New limitations on GDPR enforcement? Advocate General’s Opinion in UI v Österreichische Post
Should you receive compensation for the harm caused by illegal data use? This question may soon have an answer. The Austrian Supreme Court asked the Court of Justice of the European Union (ECJ) how the right to compensation for non-material damages in the GDPR should be interpreted. Other courts have referred comparable questions to the ECJ.
On October 6th 2022 the Advocate General (AG) Campos Sánchez-Bordona delivered his Opinion regarding the Case C-300/21. This blog post aims at providing a short analysis of the AG Opinion. It is argued that the proposed threshold for compensation is not in line with the GDPR and that objective criteria should guide compensation for non-material damages.
II. What is at stake?
Since 2018 the General Data Protection Regulation (GDPR) has provided a uniform regulation for data protection in the EU and EEA. It grants rights to individuals and imposes obligations upon data controllers and data processors in order to safeguard the fundamental right to data protection.
Stronger enforcement was one of the main promises of the GDPR. It includes, generally speaking, two enforcement mechanisms. The first is the data protection authorities: individuals (called data subjects in the GDPR) can lodge a complaint with an authority, which should then handle and address it accordingly. An authority can also act on its own initiative. The second mechanism is litigation. Data subjects may bring a claim directly against a controller or processor in court.
Certain claims are to be brought in court only. This is the case when an individual is claiming compensation for damages they suffered because provisions of the GDPR were infringed.
Damages in the GDPR are divided into two categories: material and non-material. A material damage could be the loss of income, whereas a non-material damage could be the emotional harm when your data was misused. Non-material damage is typically hard to quantify, as it is not related to assets or wealth (p. 38-39).
The ECJ has now been asked what qualifies as a non-material damage. Given the broad scope of applicability of the GDPR and the common infringement of its provisions, the issue at stake is particularly relevant as it shapes an important part of the redress mechanisms for data subjects.
III. What happened in the case?
The Austrian postal service (Österreichische Post AG) collected and sold personal data of residents in Austria since 2001. As of 2017 the affinity to certain political parties was calculated. This party affinity was generated based on socio-demographic features (p. 8), like the address or age of a person.
“UI”, as the affected person is named in the Opinion, was categorised as having a high affinity with the Austrian FPÖ, a far-right populist party. He did not consent to the processing of such data and was ‘angered and offended’ (p. 10) by the assigned political party affinity.
Therefore, he brought a claim for compensation for non-material damages. In his opinion, the calculated affinity was ‘insulting and shameful, as well as extremely damaging his reputation’ and ‘caused him great upset and a loss of confidence, and also a feeling of public exposure’ (p. 11).
While the Austrian courts found that the processing of data was unlawful, the damages claim was dismissed by the first-instance and later the second-instance court. In the second instance the court noted that, according to Austrian law, mere feelings of discomfort are not sufficient for compensation. To be able to qualify for compensation ‘the damage claimed must be of a certain significance’ (p. 13).
Being the third and last instance, the Austrian Supreme Court referred three questions to the ECJ.
IV. Question I: An irrelevant question?
IV.1 Question and Opinion of the Advocate General
(1) Does the award of compensation under Article 82 of [the GDPR] also require, in addition to infringement of provisions of the GDPR, that an applicant must have suffered harm, or is the infringement of provisions of the GDPR in itself sufficient for the award of compensation?
The AG Opinion states that harm is a prerequisite for compensation and that a simple infringement does not entitle the data subject to compensation (p. 28-29). The Opinion then notes that the legal systems of some Member States could provide for punitive damages, not just compensation. This is followed by a long exploration of punitive damages and the finding that they are not covered by the GDPR (p. 35-55).
The Opinion continues with an alternative interpretation of the question, namely whether any infringement of the GDPR automatically causes and implies harm (p. 56). Put differently, is there a presumption of damage, as an infringement of the GDPR would directly imply a loss of control over data (p. 57)? After referring to consent and the control the GDPR grants, the Advocate General concludes that ‘loss of control over his or her data’ does not make one directly eligible for compensation (p. 77).
First of all, it seems that the referred question does not correspond to the facts of the case: UI, the applicant, claims compensation for the specific harm he suffered. Consequently, the question whether the regulation provides for compensation without any harm is unrelated to the facts and could therefore be inadmissible (p. 25).
Regarding the question itself, the answer seems to be directly contained in Article 82(1) GDPR: ‘Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation […]’. The text states that damage is a prerequisite for compensation.
However, the Opinion expands the issue further and asks if punitive damages are covered by the GDPR. Albeit interesting, the applicant did not seek punitive damages.
