The Advocate General opined that data subjects must prove that they suffered damage from a GDPR breach in order to claim compensation.

By Tim Wybitul, Isabelle Brams, Lara Nonninger, and Hayley Pizzey

Article 82 of the General Data Protection Regulation (GDPR) states that any person who has suffered material or non-material damage as a result of a GDPR infringement has the right to receive compensation. The meaning of non-material damage, in particular, has been debated for some time. Some European courts have been generous in assessing non-material damages to claimants. A number of German courts, for example, have found that loss of control of personal data can amount to damage.[1] A series of cases before the Court of Justice of the European Union (CJEU) also question, among other things, whether damage — or proof of damage — is required at all under Article 82 GDPR.[2]

On 6 October 2022, Advocate General Campos Sánchez-Bordona considered the issue of non-material damage in his opinion in Case C-300/21 UI v Österreichische Post AG (EU:C:2022:756) (the Opinion).[3] The Opinion found that a mere infringement of the GDPR is insufficient to claim compensation absent any material or non-material damage suffered by the data subject. The Opinion also considered that the right to compensation under the GDPR does not cover mere upset caused by the infringement. However, the Opinion leaves it to national courts to determine at which point being upset spills over into non-material damage which could be compensable. While helpful to establish the existence of a de minimis threshold for non-material damage under the GDPR, the Opinion offers limited guidance as to the exact parameters of this threshold.

The Opinion is also largely in line with the UK Supreme Court judgment in Lloyd v Google LLC [2021] UKSC 50 and may indicate that despite a gradual departure of the UK from EU data protection legislation, judicial thinking on questions relating to damages remain aligned — at least for now.

Background

The underlying complaint concerned information that Österreichische Post collected on the political party affinities of individuals and used with statistical algorithms to define “target group addresses”. Austrian political parties then used this data for targeted election advertising. UI, one of the individuals whose data were processed in this way without his consent, sought compensation in the form of non-material damages for the upset he experienced.

The Austrian Court of First Instance dismissed the applicant’s claim. That ruling was confirmed on appeal and subsequently challenged in the Austrian Supreme Court, which referred the case to the CJEU asking the court to clarify the position on non-material damage under Article 82 following infringements of the GDPR.

The Opinion

The Austrian Supreme Court referred three questions to the CJEU:

  1. Does compensation under Article 82 GDPR require that the data subject has suffered harm, or is the infringement itself sufficient for compensation?
  2. Does the assessment of the compensation require any further considerations under EU law other than the principles of effectiveness and equivalence?
  3. Is it compatible with EU law to take the view that the award of compensation for non-material damage presupposes the existence of a consequence of the infringement of at least some weight that goes beyond the upset caused by that infringement?

Violation of the GDPR is not in itself compensable damage

The Advocate General clearly rejected the view that a breach of the GDPR by itself constitutes damage within the meaning of Article 82(1) GDPR. The Advocate General held that Material or non-material damage must occur to pave the way for monetary compensation — automatic compensation following an infringement of the GDPR is incompatible with the wording of Article 82 GDPR.

“The argument that there is a right to compensation even though the data subject did not suffer damage as a result of the breach of the GDPR creates obvious difficulties, starting with that relating to the wording of Article 82(1) of the GDPR”[4]

No punitive damages under the GDPR

The Advocate General also stated that the GDPR does not permit punitive damages — “the GDPR makes no reference to the punitive nature of compensation for material or non-material damage (…) From a literal point of view, therefore, it does not allow punitive damages to be awarded”.[5] The Opinion acknowledged the dual nature of civil liability under the GDPR, namely by way of private initiative and public enforcement. However, Article 82 GDPR primarily operates as a means to enable a wronged party to claim damages proportionate to the harm suffered and to prevent future harm by the infringer — and not to impose punitive damages.

This position on punitive damages is linked to the first point above that there can be no compensation without damage. Imposing civil liability for a mere infringement absent damage is tantamount to permitting punitive damages, which as noted above, according to the Advocate General, is not in keeping with the spirit of the GDPR.

Loss of control need not constitute recoverable damage

The Opinion clarified that there is no “irrebuttable presumption”[6] of damage in the event of a GDPR infringement, and there is no automatic right to compensation. In the same vein, an infringement does not automatically amount to a loss of control over data, for which damages would be available.

