On 4 May 2023, European Court of Justice (“CJEU”) delivered its judgment regarding the interpretation of Article 82 of the General Data Protection Regulation (“GDPR”). The CJEU held that mere infringement of the GDPR does not give rise to a right to compensation. However, there is no requirement for the non-material damage suffered to reach a certain threshold of seriousness in order to confer a right to compensation.

Background

Since 2017, Austrian postal service (Österreichische Post AG), a logistics and postal service provider in Austria, published address directories and collected information on political party affinities of the Austrian population. Using an algorithm, it determined whether individuals had an affinity to a particular political party, based on certain socio-demographic features of their address information. The controller also carried out extrapolations in order to determine classifications within the possible target groups for election advertising from various political parties, although the processed data was not transferred to third parties. From one of these extrapolations, Österreichische Post determined that the data subject had a high affinity with one of the political parties.

The data subject, who had not consented to the processing of his personal data, was upset by the storage of his party affinity data and stated that the political affinity specifically attributed to him by Österreichische Post was insulting, shameful and damaging to his reputation. In addition, the data subject claimed that Österreichische Post’s conduct caused him great upset and a loss of confidence, and also a feeling of public exposure. The data subject claimed compensation of EUR 1000 in respect of non-material damage for “inner discomfort” and upset in light of the data processing by Österreichische Post.

Both the first instance court and appellate court dismissed the data subject’s claim, ruling that:

  • Compensation for non-material damages does not automatically accompany every breach of the GDPR, and only damage that goes beyond upset or the feelings caused by the breach are eligible for compensation; and
  • In accordance with underlying Austrian Law, mere discomfort and feelings of unpleasantness must be borne by everyone without any consequence in terms of compensation. For compensation, the damage ought to be of a certain significance.

Subsequently, the data subject lodged an appeal at the Austrian Supreme Court, which referred the following questions to the CJEU:

  1. Does the award of compensation under Article 82 GDPR also require, in addition to infringement of provisions of the GDPR, that an applicant must have suffered harm, or is the infringement of provisions of the GDPR in itself sufficient for the award of compensation?
  2. Does the assessment of the compensation depend on further EU-law requirements in addition to the principles of effectiveness and equivalence?
  3. Is it compatible with EU law to take the view that the award of compensation for non-material damage presupposes the existence of a consequence of the infringement of at least some weight that goes beyond the upset caused by that infringement?

CJEU Judgment

The CJEU held that:

  1. It is clear that the right to compensation provided for by the GDPR is subject to three cumulative conditions:
  • infringement of the GDPR,
  • material or non-material damage resulting from that infringement; and
  • a causal link between the damage and the infringement.

As such, it cannot be held that any ‘infringement’ of the provisions of the GDPR, by itself, confers that right to compensation on the data subject – there must be a causal link between the infringement in question and the damage suffered in order to establish a right to compensation. Article 82(1) of the GDPR must therefore be interpreted as meaning that the mere infringement of the provisions of that regulation is not sufficient to confer a right to compensation.

  1. As the GDPR does not contain any rules governing the assessment of damages, national courts must apply the domestic rules of each Member State relating to the criteria for determining the extent of financial compensation payable, provided that the principles of equivalence and effectiveness are complied with.
  1. Article 82(1) GDPR must be interpreted as precluding a national rule or practice which makes compensation for non-material damage subject to the condition that the damage suffered by the data subject has reached a certain degree of seriousness. The GDPR does not contain any such requirement and such a restriction would be contrary to the broad conception of ‘damage’, adopted by the EU legislature.

Commentary

The CJEU decision will likely be welcomed by organisations facing civil claims for damages following alleged breaches of the GDPR. In particular, the judgment confirms that a mere infringement is not sufficient to confer a right of compensation if there is no ‘causal link’ between the infringement in question and the damage suffered. The judgment highlights the need for data subjects to prove or clarify damage beyond loss of control over personal data and feelings of upset or discomfort. However, the decision does still leave some uncertainty for both controllers and data subjects –  leaving it to national courts to determine whether compensation is appropriate on a case by case basis, by reference to the domestic rules and case law of each relevant Member State.

This issue is one that is frequently litigated in the US, with somewhat different results due to the constitutional requirements of Article III of the US Constitution.  Those issues were highlighted in the Schrems II case and continue to create legal issues on both sides of the Atlantic.

For further information or if you have any questions, please contact your usual DLA Piper contact.