of the judgment, please refer to CJEU’s Judgment dated 2 March 2023.
9 February 2023 Court of Justice of European Union rules on data protection officer dismissal and conflict of interests

On 9 February 2023, the Court of Justice of the European Union (CJEU) made a ruling in relation to the conditions for dismissing Data Protection Officers (DPOs) under Article 38(3) and the definition of conflict of interests under Article 38(6) of the GDPR. The case relates to the dismissal of a DPO of a German company group, who was also the “chair of the works council” of the same group, in May 2018 when the GDPR came into effect. The DPO sought a declaration that the dismissal was ineffective by bringing proceedings before the German courts, while the company cited conflict of interest as the just cause for dismissal. The German Federal Labour Court referred the case to the CJEU for clarification of, among other things, (i) whether Article 38(3) precludes member states from setting out further conditions for dismissing DPOs, and (ii) the extent to which conflicts of interest in the context of Article 38(6) can justify the dismissal of DPOs.

In relation to Article 38(3), the CJEU ruled that member states are free “to lay down more protective specific provisions on the dismissal of the DPO” as long as these do not “undermine the achievement of the objectives of the GDPR”. In relation to Article 38(6), the CJEU ruled that DPOs should “be in a position to perform their duties and tasks in an independent manner”, and that conflicts of interest within the meaning of Article 38(6) arise where DPOs are “assigned any tasks or duties which would lead [them] to determine the purposes and means of the processing of personal data”.

For further details of the judgment, please refer to CJEU’s Judgment dated 9 February 2023.
12 January 2023 Court of Justice of European Union rules administrative and civil remedies provided for by the GDPR may be exercised concurrently and independently of each other

On 12 January 2023, the Court of Justice of the European Union (CJEU) made a ruling in relation to the relationship between the administrative and civil remedies provided under the GDPR. The case relates to a shareholder’s request for the audio recording of the company’s general meeting. The shareholder was only provided with extracts which reproduced his own contributions, and subsequently requested the Hungarian data protection authority to order the company to send him the recording in question. After his request was refused by the Hungarian data protection authority, he brought an administrative appeal against that decision and, at the same time, brought proceedings before the Hungarian civil courts against the decision of the company. While the administrative appeal proceedings were still ongoing, the civil courts found that the company had infringed the shareholder’s right of access to his personal data. The Budapest High Court therefore referred the case to the CJEU, asking whether, in the context of reviewing the lawfulness of the decision of the national supervisory authority, it is bound by the final judgment of the civil courts concerning the same facts and the same alleged infringement of the GDPR, and whether one of those remedies might take priority over the other.

In the said Judgment, the CJEU found that the GDPR does not provide for any priority or exclusive competence or jurisdiction or for any rule of precedence in respect of the assessment carried out by the supervisory authority or by a court as to whether there is an infringement of the rights concerned. Consequently, the administrative and civil remedies provided for by the GDPR may be exercised concurrently with and independently of each other. It is for each member state to ensure that the concurrent and independent remedies do not call into question the effectiveness of the GDPR and effective protection of the rights thereunder, the consistent and homogeneous application of its provisions and the right to an effective remedy before a court or tribunal.

For further details of the judgment, please refer to (1) CJEU’s Judgment and (2) Press Statement issued by the CJEU dated 12 January 2023.
12 January 2023 Court of Justice of European Union confirms data subjects’ right of access to information about specific recipients to whom the personal data have been or will be disclosed

On 12 January 2023, the Court of Justice of the European Union (CJEU) made a ruling in relation to data subjects’ right to access information about the recipients or categories of recipients to whom the personal data have been or will be disclosed under Article 15(1)(c) of the EU GDPR. In this case, Österreichische Post AG (responsible for the Austrian postal service), in responding to a data subject’s data access request for information as to the identity of the recipients of his personal data, merely provided a description of the categories of recipients, without disclosing the identity of the specific recipients of the personal data. The Supreme Court of Austria referred the case to the CJEU for its interpretation of Article 15(1)(c) of the EU GDPR.

In the Judgment, CJEU ruled that in order to ensure the effectiveness of other rights conferred on data subjects under the EU GDPR (including the right to rectification, right to erasure, right to restriction of processing and right to object under Articles 16, 17, 18 and 21 of the EU GDPR respectively), the data subject must have the right to be informed of information about the specific recipients to whom his/her personal data have been or will be disclosed.