It should be quite clear that any awarded compensation is to be equivalent to the damage suffered. Art. 82(1) GDPR states: ‘[…] receive compensation from the controller or processor for the damage suffered.’ Recital 146 GDPR does clarify this even more: ‘[…] Data subjects should receive full and effective compensation for the damage they have suffered. […]’.
The goal of this compensation seems to be the restitution of a former situation or to make up for non-material harm. As data protection authorities can already impose sanctions it would be surprising to see this general prevention function replicated through punitive damages (outside of common law systems).
The second interpretation of the question, whether an infringement of the regulation necessarily (iuris et de iure) implies harm, is remarkable. The plaintiff has not made such an argument and there is no basis for such a presumption in the GDPR. Obviously, a lot of GDPR infringements will not cause harm to data subjects.
For example, certain controllers are obliged to maintain their Records of Processing Activities or to designate a Data Protection Officer. If they do not comply, this constitutes an infringement of the GDPR. If there was an ‘irrebuttable presumption of damage’ (p. 56), such an infringement would give rise to compensation even though no one was harmed. This is a rather absurd idea that seems to have no basis in the case or the legal debate on Article 82 GDPR.
In summary, there seems to be consensus that compensation under the GDPR requires some harm and that there is no irrebuttable presumption of such harm.
V. Question II: EU law requirements to assess the compensation?
V.1 Question and Opinion of the Advocate General
(2) Does the assessment of the compensation depend on further EU-law requirements in addition to the principles of effectiveness and equivalence?
The Opinion states that in the assessment both the principle of effectiveness and equivalence are not particularly relevant, as the GDPR harmonises the regulation of damages (p. 84-85).
At the same time the Opinion adds that the calculation of compensation is not regulated (p. 86). To provide some examples of possible claims, the AG mentions that the recognition of a violation should be possible (p. 89), whereas symbolic compensation or the transfer of unfairly obtained advantage are not provided for in the GDPR (p. 90-93).
The referring court considered the principles of effectiveness and equivalence of EU law (p. 25, 49) to be applicable and asked if further requirements shall be taken into account for assessing the compensation.
It is unfortunate that instead of giving insights on the calculation of the compensation, the Opinion concludes that both principles are not particularly important because the GDPR would be harmonizing the law. This contradicts its finding that the calculation of the compensation is not regulated in the GDPR. The matter, as a whole, can only be harmonized or not – not both.
Although the Opinion gives some general hints on specific situations, it does not clarify if there are other principles or requirements to be taken into account for setting a compensation. This generates legal uncertainty and options for forum shopping.
Certain elements that would point at higher and lower awards, as well as a general position if the claim in this case is adequate or not would be useful. From such elements, the national courts could develop case law and tables. Many Member States use objective tables for other non-material damages.
VI. Question III: Adding a threshold for non-material damages?
VI.1 Question and Opinion of the Advocate General
(3) Is it compatible with EU law to take the view that the award of compensation for non-material damage presupposes the existence of a consequence of the infringement of at least some weight that goes beyond the upset caused by that infringement?
The third question concerns whether there should be a threshold for compensation in the case of non-material damage (p. 97). According to the Opinion, the wording of Recital 146 stating that ‘any damage’ shall be compensated is not suitable to answer the question (p. 100). In light of the case law of the ECJ there is no general definition of ‘damage’ applicable in all different fields of law; however, the interpretation of ‘damage’ shall be broad (p. 104).
The Opinion argues that minor non-material damage shall not be compensated (p. 105) and states that ‘annoyance or upset’ by GDPR infringements do not merit compensation (p. 112). As any violation of the data protection legislations causes ‘negative reaction[s]’, this feeling shall not qualify for compensation, as it could amount to compensation without damage (p. 113).
Moreover, the AG expresses that being able to bring a claim for ‘mere upset’ is not efficient for the applicant and the defence (p. 114). There are still other remedies, such as the data protection authorities, an affected person can resort to (p. 115). Finally, the Opinion admits that the delimitation of what non-material damage qualifies for compensation is hard, but shall be left to the courts of the Member States (p. 116). Even regarding the referred case, the Opinion does not take a position.
Unfortunately, the Opinion includes conflicting positions. In question one it is rightly concluded that there are no punitive damages because (among other reasons) the text of the GDPR does not mention them. In question three, however, the Opinion determines that a new threshold should be added for non-material damages, even though the text of the GDPR does not mention any threshold — instead a broad interpretation of damage is required (Recital 146 GDPR).
If the ECJ follows this logic, many typical harms under the GDPR will not allow for a compensation. This seems to directly contradict the legislator’s intent to allow for compensation when the inherently abstract fundamental right to data protection is violated.
