On 7 December 2023, the European Court of Justice (ECJ) issued two landmark rulings against the German credit scoring agency SCHUFA. Both decisions significantly strengthen the rights of a data subject under the General Data Protection Regulation (GDPR) in several substantive and procedural dimensions.
First, from the substantive point of view, in C-634/21, the Court completely overturned the company’s business model by stating that credit ranking decisions constitute automated decision-making and thus should be subject to human oversight. Moreover, in the joint cases C-26/22 and C-64/22, the Court prohibited private agencies from storing data longer than the public register. For an extensive commentary on the decision concerning credit scoring and automated decision-making, see this op-ed by Francesca Palmiotto.
Instead, this contribution looks into the equally paramount consequences of the judgment in C-26/22 and C-64/22 on the GDPR procedural rights. There, the ECJ investigated essential questions about the status of the GDPR complaint and its judicial review. Above all, the Court confirmed that, contrary to the views of some data protection authorities (DPAs), an individual’s data protection complaint to a DPA is not a petition. Additionally, the Court emphasised the right to a full judicial review of any legally binding decision of the DPA. This may lead to fundamental shifts in how the GDPR is enforced in the EU.
Background of the case
Article 8(3) of the Charter for the Fundamental Rights of the European Union (CFREU) assigns oversight of compliance with the data protection rules to an independent authority – the DPAs. The DPAs are the only national-level authorities protected by the CFREU and, as such, enjoy a particular position in EU law. The GDPR acknowledges that by confirming high standards of complete independence of the DPAs. The DPAs also enjoy a vast catalogue of corrective, investigative and supervisory powers.
One of the DPAs’ tasks is handling complaints filed by the data subjects or their representatives. The DPAs are bound by the GDPR and their national administrative procedures when handling a complaint. As a result, their practices are fragmented and differ across the EU. For example, in some Member States, the complainant does not have the status of a party to the proceedings. These differences cause further problems in cross-border cases, where two or more jurisdictions can clash under divergent understandings of administrative law concepts such as ‘complaint’, ‘handling’ or ‘party of the proceeding’. These notions go beyond the scope of the GDPR and present a challenge for the DPAs in terms of how to harmonise them adequately.
Under the GDPR, every data subject has a right to lodge a complaint with a DPA, as well as the right to an effective judicial remedy against the DPA’s legally binding decision concerning her, which also applies in the instances of not handling a complaint or not informing about its progress on time. Apart from the public enforcement redress mechanism, the data subject has a parallel right to an effective judicial remedy against GDPR violations before the national courts.
The judgment results from a preliminary request filed by the German Court in the cases of two data subjects, UF (Case C-26/22) and AB (Case C-64/22). They had both been involved in insolvency proceedings in Germany and were subsequently granted early discharge from remaining debts by the courts. Consequently, following German law, their insolvency information was erased from the public register after six months.
However, SCHUFA, the German credit scoring agency, had already scraped this information from the public register into its database. SCHUFA, acting on the grounds of a code of conduct approved by the DPA, had intended to store the insolvency information for much longer, namely three years after registration. SCHUFA claimed it had a legitimate interest in this information because its business practices entail assessing individuals’ creditworthiness based on their financial history.
UF and AB applied to SCHUFA to delete the debt discharge decisions earlier, according to the storage period of the public register. SCHUFA refused to do so. As a result, the data subjects lodged complaints with the Hessian DPA.
The DPA dismissed the complaints and found SCHUFA’s data processing lawful. It argued that the company could have stored the data if it was necessary for the purpose of processing, which, in that case, was to assess the creditworthiness of UF and AB.
The data subjects appealed against the DPA’s decision before the administrative court in Wiesbaden under Article 78 GDPR. They argued that the DPA was obliged, within the scope of its duties and powers, to take appropriate measures with respect to SCHUFA and to order the data erasure.
Is a Complaint a Petition?