That said, the CJEU acknowledged that in specific circumstances such right of access may be subject to limits, for example, where it is impossible to disclose the identity of specific recipients, in particular where they are not yet known, or where the controller demonstrates that the data subject’s requests are manifestly unfounded or excessive (within the meaning of Article 12(5) of the EU GDPR).

For further details of the judgment, please refer to (1) CJEU’s Judgment and (2) Press Statement issued by the CJEU dated 12 January 2023.
8 December 2022 Court of Justice of European Union extends right to erasure (right to be forgotten) to remove manifestly inaccurate information

On 8 December 2022, the Court of Justice of the European Union (CJEU) made a ruling on right to erasure (right to be forgotten). This case concerned two investment managers who had requested Google to de-reference search results linking their names to certain articles criticizing their business investment model. They alleged that those articles contain inaccurate claims. They also required Google to remove thumbnail photos of them from search results based on their names. Google declined their request and contended that it was unaware of the alleged inaccuracy of the information contained therein. The German Federal Court of Justice referred the case to the CJEU for its interpretation of Article 17(3)(a) of the EU GDPR which concerns the exercise of right to erasure and right of freedom of expression and information.

In the said Judgment, CJEU pointed out that the right to protection of personal data is not an absolute right but must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. While the EU GDPR expressly provides that the right to erasure is excluded where processing is necessary for the exercise of the right to freedom of expression and information, the right to freedom of expression and information cannot be taken into account where, at the very least, a part – which is not of minor importance – of the information found in the referenced content proves to be inaccurate.

CJEU ruled that the search engine operator must remove information found in referenced content where the person requesting de-referencing submits relevant and sufficient evidence to prove that such information is manifestly inaccurate. To avoid an excessive burden on the requestor, CJEU stated that such proof does not have to come from a judicial decision against the website publishers in question and the requestor only has to provide evidence that can reasonably be required of him or her to try to find.

Regarding the display of the thumbnail photos following a search by name, CJEU stated that such display constitutes a particularly significant interference with the data subjects’ rights to private life and their personal data. A separate weighing-up of competing rights and interests is required depending on whether the said photos are displayed in the original context illustrating the information provided in those articles and the opinions expressed in them, or outside such context.

For further details of the judgment, please refer to (1) CJEU’s Judgment and (2) Press Statement issued by the CJEU dated 8 December 2022.


B. Major Developments under the GDPR

Date Major Developments
10 July 2023 The Adequacy Decision for the EU-US Data Privacy Framework (DPF)

On 10 July 2023, the European Commission adopted an adequacy decision on the EU-US Data Privacy Framework (DPF), concluding that the US provides a level of protection essentially equivalent to that of the EU for personal data transferred under the DPF from a data controller or a processor in the EU to certified organisations in the US. Specifically, the adequacy decision has the effect that such transfers may take place without the need to obtain any further authorisation.
 
Some new binding safeguards introduced by the DPF include:
  • limiting access to EU data subjects' personal data by US intelligence services to what is necessary and proportionate to protect national security (under the US's Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’);
  • providing EU data subjects whose data would be transferred to the US under the DPF with several new rights (i.e., to access their data, or to correct or delete inaccurate or unlawfully handled data); and
  • establishing a two-tier redress mechanism for EU data subjects (i.e., EU data subjects' complaints would first be investigated by the Civil Liberties Protection Officer (CLPO) of the US intelligence community, and the data subjects may appeal the CLPO's decision before the independent and newly established Data Protection Review Court).
US organisations will be able to self-certify under the DPF by committing to comply with a detailed set of privacy obligations (e.g., purpose limitation, data minimisation, data deletion as soon as no longer necessary, specific obligations concerning data security and the sharing of data with third parties, etc.). Certifications must be renewed on an annual basis. Organisations that are found to persistently fail to comply with the principles will be removed from the DPF list and must return or delete the personal data received under the DPF.
 
The adequacy decision takes effect immediately, and the DPF will start to apply upon certification of US organisations. Meanwhile, the European Commission will periodically review the adequacy decision, with the first review to take place within one year after the entry into force.
 
For further details of the DPF, please refer to the full Adequacy Decision for the EU-US Data Privacy Framework dated 10 July 2023.
25 March 2022 The new Trans-Atlantic Data Privacy Framework between the EU and the United States (“US”)

On 16 July 2020, the Court of Justice of the European Union struck down the framework of the EU-US Privacy Shield in the case of Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems and intervening parties (commonly known as “Schrems II Judgment”). Since 2016, the EU-US Privacy Shield had been implemented as a major mechanism for effecting transfers of personal data from EU companies to US companies.

