The Data Brief

A monthly data protection bulletin from the barristers at 5 Essex Chambers

Relationship between remedies – guidance from the CJEU

26 April 2023

The different remedies available under the DPA and UK GDPR have always been confusing. It’s a point made by the Upper Tribunal in both Scranage v Information Commissioner [2020] UKUT 196 (AAC) and Killick v Information Commissioner [2021] UKUT 299 (AAC), in which Farbey J said ‘A comprehensive strategic review of the various appellate mechanisms for rights exercisable under the DPA is arguably long overdue.’

The CJEU has not exactly provided that, but its decision in BE v Nemzeti Adatvedelmi es Informacioszabadsag Hatosag (the Hungarian supervisory authority), case C-132/21, does attempt to provide some guidance. Sadly, it has probably not succeeded.

The question asked was whether the remedies provided in Articles 77 and 78 GDPR (a complaint to a supervisory authority, and an effective judicial remedy against a supervisory authority – rights that in the UK have effect through ss.165 and 166 DPA) are capable of being exercised concurrently with and independently of the right to an effective judicial remedy against a data controller (Art 79 GDPR, ss.167 DPA).

In other words, can a data subject bring both a complaint to the supervisory authority and a claim for a compliance order at the same time? And how does the outcome of one process affect the other?

The CJEU held that the GDPR ‘does not provide for any priority or exclusive competence or jurisdiction or for any rule of precedence’ between the remedies. They can be pursued concurrently and independently of each other. It is down to individual states to determine how those remedies should be implemented, but that implementation ‘should not call into question the effectiveness and effective protection of the rights’ in question. One way in which they might do that is if they led to contradictory judicial outcomes: that would undermine the effectiveness of the remedies and weaken the protection for data subjects by creating legal uncertainty.

Overall, one could be forgiven for thinking that the decision in BE has increased, rather than reduced, legal uncertainty. The various overlapping remedies must be independent and can go ahead concurrently, but also should not be inconsistent or contradictory. As Farbey J suggested, it’s beyond time for a comprehensive strategic review in this area of the law.

Further reading: The BE case

The Data Brief

A monthly data protection bulletin from the barristers at 5 Essex Chambers

The Data Brief is edited by Francesca Whitelaw KC, Aaron Moss and John Goss, barristers at 5 Essex Chambers, with contributions from the whole information law, data protection and AI Team.

Visit the Information Law, Data Protection and AI area

Search The Data Brief

Portfolio Builder

Select the practice areas that you would like to download or add to the portfolio

Download    Add to portfolio   
Title Type CV Email

Remove All


Click here to share this shortlist.
(It will expire after 30 days.)