The Court of Justice of the European Union (CJEU)1 ruled out automatic damages awards for civil litigants establishing infringements of the General Data Protection Regulation (GDPR). At the same time, the CJEU suggested that Member State courts should compensate any sufficiently proven non-material damage claim, however minor.
Article 82(1) GDPR entitles plaintiffs who have "suffered material or non-material damage as a result of an infringement" of the GDPR "to receive compensation from the controller or processor for the damage suffered." The CJEU’s decision explicitly rejected the idea that Article 82(1) creates an automatic right to compensation once a controller violates the GDPR:
"Article 82(1) of the GDPR must be interpreted as meaning that the mere infringement of the provisions of that regulation is not sufficient to confer a right to compensation."3
The CJEU emphasized compensation can only be awarded where, cumulatively: (i) the defendant has violated the GDPR; and (ii) this causes material or non-material damage suffered by plaintiff.4
However, the CJEU also broadly interpreted "damage" pursuant to Article 82(1), emphasizing that, where plaintiffs sufficiently prove that a defendant’s infringement of the GDPR caused non-material damage, the plaintiffs should be compensated in full for such damage (even, apparently, where such damage is de minimis).5 To that end, the CJEU effectively invalidated an Austrian law that imposed a “threshold of seriousness”, and that had been applied by the Austrian courts to reject de minimis non-material damage claims based on the GDPR.6 The CJEU also precluded the possibility that other EU Member States could create or apply equivalent laws in future.
While invalidating any minimum threshold requirements, the CJEU otherwise left it to Member States to determine the criteria for compensating claims for non-material damage under Article 82.7
UI, an individual, sued Österreichische Post AG (Post AG), the Austrian postal service, seeking EUR 1,000 as compensation for non-material damage stemming from Post AG’s allegedly unlawful processing of his personal data.8 In particular, Post AG processed data from which it deduced, by way of statistical extrapolation, Plaintiff’s high affinity for a certain Austrian political party, without his consent. This information was not transmitted to third parties, but plaintiff claimed that the storage of data on his alleged political opinions temporarily caused him "great upset, a loss of confidence and a feeling of exposure."9
The Austrian Supreme Court referred the following questions to the CJEU for decision:
- Does the award of compensation under Article 82 of [the GDPR] also require, in addition to infringement of provisions of the GDPR, that an applicant must have suffered harm, or is the infringement of provisions of the GDPR in itself sufficient for the award of compensation?;
- Does the assessment of the compensation depend on further EU-law requirements in addition to the principles of effectiveness and equivalence?; and
- Is it compatible with EU law to take the view that the award of compensation for non-material damage presupposes the existence of a consequence [or effect] of the infringement of at least some weight that goes beyond the upset caused by that infringement?
After concluding questions 1 and 2 were admissible,10 the CJEU answered question 1 in the negative—mere infringements of the GDPR do not, by themselves, give rise to damage that is compensable.
Next, the CJEU answered question 3, concluding that the Austrian courts were precluded from applying Austrian law’s damages threshold to GDPR claims for non-material damage pursuant to Article 82(1). In doing so, the CJEU observed that the EU legislature intended "damage" to be "broadly interpreted," and that a "seriousness threshold" would contradict that objective and "risk undermining the coherence" of the GDPR throughout the EU. However, the CJEU reiterated that plaintiffs must show that "negative consequences…constitute non-material damage within the meaning of Article 82" in order to bring a claim for compensation.
Finally, regarding question 2, the CJEU recognized that Member State laws would supply "the criteria for determining the extent of the compensation payable" based on Article 82 claims, on the condition that:
- "[T]hose rules are not, in situations covered by EU law, less favorable than those governing similar domestic situations (principle of equivalence)"; or
- Member State rules "do not make it excessively difficult or impossible in practice to exercise the rights conferred by EU law (principle of effectiveness)."
The CJEU concluded that the principle of equivalence was not at issue.11 Regarding the principle of effectiveness, the CJEU emphasized that, in applying Member State law to determine damages, Member State courts would have to consider whether those Member State laws "make it impossible in practice or excessively difficult to exercise the rights conferred by" the GDPR. In particular, the CJEU, citing Recital 146 GDPR, emphasized that Member State courts would have to ensure that Article 82 plaintiffs receive "full and effective compensation for the damage they have suffered." However, the CJEU clarified that "full and effective compensation" under Article 82 does not require the imposition of punitive damages.
The CJEU’s ruling is not a clear win for either defendants or plaintiffs. On the one hand, the decision makes clear that a GDPR infringement alone is insufficient to obtain compensation; plaintiffs must prove actual harm attributable to the defendant. This holding will make it more difficult for some claims vehicles and organizations to assert claims for collective relief on behalf of data subjects. On the other hand, the ruling seemingly establishes a low threshold for harm, suggesting that compensation may be available in certain Member States for feelings of upset or annoyance.
In short, Member State courts will need to determine the extent of, and burden of establishing, compensable damage. Moving forward, we expect that the central issues in proceedings under Article 82 will be:
- whether negative consequences (e.g., upset or annoyance) suffered by a data subject as a consequence of a GDPR breach actually constitute compensable "non-material damage" caused by the controller’s infringing conduct; and
- if so, the level of compensation the Member State court, according to Member State laws, will be willing to award plaintiffs as a result of such consequences.
Finally, we note that numerous pending CJEU proceedings may produce rulings in the next year or two that provide further clarity (e.g., by defining “non-material damage” under Article 82). White & Case is monitoring these proceedings, and we will provide updates as they come in.
1 UI v. Österreichische Post AG (C-300/21) (4 May 2023).
2 Non-material damage includes non-economic losses (e.g., pain and suffering).
3 Para. 42 (emphasis added).
4 Paras 32-34.
5 Paras 46-51.
6 Para. 51.
7 Para. 54.
8 Plaintiff alleged Post AG violated Article 9 GDPR (Processing of special categories of data). Plaintiff’s claim stemmed from the same facts triggering a EUR 18 million fine imposed on Post AG by the Austrian Data Protection Authority in 2019 (also due to violations of Article 9 GDPR).
9 Paras 11-13.
10 It appears that plaintiff did not challenge Question 3’s admissibility.
11 Para. 55.
White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.
© 2023 White & Case LLP