The General Data Protection Regulation (GDPR) has been a central framework for data protection in the EU and beyond since it became enforceable in May 2018. Over the past six months, several significant court rulings have further clarified and, in some cases, tightened the interpretation and enforcement of the GDPR. These decisions have far-reaching consequences for both businesses and individuals. Below, some of these rulings and their implications for data protection and the EU business landscape are examined in more detail.
1. Meta (Facebook) and the Record Fine in Ireland
In January 2024, the Irish Data Protection Commission (DPC) imposed a record fine of €1.2 billion on Meta (formerly Facebook) for violating the GDPR by transferring personal data of EU users to the U.S. The main accusation was that Meta failed to implement adequate safeguards to ensure that data transferred to the U.S. received the same level of protection as in the EU.
Impact: This ruling sends a strong message to large tech companies that the EU is serious about protecting its citizens’ privacy. It underscores the importance of “Standard Contractual Clauses” (SCCs), which are meant to ensure that international data transfers comply with the GDPR. Companies processing data outside the EU must implement proper safeguards or face hefty fines. Managing international data transfers in a compliant way has become even more complex for many businesses.
2. Google Analytics and Its Use in the EU
Another significant ruling concerns Google Analytics, which has repeatedly come under scrutiny by data protection authorities since 2020. In February 2024, the Austrian Data Protection Authority ruled that the use of Google Analytics by an Austrian website operator violated the GDPR, as personal data was transferred to the U.S. without sufficient safeguards.
Impact: This ruling has led many businesses across Europe to reconsider their use of Google Analytics or switch to alternative analytics tools. The ruling highlights the risks of using third-party tools that transfer data to third countries, particularly to the U.S., where data protection laws do not meet EU standards. It is likely that other European data protection authorities will take similar actions, prompting a shift toward more privacy-friendly alternatives.
3. The Ruling Against Clearview AI
In May 2024, the French Data Protection Authority (CNIL) confirmed a €20 million fine against Clearview AI. The company was accused of collecting and using photos of millions of people without their consent to build a facial recognition database. Clearview AI violated fundamental GDPR principles, particularly those of consent and transparency.
Impact: This ruling sets a precedent for dealing with biometric data, especially in the context of facial recognition. It shows that companies using such technologies must exercise extreme care in obtaining consent from affected individuals. Moreover, the use of AI technologies that process personal data on a large scale will come under increased scrutiny from regulators. Companies using AI-based tools must now design their processes even more carefully to avoid violating data protection rules.
4. Schrems II and the Consequences for Data Transfers
The Schrems II decision by the European Court of Justice (ECJ) in 2020 has continued to shape enforcement in recent months. In March 2024, the German Higher Regional Court in Munich ruled in another case that a medium-sized company must pay a €200,000 GDPR fine for transferring data to the U.S. without sufficient protection.
Impact: The Schrems II decision poses significant challenges for companies reliant on transatlantic data transfers. Businesses must continuously monitor and adjust their international data transfers to ensure GDPR compliance. This issue affects not only large corporations but also smaller businesses that use cloud services or other providers based in the U.S.
5. The European Court of Justice Ruling on the “Cookie Directive”
In June 2024, another key ruling by the European Court of Justice (ECJ) tightened consent requirements for the use of cookies. The ruling clarified that website operators must obtain explicit consent from users before cookies can be stored or accessed, unless these are strictly necessary for the technical operation of the site.
Impact: For businesses, this ruling represents a further tightening of requirements in the area of online marketing. Many websites have had to adjust their cookie banners and consent mechanisms to comply with the GDPR’s stringent requirements. The pressure on companies to maintain transparent and user-friendly privacy policies continues to grow. At the same time, there is ongoing debate about potential overregulation that could negatively affect user experience.
Conclusion
The rulings of the past six months show that the GDPR remains a strict and enforceable regulatory framework. Large tech companies processing personal data across borders, as well as smaller businesses relying on international partners, are feeling the increasing regulatory pressure. These decisions highlight the importance of adhering to data protection guidelines, particularly regarding data transfers, consent, and the use of new technologies such as facial recognition.
Companies must adapt to the heightened requirements and continue investing in data protection measures to avoid potential fines and maintain customer trust. At the same time, the rulings provide further refinement and clarification of GDPR provisions, offering businesses guidance on how to implement data protection in practice.