Groundbreaking Decision in Europe: CJEU Denies a Minimum Threshold for Raising Non-Monetary GDPR Damage Claims

5 minute read | May.05.2023

On 4 May 2023 the European Court of Justice ("CJEU") published its decision (case no. C-300/21) in which it ruled that not any infringement of the General Data Protection Regulation ("GDPR") triggers the right to compensation provided by Art. 82 of the GDPR. The Court held that the right to compensation provided by Art. 82 of the GDPR requires (i) an infringement of the GDPR, (ii) a damage caused to the impacted individual, and (iii) a causal link between the infringement and the damage. The CJEU further ruled that there is no minimum threshold for damage claims. National Member States’ law need to define the criteria for assessing damages while ensuring that the compensation of a damage is comprehensive and effective.

What happened?

Starting in 2017, Austrian Post (Österreichische Post), a company trading addresses, collected information on the political affinities of individuals using an algorithm that considered various social and demographic characteristics. The data thus generated was sold to various organizations for targeted advertising. During its activities, the Austrian Post identified a high affinity of the plaintiff to a certain Austrian political party based on statistical extrapolation of the collected data. This information was not transmitted to third parties. However, the plaintiff – who had not consented to the processing – felt offended by the fact that an affinity to a certain party was attributed to him. He further argued that the storage of data on his presumed political opinions by Austrian Post had caused him great upset, a loss of confidence as well as a feeling of being exposed. The plaintiff therefore brought an action against Austrian Post for (i) an injunction to stop the disputed data processing and (ii) payment of EUR 1,000.00 as compensation for the non-material damage.

The Austrian Supreme Court did not uphold Austrian Post's appeal against the injunction imposed on it, but submitted following questions to the CJEU in the appeal proceedings against the dismissal of the claim for damages:

Does the award of compensation under Article 82 of [the GDPR] also require, in addition to infringement of provisions of the GDPR, that an applicant must have suffered harm, or is the infringement of provisions of the GDPR in itself sufficient for the award of compensation?
Does the assessment of the compensation depend on further EU-law requirements in addition to the principles of effectiveness and equivalence?
Is it compatible with EU law to take the view that the award of compensation for non-material damage presupposes the existence of a consequence [or effect] of the infringement of at least some weight that goes beyond the upset caused by that infringement?

Implications and Key Takeaways of the Ruling for Controllers?

Any company that is established in the European Union ("EU") or is otherwise subject to the GDPR, for example as the company offers goods and services to individuals in the EU, can be subject to a damage claim under the GDPR. Thus, this decision may concern any company with connections to the EU. The risk of damage claims is particularly high in case of data breaches and where individuals exercise their rights under the GDPR, such as access rights.

This ruling is unlikely to make the dispute over the correct interpretation of damage claims under the GDPR disappear altogether. However, it clarifies that a materiality threshold is not required and that the violation of the GDPR alone does not trigger a damage claim. The ruling will likely ignite a dispute over the question of whether and under what conditions a non-material damage is justified, and we expect a scattered approach across the EU.

Essentials of the Ruling

Criteria for Damage Claims

The GDPR distinguishes between the term "damage" and "infringement" so that an infringement of the provisions of the GDPR in itself does not automatically give rise to a right to compensation.
There are three conditions that must be cumulatively met to claim damages under Art. 82 GDPR, namely;
- a processing of personal data that infringes the provisions of the GDPR;
- a damage suffered by the individual; and
- a causal link between the unlawful processing and the damage.
The claim for damages differs from other remedies, such as administrative fines that have punitive purpose and are not conditional on the existence of individual damage.

Threshold of Seriousness

The claim for (immaterial) damages does not require a certain threshold of seriousness to be met (i.e., no need to reach a certain level of materiality) - a deviating interpretation would contradict the GDPR's intention to interpret the concept of damage broadly to be in consistence with the GDPR's objectives of a high level of protection of individuals and a consistent and uniform application of the GDPR.
Individuals impacted by an infringement of the GDPR must demonstrate that the infringement of the GDPR caused a (non-material) damage.

