Compensation after infringement of the General Data Protection Regulation: European developments
The General Data Protection Regulation (GDPR) is one of the most significant development in the European data strategy in the past years and is continuously evolving. One of the topics that has recently received a lot of attention, in both literature and court rulings, is the compensation for damage as a result of infringement of the GDPR and, more specifically, whether this right applies only to damage actually suffered or whether a GDPR violation without concrete damage also gives rise to this right. In its judgment of 4 May 2023 in the case of UI/Österreichische Post AG, the European Court of Justice (the Court of Justice) answered the question when a party is entitled to compensation for non-material damage. Unsurprisingly, the Court of Justice found that mere violation of the GDPR does not create the right to compensation. It also found that no specific threshold applies in order for a party to be entitled to compensation for non-material damage.
Grounds for damages: Article 82 of the GDPR
Article 82 of the GDPR gives any person who has suffered material or non-material damage as a result of an infringement of the GDPR the right to receive compensation from the controller or processor for the damage suffered. An infringement of the GDPR, material or non-material damage, and a causal link between the infringement and the damage suffered are therefore necessary conditions for compensation.
The attribution of the right to compensation under the GDPR differs from the regime that customarily applies in the Netherlands, such as the doctrine of the wrongful act under Article 6:162 of the Dutch Civil Code, whereby an attributable wrongful act gives rise to the obligation to compensate damage suffered. This damage may be either material or non-material. The GDPR, on the other hand, does not require that the damage is attributable to the party in question. Although Article 82 of the GDPR does not expressly refer to national law, it is evident that Member States apply their national rules on damages in this regard.
Non-material damage
There is still a great deal of debate in literature and case law regarding situations in which non-material damage resulting from an infringement of the GDPR may give rise to a right to compensation. Specifically, it was unclear whether an infringement of the GDPR in and of itself may give rise to such a right.
Proponents of the view that under certain conditions an infringement of the GDPR automatically results in compensable damage argue in favour of an autonomous and broad interpretation of Article 82 of the GDPR. A significant limitation that they make is that only a substantial infringement can give rise to compensable damage, such as a data subject’s loss of control over his or her personal data. Control over personal data is one of the objectives of the GDPR, and loss of that control is referred to in the recitals to the GDPR as possible damage.
Opponents of this view take the position that the compensation under Article 82 focuses only on actual damage suffered. Accordingly, that article should be interpreted as having only a compensatory rather than a punitive function. Such a punitive function can allegedly sooner be found in Articles 83 and 84 of the GDPR, which deal with fines that can be imposed by supervisory authorities.
In Dutch case law it is clear that, although lower case law sometimes differs from this view, the Administrative Law Division of the Council of State has repeatedly ruled that an infringement of the GDPR does not automatically lead to compensable damage (e.g. in the judgment of the Council of State of 26 January 2022, ECLI:NL:RVS:2022:230). Alleged damage must be substantiated in the form of concrete evidence to demonstrate, for example, that a violation of the GDPR leads to violation of a person’s privacy rights, and what adverse consequences this has had (Council of State judgment of 1 April 2020, ECLI:NL:RVS:2020:898).
Opinion of the Advocate General
The same matter has also been discussed at a European level for some time already. An Austrian citizen, for instance, claimed €1,000 in damages from the Österreichische Post (Austrian Post) because that postal company collected information on the political affinity of Austrian citizens by using an algorithm. The citizen in question claimed that this political attribution caused him serious emotional distress and embarrassment. The Austrian Oberster Gerichtshof then submitted preliminary questions to the European Court of Justice regarding the determination of non-material damages. Briefly stated, the Austrian court asked whether it is correct to assume that a violation of the GDPR always implies the existence of non-material damage.
In his advisory opinion of October 2022, Advocate General Campos Sánchez-Bordona found that the damage suffered must be specified in order for compensation to be claimed. Unlike the parties in question, the Advocate General did not find that an indisputable assumption of damage exists as soon as an infringement of the GDPR occurs. According to the Advocate General, a loss of control over personal data therefore does not inevitably lead to damage. Actual damage must be proven.
It is also not the case that all non-material damage, regardless of its severity, is eligible for compensation: ‘annoyance’ as a result of an infringement of the GDPR cannot lead to compensation. A distinction must be made between non-material damage that is eligible for compensation and other inconveniences that, while arising from non-compliance with the GDPR, do not necessarily create the right to compensation owing to their insignificance.
The European Court of Justice
The European Court of Justice subscribed to the Advocate General’s opinion. It found that the concept of damage, both material and non-material, must be interpreted autonomously under the GDPR. According to the Court of Justice, mere violation of the GDPR does not create entitlement to compensation. In its opinion, that would not be in line with the clear wording of the GDPR. To be eligible for compensation under the GDPR, three cumulative conditions must be met: (i) violation of the GDPR; (ii) material or non-material damage; and (iii) a causal link between the violation and the damage.
However, the term ‘damage’ must be interpreted in a broad sense. The GDPR does not contain a materiality threshold for the required severity of the damage. According to the Court, any such limitation in national law would conflict with the broad concept of ‘damage’ used by the EU legislature. At the same time, a person affected by a GDPR violation that has detrimental effects for him or her would still have to prove that those effects constitute non-material damage within the meaning of Article 82 of the GDPR. In other words, there is no entitlement to compensation if no damage is suffered. On the other hand, the Court of Justice does not impose any further requirements in the case of non-material damage regarding the severity of that damage.
Finally, the Court of Justice noted that the GDPR contains no rules for determining the amount of the compensation. It is up to the Member States to adopt further rules on the enforcement of data subjects’ rights under the GDPR. In doing so, Member States should pay particular attention to the criteria for determining the amount of the compensation due, while complying with the principles of equivalence and effectiveness. The Court of Justice noted that this is line with the compensatory function of the right to compensation under the GDPR, which aims to achieve full and effective compensation for the damage suffered.
What's next
Since the Court of Justice has ruled that violation of the GDPR does not automatically lead to damage, the damage must be specifically demonstrated if compensation is claimed. As previous case law has shown, it is difficult to prove such damage as a result of a GDPR violation, and the amount of the compensation in Dutch case law has always been relatively low. The Court of Justice’s ruling thus appears to offer some assurance and certainty to organizations facing claims for damages under the GDPR. It will be a relief to many organizations that mere violation of the GDPR does not create a right to compensation, particularly given the developments regarding the Wet afwikkeling massaschade in collectieve actie (Settling of Large-scale Losses or Damage (Class Actions) Act). Claims and collective actions are less likely to succeed if no damage is suffered beyond mere ‘annoyance’. On the other hand, the Court of Justice has made it somewhat easier to obtain compensation by ruling that no severity threshold applies to non-material damage. This significantly lowers the limit previously applied.
The authors would like to thank legal assistant Thijs van Hooren, working student at Stibbe's TMT/IP practice group, for his contribution to this blog.