7 minute read | October.14.2022
While claims for damages in the event of data protection violations have theoretically existed for some time, they have been gaining in importance since the introduction of the General Data Protection Regulation ("GDPR").
In Germany in particular, there are more and more private actors which, after a GDPR violation, specifically advertise to affected persons in order to enforce their claims for damages. In addition, it has become popular for attorneys in employment dismissal cases to claim substantial damages against employers for, at times, very minor breaches of GDPR obligations.
Several EU Member States courts have thus asked the European Court of Justice ("ECJ") for its view on how to interpret the right to claim damages [See here]. On 6 October 2022 the ECJ’s Advocate General issued a long-awaited opinion in case C-300/21on how to interpret Art. 82 GDPR. Unlike many predicted, the Advocate General sets the bar for obtaining damages high. If the ECJ follows this opinion (which is often the case), the ruling would bring a significant relief to businesses.
The opinion of Advocate General Manuel Campos Sánches-Bordona is based on proceedings against Österreichische Post AG, a mail carrier that also publishes address directories.
Based on various socio-demographic characteristics, the company collected the political party affinities of Austrian data subjects using an algorithm for the purpose of targeted election advertising. The data subjects were unaware of this process and were not asked for their consent.
One of the individuals affected by the data processing felt "upset and angered" by the party attributed to him by Österreichische Post AG and therefore sued the latter for damages in the amount of EUR 1,000 to compensate for the resulting immaterial damage (internal discomfort and damage to his credit reputation).
In the first two court instances, the action was dismissed on the grounds that under Austrian civil law a claim for damages requires a certain materiality of the damages claimed.
After the plaintiff had filed an appeal against these decisions, the Austrian Supreme Court referred a number of questions to the ECJ, which dealt with the interpretation of the claim for damages under Art. 82 (1) GDPR. In particular, the questions were: (1) Does infringement of the GDPR alone give rise to a claim for compensation, regardless of whether actual harm is caused?; (2) Does the assessment of the compensation depend on EU-law requirements in addition to the principles of effectiveness and equivalence?; and (3) Is it compatible with European law to require that compensation for non-material damages meet some threshold of seriousness over and above merely being "upset and angered" over the infringement? The Advocate General answered the first two questions in the negative, and the third question in the affirmative. The main findings of the decision are set out below.
The Advocate General concludes that a GDPR violation does not necessarily lead to damage or to a claim for damages independent of the existence of actual damage. The Advocate General argues that such an interpretation is not reflected in the wording of Art. 82 GDPR. The purpose of the provision also speaks against such an interpretation, because a claim for damages serves to compensate for a disadvantage suffered. However, if a GDPR violation alone always led to an obligation to pay damages, these would in fact constitute a sanction.
The Advocate General considered whether a national legal system could introduce punitive damages that would be independent of the actual existence of damage. He rejects this on the following grounds:
According to the wording of the GDPR, only sanctions, but not damages, are intended to have a "real deterrent effect," which speaks against the admissibility of punitive damages. Historically, and resulting from a systematic interpretation, this is because the compensatory nature of the damages is regulated separately from the system of sanctions by the supervisory authorities. The possibility to profit from a GDPR violation would render the right to complain to a supervisory authority unattractive. Additionally, according to the purpose of the GDPR, the right to claim punitive damages would inhibit the free movement of data as it could discourage data processing because of fear of civil litigation and are not needed for the protection of data subjects.
The Advocate General also rejects the parties' argument that, in the event of a GDPR violation, an irrebuttable presumption of damage arises from the loss of control over the data.
The GDPR does not contain a clear statement on this. It is true that there are mechanisms that allow a certain degree of control over one's own data. However, this individual control must be balanced against the interests of third parties and society. Furthermore, the fundamental right to data protection under Art. 8 of the Charter of Fundamental Rights cannot be equated with the right to informational self-determination, which exists in some Member States.
The Advocate General explains the different forms of damages. Apart from the already mentioned indication that the award of punitive damages does not find any support in the GDPR, the GDPR does not contain any further restrictions or requirements in this regard. Thus, damages may be awarded in accordance with national requirements. However, the difficulty of proving damages is not in itself sufficient to award symbolic damages.
Finally, the Advocate General considers whether, in order for damages to be awarded, the infringement must have a certain weight which at least goes beyond the annoyance or upset caused by the infringement.
The Advocate General proposes, against the background of the ECJ case law, a distinction between mere disadvantages that have to be accepted in a society and real damages that have to be compensated. If every feeling of displeasure were to qualify as damage, the threshold would be so low that this in turn would lead to a claim for damages with regard to every violation of the GDPR. Further, the data subject has other remedies available under the GDPR as compensation for negative emotions resulting from a breach of the GDPR.
The respective national courts will have to decide when the limit to non-material damage is reached in each case. In doing so, they enjoy a certain margin of appreciation.
Similar national regulations on damages also exist in EU member states other than Austria. Since European law takes precedence over national law, this interpretation may have implications for all EU Member States.
Next, the ECJ will deliberate on the case and then give its decision. In doing so, it is not bound by the Advocate General's opinion. While the CJEU often follows the opinion of its attorneys general, it has in the past made rulings that were imbued with a very strict understanding of data protection. This makes it difficult to predict the CJEU's decision. There is also the possibility that the ECJ will not rule on all the points raised by the Advocate General—for example, if it interprets the questions differently. In such case, the courts are not bound by the Advocate General's reasoning. However, it is to be expected that they will attach some importance to them.
The national courts of all member states will then have to adhere to the ECJs ruling in their decisions.
There are currently many legal uncertainties regarding claims for damages under the GDPR, which contributes to the fact that the case law on claims for damages is inconsistent.
It will thus be helpful that the ECJ will soon comment on one of these ambiguities and ensure a more uniform interpretation. Furthermore, from the point of view of companies, it is positive that the Advocate General is proposing a more moderate view to the court for a decision.
If the ECJ follows the opinion of the Advocate General, plaintiffs will have difficulty receiving damages unless they can prove that a GDPR infringement resulted in actual damages. This proves particularly difficult in many cases and facilitates the defense against corresponding claims. Punitive damages will also no longer be in line with the GDPR if the ECJ follows the opinion of the Advocate General. However, member states would otherwise be relatively free in the design of damages. Finally, "petty damages" such as mere discomfort or annoyance about a GDPR violation should no longer be sufficient for a claim for damages. However, since the courts have a great deal of discretion in this regard, there is still a risk that there will be uncertainty as to the content and that some courts will award damages even at a very low threshold. Hopefully, the CJEU will lay down more specific criteria in its judgment. It is worthwhile to keep an eye on these proceedings.