Update Data Protection No. 141
European Court of Justice (ECJ): No Compensation without Damage!
With the decision of May 4, 2023 (C-300/21, available here), the ECJ clarified essential questions in connection with the right to compensation pursuant to Art. 82 GDPR. This relates in particular to the question of whether a mere violation of the GDPR justifies a claim for compensation and whether the claim for compensation for non-material damage must reach a certain threshold of seriousness.
Background
The defendant in the main proceedings was Österreichische Post AG, which, as a publisher of addresses, collected information on the party affiliations of the Austrian population. Using an algorithm, it defined target group addresses on the basis of certain social-demographic characteristics. The plaintiff had not consented to the storage of his data by Österreichische Post and brought an action for payment of compensation pursuant to Art. 82 GDPR. He claimed that he felt great annoyance, a loss of confidence and a feeling of being exposed by having been attributed a specific affinity with the party in question. Accordingly, he demanded 1,000 euros for the non-material damage suffered.
The Austrian courts rejected the lawsuit in the first and second instance. The Supreme Court in Austria submitted the case to the ECJ for a preliminary ruling in May 2021. Specifically, the Supreme Court wanted to know whether a mere violation of the GDPR alone would be sufficient to justify a claim for compensation pursuant to Art. 82 GDPR, and whether compensation is only possible once the non-material damage suffered reaches a certain threshold of seriousness. It also asked whether it should be the law of the individual Member State which specifies the criteria for determining the amount of compensation due in this context.
Damage is a Prerequisite
In its decision, the ECJ has now clearly answered that not every infringement of the GDPR gives rise, by itself, to a right to compensation. Rather, any claim for compensation under Art. 82 GDPR requires three cumulative conditions: infringement of the GDPR, material or non-material damage resulting from that infringement and a causal link between the damage and the infringement. The ECJ justifies this with the wording of the provision and the underlying recitals of the GDPR.
No Threshold Required for Non-Material Damage
Contrary to the Advocate General’s opinion, the ECJ answered the question of whether the damage incurred must reach a certain threshold of seriousness in the negative.
The Advocate General previously held the opinion that a response beyond mere annoyance at the violation of the law was required. Any violation of a standard that serves to protect personal data would lead to negative reactions from the data subject. Compensation resulting from mere resentment at another party’s failure to respect the law would be very close to compensation with no damage incurred.
The ECJ has now deviated from this approach and has made it clear that the claim for compensation is not limited to non-material damages that reach a certain level of seriousness. According to the ECJ, such a requirement is not provided for by the GDPR and would also conflict with the concept of damages on which the GDPR is based. It is therefore a matter for the courts to decide in each individual case how high the compensation for a damage suffered should ultimately be.
Determining the Criteria for Assessing the Scope of Compensation
Finally, the ECJ confirms that the GDPR does not contain any provisions for the assessment of compensation. Accordingly, the structure of legal proceedings and the specification of the criteria for determining the scope of claims for compensation are a task of the national law of the respective Member State. The principles for equivalence and effectiveness should be noted here, i. e. full and effective compensation for the damage suffered must be ensured.
Conclusion and Outlook
As a result of the ECJ’s decision, it is now the task of the national courts in each Member State to establish practicable criteria for determining material and non-material compensation payments, i. e. to measure the level of entitlement. Over the last few years, the number of action for damages has increased significantly and initial casuistry has already been formed, which will continue to increase in the future following the ECJ’s the judgment.
At the same time, the judgment also means that with regard to the assertion of claims for compensation, data subjects can no longer simply bring an action out-of-the-blue without concrete evidence of damage. Rather, plaintiffs must now prove causal damage. In any case, this corresponds to the burden of proof and presentation in German procedural law, so no special regulations are to be expected in the future.
However, it remains to be seen how courts will deal with situations in which the plaintiff asserts negative impairments in the form of feelings of resentment, anger, disappointment or uncertainty. Event though the ECJ does not require a materiality threshold, the plaintiff must in any case provide evidence of non-material damage. Experience has shown that this is rather difficult in practice, especially in the case of non-material impairments.
It also remains to be seen to what extent class actions – especially in connection with “hacking” and “data leaks” – will now gather momentum. As, according to the ECJ, the mere violation of the GDPR is not sufficient, and instead causal damage must be present, it can be assumed that a specific hurdle has been placed in front of class actions. However, it remains to be seen which requirements the national courts will place on the burden of proof and presentation of the existence of damage.