On April 28, the Court of Justice of the European Union (CJEU)โthe EUโs highest court responsible for interpreting European Union lawโpublished a comprehensive fact sheet summarizing 26 major rulings related to personal data protection. The document provides a legal map of how European privacy law has developed from early directives to the post-GDPR era.
Fundamental Right and Global Implications
The right to personal data protection is enshrined in EU primary law, notably Article 8 of the Charter of Fundamental Rights. Over the past two decades, the CJEU has played a central role in shaping Europeโs strong data privacy standardsโregulations that increasingly affect global companies, especially tech firms operating across borders.
The newly released fact sheet covers judgments from both before and after the implementation of the EUโs landmark General Data Protection Regulation (GDPR), which took effect in 2018.
The 26 Rulings That Shaped EU Data Law
The fact sheet highlights 26 landmark rulings from the CJEU, addressing a wide range of topics, including:
Valid consent for data use โ e.g., Planet49 (C-673/17), where the court ruled that pre-checked boxes do not constitute valid user consent.
International data transfers โ e.g., Schrems I (C-362/14) and Schrems II (C-311/18), which invalidated the EUโUS Safe Harbour and Privacy Shield frameworks for not offering sufficient protection.
Responsibility of data controllers โ including joint responsibility of platforms (Facebook Ireland).
Automated decision-making โ ensuring transparency and fairness in algorithmic processing (C-203/22).
Access rights โ ruling that individuals must be informed of the actual recipients of their data (C-154/21).
National supervisory authorities โ emphasizing their independence and enforcement powers (C-33/22).
Retention of communications data โ striking down mass surveillance obligations in cases like Digital Rights Ireland (C-293/12) and Tele2 Sverige (C-203/15).
Public registers and privacy โ Luxembourg Business Registers (C-37/20 & C-601/20) invalidated rules that made beneficial ownership data accessible to the public.
Why This Matters Globally
Many of these rulings directly affect international tech companies, cloud service providers, and digital platforms operating in or with the European Union. For example, the Schrems II ruling triggered global compliance efforts due to its restriction on transatlantic data flows.
The court emphasized that privacy and data protection are not only legal requirements but core human rightsโand regulators must enforce them with proportionality, necessity, and transparency.
A Practical Resource
This summary document is a valuable resource for companies, policymakers, legal professionals, and human rights advocates worldwide. It offers clarity on how Europe interprets and enforces its privacy frameworkโoften setting a de facto global standard.
Where to Read It
The full fact sheet titled โProtection of Personal Dataโ is available in English on the CJEUโs official website:
๐ https://curia.europa.eu/jcms/jcms/p1_1043150/en
