Seven years of GDPR: a legal review and outlook

The General Data Protection Regulation, better known as the GDPR, has been a cornerstone of data protection within the European Union. Now, seven years later, the privacy landscape continues to evolve, thanks in part to the clarifying role of the Court of Justice of the European Union (CJEU). It is crucial for companies and organizations to stay abreast of these developments in order to remain compliant and safeguard the rights of data subjects. In this post, we discuss some of the most influential rulings of the past year (May 2024 - May 2025) and look ahead to some important cases coming up.

Key ECJ rulings (May 2024 - May 2025)

Over the past year, the Court of Justice has once again addressed crucial aspects of the GDPR. Below is a selection of rulings that have a direct impact on the day-to-day practice of data processing.

  1. Case C-621/22 - Royal Dutch Lawn Tennis Association (KNLTB)
    • Bottom line: The ECJ ruled that a purely commercial interest can be considered a "legitimate interest" for data processing under certain conditions. This legitimate interest does not have to be explicitly defined by law, but it must be legitimate. The processing of the data in question is only permitted if it is strictly necessary and no less intrusive alternatives are available. Moreover, a balancing of interests is required between the interest of the data controller and the rights of the data subjects, whereby the data subjects must be able to reasonably foresee how their data will be used.
    • Practical implications: Organizations previously reluctant to use a legitimate interest as a legal basis for purely commercial purposes may now consider doing so, provided the Court's strict criteria are met. Organizations that already invoke a legitimate interest for commercial interests should evaluate whether their current practices meet the Court's requirements. If they do not, they should modify their practices or choose a different legal basis for the processing.
    • Relevant GDPR provision: Article 6(1)(f) GDPR - legitimate interest
    • Direct link to the judgment
  2. Case C-446/21 - Maximilian Schrems
    • Bottom line: Among other things, the Court stated that a situation in which an individual discloses his/her sexual orientation during a public panel discussion does not automatically qualify as processing personal data that is "manifestly disclosed by the data subject" within the meaning of the exemption in Article 9(2)(e) GDPR. Thus, a social media platform operator may not use this exemption to process other sexual orientation data obtained outside the platform (from third-party websites or apps).
    • Practical implications: Organizations must be careful when processing special categories of personal data. Even if an individual discloses special categories of data about himself in the context of a public discussion or in similar situations, this is not sufficient to trigger the application of the exemption in Article 9(2)(e) GDPR. Thus, the controller must identify another exemption under Article 9 or refrain from processing such special categories of data.
    • Relevant GDPR provision: Article 9 GDPR - Processing of special categories of personal data
    • Direct link to the judgment
    • Also read our detailed blog post about this ruling
  3. Case C-169/23 - Másdi
    • Bottom line: This judgment deals with the applicability of the provision under Article 14(5)(c) GDPR. This concerns an exception to the duty to inform data subjects, which applies when the acquisition or disclosure of the data is expressly required by law (in so far as that law provides appropriate measures to protect the legitimate interests of the data subjects). The CJEU stated that this exception applies to personal data regardless of the manner in which it was obtained. Thus, if the said exception applies, the controller does not have to inform the data subject about data obtained from a third party or about data generated by the controller itself in the course of its duties.
    • Practical implications: Organizations can rely on this exception to avoid the information obligation for personal data, regardless of its source (obtained from third parties or generated internally). However, they must clearly identify the specific legal provision authorizing the processing and ensure that the necessary measures to protect the legitimate interests of data subjects are effectively implemented. Any such assessment of the applicability of the exception under Article 14(5)(c) must be adequately documented, as required by the principle of accountability.
    • Relevant GDPR provision: Article 14 GDPR - Information to be provided when personal data has not been obtained from the data subject
    • Direct link to the judgment
  4. Case T-354/22 - Bindl v. Commission
    • Bottom line: According to the General Court, data subjects may be entitled to compensation not only for material damage, but also for non-material damage resulting from a breach of data protection rules. In this particular case, the General Court found that the transfer of data outside the European Economic Area (EEA) without adequate transfer mechanisms had caused actual and certain non-material damage to the data subject, as it placed him in a position of uncertainty regarding the processing of his personal data. Moreover, the General Court found a sufficiently direct causal link between the data protection breach and the non-material damage suffered by the data subject, and assessed this non-material damage at EUR 400, to be paid by the controller who had transferred his data outside the EEA.
    • Practical implications: Following this ruling, organizations should strengthen their data protection practices, as even minor breaches can lead to claims for damages. This includes ensuring appropriate security measures, clear internal procedures, periodic staff training and effective communication with affected data subjects.
    • Relevant GDPR provision: Article 82 GDPR - Right to compensation and liability
    • Direct link to the judgment

Expected ECJ rulings: a look ahead

In addition to the rulings already made, there are some cases pending before the ECJ that will have potentially significant implications.

