On 6 October 2022, the Advocate General (Campos Sánchez-Bordona) issued his opinion in UI v Österreichische Post AG on the interpretation of the rules on civil liability under the GDPR .

He concluded that a data subject must have suffered harm in order to claim compensation, and that breach of the GDPR alone was not sufficient.  There is also a distinction to be drawn between mere upset (which does not give rise to a right for compensation) and non-material damage (which does).

Continue Reading ‘Mere upset’ insufficient for compensation under the GDPR

The Summer 2022 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released:

English version

German version

Continue Reading Get your Update on IT & Data Protection Law in our Newsletter (Summer 2022 Edition)

The Winter 2022 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released:

English version

German version

Continue Reading Get your Update on IT & Data Protection Law in our Newsletter (Winter 2022 Edition)

Two Chinese information security laws, the Data Security Law (“DSL”) and the Personal Information Protection Law (“PIPL”), are creating difficulties for parties involved in litigation in the United States seeking discovery materials stored in China.

Both the DSL and the PIPL require data processors to obtain approval from the Chinese government before transferring any data stored in China to a foreign court or law enforcement authority, or otherwise face significant penalties such as fines in the millions of dollars.

Litigants in the U.S. should be aware that the DSL and PIPL may impose significant costs and delays in the discovery process, and may be used to avoid turning over certain materials.

Continue Reading Chinese data security laws increasingly create roadblocks for litigants seeking discovery in U.S. courts

In a recent decision of December 19, 2021, case no. 1 BvR 1073/20 (published with an official press release dated February 2, 2022), the German Federal Constitutional Court (Bundesverfassungsgericht – BVerfG) set aside several judgments of the Berlin civil courts. The Berlin civil courts had denied the plaintiff, who alleges she was exposed to hate speech on a social network, the right to demand from the operator of the social network access to customer data, i.e., the full names of the users who had posted the content that the plaintiff considered to be hate speech. In the view of the BVerfG, the Berlin courts had failed to properly balance the parties’ interests and thereby had violated the plaintiff’s fundamental rights.
Continue Reading Germany’s Federal Constitutional Court provides guidance for assessing claims against hate speech on social media

In a judgment handed down by the UK Court of Appeal on 21 December 2021 ([2021] EWCA Civ 1952, available here), Walter Soriano, the claimant, was granted his cross-appeal, giving him permission to serve Forensic News LLC and four other defendants in the United States with proceedings under the General Data Protection Regulation (GDPR). The appeal came from the High Court, which had previously refused such permission on the basis that the claimant could not demonstrate that the claim satisfied the test for serving claims outside the jurisdiction. The reason given by the High Court was that the processing of the claimant’s personal data did not fall within the territorial scope of the GDPR. The Court of Appeal therefore revisited the GDPR’s territorial scope as part of this appeal and decided the claimant had an arguable case and could therefore serve the claim outside the jurisdiction.
Continue Reading UK’s Court of Appeal assesses territorial scope of GDPR

On December 1, 2021, in a much-noted decision, the Administrative Court of Wiesbaden (AC Wiesbaden) handed down a preliminary injunction dealing with international data transfers (case 6 L 738/21.WI, available in German here). In the specific case, there was no data transfer mechanism in place and thus the court ordered the defendant to stop using a cookie consent management platform. Contrary to some reports, the court did not rule that U.S.-based consent management solutions or cookies cannot be used anymore. The injunction can still be appealed and could also be lifted in the main proceedings.

Continue Reading German court prohibits U.S. data transfers in “Cookiebot” decision: Why this decision is special and should alert, but not upset your organization

In one of the most highly anticipated judgments in recent years, the UK Supreme Court has unanimously rejected a class-action style compensation claim under the Data Protection Act 1998. The Supreme Court decision was handed down as a result of a claim raised against Google LLC (Google) by Richard Lloyd on behalf of four million data subjects.

Continue Reading Lloyd v. Google: Supreme Court rejects compensation claim