CJEU Clarifies the Right to Compensation for GDPR Infringements Causing Non-Material Damage
The Situation: There has been uncertainty over the circumstances in which data subjects can claim compensation for "mere" infringement of their rights without specific evidence of harm. On May 4, 2023, the Court of Justice of the European Union ("CJEU") ruled on the requirements governing the right to compensation for damages caused by infringement of the General Data Protection Regulation ("GDPR").
The Result: The CJEU held that (i) the mere infringement of the GDPR does not give rise to a right to compensation, (ii) there is a right to compensation even when the damage was non-material—the claimant doesn't have to prove the damage was serious, and (iii) national courts must assess damages in accordance with the domestic rules of each Member State which prescribe the prerequisites for determining the extent of compensation.
The Outlook: This ruling clarifies the requirements to successfully claim compensation for damages caused by infringement to the GDPR. It provides a new strategic opportunity for data privacy litigation, especially as the EU Directive on Representative Actions applies to representative actions brought against infringements of the GDPR. Seven other preliminary rulings on the same subject are currently pending before the CJEU.
In the case at hand, Case C-300/21, the request for the CJEU's ruling was made in the context of proceedings between an Austrian citizen and Österreichische Post, the Austrian's postal service. The Österreichische Post collected data on the political affinities of the Austrian population and inferred that this citizen had a high degree of affinity with a certain Austrian political party. This citizen, who had not consented to the processing of his personal data, felt offended by the suggestion of this affiliation. He considered that this use of his data caused him non-material damages, i.e. emotional distress, including a loss of confidence and a feeling of exposure.
In that context, the Austrian citizen brought an action before Austrian courts seeking an injunction and €1000 of compensation from Österreichische Post for his emotional distress. The Austrian Supreme Court expressed doubts as to the extent of the right to compensation provided by Article 82 of the GDPR for the non-material damage resulting from infringements of the GDPR.
Therefore, the Austrian Supreme Court requested guidance from the CJEU as to (i) whether the mere infringement of the GDPR is in itself sufficient to confer a right to compensation, (ii) whether that right presupposes that the damage suffered has reached a certain degree of seriousness, and (iii) the applicable rules to determine the amount of damages to be paid.
Addressing the first question, the CJEU held that the right to compensation is subject to three cumulative requirements: infringement of the GDPR, damage, and a causal link between the infringement and damage. Therefore, infringement of the GDPR alone is not sufficient to confer a right to compensation, especially since, as the CJEU pointed out, the occurrence of damage is only potential and an infringement of the GDPR does not necessarily result in damage.
Regarding the second question, the CJEU ruled that the right for compensation for non-material damage resulting from infringements of the GDPR cannot be subject to the requirement that the damage suffered has reached a certain degree of seriousness. This is in line with the literal interpretation of Article 82 of the GDPR which does not refer to such a threshold.
These two first answers complement one another. Indeed, while the CJEU required three cumulative requirements to be met to claim for compensation, it also considered that the requirement of damage can be met regardless of the degree of seriousness.
Finally, in response to the third question, the CJEU noted that the GDPR does not contain any rule on the assessment of the damages. Therefore, when assessing damages, national courts must apply the domestic rules of each Member State which prescribe the prerequisites for determining the extent of compensation. The CJEU specified that the right to compensation under the GDPR is intended to include full and effective compensation for the damage suffered.
It should be noted that proceedings can be brought before domestic courts where the controller or processor has an establishment or where the claimant has his or her residence. As a result, this ruling may steer the choice of forum to be made in the light of the domestic rules of each Member State on damage assessment.
The CJEU has confirmed that the approach to quantification and proof of damages will be for national courts to decide. The fact that it has also confirmed that no damages will necessarily follow in the case of "mere" breach may represent something of a brake on some broadly defined class or representative actions, since it confirms that claimants may be required to produce evidence of the loss suffered. That may represent an impediment to the economically effective pursuit of claims on behalf of large groups of data subjects with disparate characteristics. In that respect, the decision may have a similar effect to the UK Supreme Court's decision in Lloyd v Google, where (consistent with the CJEU decision here) it was held that evidence of actual loss would be required to establish a right to compensation.
At the same time, by confirming unequivocally that such loss can be non-material, it is possible that this ruling, in conjunction with the EU Directive on Representative Actions, could lead to a large number of representative actions, or class actions, for infringement of the GDPR in the years to come. Indeed, this directive applies to representative actions brought against infringements of the GDPR and aims to ensure that a representative action mechanism for the protection of the collective interests of consumers is available in all Member States.
Three Key Takeaways
- The mere infringement of the GDPR is not sufficient to confer a right to compensation as it requires three cumulative requirements: infringement of the GDPR, damage, and a causal link between the infringement and damage.
- There is a right to compensation even when the damage was non-material—the claimant doesn't have to prove the damage was serious.
- National courts must assess damages in accordance with the domestic rules of each Member State, which in turn determine the extent of compensation.