How much damage is some damage? CJEU finds some damage, but no minimum level of damage, is required for GDPR compensation claims
Almost five years after the GDPR came into force, uncertainty prevails over the scope of the right to compensation for non-material damage under the GDPR. Prior to the GDPR, it was not possible for individuals (or groups of individuals) to recover damages for "non-material loss" i.e. pain, suffering and anxiety arising from breach of their data protection rights.
The issue has been subject to scrutiny recently before the Irish courts. The Irish Circuit Court, in Cunniam v Parcel Connect Limited & Ors  IECC 1, granted a stay on proceedings brought by a data subject where non-material damages were alleged, pending the delivery of six decisions from the Court of Justice of the European Union ("CJEU") relating to compensation claims under the GDPR (discussed further here), effectively putting claims of this kind on hold for the time being.
The first of these six decisions was delivered on 4 May 2023, in UI v Österreichische Post AG (Case C-300/21) ("the Austrian Post case"). In its judgment, the CJEU confirmed that a mere infringement of the GDPR does not give rise to the right to compensation in itself. Rather, the court confirmed that, as in all tort cases, there must be a breach, some damage and a causal link between the two. However, in an unexpected departure from the Advocate General's Opinion, the CJEU ruled that there is no requirement for the non-material damage suffered to reach a minimum threshold of seriousness in order to confer a right to compensation.
Accordingly, the position, in summary, following the judgment is that:
1. some damage or harm is required in order for a claimant to ground a claim for non-material loss; but
2. there is no de minimis level of damage prescribed for this.
In reality, given that non-material loss claims are, by their nature, psychological claims which are difficult to prove and assess, the judgment raises as many questions as it provides answers.
In the Austrian Post case, the complainant brought proceedings in the Austrian courts seeking €1,000 in compensation from Austrian Post for alleged non-material damage arising from the unlawful processing of his personal data, specifically relating to his supposed political affiliations. The complainant claimed that he did not consent to the collection of his data, and the fact that data relating to his supposed political affiliations were processed and retained by Austrian Post caused him great upset, a loss of confidence and a feeling of exposure. He was also offended by the specific political affinity attributed to him.
The Austrian court referred three questions for preliminary ruling by the CJEU:
- Does the award of compensation under Article 82 of the GDPR require, in addition to the infringement of provisions of the GDPR, that an applicant must have suffered harm, or is infringement of the GDPR in itself sufficient for the award of compensation?;
- Does the assessment of compensation depend on further EU-law requirements in addition to the principles of effectiveness and equivalence?; and
- Is it compatible with EU law to take the view that the award of compensation for non-material damage presupposes the existence of a consequence (or effect) of the infringement of at least some weight that goes beyond the upset caused by that infringement?
As previously discussed, the Advocate General delivered a non-binding opinion last October 2022, finding that mere infringement of the GDPR, without accompanying damage, did not warrant compensation. The Advocate General further found that non-material damage must meet a minimum “threshold of seriousness”, and mere upset or annoyance about a GDPR infringement was insufficient to ground a claim. He also found that the level of compensation was a matter for the law of the Member State.
In its decision delivered on 4 May 2023, the CJEU notably departed from the Advocate General's Opinion by finding that no minimum threshold of seriousness is required for a claim for non-material damage to succeed.
1. Mere infringements of the GDPR do not confer a right to compensation
The CJEU held that a mere infringement of the GDPR is not sufficient to confer a right to compensation, noting that any other interpretation would run counter to the wording of Article 82 of the GDPR.
The CJEU found that the right to compensation is subject to three cumulative conditions being satisfied, including:
- infringement of the GDPR;
- material or non-material damage resulting from that infringement; and
- a causal link between the damage and the infringement.
The CJEU noted, in contrast, that Articles 83 and 84 of the GDPR, which permit the imposition of administrative fines and other penalties, have essentially a punitive purpose and are not conditional on the existence of individual damage.
2. GDPR does not contain rules for assessment of damage
The CJEU ruled that the GDPR does not contain any rules about the assessment of damages to which a data subject may be entitled where an infringement of the GDPR has caused him or her material or non-material loss. It is therefore for national courts to determine the criteria for the extent of compensation to be awarded.
