On October 6, 2022, the Advocate General (“AG”) of the Court of Justice of the European Union (“CJEU”) released an opinion in case C-300/21 to the effect that a controller or processor’s non-compliance with the GDPR does not automatically entitle data subjects to receive compensation for non-material damages pursuant to Article 82 GDPR. According to the AG, compensation is meant to remedy the consequences caused by a breach of the GDPR, and therefore a data subject must have suffered damage that he or she can affirmatively demonstrate.
The case arises from Austrian Post’s practice of collecting data, without consent, to determine the political affinity of members of the Austrian population. The claimant was assigned to a particular political affinity, although the claimant disagreed, and he thus decided to bring a claim for non-material damages (i.e., his inner discomfort).
The referring Austrian court asked the CJEU whether:
(1) compensation for non-material damages can be awarded solely based on an infringement of the GDPR, or whether, in addition, the claimant must have suffered harm as a result of the breach of the GDPR.
The AG is of the opinion that the claimant must have suffered damages as a result of the breach of the GDPR, in order to receive compensation under Article 82(1) of the GDPR. A mere infringement of the GDPR, without incurring damages will not give rise to a claim of non-material damages. The AG is also of the opinion that the GDPR does not provide for punitive damages, a position that is much less contested than the former.
(2) the damage caused by the infringement must have gone beyond the claimant’s “mere inconvenience” in order for an award for non-material damages to be appropriate. In other words, the GDPR requires a certain “threshold of seriousness” to be met in relation to the damage incurred, following which compensation may be awarded.
The AG is of the opinion that despite the broad definition of damage in the GDPR, compensation does not apply to all types of non-material damage and depends on the seriousness of the harm. More specifically, the AG distinguishes, on the one hand, between non-material damages that warrant compensation and, on the other hand, “mere upset” that would be insufficient to merit non-material damages.
(3) there is a presumption of damage once an infringement of the GDPR has occurred, due to the loss of control of the personal data.
The AG is of the opinion that the GDPR does not provide for a presumption of damage. According to the AG, the presumption of damage would be the same as granting compensation solely due to an infringement of the provisions GDPR, without needing to prove the existence of any actual damage. The AG therefore states that the loss of control, resulting from a data breach, would not necessarily generate recoverable damage.
Other cases pending before the CJEU on damages under the GDPR
- Case C-687/21 (German referral): This case concerns a data subject’s right to non-material damages resulting from the accidental disclosure of his or her personal data.
- Case C-741/21 (German referral): This case concerns a data subject’s right to non-material damages resulting from an infringement of the GDPR attributed to human error of a person acting under the authority of the controller.
- Case C-182/22 (German Referral): This case concerns a data subject’s right to non-material damages resulting from unauthorized access to data.
* * *
The AG’s opinion is not binding on the CJEU. The Covington Privacy and Cyber team will report back once the CJEU renders its judgment.