The CJEU finds that mere breach of GDPR is not sufficient for damages: harm and proof are required, but no threshold of seriousness.

Privacy litigation is booming, particularly because Regulation (EU) 2016/679 (the "GDPR") has put data protection in the spotlight since May 2018 and created great awareness of data protection and related rights. Accordingly, the number of legal proceedings before courts is increasing, both against actions by authorities and in the form of private enforcement by which individuals seek to enforce claims under the GDPR.

Article 82 GDPR provides that "any person who has suffered material or non-material damage as a result of a breach of [the GDPR] shall be entitled to receive compensation from the controller or the processor". We see rulings on the basis of Article 82 GDPR on a daily basis. Courts in Germany, just by way of example, have awarded individuals, inter alia:

  • EUR 2,000 damages for the unnecessary transfer of employee data within a group of companies;
  • EUR 2,000 damages for the delayed response to an access request by an employee;
  • EUR 100 damages for the mere transfer of the IP address to the USA when visiting a website; and
  • EUR 2,500 damages for the loss of account and financial data in a data breach.

Looking at the new consumer collective redress mechanism in Europe, which is currently implemented in all Member States, such damage claims trigger quite substantial compliance risks for companies, since these damages are granted per concerned individual and can easily add up. However, whether every breach of the provisions of the GDPR leads to damages, and whether a certain threshold of harm is required in order to be entitled to damages, was the subject of considerable controversy.

C-300/21 – Decision of the CJEU in a nutshell

The Court of Justice of the European Union has now addressed this question for the first time in case C-300/21 "Austrian Post". According to the CJEU, it is clear that the right to compensation provided for by the GDPR is subject to three cumulative conditions: (i) infringement of the GDPR, (ii) material or non-material damage resulting from that infringement and (iii) a causal link between the damage and the infringement.

  1. Actual damage required

    Not every infringement of the GDPR gives rise, by itself, to a right to compensation. Any other interpretation would run counter to the clear wording of the GDPR. In addition, according to the recitals of the GDPR relating specifically to the right to compensation, infringement of the GDPR does not necessarily result in damage, and there must be a causal link between the infringement in question and the damage suffered in order to establish a right to compensation.

  2. No threshold of seriousness

    The right to compensation is not limited to non-material damage that reaches a certain threshold of seriousness. The GDPR does not contain any such requirement, and such a restriction would be contrary to the broad conception of ‘damage’ adopted by the GDPR. However, this interpretation does not mean that a person affected by a breach of the GDPR that has had negative consequences for him or her would be exempt from proving that those consequences constitute non-material damage within the meaning of Art. 82 GDPR.

  3. GDPR does not contain any rules governing the assessment of damages

    It is therefore for the legal system of each Member State to prescribe the detailed rules for actions intended to safeguard the rights which individuals derive from the GDPR and, in particular, the criteria for determining the extent of compensation payable in that context, provided that the principles of equivalence and effectiveness are complied with. The CJEU, however, pointed out that the right to compensation provided by the GDPR has a compensatory function and recalled that this instrument seeks to ensure full and effective compensation for the damage suffered.

The case in more detail:

Initial case: Claim for damages for target group profiling

Since 2017, Österreichische Post AG (the "Austrian Post"), as an address publisher, collected information on the political party affinities of Austrian citizens and processed that information with an algorithm to define "target group addresses". The Austrian Post also processed data of an individual in the form of a statistical extrapolation in order to determine to which target group for advertising of political parties he was to be assigned. The individual claimed damages of EUR 1,000 on the basis of Article 82 GDPR for this conduct. According to the individual, the political affinity attributed to him was an "insult" and "shameful" as well as detrimental to his reputation. The conduct of the Austrian Post had caused him great distress, a loss of confidence and a feeling of being exposed, resulting in non-material damage.

Request for a preliminary ruling by the CJEU

The Supreme Court (Austria) submitted the

Full article available on Disputes +
