The Advocate General of the Court of Justice of the EU has issued an Opinion stating that mere "upset" is not sufficient to give rise to a claim for compensation under Article 82 of the GDPR.
In the underlying case, the defendant (a postal company) collected personal data (including that of the claimant) for the purpose of publishing address directories. The defendant used an algorithm to classify the claimant within possible target groups for election advertising. The claimant objected to this use of his personal data, and commenced proceedings against the defendant, seeking compensation of EUR 1,000 as non-material damage under Article 82 of the GDPR. He argued that this processing caused him great upset by being insulting, shameful, and extremely damaging to his reputation.
The claim was dismissed in the court of first instance and that dismissal was confirmed by the appellate court. It was then appealed to the Austrian Supreme Court of Justice, who referred the following questions to the Court of Justice of the European Union ("CJEU"):
- Does an award of compensation under Article 82 of the GDPR require that an applicant must have suffered harm resulting from an infringement of the GDPR? Or is the existence of the infringement, in itself, enough to entitle an applicant to compensation?
- Does the assessment of compensation depend on further EU law requirements in addition to the principles of effectiveness and equivalence?
- Is it compatible with EU law to take the view that an award of compensation for non-material damage requires the applicant to have suffered a harm (resulting from infringement of the GDPR) that goes beyond the "upset" caused by the infringement?
In his Opinion, Advocate Manuel Campos Sánchez-Bordona drew the following conclusions:
- Mere infringement of the GDPR (without any resulting material or non-material damage) should not entitle an applicant to compensation under Article 82.1
- The EU law principles of "equivalence" and "effectiveness" should not play an important role in the assessment of compensation. The Advocate General lists the relevant issues, but concludes that decisions on compensation will depend on the nature of each claim. Ultimately, the Opinion leaves the task of assessing the level of any compensation to the relevant national court.2 One point to note is that the Advocate General leaves open the possibility that compensation might not only take the form of financial compensation, and could also include components such as an admission of wrongdoing.
- Compensation for non-material damage requires a claimant to demonstrate more than mere "upset". Nevertheless, there is a fine line between "mere upset" (which is not eligible for compensation) and "genuine non-material damage" (which is eligible for compensation) - the task of determining whether subjective feelings of displeasure are sufficient to amount to non-material damage falls to the national courts of Member States.3
On the whole, these conclusions are good news for controllers. The Advocate General acknowledges the need to prevent a wave of potentially unjustified civil proceedings based on technical infringements without proof of any harm.4 The Opinion advises the CJEU to create appropriate safeguards so that data subjects cannot abuse the GDPR to claim compensation for a plain allegation of annoyance or being upset.5 In particular, the Advocate General stated that there is "no reason why loss of control over data should necessarily create damage".6 In drawing these conclusions, the Advocate General notes that the concept of "punitive damages" should not apply to civil liability under Article 82 of the GDPR.7
Nevertheless, this Opinion leaves Member State courts with some discretion as to where to draw the line between mere "upset" (which is not sufficient to claim damages) and "non-material damage" (which is sufficient to claim damages). It therefore remains to be seen whether (and at what level) national courts in the EU will set the de minimus threshold of anger and frustration towards an infringement to entitle a data subject to compensation under Article 82 of the GDPR. As with all Advocate General Opinions, it also remains to be seen whether the CJEU will adopt the positions set out in this Opinion. Controllers would be well advised to keep this case under review, as it is likely to have substantial consequences with respect to financial liability for infringements of the GDPR.
1 Opinion, paragraph 52.
2 Opinion, paragraphs 83-94.
3 Opinion, paragraph 116.
4 Opinion, paragraph 55.
5 Opinion, paragraph 112.
6 Opinion, paragraph 62.
7 Opinion, paragraph 52.
Renee Phil-Agbasi and Aliya Manji, Trainee Solicitors at White & Case, assisted in the development of this publication.