  1. Case C-693/22-I (Sale of a database)
    • What the case is about: The Court must assess whether a national law that permits the sale of a database containing personal data in the context of enforcement measures, even when the data subject has not given consent to the sale, is permissible under the GDPR.
    • Possible practical implications: If the Court follows the position of the Advocate General and allows the sale of a database of personal data without the consent of data subjects, provided that such processing is deemed necessary and proportionate to enforce a civil claim, several practical implications arise. First, it could reduce the level of control that data subjects have over their personal data. Moreover, determining whether such data processing meets the thresholds of necessity and proportionality could lead to legal and procedural uncertainty, particularly in the absence of clear criteria or oversight mechanisms.
  2. Case C-654/23 - Inteligo
    • What the case is about: The CJEU must interpret, inter alia, whether Article 83(2) GDPR means that a supervisory authority imposing an administrative fine is required to assess and explain in a sanction decision the impact of each of the criteria listed in letters (a) to (k) of that Article on the decision to impose a fine and, respectively, on the decision regarding the amount of the fine imposed.
    • Possible practical implications: Depending on the Court's response, supervisory authorities should revise their templates for sanction decisions or at least change the way such documents are completed to reflect the criteria used in determining both the decision to impose a fine and the specific amount of the fine. In that case, organizations could have a reason to challenge the penalty decision if supervisory authorities do not adequately explain such penalty criteria.
    • Relevant GDPR provision: Article 83 GDPR - General conditions for imposing administrative fines.
  3. Case C-492/23 - Russmedia
    • What the case is about: The CJEU must clarify whether providers that store and host online information qualify as processors or as controllers, in order to determine their obligations under the GDPR. Among other things, the Court will determine the extent to which controllers are responsible for (i) verifying the identity of the person placing ads and for conducting prior checks of the content of ads that may be unlawful or may violate an individual's private and family life, as well as for (ii) implementing technical measures to prevent unauthorized copying and redistribution of those ads.
    • Possible practical implications: If the Court adopts the position of the Advocate General, storage and hosting providers would be considered processors under the GDPR with respect to ads placed by users, and therefore would not be required to proactively monitor ad content or implement technical measures to prevent copying or redistribution, thus limiting their responsibilities for user-generated content. However, for registered users/advertisers, platform operators would act as data controllers and must verify their identity, as well as comply with the obligations the GDPR establishes for data controllers with respect to them, such as ensuring a valid legal basis for processing, providing clear privacy statements and implementing adequate security measures.
  4. Case C-413/23 P - EDPS v. SRB (European Data Protection Supervisor v. Single Resolution Board)
    • What the case is about: The case concerns the situation where only the controller disclosing certain pseudonymized information is able to identify data subjects, while this is not possible for the recipient of such information. Thus, the information pseudonymized by the disclosing controller cannot be correlated by the recipient with additional information that would identify data subjects. The Court in this case is expected to clarify, among other things, whether the privacy notice provided to data subjects must also cover the disclosure of such pseudonymized information to the recipient, for whom such information is not personal data.
    • Possible practical implications: If the ECJ follows the position of the Advocate General that pseudonymized data is personal data, organizations must treat such data as fully subject to data protection rules, even when shared with third parties that cannot directly re-identify data subjects. This means they must comply with transparency obligations, including informing data subjects of the disclosure of their personal data, identifying all categories of recipients, and ensuring that this information is provided clearly and efficiently.

Conclusion and recommendations

The case law of the EU Court of Justice remains a dynamic and guiding factor in the interpretation and application of the GDPR. The rulings discussed above and those yet to come underscore the importance for any organization to continuously evaluate and adapt its data processing activities to evolving legal standards.

Correctly interpreting these rulings and translating them into concrete action points within your organization can be complex. However, a proactive approach to data protection is not only a legal obligation but also contributes to the trust of your customers and business relations.

Joris Deene

Attorney-partner at Everest Attorneys
