On March 4, 2023, the European Court of Justice (”CJEU”) issued its judgment on case C-300/21, UI v Österreichische Post AG. The CJEU held that the mere infringement of the GDPR does not, alone, give rise to a right to compensation for individuals. In the Court’s view, Article 82 requires establishing: (i) “damage”, either material or non-material; (ii) an actual infringement of the GDPR; and (iii) a causal link between the two. However, the CJEU also ruled that the right to compensation in the GDPR cannot be made contingent upon individuals satisfying a certain “seriousness” threshold, which is the case under Austrian law at present.
Background. The judgment in Österreichische Post arises from Austrian Post’s practice of processing data, without consent, relating to the actual or likely political affinities of members of the Austrian population. Austrian Post assigned the claimant to a particular political party in Austria, allegedly causing the claimant “upset, loss of confidence and a feeling of exposure”, i.e., purely non-material damage. On these grounds, the claimant sued Austrian Post in the civil courts, seeking both injunctive relief and EUR 1,000 in compensation for his damages (see our earlier blog on the Advocate General’s opinion in the case).
The case reached the Austrian Supreme Court, which referred certain questions of EU law to the CJEU. Among other things, the CJEU was asked to clarify whether mere infringement of the GDPR is sufficient to give rise to a right to compensation under Article 82 and, further, whether any compensation for non-material harm could be made contingent upon the alleged damages having “some weight” beyond “the upset”, effectively satisfying a certain threshold of “seriousness” in Austrian law.
Right to compensation. The CJEU clarified that, in order for the right to compensation to arise, three cumulative conditions need to be met: an infringement of the GDPR, material or non-material damage resulting from that infringement, and a causal link between the damage and the infringement. Consequently, the CJEU ruled that a mere infringement of a GDPR provision is insufficient to confer a right to compensation, without more being demonstrated by a claimant, notably that he or she suffered damage and that the infringement in question actually caused it.
Seriousness of the damage. The CJEU held that Member States may not condition the right to compensation for non-material damage upon a threshold of “seriousness” first being met, noting that the terms set out in Article 82, including the term “damage”, are to be given an “autonomous and uniform” interpretation in the EU. The Court placed particular weight upon other provisions of the GDPR, including recitals 10 and 146, in holding that the notion of “damage” should be interpreted expansively. Moreover, the Court made the practical observation that any other result would lead to compensation claims becoming subject to different Member State “seriousness” thresholds across the EU, which would be unhelpful to the uniform application of the GDPR. Significantly, however, the Court’s judgment does not relieve claimants of their burden of proving such damages exist, and that they were caused by the alleged infringement.
Determination of the compensation. Finally, on a further referred question, the CJEU noted that the GDPR does not contain any rules for determining the amount of damages to be paid out to claimants once they have established their claim. On this point, the CJEU held that national courts in the EU must apply existing domestic rules when deciding the amount of compensation to award to successful claimants, provided that the principles of equivalence and effectiveness in EU law are respected. The practical upshot of this is that the level of civil damages awarded across the Member States, for the same GDPR infringement, undoubtedly will continue to vary in the future. Put another way, while the GDPR standards for granting compensation for non-material harm may be aligned as a result of Österreichische Post, real-world damage awards will not be.
* * *
Covington’s Data Privacy and Cybersecurity Practice monitors CJEU cases closely and reports on relevant Court decisions and Advocate General opinions. If you have any questions about the interaction between data protection and local laws we are happy to assist.
(This blog post was written with the contributions of Alberto Vogel.)