Will there be more actions for non-material damages in the future in case of data protection violations?
Companies always face the risk of being sued by data subjects in the event of a data breach. The outcome of such cases has long been the subject of considerable uncertainty, particularly in cases where damages are sought for pain and suffering, i.e. where the plaintiff asserts claims to non-material damages. After all, very different views have been expressed in the national case law and in the literature with regard to the requirements for an action for damages in accordance with Article 82 of the GDPR. But the ECJ put an end to all that in its landmark ruling of 4 May 2023 (Case No. C‑300/21), which sets clear guidelines for the award of damages for pain and suffering.
The case involves an action brought by a data subject against Österreichische Post AG. The action charged that the latter had conducted an automated survey of the political affinities of the Austrian public in which it had – falsely – ascribed to the data subject an affinity for a right-wing political party. The data subject argued that he is owed reasonable compensation for the unpleasantness he suffered as a result. After being denied in the first two instances, the action was referred to the ECJ by the Austrian Supreme Court with a request for a preliminary ruling as to the conditions for asserting a right to compensation in accordance with the GDPR.
Overview of the ECJ’s Ruling
In its ruling, the ECJ found that a damage claim in accordance with the GDPR may be asserted if three cumulative conditions are met: violation of the GDPR, presence of material or non-material damages as a consequence of that violation and the existence of a causal link between the violation and the damages.
- Mere violation of the GDPR is not enough to establish a damage claim
According to the ECJ’s decision, a damage claim in accordance with Article 82 of the GDPR requires not only a violation of the GDPR but also the causation of damages to the data subject. In other words, the data subject must have sustained material or non-material damages. The ECJ found that Article 82 of the GDPR serves a compensatory function, unlike Articles 83 and 84 of the GDPR (fines and other penalties), which are of a punitive character. The ECJ therefore concluded that these statutes represent two different types of legal remedy which complement each other “in terms of encouraging compliance with the GDPR.”
- No materiality threshold
The ECJ also found in its decision that damage claims are not restricted to non-material damages which reach a certain level of seriousness. In other words, there is no de minimis limit for claims. Rather, the ECJ held that Article 82 of the GDPR applies to all damages arising from violations of data protection law, both material and non-material, so that even mere discomfort on the part of the data subject may be enough to establish a claim to compensation. But at the same time, the ECJ stressed that its broad interpretation on this question does not excuse data subjects from their duty to furnish evidence establishing that their damages were actually attributable to the data protection violation. A causal link between the damages and the violation remains necessary and must be established by the data subject.
- Assessment of damages in accordance with national law
Aside from the general principles of equivalence and effectiveness, the ECJ found that the amount of the damages must be determined in accordance with the national rules of the relevant country. As grounds for this finding, the ECJ particularly cited the fact that Article 82 contains no guidelines with regard to assessment of damages, and that no other provision of EU law exists which does so. Accordingly, the GDPR places no obstacle to assessment of the damage amount based on the national liability laws of the member states. The actual form of the compensation may also be determined in accordance with national law, so that e.g. a confession of the infringement or skimming off unlawful profits may come into consideration in addition to purely financial compensation. The only requirement is that the financial compensation, while regarded as “full and effective,” must not be of a punitive character.
Conclusion and Recommendation for Companies
Although the ECJ’s ruling goes a long way towards creating legal certainty by specifying the conditions for a claim under Article 82 of the GDPR, it is in fact a negative development for companies. Because the decision lowers the requirements for awarding damages, companies can expect to face a large number of damage claims and increasingly negative verdicts. This poses a considerable risk for companies, particularly in the event of major data breaches, e.g. as a result of a cyberattack. Companies should therefore maintain a permanent and scalable data protection compliance process in each case, including preventive action to avoid future violations of the GDPR as well as measures for defence against damage claims. Only in this way will companies be able to ensure a successful defence in court proceedings.