The GDPR Regulation is a mandatory legal framework for the European Economic Area. The Treaty on the Functioning of the European Union provides for the fundamental principles of free movement of goods, capital, services and people. The GDPR Regulation includes personal data as a fundamental right completing the treaty principles. Compliance with these treaty principles may be challenged by the European Court of Justice (ECJ). ECJ legal and caselaw provides for increased understanding of the interpretation of Union law.
The European Data Protection Supervisor publishes and regularly updates a Case law overview on relevant judicial decisions of the ECJ. The collection of decisions acts as guidance in future disputes relating to data protection. The following case law and information is currently available:
- C28-08 P – Bavarian Lager (appeal)
- T-161/04 – Valero Jordana
- F-46/09 – V v. Parliament
- F-130/07 – Vinci v. ECB
- T-190/10 – Egan & Hackett v. Parliament
- T-82/09 – Gert-Jan Dennekamp v. European Parliament
- C-210/16 – Wirtschaftsakademie Schleswig-Holstein
- C-40/17 – Fashion ID
- C-25/17 – Jehova’s Witnesses
- T-903/16 – Re v. European Commission
Prior to the implementation of the GDPR Regulation, the ECJ ruled in a number of occasions on the supremacy of EU law whilst maintaining national sovereignty of the individual member states. Crucial ECJ case law supporting the implementation of the GDPR regulation is found in:
- Van Gend en Loos: The ECJ stated that the Community constituted a new legal order for international law for the benefit of which the states had limited their sovereign rights. Case 26/62 NV Algemene Transport- en Expeditie Onderneming van Gend en Loos v Nederlandse Administratie der Belastingen [1963] ECR 1.
- Dassonville: Additional requirements or quantitative restrictions of trade in the European single market must be avoided. A distinctly applicable measure of equivalent effect became not allowed under what is now TFEU article 34. Case 8/74 Procureur du Roi v Dassonville [1974] ECR 837.
- Cassis de Dijon: The ECJ held that unfair trade practices and discrimination against imported products were not allowed within member states. It also introduced the principle of mutual recognition. Case 120/78 Rewe-Zentral AG v Bundesmonopolverwaltung fur Branntwein [1979] ECR 649.
Advancements of the internal market and furthering economic and social integration trigger measures for data protection and other safeguards for personal privacy. Legalize and regulatory wording does not always have a uniform meaning. Over the years, local courts therefore decided on distinct parts and definitions involved in matters of data protection and personal privacy. The following cases clarify the meaning and interpretation of several data protection frameworks:
- C213/14 – Weltimmo: helps to identify the meaning of establishment where a firm is incorporated in a different jurisdiction than where the potential violation or data breach occurs.
- C131/12 – Google Spain SL: laid the groundwork for the right to be forgotten as defined by Article 17 of the GDPR Regulation.