GDPR Week: European Courts Reshape GDPR Enforcement and Interpretation

In a landmark week for EU data protection law, the European Court of Justice (ECJ) and the General Court delivered three pivotal judgments that clarify the scope of GDPR enforcement, the concept of personal data, and the rights of data subjects.

These decisions - Latombe v Commission (T-553/23) [currently only in French]), EDPS v SRB (C-413/23 P), and IP v Quirinbank (C-655/23) – carry significant implications for organisations processing personal data and for the future of transatlantic data transfers.

Latombe v Commission (T-553/23): EU-US Data Privacy Framework Upheld

Background:

Philippe Latombe, a French citizen, challenged the European Commission’s adequacy decision underpinning the EU-US Data Privacy Framework (“DPF”), arguing that the U.S. Data Protection Review Court (“DPRC”) lacked independence and that bulk data collection by U.S. intelligence agencies violated EU standards.

Key Takeaways:

• Adequacy decision upheld: The General Court upheld the Commission’s adequacy decision, confirming that the U.S. ensures an adequate level of protection for personal data.
• DPRC has sufficient safeguards: The DPRC was found to have sufficient safeguards to ensure judicial independence. This includes that judges of the DPRC may only be dismissed by the Attorney General for cause. In addition, the Commission is required to continuously monitor the application of the legal framework on which its adequacy decision pursuant to Art. 45 GDPR is based.
• Bulk data collection compliant with Schrems II: Bulk data collection practices were deemed compliant with Schrems II, provided they are subject to ex post judicial review. A prior authorisation issued by an independent authority is not necessary.

Practical Implications:

• Legal certainty for transatlantic data transfers: The ruling provides legal certainty for transatlantic data transfers under the DPF. Organisations relying on the DPF can continue operations without immediate risk of invalidation.
• Ongoing monitoring: However, ongoing monitoring by the Commission remains essential, and future legal challenges cannot be ruled out.

EDPS v SRB (C-413/23 P): Clarifying the Concept of Personal Data

Background:

The Single Resolution Board (“SRB”), the central resolution authority within the Banking Union, transferred pseudonymised comments from affected shareholders to a consulting firm without informing the shareholders. The European Data Protection Supervisor (“EDPS”) found this to be a violation of SRB’s transparency obligations. The General Court annulled the EDPS’s decision, prompting an appeal, which was now decided by the ECJ.

Key Takeaways:

• Pseudonymised data is not always personal data: The ECJ confirmed that pseudonymisation may, depending on the context and technical safeguards, effectively prevent re-identification and therefore not constitute personal data for the recipient. 
• Relative identifiability matters: The Court reaffirmed the “relative approach” to identifiability – meaning that whether data is personal depends on the actor processing it. This aligns with earlier landmark rulings such as Breyer (C 582/14), Nowak (C 434/16), and IAB Europe (C 604/22), which collectively support a contextual, actor-specific understanding of personal data.
• Subjective opinions can be personal data – if linked to an individual: The ECJ reiterated that even subjective comments, such as shareholder feedback, can constitute personal data if they reflect the views of identifiable individuals. However, this does not mean all pseudonymised data is automatically personal.
• Transparency obligations apply at the point of collection: Controllers must inform data subjects of all potential recipients at the time of data collection – even if the data is later pseudonymised or transferred securely. This reinforces the importance of robust privacy notices and early-stage compliance.

Practical Implications:

• Legal certainty for pseudonymisation strategies: Organisations can rely on pseudonymisation to reduce compliance burdens – provided that re-identification is effectively prevented for recipients. This supports scalable, privacy-conscious data sharing models.
• Clearer risk allocation in multi-party setups: The ruling helps delineate responsibilities between controllers and processors. Even if a processor cannot identify data subjects, it may still be subject to obligations under the controller’s oversight. This may also impact contractual relations, including data processing agreements pursuant to Article 28 GDPR.
• Enhanced confidence in data governance: By confirming a contextual and proportionate approach to personal data, the ECJ empowers organisations to design compliant and efficient data flows without overextending obligations.
• Privacy notices must be future-proof: Controllers should ensure that privacy statements cover all phases of data processing and name all potential recipients – even if data is pseudonymised before transfer.

IP v Quirinbank (C-655/23): Injunctions and Non-Material Damage under the GDPR

Background:

The case examined whether a data subject can obtain a prohibitory injunction against a controller for future unlawful onward transfers of personal data, even without requesting erasure. It also addressed the threshold for non-material damage under Article 82 GDPR.

Key Takeaways:

• No right to injunctive relief under GDPR: The GDPR does not stipulate any right to injunctive relief. Although Article 79 GDPR ensures that every data subject can seek court protection against unlawful data processing, the GDPR does not offer any legal remedy for data subjects affected by the unlawful processing of personal data if they have not previously requested the deletion of their data. Such a remedy would enable data subjects to request the deletion of their data in However, the GDPR does not provide any legal remedy for the person affected by the unlawful processing of personal data if that person has not previously requested the deletion of their data. Such a question would enable the data subject to preventively obtain an order prohibiting the controller from continuing the unlawful processing. However, a right to injunctive relief under national law is not excluded.
• Negative feelings as “non-material damage”: The term “non-material damage” within the meaning of Article 82 GDPR includes negative feelings experienced by the data subject as a result of the unauthorized transfer of their personal data to a third party, such as concern or annoyance, caused by a loss of control over this data, its possible misuse, or damage to reputation. However, the data subject must prove that (i) these feelings actually exist and that (ii) they are based on the violation of the GDPR. This means that emotional distress such as annoyance or worry may constitute non-material damage, but must go beyond everyday discomfort to qualify for compensation 
• Degree of fault: The degree of fault of the controller is not taken into account when assessing the amount of compensation for non-material damage owed under this provision.

Practical Implications:

• Right to erasure: It is likely that affected individuals will increasingly exercise their right to erasure under Article 17 of the GDPR in the future. Companies are well advised to have technical processes in place to respond to requests in a timely manner.
• Burden of proof in court: The threshold for non-material damage remains nuanced, requiring careful legal assessment in claims. The courts must continue to carefully evaluate, for example in a party hearing, whether such negative feelings actually exists, for which the claimant carries the burden of proof. In this regard, claimants should always be reminded of their duty to tell the truth in court.

Conclusion

These decisions collectively reinforce the robustness of the GDPR framework while clarifying key concepts such as pseudonymisation, transparency, and data subject rights. Organisations should revisit their data transfer mechanisms, transparency practices, and legal risk assessments in light of these rulings.

The Latombe ruling initially provides legal clarity for transatlantic data transfers. Even though this area is constantly changing, there is certainty for the time being.

EDPS v SRB raises new questions regarding transparency and assessment in particular. Although the ECJ has ruled that pseudonymized data does not necessarily constitute personal data, the controller should always check to what extent it is possible to draw conclusions. Otherwise, they are subject to transparency obligations and the other obligations of the GDPR towards the data subjects.

Furthermore, a litigation risk remains. Even if a claim for injunctive relief is denied under the GDPR, it is still possible to resort to national law. In this respect, national courts are required to develop the law accordingly.