Introducing more limits also contravenes the objective of strengthening the right to data protection. If a harm does not pass the proposed threshold, an authority may issue a sanction, but the affected person will not be compensated for the violation of their fundamental right.
Interestingly enough though, anyone can lodge a claim for 1 € in material damages. There is no threshold for such claims. Nevertheless the courts are not overwhelmed with 1 € lawsuits, as in most jurisdictions just the costs of hiring a lawyer and, if unsuccessful, paying the legal costs of the other party clearly discourage litigation.
The Opinion further suggests that the recital demanding ‘full and effective compensation’ refers to situations where multiple parties violated the GDPR. In such cases, the data subject should receive full (and not a partial) compensation, but this recital is not relevant for determining what qualifies as a damage. Even if one agreed with this argument, the CJEU case law includes ‘physical suffering’, ‘emotional well-being’, ‘reputational damage’ or ‘loss of chance’ (p. 5), among others, to be non-material damages. Therefore, the concept itself seems to be generally broad.
Simply referring to national courts (p. 116) or national case law (p. 111) to solve the issue does not seem useful, particularly because many questions regarding Article 82 GDPR are pending before the ECJ (C-456/22, C-189/22, C-182/22, C-741/21, C-687/21, C-667/21, C-340/21). Besides, non-material damage is an autonomous concept (p. 5) that is not to be interpreted according to national standards (p. 21), contrary to what the Austrian court implies.
A threshold for non-material damages would multiply the uncertainty about GDPR violations. Courts in the Member States would have to agree on the level of the threshold. You might be awarded 500 € for non-material damages in Greece, 10.000 € in Ireland, whereas in Germany you will not even pass the threshold. Any legal certainty would be lost.
The Opinion clearly limits the right to compensation and weakens the general enforcement of the GDPR. It restrains the possibilities of data subjects to obtain any compensation if they suffer harm and enforce their rights. This is, as Cabral and Hassel put it on this blog, a ‘restrictive interpretation’ and undermines a fundamental right.
The ECJ has its first possibility to rule on compensation under the GDPR.
There seems to be widespread consensus that (i) in order to qualify for compensation under the GDPR a plaintiff has to have suffered harm and (ii) there is no presumption of such harm, since a violation of the GDPR does not always imply harm. In the case at hand the data subject clearly suffered harm. That makes the first question unrelated to the facts and the Court may find it inadmissible.
Unfortunately, regarding the calculation of damages, the Opinion does not offer a full answer. On the one hand it states that damages are harmonised, but on the other it leaves it to the national courts to determine compensation in detail. This is where the principles of effectiveness and equivalence (and others to assess the amount of a compensation) would be important. In line with experiences for other cases of non-material damages, an objective approach should be applied to ensure consistent decisions in the EU. The ECJ could provide certain guidelines for such a calculation.
Finally, a threshold for non-material damages is not foreseen in the text of the GDPR and may be in conflict with the wording of the Recitals. The newly proposed threshold would cause further legal uncertainty as there is no clear definition of this threshold.
It remains to be seen how the ECJ will answer the questions in C-300/21.
Disclaimer: noyb has been in contact with the plaintiff before the Austrian courts in the case C-300/21 and has advised and assisted the data subject free of charge in connection with the reference for a preliminary ruling. The author was not involved with the case.
Many thanks for the commentary. Just a couple of remarks. You say, “It is unfortunate that instead of giving insights on the calculation of the compensation” (or “Unfortunately, regarding the calculation of damages, the Opinion does not offer a full answer”), which generally speaking is true, but was it required by the referring court?
On your assertion: “The Opinion argues that minor non-material damage shall not be compensated (p. 105)”, I disagree. The Opinion says: “While the case-law of the Court permits the argument that, in the terms stated, a principle of compensation for non-material damage exists in EU law, I do not believe, however, that it is possible to infer from this a rule pursuant to which all non-material damage, regardless of how serious it is, is eligible for compensation.” The point is a general one on EU law, not conclusive regarding the GDPR in particular.
Finally, “the Opinion determines that a new threshold should be added for non-material damages” is bluntly incorrect. The Opinion takes up the conceptual and practical difference between damages and mere nuisances which exists in many legal systems and explains why it should also apply in data protection matters, having regard to the plural objectives of the regulation – protection of the data subject is one of them.
Of course, one may perfectly disagree with that point as well.
Thanks for your comment. Just a couple of remarks.
Re quantification of damage: was it requested by the referring court?
On point 105: I respectfully disagree with your reading. In mine, it refers to the impossibility to infer a general EU principle according to which all non-material damage is always eligible for compensation.
Finally, the Opinion does not support a threshold for non-material damages. It takes up the conceptual and practical difference, existing in many legal systems, between “nuisance” and “damage”. Of course, one may also dislike it.