CJEU judgment: Right to compensation for non-material damage for violation of GDPR
The Court ruled that the damage did not have to reach a certain level of seriousness
On 4 May 2023, the Court of Justice of the European Union (CJEU) ruled for the first time on a claim for non-material damages under Article 82(1) of the GDPR (judgment of 4 May 2023 - C-300/21). The judgment was eagerly awaited by many, as there had previously been disagreement on the conditions for private enforcement following violations of the GDPR.
The CJEU clarifies that a claim for damages exists only if the individual has actually suffered non-material damage. However, it is not necessary that the proven non-material damage exceeds a certain threshold of seriousness. If a claim for damages is established, the company must make a payment to the individual that fully compensates for the damage.
Increased legal certainty, and the CJEU's data protection-friendly interpretation, may now encourage many people to sue for damages following violations of the GDPR. This trend could be further strengthened by more collective enforcement of claims.
Background of the case
On 12 May 2021, the Supreme Court (of Austria) referred several questions to the CJEU on the interpretation of Article 82(1) of the GDPR.
The reference for a preliminary ruling was based on the following case: since 2017, Österreichische Post, an address broker had been collecting data on the political affiliation of the Austrian population. Based on social and demographic characteristics, an algorithm predicted that the claimant had a certain political affiliation. This data was stored by Österreichische Post without the claimant's consent but was not passed on to third parties. The claimant stated that he felt insulted, upset, exposed and that his trust had been violated by the political affiliation attributed to him.
The Austrian court referred the following questions to the CJEU: (1) Is the breach of the GDPR in itself sufficient to award non-material damage to an individual, or must the individual also prove that he or she has suffered damage? (2) How should the amount of non-material damage be assessed? (3) Is non-material damage only present if the damage exceeds a certain threshold or does, for example, anger already constitute a compensable damage?
No claim without damage
The CJEU first clarified that there is a claim for damages only if the individual proves that three conditions are met: violation of the GDPR, material or non-material damage, and a causal link between the violation and the damage. The Court reached this conclusion by dogmatically applying the various methods of interpreting European Union law. The result was not surprising. In European and German liability law, damages claims only compensate the claimant for the causal damage. The rare German judgment awarding compensation irrespective of damage should therefore be a thing of the past.
Non-material damage does not have to exceed a certain threshold of seriousness
The CJEU ruled that non-material damage does not have to exceed a certain threshold of seriousness. This was the most important decision in the judgment. Individuals therefore only need to prove that they have suffered non-material damage. This could encourage individuals to claim compensation for less serious non-material damage in many more cases than before.
The Court's reasoning was based on the wording of the GDPR, its meaning and purpose, and the methodology of the regulation. For example, the CJEU stated that in order to maintain a uniform and high level of data protection within the meaning of recital 10 of the GDPR, it is necessary for all courts to apply the same broad concept of damage. According to this reasoning, all open legal questions must be decided in favour of the most data protection-friendly view. This reasoning means that other interests, such as the interests of companies and society in economic and social progress, are not sufficiently taken into account.
The Advocate General, in his Opinion (case C-300/21), argued for a much more balanced understanding, assuming a de minimis level.
The CJEU expressly left open the question of which harm constitutes non-material damage. In many cases before German courts, claimants allege that they have suffered a loss of control over their data as a result of a data breach. It is questionable whether such a loss of control constitutes non-material damage. This is likely to be the subject of future referrals.
Damages suffered must be fully compensated
The CJEU points out that the amount of the claim for damages is initially assessed according to national law. However, the principle of effectiveness requires that the claim for damages is not made practically impossible or excessively difficult. In this context, the CJEU also points out that the claim for damages must have a compensatory function, i.e. the actual damage suffered must be fully compensated. Neither Union law nor German law provides for a deterrent or punitive effect of a claim for damages.
The criteria for establishing a claim and how to determine the amount of damages are matters for national courts. To date, German courts have often provided little detail in justifying the amount of damages. There are many possible methods, including economic ones, to determine more precisely the amount of compensation necessary to compensate for the damage.
Outlook
The professionalised claimant industry has waited a long time for these clarifications, which the CJEU has now provided. An increase in damages claims is likely. In addition, from summer 2023, consumer associations will be able to sue for damages directly for consumers in a collective action for redress, which may further boost enforcement. For companies, the worst-case scenario for violations of the GDPR can therefore be both fines from supervisory authorities and direct claims for damages from individuals.
However, claims for damages still depend on a number of unresolved legal issues, and there are many good arguments for defending against such claims. The interpretation of Article 82(1) of the GDPR is likely to keep us, the German courts and the CJEU busy for some time to come. We will continue to monitor and document German case law in our Noerr Damages Tracker.
We advise companies to be on the safe side by putting in place robust data privacy governance, effective data subject rights management and professional assessment and handling of potential data privacy incidents. Companies should therefore address the challenges, opportunities and risks of data privacy litigation strategically and at an early stage. Our team of recognised data privacy and litigation experts will be happy to advise you.