Reuschlaw

Land­mark ruling by the ECJ on Artic­le 82 of the GDPR

Will the­re be more actions for non-material dama­ges in the future in case of data pro­tec­tion violations?

Com­pa­nies always face the risk of being sued by data sub­jects in the event of a data breach. The out­co­me of such cases has long been the sub­ject of con­sidera­ble uncer­tain­ty, par­ti­cu­lar­ly in cases whe­re dama­ges are sought for pain and suf­fe­ring, i.e. whe­re the plain­ti­ff asserts claims to non-material dama­ges. After all, very dif­fe­rent views have been expres­sed in the natio­nal case law and in the lite­ra­tu­re with regard to the requi­re­ments for an action for dama­ges in accordance with Artic­le 82 of the GDPR. But the ECJ put an end to all that in its land­mark ruling of 4 May 2023 (Case No. C‑300/21), which sets clear gui­de­lines for the award of dama­ges for pain and suffering.

Back­ground

The case invol­ves an action brought by a data sub­ject against Öster­rei­chi­sche Post AG. The action char­ged that the lat­ter had con­duc­ted an auto­ma­ted sur­vey of the poli­ti­cal affi­ni­ties of the Aus­tri­an public in which it had – fal­se­ly – ascri­bed to the data sub­ject an affi­ni­ty for a right-wing poli­ti­cal par­ty. The data sub­ject argued that he is owed reasonable com­pen­sa­ti­on for the unp­lea­sant­ness he suf­fe­r­ed as a result. After being denied in the first two ins­tances, the action was refer­red to the ECJ by the Aus­tri­an Supre­me Court with a request for a preli­mi­na­ry ruling as to the con­di­ti­ons for asser­ting a right to com­pen­sa­ti­on in accordance with the GDPR.

Over­view of the ECJ’s Ruling

In its ruling, the ECJ found that a dama­ge cla­im in accordance with the GDPR may be asser­ted if three cumu­la­ti­ve con­di­ti­ons are met: vio­la­ti­on of the GDPR, pre­sence of mate­ri­al or non-material dama­ges as a con­se­quence of that vio­la­ti­on and the exis­tence of a cau­sal link bet­ween the vio­la­ti­on and the damages.

  1. Mere vio­la­ti­on of the GDPR is not enough to estab­lish a dama­ge cla­im
    Accor­ding to the ECJ’s decis­i­on, a dama­ge cla­im in accordance with Artic­le 82 of the GDPR requi­res not only a vio­la­ti­on of the GDPR but also the cau­sa­ti­on of dama­ges to the data sub­ject. In other words, the data sub­ject must have sus­tained mate­ri­al or non-material dama­ges. The ECJ found that Artic­le 82 of the GDPR ser­ves a com­pen­sa­to­ry func­tion unli­ke Artic­les 83 and 84 of the GDPR (fines and other pen­al­ties), which are of a puni­ti­ve cha­rac­ter. The ECJ the­r­e­fo­re con­cluded that the­se sta­tu­tes repre­sent two dif­fe­rent cha­rac­ters of legal reme­dies which com­ple­ment each other “in terms of encou­ra­ging com­pli­ance with the GDPR.”
  2. No mate­ria­li­ty thres­hold
    The ECJ also found in its decis­i­on that dama­ge claims are not rest­ric­ted to non-material dama­ges which reach a cer­tain level of serious­ness. In other words, the­re is no de mini­mis limit for claims. Rather, the ECJ held that Artic­le 82 of the GDPR appli­es to all dama­ges ari­sing from vio­la­ti­ons of data pro­tec­tion law, both mate­ri­al and non-material, so that even mere dis­com­fort on the part of the data sub­ject may be enough to estab­lish a cla­im to com­pen­sa­ti­on. But at the same time, the ECJ stres­sed that its broad inter­pre­ta­ti­on on this ques­ti­on does not excu­se data sub­jects from their duty to fur­nish evi­dence estab­li­shing that their dama­ges were actual­ly attri­bu­ta­ble to the data pro­tec­tion vio­la­ti­on. A cau­sal link bet­ween the dama­ges and the vio­la­ti­on remains neces­sa­ry and must be estab­lished by the data subject.
  3. Assess­ment of dama­ges in accordance with natio­nal law
    Asi­de from the gene­ral prin­ci­ples of equi­va­lence and effec­ti­ve­ness, the ECJ found that he amount of the dama­ges must be deter­mi­ned in accordance with the natio­nal rules of the rele­vant coun­try. As grounds for this fin­ding, the ECJ par­ti­cu­lar­ly cited the fact that Artic­le 82 con­ta­ins no gui­de­lines with regard to assess­ment of dama­ges, and that no other pro­vi­si­on of EU law exists which does so. Accor­din­gly, the GDPR places no obs­ta­cle to assess­ment of the dama­ge amount based on the natio­nal lia­bi­li­ty laws of the mem­ber sta­tes. The actu­al form of the com­pen­sa­ti­on may also be deter­mi­ned in accordance with natio­nal law, so that e.g. a con­fes­si­on of the inf­rin­ge­ment or skim­ming off unlawful pro­fits may come into con­side­ra­ti­on in addi­ti­on to purely finan­cial com­pen­sa­ti­on. The only requi­re­ment is that the finan­cial com­pen­sa­ti­on, while regard­ed as “full and effec­ti­ve,” must not be of a puni­ti­ve character.

Con­clu­si­on and Recom­men­da­ti­on for Companies

Alt­hough the ECJ’s ruling goes a long way towards crea­ting legal cer­tain­ty by spe­ci­fy­ing the con­di­ti­ons for a cla­im under Artic­le 82 of the GDPR, it is in fact a nega­ti­ve deve­lo­p­ment for com­pa­nies. Becau­se the decis­i­on lowers the requi­re­ments for awar­ding dama­ges, com­pa­nies can expect to face a lar­ge num­ber of dama­ge claims and incre­asing­ly nega­ti­ve ver­dicts. This poses a con­sidera­ble risk for com­pa­nies, par­ti­cu­lar­ly in the event of major data brea­ches, e.g. as a result of a cyber­at­tacks. Com­pa­nies should the­r­e­fo­re main­tain a per­ma­nent and sca­lable data pro­tec­tion com­pli­ance pro­cess in each case, inclu­ding pre­ven­ti­ve action to avo­id future vio­la­ti­ons of the GDPR as well as mea­su­res for defence against dama­ge claims. Only in this way will com­pa­nies be able to ensu­re a suc­cessful defence in court proceedings.

back

Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.