On October 6, 2022, the Advocate General (“AG”) of the Court of Justice of the European Union (“CJEU”) released an opinion in case C-300/21 to the effect that a controller or processor’s non-compliance with the GDPR does not automatically entitle data subjects to receive compensation for non-material damages pursuant to Article 82 GDPR.  According to the AG, compensation is meant to remedy the consequences caused by a breach of the GDPR, and therefore a data subject must have suffered damage that he or she can affirmatively demonstrate.

The case arises from  Austrian Post’s practice of collecting data, without consent, to determine the political affinity of members of the Austrian population.  The claimant was assigned to a particular political affinity, although the claimant disagreed, and he thus decided to bring a claim for non-material damages (i.e., his inner discomfort).

The referring Austrian court asked the CJEU whether:

(1) compensation for non-material damages can be awarded solely based on an infringement of the GDPR, or whether, in addition, the claimant must have suffered harm as a result of the breach of the GDPR. 

The AG is of the opinion that the claimant must have suffered damages as a result of the breach of the GDPR, in order to receive compensation under Article 82(1) of the GDPR.  A mere infringement of the GDPR, without incurring damages will not give rise to a claim of non-material damages.  The AG is also of the opinion that the GDPR does not provide for punitive damages, a position that is much less contested than the former. 

(2) the damage caused by the infringement must have gone beyond the claimant’s “mere inconvenience” in order for an award for non-material damages to be appropriate.  In other words, the GDPR requires a certain “threshold of seriousness” to be met in relation to the damage incurred, following which compensation may be awarded.

The AG is of the opinion that despite the broad definition of damage in the GDPR, compensation does not apply to all types of non-material damage and depends on the seriousness of the harm.  More specifically, the AG distinguishes, on the one hand, between non-material damages that warrant compensation and, on the other hand, “mere upset” that would be insufficient to merit non-material damages.

(3) there is a presumption of damage once an infringement of the GDPR has occurred, due to the loss of control of the personal data.

The AG is of the opinion that the GDPR does not provide for a presumption of damage.  According to the AG, the presumption of damage would be the same as granting compensation solely due to an infringement of the provisions GDPR, without needing to prove the existence of any actual damage.  The AG therefore states that the loss of control, resulting from a data breach, would not necessarily generate recoverable damage.

Other cases pending before the CJEU on damages under the GDPR

  • Case C-687/21 (German referral): This case concerns a data subject’s right to non-material damages resulting from the accidental disclosure of his or her personal data.
  • Case C-741/21 (German referral): This case concerns a data subject’s right to non-material damages resulting from an infringement of the GDPR attributed to human error of a person acting under the authority of the controller.
  • Case C-182/22 (German Referral): This case concerns a data subject’s right to non-material damages resulting from unauthorized access to data.

*                             *                             *

The AG’s opinion is not binding on the CJEU.  The Covington Privacy and Cyber team will report back once the CJEU renders its judgment.

Tags: Article 82 GDPR, case C-300/21, CJEU, Compensation, GDPR, Non-Material Damages
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.

Read more about Dan CooperEmail
Show more Show less
Photo of Kristof Van Quathem Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty…

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.

Kristof is admitted to practice in Belgium.

Read more about Kristof Van QuathemEmail
Show more Show less
Photo of Anna Sophia Oberschelp de Meneses Anna Sophia Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses advises on EU data protection, cybersecurity, and consumer law. Her practice covers the full range of Europe’s digital regulatory framework, including GDPR, ePrivacy, NIS2, the Cyber Resilience Act, the AI Act, the Digital Services Act, the Data Act…

Anna Sophia Oberschelp de Meneses advises on EU data protection, cybersecurity, and consumer law. Her practice covers the full range of Europe’s digital regulatory framework, including GDPR, ePrivacy, NIS2, the Cyber Resilience Act, the AI Act, the Digital Services Act, the Data Act, the European Health Data Space, and EU consumer protection law, including product safety, product liability, and consumer rights legislation. She focuses on the operational side of compliance — helping clients design policies and processes, draft documentation, and build the internal frameworks needed to meet regulatory requirements in practice.

She also advises on contentious matters, drawing on experience managing investigations before national regulators and proceedings before national courts and the Court of Justice of the European Union. She works closely with Covington’s disputes teams on matters at the intersection of regulatory compliance and litigation.

Read more about Anna Sophia Oberschelp de MenesesEmailAnna Sophia's Linkedin Profile
Show more Show less