The first week of May 2023 saw further EU case law emerge on the right to compensation under the GDPR, and in this blog we analyse the implications of these latest rulings and consider what may be coming next.

Before the introduction of the GDPR many commentators predicted that the right to compensation under Article 82 would be a significant tool for individuals to gain redress for data protection infringements, including infringement of their data subject rights. Compensation cases therefore posed significant financial and reputational risks for businesses, alongside other enforcement actions such as fines. The GDPR is different to other regulatory regimes, such as financial services, in that compensation can only be awarded by the courts, not by a regulator or ombudsman.

In reality, a clear picture has taken some time emerge and we have waited for around five years for the first precedent setting case to come out of the Court of Justice of the EU (CJEU)(UI v Österreichische Post (Case C-300/21)).We had the first key English case in 2021 (Supreme Court in Lloyd v Google).

The key headline is that data protection compensation claims are not likely to diverge from other areas of consumer law and the direction from the EU and English courts is clear that mere infringement of data protection law will not automatically trigger compensation. Assessing the level of damage from GDPR infringements still remains a challenging area, particularly the non-material harms. As we note below there is still not full clarity on whether a level of seriousness needs to be reached for a successful claim, given the differing positions of the CJEU and Advocate General on the separate cases we discuss below.

CJEU rules on the scope of the right to compensation for non-material damage under the GDPR

In its judgment in case UI v Österreichische Post C-300/21, issued on 4 May 2023, the CJEU considered the right to compensation for non-material damage under Article 82 GDPR. The case relates to a claim for compensation arising from the processing of data concerning political affinities without consent. Colleagues at A&O previously blogged about the Advocate General’s October 2022 Opinion in this case under the headline “Österreichische Post AG: Another nail in the coffin of class actions under the GDPR?”

Background of the case

The Austrian postal service (Österreichische Post) collected information on the political affinities of the Austrian population from 2017 onwards, using an algorithm that took into account various social and demographic characteristics, and defined “target group addresses”. The data generated in this way was sold to various organisations for targeted advertising. One individual claimed compensation of EUR 1,000 under the GDPR on the basis that the conduct of the postal service caused him “great upset”, and that the political affinity attributed to him was insulting and shameful as well as extremely damaging to his reputation. The claim was dismissed by the Austrian courts at first instance and on appeal, prompting the Austrian Supreme Court to refer a number of questions on the matter to the CJEU for clarification, including:

1. Is mere infringement of the GDPR itself sufficient for an award of compensation, or must the individual have suffered harm?
2. Is it compatible with EU law to take the view that, to award compensation for “non-material damage” under the GDPR, the damage must go beyond the upset caused to the individual by that infringement or, in other words, must reach a certain degree of seriousness?

Is it important to note that this case was a single claim and not made on a collective basis, which must be borne in mind when considering the implications for collective claims that are still ongoing in the EU and the UK. We discuss this later in the blog.

Mere infringement of the GDPR does not confer a right to compensation

The CJEU ruled that mere infringement of the GDPR is not sufficient to grant a data subject the right to compensation. It also clarified that the right to compensation provided in

Article 82 GDPR is subject to three cumulative conditions:

1. infringement of the GDPR;
2. existence of material or non-material damage resulting from that infringement; and
3. a causal link between the damage and the infringement.

Therefore, it would be contrary to Article 82(1) GDPR to hold that any “infringement” of the GDPR provisions could give rise, by itself, to a right to compensation. This is a key part of the ruling and should enable a level of proportionality in the approach to GDPR compensation claims and ensure the GDPR is aligned with other areas of consumer law.

The AG’s Opinion in this case had made a finding that “loss of control” was not a right granted by the GDPR, or a formal aim under it, and therefore “loss of control” could not confer a right to compensation. The CJEU did not follow up on this particular analysis in its main ruling. It is worth noting that the AG was not persuaded on the control issue despite the reference to control in the GDPR recitals, highlighting the importance of first considering the aims and construction of the GDPR in its primary statutory form before considering the recitals.