Instead of directly responding to these allegations, the DPA decided to defend itself before the court by contesting the data subject’s right to the full judicial review of the decisions concerning them. More specifically, it argued in its defence that the data subjects’ actions should be dismissed. To justify that, the DPA claimed that the data subject’s right to lodge a complaint under Article 77 GDPR is conceived ‘solely as a right of petition’. This would mean that the complaint is a piece of mere information or an informal direction for the DPA to act (or not to act) rather than a formal trigger to the procedure. Consequently, in the view of the DPA, the court, while carrying out the judicial review, could not decide on the merits of the decision. Instead, it could only examine whether the complaint had been handled and whether the DPA had informed the complainants of its progress and outcome. It would not have the competence to review the substantive correctness of the decision.
The Wiesbaden court expressed doubts about this position. It observed that this reasoning would undermine the effectiveness of the judicial remedy under Article 78 GDPR, and therefore, given the objective of the GDPR to protect the fundamental rights and freedoms of individuals, also Articles 7 and 8 CFREU. According to the court, the DPA’s legally binding decision on the merits must be subject to full judicial review, acknowledging the authority’s discretionary power.
As a result, the dispute around the substantive question of the data storage period turned into an ontological debate on the nature of the complaints and procedural rights of the data subjects.
The Preliminary Questions
The preliminary questions concerned two issues – the nature of judicial review over a DPA’s handling of complaints by data subjects and the legality of the credit agencies’ data storage.
First, the national court asked whether a DPA’s decision regarding a complaint made by a data subject under Article 77 GDPR has the character of a decision on a petition or, instead, is to be understood as a decision on the merits taken by a public authority. It also inquired about the data subject’s entitlement to judicial review of the DPA’s decision under Article 78 GDPR. Specifically, it asked whether that right to judicial review is limited to the question of whether the DPA has handled the complaint, investigated the subject matter of the complaint to the extent appropriate and informed the complainant of the outcome of the investigation or whether, instead, the DPA’s decision is subject to a full substantive review by the court, and the DPA could, in individual cases, also be obliged to take a specific measure envisaged by the GDPR.
The national court also asked the ECJ about the legality of the storage of data by private credit agencies beyond the period ordered by law concerning the public insolvency registers, the applicability of the GDPR right to be forgotten, the legitimate interest as the legal basis for the storage and on the functioning of the codes of conduct in relation to the legitimate interest.
The Court Steps In: On the Nature of the Complaints
The ECJ approached the problem from the literal, contextual and teleological point of view. It answered the question of the nature of the complaints and the scope of judicial review. In doing so, it also touched upon the questions of the DPA’s independence and procedural autonomy and the relation between the parallel Article 77 and 79 enforcement redresses before the DPA and before the court.
No, the Data Protection Complaint is Not a Petition
First, the Court settled the procedural core of the dispute: it stated that the data protection complaint is not, in fact, a petition (para 58). It thus disagreed with the DPA’s view, which treated the GDPR complaint as solely informative and the complaint-based decision as not producing substantive legal effects towards the complainant.
The court confirmed that the Hessian DPA’s decisions on SCHUFA constituted legally binding decisions under the GDPR and were thus subject to judicial review because the DPA examined the merits of the complaints and found that SCHUFA’s data processing was lawful. The subsequent dismissal of the data subjects’ complaints is an action which, according to Recital 143 GDPR, constitutes a decision producing legal effects concerning the complainant.
Subsequently, the Court reiterated its Schrems II finding that the DPA must handle complaints with ‘all due diligence’. The DPA under Article 57 GDPR is required on its territory to address data subject complaints under Article 77 GDPR and to examine the nature of that complaint ‘as necessary’.
Similarly, and also in line with Schrems II, the Court observed that the DPAs under the GDPR enjoy extensive investigative and corrective measures to handle complaints lodged. Should the DPA, following the investigation, find a GDPR infringement, it is required to ‘act appropriately to remedy the shortcoming found’ (para. 57).
Most importantly, the Court treated the nature of the complaints as directly linked with the tasks and powers of the DPAs; because of that, complaints are not similar to petitions. It concluded that the complaints procedure is ‘designed as a mechanism capable of effectively safeguarding the rights and interests of data subjects’ (para. 58). This interpretation stresses the importance of reading the procedural framework of the GDPR in the context of the whole regulation, particularly with a view to respecting and fulfilling its core objective to protect the fundamental rights of individuals.
