Update Data Protection No. 181
News from the ECJ on claims for damages under data protection law
On 20 June 2024, the ECJ dealt with several questions relating to the claim for damages under Art. 82 (1) GDPR. On the one hand, the court confirms its previous broad case law and, on the other hand, it offers new points of reference for the assessment of non-material damages in the event of data protection violations.
The background
The decision is based on a cyberattack on the provider of the trading app "Scalable Capital". The Munich Local Court had to decide on the consequences of the attack: Data subjects had opened accounts with the trading app and stored numerous personal data, including copies of ID cards, in their accounts. This data was stolen by unknown third parties in 2020 but has not yet been used for further malicious acts. However, the data subjects claim to have already suffered non-material damages because of the data theft. The Munich Local Court then referred a total of five questions to the ECJ for a preliminary ruling regarding the data subjects' claim for damages under Art. 82 (1) GDPR.
The ECJ's decision
Firstly, the ECJ found that the claim for damages under Art. 82 (1) GDPR only has a compensatory function, but not a punitive function intended to provide satisfaction to the data subjects. In this respect, the court emphasizes that Art. 82 GDPR – unlike the provisions on fines in Art. 83 and 84 GDPR – does not have the character of a sanction.
Secondly, the ECJ examined whether the degree of seriousness and any intentionality of a breach of the GDPR should be considered when assessing a claim for damages under Art. 82 (1) GDPR. The ECJ denies this with reference to the compensatory function of Art. 82 (1) GDPR: Accordingly, any damage suffered should be compensated in full. The compensatory function therefore precludes making the amount of compensation dependent on the severity or intentionality of an infringement.
Thirdly, the ECJ dealt with the question of whether, when assessing the amount of damages under Art. 82 (1) GDPR, it should be assumed that non-material damage caused by a data protection breach is by its nature less serious than physical injury. The ECJ refers once again to the compensatory function of Art. 82 (1) GDPR: The assumption that physical injury is more serious than data protection violations could, in the opinion of the court, prevent full compensation for damages. The ECJ therefore denies that physical injury is by its nature more serious than data protection violations.
Fourthly, the ECJ dealt with the question of whether, in the absence of seriousness, damage can be compensated by awarding minimal compensation, which can be perceived as "symbolic". In this respect, the ECJ emphasizes that the data subjects must prove the existence of a damage. However, such damage does not have to exceed a "de minimis threshold". A "symbolic" compensation of a small amount can therefore be awarded if it fully compensates for an established and proven damage.
Fifthly, the ECJ examined the term "identity theft". According to the court, identity theft exists only if a third party has appropriated a person's identity. The mere theft of data therefore does not constitute identity theft. However, identity theft is not a prerequisite for compensation for non-material damage pursuant to Art. 82 (1) GDPR, meaning that such a claim can already be justified by mere data theft.
Implications for practice
Overall, the ruling provides little new insight. The ECJ had already established in previous rulings that Art. 82 (1) GDPR has a purely compensatory function and that the degree of fault and the severity of the data protection breach are not to be taken into account when assessing damages. It had also already established that damages eligible for compensation do not have to exceed a de minimis threshold. The only new points are that data protection violations are comparable to physical injury and that "identity theft" requires the actual misuse of another person's identity, but is not mandatory for the award of damages.
The practical impact of the Scalable Capital case is therefore extremely limited. Equating immaterial damages due to a data protection breach with those due to physical injury has no significance for the future award of damages. The requirement remains that damage must have occurred, which must be proven by data subjects. This naturally poses major challenges for data subjects, as immaterial damage is extremely difficult to demonstrate and prove.
Overview of previous ECJ case law on Art. 82 GDPR
Nevertheless, companies must not let their data protection compliance slide. The high hurdle of demonstrating and proving the – often immaterial – damage suffered remains for data subjects. At the same time, in its past rulings on claims for damages under Art. 82 (1) GDPR (cases Österreichische Post, Natsionalna agentsia za prihodite, Gemeinde Ummendorf, Krankenversicherung Nordrhein, MediaMarktSaturn, juris and PS GbR), the ECJ has created quite broad criteria. Combined with the findings of the Scalable Capital case, these can be consolidated into the following ten guidelines:
- Data subjects must prove the existence of damage in order to be awarded compensation under Art. 82 (1) GDPR; the mere infringement of the GDPR does not automatically lead to compensation.
- Art. 82 (1) GDPR only has a compensatory and not a deterrent function. The award of punitive damages is therefore ruled out.
- Neither the severity nor the intentionality of a data breach has any influence on the amount of the compensation awarded under Art. 82 (1) GDPR.
- Data protection violations can be just as serious as physical injury.
- Even if the damage is only minor, symbolic damages may be awarded in accordance with Art. 82 (1) GDPR.
- Even the mere fear of data disclosure can justify a non-material claim for damages, as long as this fear is not purely hypothetical. However, the data subject must demonstrate and prove such a fear and corresponding damage. A claim for damages is ruled out if it is established that no third party could have taken note of the data concerned.
- The criteria of Art. 83 (2) GDPR cannot be used to assess the amount of compensation under Art. 82 (1) GDPR. Instead, the respective national criteria for assessing damages must be applied. The principles of equivalence and effectiveness must be considered here.
- Breaches of national data protection law cannot be compensated under Art. 82 (1) GDPR. They must be enforced via the national claims regime, which is applicable in addition to Art. 82 (1) GDPR.
- Controllers can exculpate themselves in accordance with Art. 82 (3) GDPR. However, mere reference to unauthorized data access by third parties or the misconduct of a person under their control is not sufficient for this.
- Identity theft, read in the light of recitals 75 and 85 GDPR, only exists if a third party actually misuses the identity of the data subject.
Outlook for future developments
Despite the comprehensive case law regarding Art. 82 (1) GDPR, numerous open questions remain. The ECJ will (have to) clarify these in further preliminary ruling proceedings. Particular attention should be paid to the Quirin Privatbank case (C-655/23) and the Patērētāju tiesību aizsardzības centrs case (C-507/23).
In this context, the ECJ will have to decide whether:
- Mere negative feelings such as anger, resentment, dissatisfaction, worry and fear, which are part of the general daily risk of life, are sufficient for the assumption of non-material damage or whether a disadvantage for the data subject that goes beyond these feelings is required for the assumption of damage.
- When assessing damages, the fact that the data subject is entitled to injunctive relief in addition to the claim for damages can be considered to reduce the amount of the compensation.
- If there is no possibility of restoring the situation that existed before the damage was caused, the obligation to apologize can be imposed as the only compensation for the immaterial damage.