Threshold of seriousness of damage

The CJEU further ruled that the right to compensation is not limited to non-material damage that reaches a certain threshold of seriousness, because:

• the GDPR does not contain any such requirement;
• such a restriction would be contrary to the broad conception of “damage”, adopted by the EU legislature; and
• making compensation for non-material damage subject to a certain threshold of seriousness would lead to inconsistent application of the GDPR across EU, as different courts might have varying assessments of the seriousness of harm and whether compensation should be granted or not.

The CJEU concluded that the GDPR precludes a national rule or practice which makes compensation for non-material damage, within the meaning of Article 82 GDPR, subject to the condition that the damage suffered by the data subject has reached a certain degree of seriousness. This goes further than the AG who had argued that that damage needed to go beyond mere upset.

There is a risk that this gives rise to liability for low impact infringements. Individual claimants could face less of a burden to bring claims. Whether it is likely that this will translate to these claims being combined into some form of class action is much less clear. In the UK, the Lloyd v Google decision means that pools of claims still have to overcome the very significant challenge showing that members of any class have the “same interest” and are not individualised (all the more so because mere infringement is not sufficient). As we discuss later, demonstrating the “same interest” for GDPR cases is likely to be challenging and no examples have been established by EU or English case law yet.

Amount of damages payable under right to compensation

The CJEU pointed out that the GDPR does not contain any rules governing the assessment of damages, and therefore the legal system of each Member State should prescribe the criteria for determining compensation payable. These rules must comply with the principles of equivalence and effectiveness of EU law.

The CJEU also pointed out the function of the right to compensation provided by Article 82 GDPR. Financial compensation should be full and effective to compensate for the damage actually suffered.

We can therefore look ahead to some potential issues around how Member State laws may interact with GDPR and CJEU caselaw, and national courts may need to apply this part of the judgment to resolve. There may also be national rules that guide the level of damages, even if there is not a bar of seriousness.

EU AG issues opinion on the right to compensation for non-material damage following a cyberattack

On 27 April 2023, the Advocate General (AG) of the CJEU published its opinion in the Case C-340/21 VB v Natsionalna agentsia za prihodite.

The case concerns unauthorised access to the information system of Bulgaria’s National Revenue Agency (the Agency) and the subsequent publication of personal data (including tax and social security information) of millions of people on the internet. Many of individuals whose data were affected by the breach (including VB) sought compensation for non-material damage in the form of worry and fear that their data would be misused in the future. The lower courts dismissed the claim of VB, holding that the data breach was not attributable to the Agency, that VB bore the burden of proof that the security measures implemented by the Agency were inappropriate, and that the non-material damage suffered was not eligible for compensation. The Supreme Administrative Court of Bulgaria asked the CJEU to clarify various questions.

The AG reached the following conclusions:

• detriment consisting of the fear of a possible misuse of the data in the future (the existence of which the data subject has demonstrated) may constitute non-material damage giving rise to a right to compensation. However, it should be “actual and certain” emotional damage and not simply trouble or inconvenience;
• an occurrence of a “personal data breach” is not sufficient in itself to conclude that the technical and organisational measures implemented by the controller were not “appropriate” to ensure protection of the data. This will be a welcome finding for controllers that look to mount a fair defence of their cyber security measures in court.
• what is “appropriate” depends on the nature, scope, context and purposes of processing, as well as the likelihood and severity of the risks, and the economic interests and technological capacity of the controller;
• the national court must assess the content of those measures, the manner in which they were applied and their practical effects, taking into account all the factors set out in the GDPR (eg that controller obtained certifications or adheres to codes of conduct);
• in the context of an action for compensation based on Article 82 GDPR, the controller bears the burden of proof that the measures were “appropriate”, and the admissible methods of proof depend on national rules in each Member State.
• the fact that the infringement was caused by a third party does not in itself constitute a ground for exempting the controller from liability. In order to benefit from the exemption provided for in Article 82(3) GDPR, the controller must prove that it is not in any way responsible for the event giving rise to the damage.

