When do you receive compensation for illegal data use? How do you calculate the amount? Is a compensation always monetary? The judgment of the Court of Justice of the European Union (ECJ) in Case C-300/21 brings us a step closer to the answers.
The judgment is the first ECJ decision on non-material damages under the General Data Protection Regulation (GDPR), as an answer to several questions referred by the Austrian Supreme Court. Similar cases pending before the ECJ will likely be answered in comparable terms.
This blog post is aimed at providing a summary of the ECJ decision. It also outlines the main takeaways, in particular in regard to national courts and future judgments. This is a follow-up to a previous blog post regarding the Opinion of the Advocate General (AG) Campos Sánchez-Bordona in the same case.
What is at stake?
Please note that this section is a short version of the one in this previous blog post here
The GDPR includes, generally speaking, two enforcement mechanisms. The first one is done via the national data protection authorities: individuals can lodge a complaint with an authority that should then be handled and addressed accordingly. The authority can also act on their own initiative. The second mechanism is litigation. Data subjects may bring a claim directly against a controller or processor in court. This is the case when an individual is claiming compensation for damages they suffered because provisions of the GDPR were infringed.
The GDPR covers both material and non-material damages. A material damage could be the loss of income, whereas a non-material damage could be the emotional harm when data was misused. Non-material damage is typically difficult to quantify, as it is not related to assets or wealth (paras 38-39) — and also more typical for GDPR violations.
Given the broad scope of applicability of the GDPR and the common infringement of its provisions, the decision on non-material damages is particularly relevant as it shapes an important part of the redress mechanisms for data subjects, as well as the consequences for controllers and processors.
What happened in the case?
Please note that this section is a short version of the one in this previous blog post here
The Austrian postal service (Österreichische Post AG) calculated the affinity to certain political parties of Austrian residents. ’UI’ was categorised to have a high affinity with the Austrian FPÖ, a far-right populist party. He did not consent to the processing of such data and was ‘angered and offended‘ (para. 10) by the assigned political party affinity.
Therefore, he sought compensation of €1,000 for non-material damages. In his opinion, the calculated affinity was ’insulting and shameful, as well as extremely damaging his reputation‘ and ‘caused him great upset and a loss of confidence, and also a feeling of public exposure‘ (para. 11).
While the Austrian courts found that the processing of data was unlawful, the damages claim was dismissed in the first and second instance court. The second instance court noted that, according to Austrian law, mere feelings of discomfort are not sufficient for compensation. To be able to qualify for compensation ’the damage claimed must be of a certain significance‘ (para. 13).
Being the third and last instance, the Austrian Supreme Court referred three questions to the ECJ.
The ECJ judgment
Requirements for compensation – Question 1
(1) Does the award of compensation under Article 82 of [the GDPR] also require, in addition to infringement of provisions of the GDPR, that an applicant must have suffered harm, or is the infringement of provisions of the GDPR in itself sufficient for the award of compensation?
Albeit ’UI’ did not claim that a GDPR violation confers a right to compensation directly, the ECJ decision clarifies the criteria for compensation. The ECJ found that in the context of Article 82(1) GDPR ‘the mere infringement of the provisions of that regulation [GDPR] is not sufficient to confer a right to compensation.‘ (para. 42)
According to the Court, the terms ‘material or non-material damage’ and ‘compensation for the damage suffered’ are autonomous concepts of EU law, as Article 82 GDPR does not refer to Member State law. The wording and context of the provision, among other aspects, should thus be taken into account for its interpretation (paras 29-30).
The wording of Article 82(1) GDPR requires ‘damage suffered’ as one of three conditions of compensation. The other two are an infringement of the GDPR and, logically, a link between this infringement and the damage. Obviously, all three requirements must be met cumulatively (para. 32). In consequence, an infringement of the GDPR alone is not sufficient for compensation (para. 33). The ECJ highlights that the context also provides for this interpretation, citing Article 82(2) and recitals 75, 85 and 146 GDPR (paras 36-37).
All in all, the ECJ provides for useful and clear criteria naming three cumulative requirements for compensation: (i) Infringement of a GDPR provision, (ii) a damage suffered and (iii) a causal link between the infringement and the damage (para. 32). If there is no damage, the requirements of Article 82 GDPR are not met.
No threshold for non-material damages – Question 3
(3) Is it compatible with EU law to take the view that the award of compensation for non-material damage presupposes the existence of a consequence [or effect] of the infringement of at least some weight that goes beyond the upset caused by that infringement?
According to the ECJ, Article 82(1) GDPR precludes a ‘national rule or practice’ that requires non-material damages to reach a ‘certain degree of seriousness’ (para. 51).
While the ECJ recalls that an ‘autonomous and uniform definition specific to EU law’ of concepts such as ‘non-material damage’ is required (para. 44), it points out that Article 82 GDPR does not contain any reference to any threshold of seriousness (para. 45). Here, the ECJ departs clearly from the position of AG Campos Sánchez-Bordona (para. 105).
The context of the provision does not favour a threshold either. A ‘broad conception of ‘damage‘‘, as required by recital 146 GDPR, would not be achievable if only damages that reach a ‘certain degree of seriousness’ were compensated (para. 46). The ECJ adds that a threshold of seriousness could undermine a coherent GDPR application, as it would depend on each court to determine if such a threshold is met (para. 49).
In line with its previous findings that damage is required for compensation, the Court states that a person affected needs to prove non-material damage (para. 50).
How to calculate the amount of compensation – Question 2
(2) Does the assessment of the compensation depend on further EU-law requirements in addition to the principles of effectiveness and equivalence?
The ECJ found that the national courts need to apply their domestic rules regarding the ‘extent of financial compensation’ (para. 59).