This is because on a literal interpretation, the GDPR contains rules on evidence to establish harm and loss. In contrast, other EU legislation specifically provides for automatic compensation, such as regulations relating to passengers being denied boarding of flights. Had the GDPR envisaged an automatic right to compensation for a mere infringement, it would say so.

The Advocate General also pointed out that neither the GDPR nor the Charter of Fundamental Rights of the EU (Charter) derives unlimited control by data subjects over the processing of their personal data. In doing so, he recalled that Article 8 of the Charter cannot be readily equated with the right to informational self-determination derived from the constitutional law of some Member States.[7]

The question of compensation ultimately remains tied to whether or not the data subject actually suffered damage, and contrary to the views of some courts and academics, damage “must be proved”.[8]

Less common monetary remedies are not automatically available

The Opinion acknowledged that less common non-monetary remedies, such as declaratory relief or symbolic compensation, may be available in certain jurisdictions. However, Article 82 GDPR does not provide for this and Member States can make such relief available under Article 79 GDPR. Importantly, a data subject’s financial loss would be governed by Article 82 GDPR, and the data subject must establish such damage to obtain compensation: alternative relief under Article 79 GDPR cannot act as a substitute for the burden of proof under Article 82 GDPR.

No damages for mere upset or annoyance

The Opinion further advocated for a de minimis threshold for non-material harm suffered by data subjects. For instance, mere upset or annoyance caused to data subjects by a GDPR infringement is not compensable, not least because certain inconveniences resulting from infringements of the GDPR are “an inevitable corollary of life in society”.[9] While the Opinion acknowledged the “fine line” between mere upset and genuine non-material damage, feelings of displeasure, annoyance, or inconvenience in light of non-compliance with the GDPR should not be compensable by way of damages.[10]

Significance of the Opinion

The recovery of non-material damages is a lucrative area of business. Some providers specialise in bundling and enforcing such claims under Article 82 GDPR. Some offer to bring clients’ claims for a commission. Others “buy” these claims or have them assigned to them in return for a payment and then assert them themselves in bundled form.[11] Providers and law firms engaged in such practices could face considerable challenges if the CJEU follows the opinion of the Advocate General. This would make it more challenging for claimants to assert immaterial damages as they, for example, would have to prove concrete damage as a result of the alleged violation.

The CJEU in the vast majority of cases tends to follow the guidance of its Advocate Generals. However, if the court takes the unusual step of not following the Opinion, “the prospect of obtaining compensation independently of any harm would, in all likelihood, encourage civil litigation with proceedings that are perhaps not always justified, and, to that extent, could discourage data processing”.[12] Since data processing often affects a large number of individuals, there may also be an increase in class actions.

How is the relevant to the UK? Although CJEU judgments no longer bind UK courts, they may still be influential on judicial reasoning in the UK. In this case, the Opinion by and large mirrors the UK Supreme Court’s position in Lloyd v Google on de minimis provisions for non-material damages claims. As such, despite the fact that the UK is no longer part of the EU and may introduce new data protection legislation in the near future, judicial thinking on non-material damages appears to be largely aligned — at least for the time being.

This post was prepared with the assistance of Timo Hager in the Frankfurt office and Diana Kostina in the London office of Latham & Watkins.

 

Endnotes

[1] See Dusseldorf Court of Appeal, Ruling of 28 October 2021 – 16 U 275/20, awarding €2,000 in non-material damages for unlawful disclosure of health-related personal data and Cologne Regional Court, Ruling of 18 May 2022 – 28 O 328/21, awarding €1,200 in non-material damages for unlawful disclosure of personal data.

[2] See, Request for a preliminary ruling filed by Saarbruecken Regional Court, Request of 22 November 2021 (5 O 151/19).

[3] See Latham & Watkins’‘ blog post on the Austrian Supreme Court referral here.

[4] Paragraph 27.

[5] Paragraph 39.

[6] Paragraph 60.

[7] Paragraph 75.

[8] Paragraph 77.

[9] Paragraph 111.

[10] Paragraph 116.

[11] An overview of these business models and the relevant points of contention in corresponding court cases can be found here. An overview of the current case law on damages under Article 82 GDPR can be found here (in German).

[12] Paragraph 55.