Not every mere infringement of the GDPR may result in compensation

2023 marks 5 years since the adoption of the General Data Protection Regulation (‘‘GDPR’’), and whilst the relevant stakeholders have become largely accustomed to it, questions about its interpretation and enforcement still crop up requiring preliminary rulings from the CJEU. Such a question came up in UI vs. Österreichische Post AG, decided on 4 May 2023, which confirmed, inter alia, that the mere infringement of the GDPR does not equate to a claim for compensation.

Background of the case

By way of background, the case concerned Österreichische Post, an Austrian company which collected information on the political affinities of the Austrian population. By means of an algorithm, the collected data was repacked and sold to various organisations to enable them to send targeted advertising. Through statistical extrapolation of the data, Österreichische Post was able to determine that the applicant in the main proceedings (the ‘‘Applicant’’) was more inclined to vote for a particular party. Although this data was not shared with any third parties, the Applicant felt aggrieved that it was processed without his consent, holding that it caused him great distress, a loss of confidence and a feeling of exposure.

The Applicant brought proceedings before the Regional Court of Civil Matters in Vienna (the ‘‘Regional Court’’), requested that his data is no longer processed, whilst also claiming the sum of EUR1000 from Österreichische Post, by way of compensation for the non-material damages that were caused to him, as a result of the unlawful processing of his data. Whilst being receptive of his request for the injunction for Österreichische Post to stop processing his data, the Regional Court rejected the claim for compensation.

This led the Applicant to appeal before the Higher Regional Court in Vienna (the ‘‘Appellant Court’’), however this once again proved unsuccessful, and the Appellant Court rejected his claim for damages. The Appellant Court argued that Austrian law requires that for a claim for compensation of damages to be successful, the damage caused must reach a certain ‘threshold of seriousness’ which was not reached in this particular instance.

Ultimately, the matter ended up before the Supreme Court of Austria (the ‘‘Referring Court’’), where it had to determine whether the mere infringement of a provision of the GDPR can give rise to damages, and whether compensation can only be claimed if the non-material damage suffered, reaches a certain degree of seriousness. Unsure on the way forward the Referring Court, inter alia, referred the following questions to the European Court of Justice (the ‘‘ECJ’’):

  1. Does the award of compensation under Article 82 of the GDPR also require, in addition to infringement of provisions of the GDPR, that an applicant must have suffered harm, or is the infringement of provisions of the GDPR in itself sufficient for the award of compensation?
  2. Does the assessment of the compensation depend on further EU-law requirements in addition to the principles of effectiveness and equivalence?
  3. Is it compatible with EU law to take the view that the award of compensation for non-material damage presupposes the existence of a consequence [or effect] of the infringement of at least some weight that goes beyond the upset caused by that infringement?’

Is mere infringement enough to have a claim for damages?

Regarding the first question, the Referring Court requested a clarification from the ECJ as to whether the mere infringement of the GDPR alone could give rise to a claim in damages. On this matter, the ECJ firstly argued that Article 82 makes no reference to Member States’ national law, meaning that it is an autonomous concept of EU law, and a harmonized interpretation must be adopted across the EU.

Adopting a literal interpretation, the ECJ observed that an infringement of the GDPR is only one of the conditions included in article 82(2). As reasoned by the Court, for a right to compensation to arise, the data subject must have suffered damage and there must exist a causal link between that damage and the infringement. Without these three cumulative conditions, the right to compensation does not arise. Thus, the ECJ argued that it cannot be held that ‘‘any infringement’’ creates a right to compensation; the other conditions of “damage suffered” and a “causal link” must also be satisfied. The ECJ further noted that the recitals of the GDPR support the interpretation that there must be damage suffered and a causal link between the infringement and damage suffered, for a right to compensation to be established.

In support of its interpretation, the ECJ also compared the wording of article 82 to other provisions of the GDPR. It held that, provisions such as Articles 83 and 84 GDPR which relate to the imposition of administrative fines and other penalties, can be applied without needing to have an element of individual damage. Contrastingly, Article 82 GDPR requires that there is the existence of damage.

The determination of damages payable and national rules

Through its second question, the Referring Court essentially asked the ECJ to clarify whether the amount of damages payable under Article 82 GDPR as compensation for breaches is to be determined by domestic rules, in line with the principles of equivalence and effectiveness of EU law.

On this matter the ECJ held that, given that the GDPR does not itself contain any rules that govern the assessment of such damages, it falls on the national rules of each Member State to determine the criteria for determining the extent of the compensation payable. However, when making said determination, Member States must ensure that they respect the principles of equivalence and effectiveness. Notably, the Court also endorsed the opinion advanced by the Advocate General that compensation based on this provision must be regarded as “full and effective” if it allows the damage actually suffered as result of the infringement to be compensated in its entirety, without there being any need to require the payment of punitive damages.

The validity of the threshold of seriousness test

The CJEU was further tasked with clarifying whether Article 82 GDPR allows national rules which limit the award of compensation on condition that the damage suffered as a result of an infringement of the GDPR, reaches a ‘threshold of seriousness’. In substance, the question was whether an infringement of the GDPR, which results in non-material damage, was sufficient in itself to create a right to compensation or must that non-material damage reach a certain threshold of seriousness?

In providing insight on this matter, the ECJ held that recital 146 clearly indicates that the concept of damage is to be given a broad interpretation, to ensure that the objectives of the GDPR are protected. Thus, choosing to limit the concept of damage to only instances where the damage relates to a certain degree of seriousness would be contrary to the wide interpretation of damage that the GDPR is intended to have. The ECJ further noted that having in place such a threshold would lead to undermining the harmonized rules that the GDPR intends to put in place, since the threshold of seriousness would be subject to a case-by-case assessment by the relevant court seized with the matter, rather than a uniform interpretation. This led to the ECJ to conclude that natural rules or practices which, in terms of non-material damage, create a condition that the damage must reach a certain degree of seriousness to be eligible for compensation are precluded under Article 82 of the GDPR.

Concluding Remarks

Although relatively lean, the Court’s decision will almost certainly have a pronounced impact on the nature and extent of compensation which Member State courts will in principle be able to award for data protection infringements.  On the one hand, the judgement makes it clear that mere infringement of the GDPR will not amount to a claim of damages, which going forward could potentially deter or stifle frivolous claims which allege a breach of the GDPR without being substantiated by any damages having actually been suffered.  On the other hand, by proclaiming that national rules limiting claims for damages subject to them reaching a ‘threshold of seriousness’ are invalid, the CJEU’s decision effectively impedes Member States from distinguishing between claims for compensation and their eligibility based on their perceived degree of seriousness. The existence of an infringement, damage suffered by the claimant, and a causal link between that damage and the infringement, are the conditions which need to be taken into account.

On a concluding note, given that the ECJ has held that rules governing assessment of the extent of the damages payable are to be determined by national law, there is, in the author’s opinion, a possibility that this could lead to diverging practices between Member State courts. This is however a matter which will need to be monitored over time.

This article was first published on The Malta Independent on 05/07/2023.