Last Thursday the Court of Justice of the European Union ("CJEU") issued a long awaited ruling on damages resulting from a data protection infringement (C-300/21). Since the Regulation (EU) 2016/679 (General Data Protection Regulation; "GDPR") came into force on 25 May 2018, claims for damages under Art 82 GDPR due to alleged data protection violations like unlawful data processing or incompliance with the GDPR as well as in the context of data breaches or leaks have been steadily increasing. The CJEU's recent ruling clarifies essential issues but raises just as many questions.
The CJEU decision relates to a dispute before the Austrian Regional Court for Civil Law Matters Vienna (Landesgericht für Zivilrechtssachen Wien), where the claimant (data subject as per the GDPR's definition) requested EUR 1,000 damages as compensation. The claimant allegedly suffered harm, because the defendant generated upon statistical extrapolation a prognosis of the claimant's willingness to receive marketing materials of certain Austrian political parties. This information was not passed on to third parties, but the claimant had not consented to such data processing and felt offended.
The Austrian courts have dealt with an increasing number of cases where claimants asserted annoyance, offence, or discomfort about alleged unlawful data processing or loss of control of their data and requested compensation under Art 82 GDPR. Art 82 GDPR provides that any person who has suffered material or non-material damage as a result of an infringement of the GDPR shall have the right to receive compensation from the controller or processor for the damage suffered.
Austrian and German courts, in particular, have always been reluctant to award compensation to data subjects for non-material damages, since by their nature such claims are often not easy to verify and also bear a significant potential of misuse. Therefore in both countries non-material damages are only awarded rather restrictedly in specific cases, e.g. compensation for pain and suffering in case of bodily injury, mourning loss or loss of enjoyment of a holiday.
Notably, the Austrian courts, specifically the Higher Regional Court of Innsbruck (Oberlandesgericht Innsbruck) and the Austrian Supreme Court (Oberster Gerichtshof), issued contradictory decisions in proceedings for non-material damages resulting from alleged GDPR infringements prior to the referral for a preliminary ruling to the CJEU.
CJEU referral for a preliminary ruling
In the present case the Austrian Supreme Court submitted three questions to the CJEU and asked the CJEU to clarify
· whether an individual shall be entitled to receive compensation under Art 82 GDPR from a GDPR infringement alone or whether such a claim requires the individual to have suffered harm from that infringement;
· if so, whether harm suffered must exceed a certain degree of seriousness;
· if so, the methods of assessing the amount of damages.
Mere GDPR violation is not enough for compensation
The CJEU's response clearly provides that the fact that the provisions of the GDPR had been violated is insufficient for compensation claims. In other words, the CJEU does not see Art 82 GDPR as an entitlement for punitive damage claims. Rather, the CJEU rebuffed any thoughts of Art 82 GDPR conferring punitive damages and followed the Advocate General's Opinion. The court also mentions that liability under Art 82 GDPR requires three conditions: (i) an infringement of the GDPR, (ii) damage suffered by the data subject and (iii) a causal link between the unlawful processing and the damage.
These three conditions conform with national tort law, however, there is one missing. Whereas in Austria the conditions for a tortious claim are (i) damage, (ii) causal link between damage and infringement of the law, (iii) infringement of the law and (iv) fault, the CJEU has not made any mention at all with respect to fault.
Up until now, the vast majority interprets Art 82 (3) GDPR, exempting a controller or processor from liability if proven they were not responsible for the event giving rise to the damage, as a reversal of the burden of proof on fault. This means that the controller or processor must prove that they did not act culpably. Since Art 82 (3) GDPR does not use the term fault, Verschulden or faute in English, German or French, the following questions remain: Does the controller have to be at fault for the data subject to receive damages? How does not being responsible differ from not being at fault?
The CJEU did not address Art 82 (3) GDPR at all. It might be argued that the CJEU thus has not decided whether fault is required as a condition for damages. However, the wording of Art 82 (3) GDPR is ambiguous at best, and the CJEU did state that damage, causal link and infringement are required to establish a right to compensation – with no mention of a fourth condition. A clear ruling of the CJEU on these questions would be highly welcome, not least because, unlike Art 82 GDPR, Art 83 GDPR addresses the concept of fault and even differentiates between intentional and negligent behaviour. Further, the practical implications of the difference between responsibleness and fault are unclear.
Reliance on national law to assess damages
One of the questions of Austrian Supreme Court also aimed at clarification whether the assessment of the compensation shall be governed by EU law requirements. In response, the CJEU pointed out that the GPDR and EU law do not provide for rules on assessment of damages. Therefore, the national courts shall apply domestic law to assess damages, complying with the EU principles of equivalence and effectiveness.
The response is not unexpected but may increase the number of claimants or claimant groups trying out different EU courts to find out where the highest damages are awarded (forum shopping).
No threshold of seriousness
With respect to a threshold for immaterial damages, the CJEU did not follow the Advocate General's opinion, who demanded an infringement of at least some weight. Instead, the CJEU found that Art 82 GDPR does not mention any threshold of seriousness, which is in the view of the court supported by the objectives of the GDPR. Further, a threshold of seriousness of harm suffered would risk the coherence of the GDPR; meaning that the threshold could then vary from member state to member state, from court to court.
Therefore, even minor (emotional) grievances following a GPDR violation could technically lead to an award of compensation for non-material damages. However, the CJEU points out that the data subject claiming compensation would still need to prove that negative consequences after a GDPR violation are a consequence of a non-material damage. It goes without saying that this caveat is not helpful in practice as the most convenient evidence would be the data subject's own testimony.
It is straight forward and rather simple that claimants do indeed require proof that they suffered harm – even when asserting non-material damage like annoyance, anger or the like. The questions are: Will judges believe it? How can the temptation of misuse reasonably be balanced against legitimate interferences in peoples' personal spheres? How much is an hour of annoyance over a data breach worth in monetary terms? How much a week of feeling slight discomfort?
It is regrettable that the CJEU did not follow the Advocate General and German (and Austrian) courts, who required a certain degree of seriousness of the damage suffered.
Way forward?
This will certainly not be the last case for the CJEU on compensation for (non-material) damages resulting from data protection violations. An increase in claims is expected, with privacy groups celebrating the CJEU decision, especially as claimants do not need to demonstrate that the non-material damage suffered has reached a certain degree of seriousness. However, it certainly paints a picture that a decision acknowledging compensation for personal "distress" gets instantly hailed by organisations that cannot suffer any but rather earn their living with large scale distressed individuals.
Even more so in light of the Directive (EU) 2020/1828 on Collective Redress, which member states should have implemented at the end of 2022. Austria, like most EU member states, has failed to do so, but this will certainly make class action-style litigations easier for any group of claimants. Damages claims of countless data subjects could be bundled and filed in one court.
By Sara Khalil, Counsel, Schoenherr