Groundbreaking Decision in Europe: CJEU Denies a Minimum Threshold for Raising Non-Monetary GDPR Damage Claims

On 4 May 2023 the European Court of Justice ("CJEU") published its decision (case no. C-300/21) in which it ruled that not any infringement of the General Data Protection Regulation ("GDPR") triggers the right to compensation provided by Art. 82 of the GDPR. The Court held that the right to compensation provided by Art. 82 of the GDPR requires (i) an infringement of the GDPR, (ii) a damage caused to the impacted individual, and (iii) a causal link between the infringement and the damage. The CJEU further ruled that there is no minimum threshold for damage claims. National Member States’ law need to define the criteria for assessing damages while ensuring that the compensation of a damage is comprehensive and effective.

What happened?

Starting in 2017, Austrian Post (Österreichische Post), a company trading addresses, collected information on the political affinities of individuals using an algorithm that considered various social and demographic characteristics. The data thus generated was sold to various organizations for targeted advertising. During its activities, the Austrian Post identified a high affinity of the plaintiff to a certain Austrian political party based on statistical extrapolation of the collected data. This information was not transmitted to third parties. However, the plaintiff – who had not consented to the processing – felt offended by the fact that an affinity to a certain party was attributed to him. He further argued that the storage of data on his presumed political opinions by Austrian Post had caused him great upset, a loss of confidence as well as a feeling of being exposed. The plaintiff therefore brought an action against Austrian Post for (i) an injunction to stop the disputed data processing and (ii) payment of EUR 1,000.00 as compensation for the non-material damage.

The Austrian Supreme Court did not uphold Austrian Post's appeal against the injunction imposed on it, but submitted following questions to the CJEU in the appeal proceedings against the dismissal of the claim for damages:

1. Does the award of compensation under Article 82 of [the GDPR] also require, in addition to infringement of provisions of the GDPR, that an applicant must have suffered harm, or is the infringement of provisions of the GDPR in itself sufficient for the award of compensation?
2. Does the assessment of the compensation depend on further EU-law requirements in addition to the principles of effectiveness and equivalence?
3. Is it compatible with EU law to take the view that the award of compensation for non-material damage presupposes the existence of a consequence [or effect] of the infringement of at least some weight that goes beyond the upset caused by that infringement?

Implications and Key Takeaways of the Ruling for Controllers?

Any company that is established in the European Union ("EU") or is otherwise subject to the GDPR, for example as the company offers goods and services to individuals in the EU, can be subject to a damage claim under the GDPR. Thus, this decision may concern any company with connections to the EU. The risk of damage claims is particularly high in case of data breaches and where individuals exercise their rights under the GDPR, such as access rights.

This ruling is unlikely to make the dispute over the correct interpretation of damage claims under the GDPR disappear altogether. However, it clarifies that a materiality threshold is not required and that the violation of the GDPR alone does not trigger a damage claim. The ruling will likely ignite a dispute over the question of whether and under what conditions a non-material damage is justified, and we expect a scattered approach across the EU.

Essentials of the Ruling

Criteria for Damage Claims

• The GDPR distinguishes between the term "damage" and "infringement" so that an infringement of the provisions of the GDPR in itself does not automatically give rise to a right to compensation.
• There are three conditions that must be cumulatively met to claim damages under Art. 82 GDPR, namely;
  • a processing of personal data that infringes the provisions of the GDPR;
  • a damage suffered by the individual; and
  • a causal link between the unlawful processing and the damage.
• The claim for damages differs from other remedies, such as administrative fines that have punitive purpose and are not conditional on the existence of individual damage.

Threshold of Seriousness

• The claim for (immaterial) damages does not require a certain threshold of seriousness to be met (i.e., no need to reach a certain level of materiality) - a deviating interpretation would contradict the GDPR's intention to interpret the concept of damage broadly to be in consistence with the GDPR's objectives of a high level of protection of individuals and a consistent and uniform application of the GDPR.
• Individuals impacted by an infringement of the GDPR must demonstrate that the infringement of the GDPR caused a (non-material) damage.

Assessment of Damages

• The GDPR does not contain any provision to define the rules on the assessment of the damages to which an individual is entitled as a result of an infringement of the GDPR. In the absence of such provisions, it is for the legal system of each member state to prescribe the detailed rules governing actions for safeguarding damage claims under Art. 82 GDPR, including the criteria for determining the extent of the compensation payable in that context. However, these systems must observe the principles of equivalence (i.e., procedures for the remedies according to Union law must not be less favorable than those governing similar domestic matters) and effectiveness (i.e., the implemented procedures do not make it excessively difficult or impossible in practice to exercise the rights under Union law).
• In light of the compensatory function of the damage claim, financial compensation based on Art. 82 GDPR must be regarded as "full and effective" if it allows the damage suffered to be compensated in its entirety – this does not require the payment of punitive damages.
• National courts must apply member state rules relating to the extent of financial compensation, provided that the Union law principles of equivalence and effectiveness (see above) are observed.

Further Proceedings

The Austrian court of appeal will now have to decide whether a claim for damages in the amount of EUR 1,000.00 is justified under the terms of this ruling. In so far, the court will also have to decide on whether an individual suffers immaterial damage if (s)he feels offended, greatly annoyed, loses confidence, or feels being exposed by the processing activities at issue.