Until now, damages claims awarded by German courts pursuant to Article 82 of the General Data Protection Regulation (“GDPR”) – in particular, claims for non-material damages – have been relatively low.  This restrained approach thus far has been predicated primarily on the position that German law requires a serious violation of personality rights to justify higher claims for non-material damages.  Two recent cases decided by regional courts illustrate and confirm this prevailing stance.  However, a more recent decision issued by the Federal Constitutional Court indicates that views in Germany may be evolving on this topic, and courts may soon be willing to entertain higher damages claims.

Prevailing German View of Damages Claims under the GDPR

In September 2020, the Regional Court of Hamburg held that not every infringement of privacy law justifies a damages claim.  Rather, the Court said, there must be an identifiable and effective violation of personality rights, which does not necessarily exist as a result of potential disadvantages that one might suffer as a consequence of a data breach.

Similarly, in November 2020, the Regional Court of Landshut also held that a violation of privacy law does not automatically result in a damages claim.  Rather, said the Court, the infringement must in each case also lead to a specific (not merely insignificant or perceived) infringement of the personality rights of the data subject.  Accordingly, the data subject must have suffered a noticeable disadvantage, and the impairment must be objectively comprehensible (with some consideration given to personal interests).

The courts in both of these cases align with the prevailing view in Germany of damages claims brought under the GDPR – namely, that an aggrieved party will need to demonstrate a clear, specific and objective harm that has resulted from a violation of data protection law to be awarded a claim for damages.

Change on the Horizon?

This restrained approach to damages claims in Germany may be subject to change in the near future.  In a case decided in January 2021, Germany’s Federal Constitutional Court held that the issue of whether or not (and if so, the extent to which) a damages claim brought pursuant to Article 82 GDPR is subject to certain evidentiary requirements must be decided under European law and – if necessary – clarified by the Court of Justice of the European Union (“CJEU”).  Here, the German Federal Constitutional Court quoted Recital 146, sentence 3 of the GDPR, which states “…the concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of this Regulation.”

This decision of the Federal Constitutional Court was preceded by a ruling of the Local Court of Goslar, in which the Court refused a non-material damages claim submitted by a person who received an advertising e-mail without giving prior consent.  There, the Court held that no harm was apparent – only a single unsolicited advertising e-mail was sent, the e-mail clearly indicated from its appearance that it was related to advertising, and this resulted only in a temporary inconvenience to the individual.  Interestingly, it appears the Federal Constitutional Court has (perhaps intentionally) selected a de minimis case to bring this question to the attention of the CJEU, rather than a more egregious violation of data protection law.

Conclusion

In addition to the high fines imposed by German supervisory authorities in the recent past for data breaches, this development opens up another potential avenue for legal proceedings.  Data breaches often affect a large number of data subjects who can easily transform into plaintiffs – including collectively, for mass proceedings.  If the CJEU continues to follow its data protection-friendly line of reasoning and pursue effective enforcement of data protection law, damages claims pursuant to Article 82 GDPR and legal proceedings based on such claims may become the new norm and much more important in the future.

While the area of data protection law – at least in Germany – has so far focused primarily on material compliance issues, in the future, other tactical and strategic legal aspects may also become increasingly important.