After clarifying the procedural dispute, the ECJ ruled on the substantive questions. Above all, it stated that SCHUFA’s prolonged data storage was unlawful and that it should comply with the storage period requirements for the public insolvency register instead. It also confirmed the data subject’s right to demand data erasure as soon as possible when the processing is unlawful and after objecting to data processing.
Scope of judicial review of the DPA’s decisions
The ECJ emphasised that the GDPR explicitly establishes a right to an ‘effective’ judicial remedy under Article 47 CFREU. It repeated its finding that the national courts, when reviewing a decision of the DPA, should exercise complete jurisdiction, which also entails ‘jurisdiction to examine all questions of fact and law relevant to the dispute before them’ (para. 52). The Court, therefore, disagreed with the Hessian DPA that the judicial review of the DPA’s decision is limited only to a specific procedural scope. Following such an interpretation would mean that the requirement for effective judicial protection would not be met, given the wide-ranging powers vested in the DPAs. The ECJ thus affirmed that for a judicial remedy to be ‘effective’, such a decision must be subject to full judicial review.
On a similar note, according to the Court, this interpretation also follows from the objectives of the GDPR to ensure a high level of protection of natural persons concerning their data. Following the letter of the GDPR and its recitals, effectively fulfilling this objective must also strengthen data subjects’ rights. A limited judicial review of the DPA’s decisions would make these objectives impossible.
DPAs’ Independence, Procedural Autonomy and Parallel Procedures
Subsequently, the Court also commented on the DPAs’ independence, procedural autonomy and parallel procedures in the context of full judicial review of its decisions. According to the ECJ, this interpretation does not undermine the guarantees of DPAs’ independence (para. 63).
However, the DPAs still have a margin of discretion regarding the appropriate and necessary means to deal with the complaint with all due diligence. Consequently, when the national court reviews the DPA decision, the requirement of an effective judicial remedy does not imply that the court can substitute the DPA’s assessment of the choice of appropriate and necessary remedies; instead, the court is required to examine whether the DPA ‘has complied with the limits of its discretion’ (para. 69).
Finally, the Court also reiterated that the right to judicial review of the DPA’s decision under Article 78 and an effective judicial remedy against a controller under Article 79 may be exercised ‘concurrently with and independently of each other’ (para. 66). According to the Court, this interpretation strengthens the protection of the data subject by making several remedies available. It also does not affect the scope of the judicial review of the DPA’s decision.
GDPR Objectives as the Core of Effective Enforcement
What is particularly striking in the Court’s reasoning is the emphasis placed on the category of ‘effectiveness’ of a remedy, whether judicial or before the DPA. Several times across the judgment, the ECJ stresses the individual’s right to an effective judicial remedy and, to that end, invokes Article 47 CFREU. This is not new in the ECJ data protection jurisprudence and confirms that effective enforcement of data protection is directly and inseparably linked to complete, efficient judicial protection.
With similar attention, the Court underscored the core objective of the GDPR to ensure a high level of protection of natural persons with regard to their data. Again, achieving this objective – which also involves strengthening the rights of data subjects – entails ensuring access to the remedies is full and fair. Drawing from this interpretation, the ECJ inferred that the GDPR complaints procedure is one of the means to achieve this objective.
In turning the focus on the objectives and purposes of the GDPR, the Court reaffirmed the crucial function of the data protection laws to protect individuals. This is an important reminder that, although approaches to GDPR enforcement continue to meander between its economic and fundamental rights objectives, the latter should not be treated as merely auxiliary.
Towards Harmonisation of the DPAs Practices?
The argumentation of the Hessian DPA that the GDPR complaint is ‘solely a petition’ is not unique or new among the EU DPAs. As this European Data Protection Board study demonstrates, the DPAs differ greatly in the admissibility standards of complaints, ranging from strictly formalised to informal. For example, while in Germany, even anonymous complaints are processed, in Poland, the complainant needs to be identified as a data subject in the processing in question. While some national procedural laws allow the complainant to participate in the proceedings in the party’s role, others deny it. Strategic litigation NGOs report on the practices of some DPAs to issue ‘outcome letters’ under Article 77(2) GDPR rather than the final decisions under Article 77(1). Further, this results in divergent standards of the right to be heard, the right to access documents, and the right to a judicial remedy.
