Privacy litigation is booming, particularly because Regulation (EU) 2016/679 (the "GDPR") has put data protection in the spotlight since May 2018 and created great awareness of data protection and related rights. Accordingly, the number of legal proceedings before courts is increasing, both against actions by authorities and in the form of private enforcement by which individuals seek to enforce claims under the GDPR.
Article 82 GDPR provides that "any person who has suffered material or non-material damage as a result of a breach of [the GDPR] shall be entitled to receive compensation from the controller or the processor". On the basis of Article 82 GDPR we see rulings on a daily basis. Courts in Germany, just by way of example, awarded individuals inter alia
Looking at the new consumer collective redress mechanism in Europe, which is currently implemented in all Member States, such damage claims trigger quite substantial compliance risks for companies since these damages are granted per concerned individual and can easily add up. However, the question of whether every breach of the provisions of the GDPR leads to damages and whether a certain threshold of harm is required in order to be entitled to damages has been quite controversial.
The Court of Justice of the European Union has now addressed this question for the first time in case C-300/21 "Austrian Post". According to the CJEU it is clear that the right to compensation provided for by the GDPR is subject to three cumulative conditions: (i) infringement of the GDPR, (ii) material or non-material damage resulting from that infringement and (iii) a causal link between the damage and the infringement.
Not every infringement of the GDPR gives rise, by itself, to a right to compensation. Any other interpretation would run counter to the clear wording of the GDPR. In addition, according to the recitals of the GDPR relating specifically to the right to compensation, infringement of the GDPR does not necessarily result in damage, and there must be a causal link between the infringement in question and the damage suffered in order to establish a right to compensation.
The right to compensation is not limited to non-material damage that reaches a certain threshold of seriousness. The GDPR does not contain any such requirement and such a restriction would be contrary to the broad conception of 'damage' adopted by the GDPR. However, this interpretation does not mean that a person affected by a breach of the GDPR that has had negative consequences for him or her would be exempt from proving that those consequences constitute non-material damage within the meaning of Art. 82 GDPR.
It is therefore for the legal system of each Member State to prescribe the detailed rules for actions intended to safeguard the rights which individuals derive from the GDPR and, in particular, the criteria for determining the extent of compensation payable in that context, provided that the principles of equivalence and effectiveness are complied with. The CJEU, however, pointed out that the right to compensation provided by the GDPR has a compensatory function and recalled that that instrument seeks to ensure full and effective compensation for the damage suffered.
The case in more detail:
Since 2017, Österreichische Post AG (the "Austrian Post"), as an address publisher, collected information on the political party affinities of Austrian citizens and processed such information with an algorithm to define "target group addresses". The Austrian Post also processed data of an individual in the form of a statistical extrapolation in order to determine to which target group for advertising of political parties he was to be assigned. The individual claimed damages of EUR 1,000 on the basis of Article 82 GDPR for this conduct. According to the individual, the political affinity attributed to him was an "insult" and "shameful" as well as detrimental to his reputation. The conduct of the Austrian Post had caused him great distress and a loss of confidence as well as a feeling of being exposed, resulting in non-material damage.
The Supreme Court (Austria) submitted the following questions to the CJEU for a preliminary ruling:
The Advocate General stated in his opinion on 6 October 2022 that
The CJEU followed the Advocate General's opinion in many but not all aspects. The CJEU holds that a mere violation of the provisions of the GDPR is not sufficient for a claim for damages under Art. 82 GDPR. Rather, it is also necessary that damage has occurred and that this damage is causally attributable to the violation of the provisions of the GDPR.
However, unlike the Advocate General, the CJEU is not of the opinion that there is a threshold that must be reached for a claim for damages to exist. The CJEU found that, if compensation for non-material damage were to be made dependent on a materiality threshold, this could affect the coherence of the regime introduced by the GDPR, as the gradation of such a threshold, on which the possibility of obtaining damages would depend, could vary depending on the assessment of the courts seised.
The CJEU leaves open the important follow-on question of what claim for damages exists for minor infringements and minimal inconveniences. According to the court, the GDPR does not contain any provisions in this regard, so it is up to the national legal systems of the Member States and their courts to set the criteria for determining the extent of the damages owed in this context. However, the CJEU makes it clear that the principles of equivalence and effectiveness must be observed.
The judgment makes clear that the GDPR does not require a certain threshold ("infringement of at least some weight") but also that damage needs to be proven. Since the rules governing the assessment of damages are subject to Member State laws, we will see very different damages being granted across the EU and also within Member States (depending on the individual judges/courts). We may also see the establishment of (more) private organisations that acquire claims from individuals to enforce them in court (something which currently happens in Germany, for example; similar to flight rights) and we will see that different courts will be tested to single out those which grant the highest damages ("forum shopping"). In this respect it is also worth mentioning that not only do different Member States quantify damages differently but that they also award damages for different types of loss. The CJEU only points out that the GDPR requires that under domestic rules compensation for damages (in its entirety) must be 'full and effective', without there being any need to require the payment of punitive damages. There will certainly be a need for further guidance by the Court.
It is clear that there will be a (further) increase in damage claims, not only in the context of data breaches but also for other non-compliance with the GDPR, also considering that soon a new collective redress mechanism will be implemented by all Member States (either on an "opt-in" or an "opt-out" basis). The latter allows for claims for damages to be bundled and to easily add up to claims that amount to millions of Euros.
Companies certainly need to follow this development since it has a material impact on their risk profile. They also need to carefully consider their language vis-à-vis individuals and authorities since admission of guilt can be used in damage claim cases.
The question of damages under the GDPR will, however, be further defined and detailed since a number of cases are still pending with the Court. We will keep you updated on these developments.