Assessment of Damages

The GDPR does not contain any provision to define the rules on the assessment of the damages to which an individual is entitled as a result of an infringement of the GDPR. In the absence of such provisions, it is for the legal system of each member state to prescribe the detailed rules governing actions for safeguarding damage claims under Art. 82 GDPR, including the criteria for determining the extent of the compensation payable in that context. However, these systems must observe the principles of equivalence (i.e., procedures for the remedies according to Union law must not be less favorable than those governing similar domestic matters) and effectiveness (i.e., the implemented procedures do not make it excessively difficult or impossible in practice to exercise the rights under Union law).
In light of the compensatory function of the damage claim, financial compensation based on Art. 82 GDPR must be regarded as "full and effective" if it allows the damage suffered to be compensated in its entirety – this does not require the payment of punitive damages.
National courts must apply member state rules relating to the extent of financial compensation, provided that the Union law principles of equivalence and effectiveness (see above) are observed.

Further Proceedings

The Austrian court of appeal will now have to decide whether a claim for damages in the amount of EUR 1,000.00 is justified under the terms of this ruling. In so far, the court will also have to decide on whether an individual suffers immaterial damage if (s)he feels offended, greatly annoyed, loses confidence, or feels being exposed by the processing activities at issue.

Authors

Julia Apostle Partner, Technology Transactions, Cyber, Privacy & Data Innovation

Paris

See my bio

D:+33153537500
E: [email protected]

Practice:

Technology & Innovation Sector
Technology Transactions
Cyber, Privacy & Data Innovation
Technology & Innovation

vCard

See full bio

Julia Apostle Partner

Paris

Julia counsels on compliance issues in relation to European and French tech and data regulations, including the GDPR, the Digital Services Act, the regulation of AI, the Data Act and other new and emerging legislation impacting online platforms, technology developers, and eCommerce businesses. She advises companies of all sizes on a wide range of compliance matters, ranging the drafting of internal policies, to assisting with regulatory investigations, and product counseling.

In the context of strategic transactions covering significant and complex technological issues, she is involved in the drafting and negotiation of agreements relating to data transfer, IT, software, content and brand licensing.

Qualified to practice in the UK and France, Julia is deeply familiar with the commercial considerations’ clients face, having practiced in-house at Twitter, Financial Times and CBS for more than a decade prior to joining Orrick.

Dr. Christian Schröder Partner, Cyber, Privacy & Data Innovation, Technology Transactions

Düsseldorf

See my bio

D:+49 211 3678 7269
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Technology Companies Group
Automotive Technology & Mobility
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Dr. Christian Schröder Partner

Düsseldorf

Christian helps clients consider the privacy and artificial intelligence implications of new technology, supports their compliance programs, and helps them stay ahead of enforcement trends. One particular focus of his work deals with internal data transfer agreements, external data transfers with external providers, and product launches that comply with international data protection standards, as well as privacy requirements for connected cars. Furthermore, Christian provides guidance on privacy and data protection considerations for developing, acquiring, using, licensing and selling technology, data and intellectual property, including M&A transactions and IP focused joint ventures. He supports companies on the set-up of webshops, outsourcings, license agreements, in cases of trademark or unfair and deceptive trade practice issues, as well as on hard and software license and information technology (IT) project agreements.

Christian maintains strong working relationships with German data protection authorities and EU regulatory authorities with jurisdiction over privacy and data security matters. He effectively defends companies in cybersecurity and privacy-related investigations initiated by EU regulatory authorities. He also engages with authorities on behalf of clients and helps clients avoid proceedings and possible litigation. When litigation can't be avoided, Christian vigorously defends his clients.

For companies facing global cybersecurity incidents, Christian helps with crisis mitigation, including counseling on notification requirements, coordinating media strategies, and representing clients before data protection authorities in related regulatory investigations.

Christian regularly contributes practical thought leadership to global privacy industry publications and German privacy books and journals. Christian authors the Chapter V (international data transfers) of Germany’s leading GDPR commentary Kühling/Buchner (4th ed.) and is co-author to the Corporate Privacy Handbook (Betrieblicher Datenschutz). As an active member of the Sedona Conference, Christian drives the development and understanding of cross border privacy. He also participates in, hosts and moderates speaking programs with fellow private practitioners, EU data protection authorities, and academics focused on privacy and data security. Legal 500 Germany named Christian one of the top 15 practitioners in 2023 and noted that he is "a pioneer in the legal field, a data protection guru." They also recognized Christian and Orrick as "truly global" and how that it is "vital as they require the various leaders of each region to participate and bring issues to the table as a forum".

Prior to working in private practice, Christian interned with the German Federal Data Protection Commissioner and www.epic.org.