However, the Court noted that national courts are required to take into account two principles, namely:
- domestic rules may not be any less favourable in situations governed by EU law in comparison to similar situations governed by national law (the principle of equivalence); and
- such rules must not render the exercise of rights afforded by EU law as practically impossible or excessively difficult (the principle of effectiveness).
The CJEU further noted that it is clear from recital 146 of the GDPR, that the right to compensation requires data subjects to receive "full and effective compensation for the damage they have suffered". Financial compensation must be regarded as "full and effective" if it allows the damage actually suffered as a result of the infringement of the GDPR to be compensated in its entirety, and there is no requirement for the payment of punitive damages.
3. No threshold of seriousness required in respect of non-material damage
In a departure from the Advocate General's Opinion, the CJEU found that the GDPR precluded the application of a minimum threshold of “seriousness” for non-material damage.
Firstly, the CJEU noted that there is no definition of "damage" or "non-material damage" under the GDPR. Article 82 of the GDPR provides that the right to compensation may be triggered by both material and non-material damage, and there is no reference to any threshold of seriousness.
Secondly, the CJEU noted that recital 146 of the GDPR, provides that "the concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of [the GDPR]". It concluded that it would be contrary to that broad concept of "damage", if that concept was limited to damage of a certain degree of seriousness.
Thirdly, such an interpretation is supported by the objectives of the GDPR. Recital 146 expressly calls for an interpretation of the concept of "damage" that "fully reflects the objectives of [the GDPR]". The CJEU noted that it is apparent from recital 10 of the GDPR that the objectives of the GDPR are, inter alia, to ensure a consistent and high level of protection for the processing of individuals data throughout the EU. Making compensation for non-material damage subject to a certain threshold of seriousness would risk undermining the consistency of the regime established by the GDPR, since the graduation of such a threshold, on which the possibility of obtaining compensation would depend, may fluctuate between Member States, according to the assessment of the judge hearing the case.
In light of the above, the CJEU held that the GDPR must be interpreted as precluding Member States from imposing any national rules or practices which make compensation for non-material damage, subject to a condition that the damage suffered by the data subject must reach a certain threshold of seriousness.
Impact of the Decision
The decision confirms that claimants do have to prove damage of some kind in order to recover compensation for non-material loss on foot of a GDPR infringement. However, it fails to clarify what proof of non-material damage is required, other than to say that the damage does not require any threshold of seriousness. As such, the position remains somewhat uncertain.
The decision will likely trigger a rise in claims for non-material damage following data breaches and other infringements of the GDPR. To date, the Irish superior courts have not been required to deliver any written judgment assessing a claim for damages for non-material loss. As such, it has not been possible to glean an understanding of the approximate value which the courts in this jurisdiction would place on claims of this kind. It is clear, however, from this decision that any compensation awarded must provide data subjects with "full and effective compensation for the damage they have suffered", but there is no requirement to provide punitive damages.
To date, there has been a trend across the EU of national courts awarding only minimal awards, if any at all, where cases have progressed to hearing. Moreover, the courts of some EU jurisdictions, such as Germany and Austria, have been proceeding on the basis of requiring a minimum threshold above "mere upset". In Ireland, the first civil action for compensation under the GDPR proceeded to hearing last year before the Irish Circuit Court and followed that trend. In that case, SIPTU members took a case against their Union, in circumstances where the Union had inadvertently sent an email with their names and addresses to a group of 212 other SIPTU members. The Circuit Court dismissed the case, finding that proof of more than minimal loss was necessary, and that no evidence was presented of any actual loss suffered by the claimants resulting from the email distribution. The SIPTU members who took the case against the Union were also ordered to pay its costs. The Austrian Post case can be expected to put an end to this concept of a minimum threshold.
However, as noted above, the decision in the Austrian Post is just the first of six decisions to be delivered by the CJEU concerning the correct interpretation of Article 82 of the GDPR and the entitlement to damages. It is hoped that the remaining five decisions will provide a greater degree of clarity on the proof required in order to recover compensation for non-material damage under the GDPR.
If you would like to find out more, please contact Michael Byrne, Partner, Commercial and Dispute Resolution, or Davinia Brennan, Partner, Technology and Innovation Group, or your usual Matheson contact.