5 minute read | May.05.2023
On 4 May 2023 the European Court of Justice ("CJEU") published its decision (case no. C-300/21) in which it ruled that not any infringement of the General Data Protection Regulation ("GDPR") triggers the right to compensation provided by Art. 82 of the GDPR. The Court held that the right to compensation provided by Art. 82 of the GDPR requires (i) an infringement of the GDPR, (ii) a damage caused to the impacted individual, and (iii) a causal link between the infringement and the damage. The CJEU further ruled that there is no minimum threshold for damage claims. National Member States’ law need to define the criteria for assessing damages while ensuring that the compensation of a damage is comprehensive and effective.
Starting in 2017, Austrian Post (Österreichische Post), a company trading addresses, collected information on the political affinities of individuals using an algorithm that considered various social and demographic characteristics. The data thus generated was sold to various organizations for targeted advertising. During its activities, the Austrian Post identified a high affinity of the plaintiff to a certain Austrian political party based on statistical extrapolation of the collected data. This information was not transmitted to third parties. However, the plaintiff – who had not consented to the processing – felt offended by the fact that an affinity to a certain party was attributed to him. He further argued that the storage of data on his presumed political opinions by Austrian Post had caused him great upset, a loss of confidence as well as a feeling of being exposed. The plaintiff therefore brought an action against Austrian Post for (i) an injunction to stop the disputed data processing and (ii) payment of EUR 1,000.00 as compensation for the non-material damage.
The Austrian Supreme Court did not uphold Austrian Post's appeal against the injunction imposed on it, but submitted following questions to the CJEU in the appeal proceedings against the dismissal of the claim for damages:
Implications and Key Takeaways of the Ruling for Controllers?
Any company that is established in the European Union ("EU") or is otherwise subject to the GDPR, for example as the company offers goods and services to individuals in the EU, can be subject to a damage claim under the GDPR. Thus, this decision may concern any company with connections to the EU. The risk of damage claims is particularly high in case of data breaches and where individuals exercise their rights under the GDPR, such as access rights.
This ruling is unlikely to make the dispute over the correct interpretation of damage claims under the GDPR disappear altogether. However, it clarifies that a materiality threshold is not required and that the violation of the GDPR alone does not trigger a damage claim. The ruling will likely ignite a dispute over the question of whether and under what conditions a non-material damage is justified, and we expect a scattered approach across the EU.
Essentials of the Ruling
Criteria for Damage Claims
Threshold of Seriousness
Assessment of Damages
The Austrian court of appeal will now have to decide whether a claim for damages in the amount of EUR 1,000.00 is justified under the terms of this ruling. In so far, the court will also have to decide on whether an individual suffers immaterial damage if (s)he feels offended, greatly annoyed, loses confidence, or feels being exposed by the processing activities at issue.