Following continuous discussions between the European Commission and the US, the parties announced on 25 March 2022 that an agreement had been reached in principle on a new Trans-Atlantic Data Privacy Framework (“New Framework”), with a view to re-establishing a legal mechanism for the transfer of personal data from the EU to the US.

In particular, the New Framework ensures that (i) signals intelligence activities undertaken by the US should be necessary and proportionate in advancing legitimate national security objectives; (ii) a new redress mechanism with independent and binding authority will be established to direct remedial measures for affected EU individuals; and (iii) US intelligence agencies will adopt procedures to ensure effective oversight of new privacy and civil liberties standards.

As the next step forward, the European Commission and the US will continue to work on the legal documents required to be adopted by both sides for putting the New Framework into practice.

For further details of the New Framework, please refer to (1) the European Commission and United States Joint Statement on Trans-Atlantic Data Privacy Framework and (2) the Press Statement issued by the White House of the US, both dated 25 March 2022.
21 March 2022 New Transfer Instruments for transferring personal data from the United Kingdom

The GDPR is retained in the domestic law in the United Kingdom (“the UK”) as the “UK GDPR”. Article 46(1) of the UK GDPR allows international transfers of personal data, inter alia, where the data exporter has provided appropriate safeguards (including through standard data protection clauses issued by the Information Commissioner, etc).

On 21 March 2022, two new transfer instruments, namely (i) the International Data Transfer Agreement (“IDTA”) and (ii) the international data transfer addendum to the European Commission’s standard contractual clauses for international data transfers adopted in June 2021 (“Addendum”) issued by the Information Commissioner came into force. In particular, the new instruments are intended to replace the existing Standard Contractual Clauses recognised in the UK, i.e. the Standard Contractual Clauses adopted in the EU in the pre-GDPR era (“the Old SCCs”).

The practical implications of the introduction of the IDTA and the Addendum for data transferors and data transferees are that:

  • Contracts concluded on or before 21 September 2022 on the basis of the Old SCCs shall continue to provide appropriate safeguards for the purpose of the UK GDPR (provided that the processing operations that are the subject matter of the contract remain unchanged) until 21 March 2024.
  • From 22 September 2022, either the IDTA or the Addendum will have to be incorporated for new contracts concerning international transfers of personal data under the UK GDPR.
  • From 22 March 2024, the Old SCCs will no longer be deemed to provide “appropriate safeguards” for the purpose of the UK GDPR. All contracts that have incorporated the Old SCCs will have to be replaced by either the IDTA or the Addendum by 21 March 2024.
For further details of the IDTA and the Addendum, please refer to the introduction provided by the Information Commissioner’s Office of the UK.
17 December 2021 The adequacy decision for South Korea

On 17 December 2021, the European Commission adopted the decision that the Republic of Korea ensures an adequate level of protection for personal data transferred from the EU to entities in the Republic of Korea that are subject to the Personal Information Protection Act, as supplemented by the additional safeguards stipulated therein, together with the relevant official representations, assurances and commitments.

For details of the adequacy decision for South Korea, please refer to the Joint Press Statement by Didier Reynders, Commissioner for Justice of the European Commission, and Yoon Jong In, Chairperson of the Personal Information Protection Commission of the Republic of Korea.
28 June 2021 The adequacy decision for the United Kingdom

On 28 June 2021, the European Commission adopted two adequacy decisions for the United Kingdom, one under the GDPR and the other for the Law Enforcement Directive. Free flow of personal data from the EU to the United Kingdom is allowed where the United Kingdom ensures essentially an equivalent level of personal data protection to that guaranteed under the EU law.

For details of the adequacy decision for the United Kingdom, please refer to the press release issued by the European Commission.

1 A five-step methodology was set out by the European Data Protection Board in the Guidelines, comprising the following steps:
(1) Identifying the relevant processing operations and evaluating the application of Article 83(3) of the GDPR;
(2) Identifying the starting point for further calculation of the fine amount by, inter alia, considering the categorisation of infringements under Articles 83(4)–(6) of the GDPR, the nature and gravity of the infringement, and the turnover of the undertaking;
(3) Evaluating the aggravating or mitigating factors listed in Article 83(2) of the GDPR;
(4) Identifying the legal maximums (static and dynamic maximums) of fines (whichever is higher); and
(5) Considering the effectiveness, proportionality and dissuasiveness of the fine.
Please refer to the Guidelines for details.