Comparing the AG Opinion in VB v Natsionalna agentsia to the CJEU judgment in Österreichische Post the most notable difference is around whether a test of seriousness needs to be met for the damages claimed. The AG’s finding is that there should be “actual and certain” emotional damage from an infringement appears to set a different bar. As noted above, the CJEU ruled against using such a test of seriousness under the GDPR, even though the CJEU did rule that actual damage resulting from an infringement must exist. We must now await to see whether the CJEU gives this any weight in the final judgment or whether they firmly stick to the line in Österreichische Post.

It is also relevant to note that this Opinion came out a week before the Österreichische Post judgment, so we cannot be sure what cross consideration was made of the similarity between the cases. The AG in Natsionalna agentsia would at least have been aware of previous Opinion in Österreichische Post and its view that that “mere upset” alone does not give rise to compensation under the GDPR.

This case will also provide useful guidance on how the courts are likely to consider compensation cases involving cyber security breaches and what controllers may need to demonstrate when defending the technical measures they had in place.

EU Representative actions under the GDPR and Directive (EU) 2020/1828

The GDPR already provides for Member States to allow for representative actions. Article 80(1) provides for opt-in representative actions, while Article 80(2) permits Member States to offer collective redress on an opt-out basis, although, importantly, not for compensation rights. In their GDPR implementation, most Member States have focused on allowing opt-in redress and few have taken up the option under Article 80(2). Under Article 80(1) GDPR, representative bodies can only seek to claim compensation on an opt-in basis ‘where provided for by Member State law’ and if the class representative meets the requirements mentioned in Article 80(1) GDPR (eg the class representative must be a not-for profit body or organisation, must have statutory objectives which are in the public interest and it must be active in the field of data protection). The most likely interpretation of Article 80(1) is that the ‘Member State law’ provision only applies to compensation rights and not to the other rights in Chapter VIII - to complain to a data protection authority (DPA) under Article 77, judicial remedy against a DPA under Article 78 and against a controller or processor under Article 79.

It is also relevant to consider how the wider EU legal landscape is changing with regard to compensation claims and representative actions. Colleagues at A&O have already written a blog providing a general overview of the Directive. The Directive aims to provide a level of harmonisation and ensure that each Member State has a representative redress mechanism for certain consumer rights listed in an Annex to the Directive. The GDPR is listed in Annex I to the Directive, indicating that the European Commission intends the regimes to work together in a complementary manner. The Directive is also without prejudice to the provisions of European Union law referred to in Annex I (Article 2(1) of the Directive). As such, Member States must allow for representative actions, within the boundaries of the rights that already exist in the GDPR. The Directive allows Member States to choose whether representative actions operate on an opt-in or opt-out basis.

Members States should have transposed the Directive into national legislation as of 25 December 2022, to take effect from 25 June 2023. Thus far, few Member States have transposed the Directive into national legislation. In January 2023, the European Commission indicated that it would start the process of issuing formal notices to require the significant number of outstanding countries to transpose as quickly as possible. France, the Netherlands, Denmark, and Belgium already have a form of representative action regimes in place, plus Hungary, Lithuania, and the Netherlands have transposed the Directive into their national legislation.

It also relevant to note that the Directive will enable representative claims to be made under the e-Privacy Directive. This could lead to claims related to mass e-marketing campaigns, for example.

Implications for ongoing and future compensation cases in the EU

In various EU Member States a number of representative actions for compensation are still proceeding in courts. The legal system for compensation claims in a number of key EU Member States is covered in more detail in this A&O blog from 2021.

A significant number of cases against major technology companies have progressed in the Netherlands. Claimants argue that opt-out claims for damages for GDPR violations are possible under the Dutch class action system (which allows for damage awards in class actions on an opt-out basis). Defendants challenge this, as the ability to claim damages for GDPR-violations collectively is set out in the ‘opt-in’ part of Article 80 rather than the opt-out part of Article 80 GDPR, as articulated above.

In addition to the opt-in vs opt-out debate, class actions under the GDPR in Member States will face considerable obstacles to establish evidence of damage on a collective basis and at an equal level of common interest. Generally, case law indicates that national level courts are still reluctant to allow claims for non-material damage for violations of privacy and data protection law. The ruling by the CJEU in Österreichische Post case also makes clear that that claimants cannot rely on the mere fact of a GDPR infringement and will have to prove damage in the circumstances of the case, which will add further difficulty to the claim.