Of particular significance, by finding that the GDPR complaint is not a petition and may be subject to full judicial review, the ECJ consequently establishes the status of the data subject as a rightful party in the procedure. The DPAs are now officially obliged to issue a legally binding decision to finalise the complaint procedure to allow the data subject to take action against it before the respective courts. The ‘outcome letters’ or other communication forms are insufficient to ensure this.
Scope of DPAs’ Independence and Procedural Autonomy
The Court confirmed the DPAs’ obligation to handle the GDPR complaints accordingly and to deal with them with all due diligence. Most importantly, the ECJ stressed that this obligation does not interfere with the DPAs’ independence or procedural autonomy. They still have a margin of discretion to decide on measures to apply when handling the complaint.
This finding provides an important direction for the DPAs in approaching and tackling procedural differences between their practices. While maintaining some level of national discretion is necessary for the sake of cultural and legal tradition contexts, it should not be an obstacle in achieving the objective of the GDPR to protect the rights of natural persons with regard to their data.
Effective Judicial Protection
The Court demonstrated a systemic, complex approach to adequate individual protection in the GDPR. It approached the data protection complaint procedure before the DPAs and its subsequent judicial review as one two-layered mechanism where each layer needs to work correctly and complementarily to make the system effective.
Firstly, it acknowledged that the underlying conceptual design of the complaint-handling procedure dictates its functioning as primarily the strengthening of data subject rights. The availability of full judicial review must also reinforce this mechanism. Otherwise, the effectiveness of the whole enforcement framework would be seriously impaired. For the Court, the vast catalogue of the powers and tasks vested in the DPAs means holding them accountable for exercising those powers and functions. Consequently, the DPAs’ decisions on complaints need to be legally binding, especially for the data subjects to have an opportunity to take action against them. The court should be able to review such a decision thoroughly, including factual and legal matters. This does not mean interfering with the DPAs’ independence. Rather, the court examines whether the DPA ‘has complied with the limits of its discretion’ (para. 69).
Secondly, by bringing up the question of the potential for the data subject to bring parallel judicial proceedings under Article 78 (against the DPA) and Article 79 (against the controller), the Court confirmed that it views the data protection enforcement system as a multi-faceted patchwork of procedural protections that are to work ‘concurrently with and independently of each other’ to strengthen the protection of the data subject.
What Future for the GDPR Procedural Harmonisation Proposal?
The judgment might bring paramount consequences for the future shape of the GDPR Procedural Harmonisation. The proposal presented by the Commission in June 2024 aims to harmonise fragmented national procedural laws in the context of cross-border cases under the GDPR.
In the Commission’s proposal, the party’s status is explicitly given only to the ‘parties under investigation’, i.e. the controller or the processor. The complainant has a limited role and can access the case file or make their views known only in several circumstances. On the other hand, the parties under investigation enjoy a broader scope of procedural rights. According to the Commission’s proposal, the complainant can enjoy the right to a fair hearing only when the decision adversely affects their legal position. This reasoning seems to be contrary to the findings of the Court, which stresses the importance of effective judicial protection against any DPA decision concerning the data subject, not only the dismissal or rejection of the case.
The legislative process around the GDPR Procedural Harmonisation is still ongoing. The draft report of the European Parliament’s LIBE Committee proposes to include the complainant in the party’s definition and confer the right to be heard in cases other than the dismissal or rejection of the complaint. While the future of the GDPR Procedural Harmonisation is still being unveiled, the most recent juridical developments must be considered.
Data Subject Procedural Rights under the GDPR: One Step Forward
By confirming that the GDPR complaint is not a petition and thus subject to full judicial review, the ECJ made an essential step towards enhanced protection of the data subject’s procedural rights under the GDPR. The Court stressed the importance of the right to an effective remedy in adequately enforcing the data protection law. It obliged the DPAs to handle the complaints with all due diligence and to conclude them with a formal, legally binding outcome. The Court thus significantly empowered the data subjects.
How this finding will be applied in the future remains to be seen, particularly in cross-border cases and dispute-resolution procedures before the EDPB. The judgment also calls into question the reasoning used by the Commission in the proposal for the procedural harmonisation of the GDPR. Because of that, this aspect will need to be reassessed in the next steps of the legislative process.