Background

In the last five years since the GDPR entered into force, the private enforcement of GDPR requirements has become more and more relevant, and the number of cases of national courts dealing with claims for compensation of non-material damages for (alleged) infringements of the GDPR is constantly growing. However, the exact legal requirements for the compensation of non-material damages under Art. 82 GDPR are still heavily disputed, leading to an inconsistent picture of national case-law (for background on Art. 82 GDPR see our posts hereand here).

As a consequence, various proceedings for preliminary rulings (Art. 267 TFEU) are currently pending with the CJEU. These include questions referred to the CJEU by national courts on the interpretation of the legal term of “damages” in Art. 82(1) GDPR (see e.g. proceeding C-340/21) and the applicability of a substantiality threshold for awarding damages (C-741/21 and C-456/22).

The judgment at hand (C-300/21) is the CJEU’s first ruling on the interpretation of the requirements of Art. 82 GDPR.

Underlying main proceedings

The underlying case arose from a dispute in Austria where a data subject (plaintiff) claimed compensation for non-material damages of 1.000 EUR from Österreichische Post (Austrian Post, defendant) which also provided data broker services. The plaintiff argued that the algorithm used by the defendant wrongfully inferred that he had a degree of affinity with a certain Austrian political party. The plaintiff, who had not consented to the processing of his personal data, stated that he felt offended by this wrongfully attributed affinity with the party in question and that the fact that data relating to his supposed political opinions were retained caused him great upset, a loss of confidence and a feeling of exposure.

The Austrian courts of first and second instances rejected the claim for non-material damages in the main proceedings by arguing that Austrian law requires a certain “threshold of seriousness” for the compensation of damages, which was not exceeded by the negative feelings which the plaintiff had invoked in the proceedings. The Austrian Supreme Court, as the court of last instance, referred questions on the interpretation of Art. 82 GDPR with regard to the substantiality threshold to the CJEU.

Key findings of the CJEU

In its judgment, the CJEU made the following key findings:

• Mere infringement does not constitute damage and confer the right to compensation: First, the CJEU clarifies that the mere infringement of the provisions of the GDPR is not sufficient to confer a right to compensation. Instead, the CJEU points out that Art. 82(1) GDPR sets forth three key requirements that must be met cumulatively, namely

1. the existence of an infringement of the GDPR,

2. the existence of an actual damage which has been suffered, and

3. a causal link between that damage and that infringement.

• No substantiality threshold: Further, the CJEU found that compensation for non-material damages cannot be made subject to the condition that the damage suffered by the individual has reached a certain degree of seriousness.

• No compensation for mere negative consequences without non-material damage: However, the CJEU expressly stipulated that the interpretation adopted cannot be understood as meaning that a person concerned by an infringement of the GDPR which had negative consequences for him or her would be relieved of the need to demonstrate that those consequences constitute a non-material damage within the meaning of Art. 82 GDPR. The court leaves open, however, where to draw the line between what constitutes mere “negative consequences” and an actual “non-material damage” for the individual.

• Amount of compensation to be determined by national rules and courts: The CJEU found that, to determine the amount of damages payable under the right to compensation, national courts must apply the domestic rules relating to the extent of financial compensation, provided these rules comply with the principles of equivalence and effectiveness. This means that the amount of compensation will remain to be determined largely by national laws and practices. However, very importantly, the court determined that financial compensation is to be considered “full and effective” if it allows the damage suffered as a result of the GDPR infringement to be compensated in its entirety. Other than suggested by recent judgements of some national courts, there is no need, for the purposes of compensation for the damage under Art. 82 GDPR, to require the payment of punitive damages.

Practical implications

The judgment of the CJEU is highly relevant in practice and confirms that, in order to receive financial compensation under Art. 82 GDPR, plaintiffs need to demonstrate that an alleged violation of the GDPR has in fact caused an actual non-material damage. This brings an important clarification and certainty for companies facing individual claims for damages.

However, despite the intensive public debate and the elaborate statements made by the Advocate General in the parallel case C 340/21, the decision does not answer the highly relevant question on how to determine whether any negative consequences caused by an infringement of the GDPR constitute an non-material damage. It remains to be seen whether the upcoming CJEU decision in case C 340/21 will provide further guidance in this respect.

Given that the CJEU has not accepted a substantiality threshold, it is further to be expected that, in practice, plaintiffs will be further encouraged to bring claims against companies for non-material damages, and individual claims for damages will continue to be on the rise.

However, the CJEU decision does not mean that companies facing claims under Art. 82 GDPR have no means to defend themselves. Rather, the burden of proof for an actual damage caused by the specific GDPR infringement remains with the plaintiff. Also, the determination of the amount of compensation will remain with the practices of national courts under their domestic practices, which allow for leeway in the individual case. Going forward, the outcome of still pending proceedings for preliminary rulings before the CJEU related to Art. 82 GDPR will likely further specify the practical implications of the position of the CJEU.

For the (near) future, companies should also closely monitor the progress of the implementation of the Representative Actions Directive 2020/1828 on a Member State level. This Directive covers the representative enforcement of damage claims on behalf of consumers by so-called “qualified entities” (see list here) for infringements of the GDPR and the ePrivacy Directive. This might result in a further rise of “data class actions”, including related to damage claims under Art. 82 GDPR for infringements of the GDPR, such as in cases of data breaches or unlawful processing of personal data.