Given that the provisions of Article 82 GDPR do not provide for criteria regarding the assessment and the amount of compensation, the law of the Member States comes into play. This also means, that the EU law principles of equivalence and effectiveness must be complied with (paras. 53-54).
In the case at hand, the Court, taking into account the information it was provided with, did not identify an issue regarding the principle of equivalence (para. 55). The ECJ left it for the Austrian Supreme Court to establish if national law ‘make[s] it impossible in practice or excessively difficult to exercise the rights conferred by EU law’ (principle of effectiveness), in particular to obtain compensation under the GDPR (para. 56).
Finally, the ECJ clarifies that ‘full and effective compensation’ (recital 146 GDPR) means that the damage is compensated in its entirety, ‘without there being any need’ to require the payment of punitive damages (para. 58). In consequence, the payment due under Article 82(1) GDPR aims to make up for the damage suffered, not to punish a controller or processor.
What is the takeaway?
While some controllers or processors may have hoped for a threshold, the GDPR simply does not contain one. The ECJ decision is not only a sound interpretation of Article 82 GDPR, but also reaffirms the idea that wrongdoers should make up for any damage they cause — even for relatively small damage. In fact, this seems to be widely accepted for material damages (you may also bring a lawsuit for €1), and is now also clear for non-material ones. Tiny or frivolous claims are still not likely, given that litigation costs in most Member States are much higher, and litigation over small amounts simply does not pay off for plaintiffs.
The concept of damage
Both material and non-material damages are to be treated equally in practice. There is no artificial distinction, such as a threshold that would limit only non-material damages. Simply any proven harm stemming from a GDPR violation needs to be compensated.
Conceptually non-material damages are not limited to emotional and psychological harm (see, inter alia, recital 75 GDPR) and any negative consequence (see also para. 50 of the ECJ judgment) may be compensated, as long as the damage is proven. The District Court of Bonn, for example, recently found that a data breach lead to a damage as the user was affected in their control over their personal data, assuming that the leaked data could easily be abused. Similarly, the District Court of Lübeck found that the infringement of the right to informational self-determination constitutes a damage (paras 104-108).
Not a question of negligence nor intent
Both non-material and material damages need to be compensated independently of a specific level of intent or negligent conduct. This follows firstly from the GDPR that does not mention any such requirement in Article 82(1) or 82(2) GDPR. Secondly, the ECJ decision seems to confirm such an interpretation, as compensation should make up for the harm suffered by a natural person (para. 58 of the ECJ judgment), disregarding therefore the subjective behaviour of a controller or processor. As an exception to this general rule, a controller or processor that proves not to be in any way responsible for the damage (Article 82(3) GDPR), for example in cases of force majeure, does not need to pay compensation.
The ECJ could clarify these aspects further in the pending Case C‑667/21. The AG stated that the ‘degree of fault’ (para. 119) of a controller or processor does not make a difference for compensation.
However, as it is hard to quantify non-material damages, it is probable that some courts of the Member States graduate compensation based on the actions taken by a controller or processor.
How to calculate compensation?
The amount of compensation will vary among the courts, even within the same Member State. The jurisprudence in each Member State may elaborate useful precedents and criteria for future cases. However, it will likely take some years for such case law to be established.
To avoid disperse decisions, tables with reference to relevant national or local precedents have usually been developed in other areas of the law. In these tables, a compensation of €50 for a slight delay in responding to an access request could be set, for example, while sharing false information about a person’s credit-worthiness may be set at €500. It might be adequate to have such tables as orientation, leaving a certain discretion to the court.
In any case, such a practice or a legislative initiative seems to be desirable for both data subjects and controllers/processors. Data subjects would gain clarity regarding the amount of compensation they would be entitled to (and could put them in relation with the costs and risks of the procedure), whereas controllers/processors could easily estimate the potential sums that a final decision may cost them. Certainty in this regard may also favour extra-judicial settlements, which in turn is in the interest of society, as it keeps court costs low and resources available for other matters.
Reception in national cases
The reception of the ECJ decision has been quick, although some national courts still introduce a threshold in claims regarding non-material damages.
In particular, this seems to be the case in Germany. The District Court of Cologne, despite citing the ECJ decision, still managed to reintroduce a threshold in one of its decisions and did not grant compensation. Just a quick train ride away, the District Court of Bonn did not mention any threshold and granted a compensation in a case that concerns the same data breach. Also the District Court of Lübeck states that no such threshold exists (para. 105).
In Ireland, the Circuit Court surprisingly finds that ‘mere upset’ does not warrant compensation, while at the same time citing the ECJ decision (para. 11.6). According to this Irish decision, the damage “must be genuine, and not speculative” (para. 11.6) which in turn raises the practical question of how to effectively prove non-material damage.
This and many related questions may well be answered in the cases currently pending before the ECJ, as well as the national courts in the Member States.
GDPR damages and collective redress
The ECJ judgment is also of importance for the Collective Redress Directive and its national transposition laws. With collective redress mechanisms, it will be possible to seek minor GDPR compensation, e.g., for €500, for a larger group of people. As it is rather exceptional that individuals would pursue such a case personally, a collective action is a viable alternative. A threshold would have limited such claims substantially. Such collective redress actions may boost GDPR compliance indirectly, as damages to be paid could quickly amount to millions of euros.
The ECJ delivered a sound judgment clarifying the requirements for non-material damages under the GDPR: an infringement of a GDPR provision must cause damage that needs to be proven in court. No threshold of seriousness for non-material damages exists. The amount of compensation is to be awarded according to the rules of each Member State, which will likely lead to divergent decisions.
Disclaimer: noyb has been in contact with the plaintiff before the Austrian courts in the Case C-300/21 and has advised and assisted the data subject free of charge in connection with the reference for a preliminary ruling. The author was not involved with the case.