The CJEU finds that mere breach of GDPR is not sufficient for damages: harm and proof are required, but no threshold of seriousness.

Privacy litigation is booming, particularly because Regulation (EU) 2016/679 (the "GDPR") has put data protection in the spotlight since May 2018 and created a great awareness of data protection and related rights. Accordingly, the number of legal proceedings before courts is increasing, both against actions by authorities and in the form of private enforcement by which individuals want to enforce claims under the GDPR.

Article 82 GDPR provides that "any person who has suffered material or non-material damage as a result of a breach of [the GDPR] shall be entitled to receive compensation from the controller or the processor". We see rulings on the basis of Article 82 GDPR on a daily basis. Courts in Germany, just by way of example, awarded individuals inter alia:

  • EUR 2,000 damages for the unnecessary transfer of employee data within a group of companies;
  • EUR 2,000 damages for the delayed response to an access request by an employee;
  • EUR 100 damages for the mere transfer of the IP address to the USA when visiting a website; and
  • EUR 2,500 damages for the loss of account and financial data in a data breach.

Looking at the new consumer collective redress mechanism in Europe, which is currently being implemented in all Member States, such damage claims create quite substantial compliance risks for companies, since these damages are granted per concerned individual and can easily add up. However, the questions of whether every breach of the provisions of the GDPR leads to damages, and whether a certain threshold of harm is required in order to be entitled to damages, have been the subject of considerable controversy.

C-300/21 – Decision of the CJEU in a nutshell

The Court of Justice of the European Union has now addressed this question for the first time in case C-300/21 "Austrian Post". According to the CJEU, it is clear that the right to compensation provided for by the GDPR is subject to three cumulative conditions: (i) infringement of the GDPR, (ii) material or non-material damage resulting from that infringement and (iii) a causal link between the damage and the infringement.

  1. Actual damage required

    Not every infringement of the GDPR gives rise, by itself, to a right to compensation. Any other interpretation would run counter to the clear wording of the GDPR. In addition, according to the recitals of the GDPR relating specifically to the right to compensation, infringement of the GDPR does not necessarily result in damage, and there must be a causal link between the infringement in question and the damage suffered in order to establish a right to compensation.

  2. No threshold of seriousness

    The right to compensation is not limited to non-material damage that reaches a certain threshold of seriousness. The GDPR does not contain any such requirement, and such a restriction would be contrary to the broad conception of ‘damage’ adopted by the GDPR. However, this interpretation does not mean that a person affected by a breach of the GDPR that has had negative consequences for him or her would be exempt from proving that those consequences constitute non-material damage within the meaning of Article 82 GDPR.

  3. GDPR does not contain any rules governing the assessment of damages

    It is therefore for the legal system of each Member State to prescribe the detailed rules for actions intended to safeguard the rights which individuals derive from the GDPR and, in particular, the criteria for determining the extent of compensation payable in that context, provided that the principles of equivalence and effectiveness are complied with. The CJEU, however, pointed out that the right to compensation provided by the GDPR has a compensatory function and recalled that that instrument seeks to ensure full and effective compensation for the damage suffered.

The case in more detail:

Initial case: Claim for damages for target group profiling

Since 2017, Österreichische Post AG (the "Austrian Post"), as an address publisher, collected information on the political party affinities of Austrian citizens and processed that information with an algorithm to define "target group addresses". The Austrian Post also processed data of an individual in the form of a statistical extrapolation in order to determine to which target group for advertising of political parties he was to be assigned. The individual claimed damages of EUR 1,000 on the basis of Article 82 GDPR for this conduct. According to the individual, the political affinity attributed to him was an "insult" and "shameful" as well as detrimental to his reputation. The conduct of the Austrian Post had caused him great distress and a loss of confidence, as well as a feeling of being exposed, resulting in non-material damage.

Request for a preliminary ruling by the CJEU

The Supreme Court (Austria) submitted the following questions to the CJEU for a preliminary ruling:

  1. Does the award of compensation under Article 82 of [the GDPR] also require, in addition to infringement of provisions of the GDPR, that an applicant must have suffered harm, or is the infringement of provisions of the GDPR in itself sufficient for the award of compensation?
  2. Does the assessment of the compensation depend on further EU-law requirements in addition to the principles of effectiveness and equivalence?
  3. Is it compatible with EU law to take the view that the award of compensation for non-material damage presupposes the existence of a consequence of the infringement of at least some weight that goes beyond the upset caused by that infringement?

The Advocate General stated in his opinion on 6 October 2022 that:

  • Article 82 GDPR is to be interpreted as meaning that a mere infringement of the provisions of the GDPR is not in itself sufficient if that infringement is not accompanied by the relevant material or non-material damage; and
  • The question whether under the GDPR the award of damages for non-material harm is conditional on an "infringement of at least some weight going beyond the harm caused by that infringement" must be answered in the affirmative.

CJEU decision: Compensation needs damage and proof

The CJEU followed the Advocate General's opinion in many but not all aspects. The CJEU holds that a mere violation of the provisions of the GDPR is not sufficient for a claim for damages under Article 82 GDPR. Rather, it is also necessary that damage has occurred and that this damage is causally attributable to the violation of the provisions of the GDPR.

However, unlike the Advocate General, the CJEU is not of the opinion that there is a threshold that must be reached for a claim for damages to exist. The CJEU found that, if compensation for non-material damage were to be made dependent on a threshold of seriousness, this could affect the coherence of the regime introduced by the GDPR, as the graduation of such a threshold, on which the possibility of obtaining damages would depend, could vary depending on the assessment of the courts seised.

The CJEU leaves open the question, important for what follows, of what damages can be claimed for minor infringements and minimal inconveniences. According to the court, the GDPR does not contain any provisions in this regard, so it is up to the national legal systems of the Member States and their courts to set the criteria for determining the extent of the damages owed in this context. However, the CJEU makes it clear that the principles of equivalence and effectiveness must be observed.

What are the practical implications of the judgment?

The judgment makes clear that the GDPR does not require a certain threshold ("infringement of at least some weight") but also that damage needs to be proven. Since the rules governing the assessment of damages are subject to Member State laws, we will see very different damages being granted across the EU and also within Member States (depending on the individual judges/courts). We may also see the establishment of (more) private organisations that acquire claims from individuals to enforce them in court (something which currently happens in Germany, for example; similar to flight rights), and we will see different courts being tested to single out those which grant the highest damages ("forum shopping"). In this respect it is also worth mentioning that different Member States not only quantify damages differently but also award damages for different types of loss. The CJEU only points out that the GDPR requires that under domestic rules compensation for damages (in its entirety) must be ‘full and effective’, without there being any need to require the payment of punitive damages. There will certainly be a need for further guidance by the Court.

It is clear that there will be a (further) increase in damage claims, not only in the context of data breaches but also for other non-compliance with the GDPR, also considering that a new collective redress mechanism will soon be implemented by all Member States (either on an "opt-in" or an "opt-out" basis). The latter allows claims for damages to be bundled and to easily add up to claims that amount to millions of Euros.

Companies certainly need to follow this development since it has a material impact on their risk profile. They also need to carefully consider their language vis-à-vis individuals and authorities, since an admission of guilt can be used in damage claim cases.

The question of damages under the GDPR will, however, be further defined and detailed since a number of cases are still pending with the Court. We will keep you updated on these developments.