It may be that certain types of GDPR infringements are more susceptible to meeting a de-minimis threshold of equal damage across a class action claim but this is yet to be established and as it stands, the variations of personal data collection and use impacts across class action cohorts is often likely to be variable.

Comparisons with UK case law

In the UK, the defining case law is still provided by the 2021 Supreme Court judgment in Lloyd v Google. Although this case was pre-GDPR, and based the previous Data Protection Act 1998, it provided some clear precedent that is likely to be persuasive under UK GDPR.

Back in 2021, these two A&O blogs provided a full overview of the implications:

In many respects the CJEU and the Supreme Court have travelled a similar path on compensation and data protection - on the pivotal issue of whether a mere infringement of data protection law confers a right to compensation, both UK and EU case law is clear that the answer is in the negative.

The CJEU judgment in the Österreichische Post case is unlikely to lead to a significant change of direction in the UK on the issue of seriousness of damage. Post-Brexit, the judgment is not binding on the UK courts and they only have regard to judgments of the CJEU. We can expect UK courts to continue to establish seriousness for GDPR cases under civil procedure and ensure that a GDPR claim is not of a non-trivial nature, as per the remarks contained the Supreme Court judgment.

The Supreme Court in Lloyd v Google also found that that Data Protection Act 1998 (and the EU Data Protection Directive on which it is based) does not recognise loss of control of personal data as a form of damage. The UK courts are yet to consider this issue under the GDPR and the relevant GDPR recitals that mention loss of control may not be persuasive, as per the AG’s Opinion in the Österreichische Post case.

It is also worth reflecting that the possibilities for collective compensation actions in the UK under the GDPR remain very difficult. The Lloyd v Google judgment made clear that the “same interest” test as an overriding objective of the civil procedural rules must be applied and it was unlikely the class members were impacted uniformly by the Safari browser workaround (the activity that was said to cause the alleged harm).

A number of representative actions against major technology companies have been withdrawn from the UK courts since the Lloyd v Google judgment. Some claimants are now proceeding with a focus on the tort of misuse of private information rather than the GDPR, but their case on damages will still need to pass the test of uniformity across the collective group and meet the “same interest” test. For example, on 19 May 2023, judgment was handed down in the Primsall v Google UK and Deepmind Technologies Limited case. The High Court decided that the representative claim (damages for misuse of private information, specifically “loss of control” of private information) could not proceed to trial as the action failed to meet the “same interest” test. It couldn’t be shown that every member of the claimant class had a realistic prospect of establishing a reasonable expectation of privacy or of crossing the de minimis threshold in relation to such an expectation. Further, the High Court concluded that it couldn’t be said of any member of the claimant class that they have a viable claim for more than trivial damages for loss of control of their information.

It appears that, the position in the UK courts on non-material damages for data protection breaches currently looks less claimant friendly and so more favourable to businesses, compared to the EU.

Competition law is the one area in the UK where true opt-out mass actions can currently be brought. The regime was introduced by changes to the Consumer Rights Act 2015. Initially it was not heavily used but several factors, such as the Supreme Court's decision in the case of Merricks v Mastercard in 2021, the availability of litigation funding, and the increasing prominence of claimant law firms, have changed that. We can also expect a greater number of competition claims to focus on issues related to uses of data.

Despite some arguments raised that this is an unfair discrepancy between competition and data protection law, the UK Government has not been persuaded to add any GDPR amendments to the UK Data Protection and Digital Information Bill No2 (currently at Committee stage in the House of Commons) on GDPR compensation and the UK regime looks set to stay the same for the foreseeable future.

Conclusion

Whilst a level of proportionality seems to be emerging in the regime for compensation claims under the GDPR, and there are now significant tests to be met to establish a claim, the prospect of parties trying to bring class actions for compensation in the EU remains real. Businesses should continue to monitor the landscape and ensure their GDPR compliance programs mitigate the risks of such claims being brought, alongside the risk of other enforcement actions from data protection authorities. GDPR fines and other enforcement actions remain a greater area of risk as there is a clearer and more established framework for their execution.