Does an infringement of the GDPR always lead to compensation under Art 82 GDPR

The European Court of Justice (ECJ) has ruled in its decision dated 4 May 2023 (C-300/21) on compensation pursuant to the GDPR that:

1. The mere infringement of the GDPR is not sufficient to confer a right to compensation;
2. The right to compensation is not limited to material or non-material damage that reaches a certain threshold of seriousness;
3. It is for the legal systems of the member states to prescribe the criteria for determining the amount of compensation, provided that the principles of equivalence and effectiveness under Union law are complied with.

Background to the preliminary ruling request

Since 2017, Österreichische Post AG has been collecting information on the political party preferences of the Austrian population. By using an algorithm, the Österreichische Post AG formed political target groups to send out focused advertisements about the respective political parties.
 
The claimant, who was one of the addressees of such targeted advertisement, was upset, angered, and offended that the personal data was processed without his consent. Due to the inner discomfort that he suffered from the unlawful processing of his personal data, he claimed compensation for non-material damage amounting to EUR 1000. His claim was dismissed by several national courts and was eventually brought before the Austrian Supreme Court who submitted a preliminary ruling request before the ECJ.
 
In addition to the aforementioned question, the Austrian Supreme Court raised questions on whether the principles of effectiveness and equivalence as well as further EU-law requirements apply to, and whether a de minimis limit exists for, compensation under Art. 82 GDPR.

The Advocate General’s Opinion

On the subject, whether Art. 82 GDPR grants compensation to a data subject regardless of any material or non-material damage, the Advocate General Campos Sánchez-Bordona argued in October 2022 that the wording of Art. 82 GDPR indicates that the function of compensation is to address the adverse consequences caused by the breach and does not include a punitive function against the controller.
 
Furthermore, the Advocate General argued that the GDPR does not grant the data subject control over its data as a value itself, therefore it is not necessary for it to achieve the greatest control possible. The Advocate General has also emphasised that the free movement of personal data and the right to privacy must be balanced and one should not be excessively favoured over the other.
 
Lastly, the Advocate General argued, in the case at hand, that for a compensation claim, a certain level of seriousness of the emotional harm must be proven to maintain the difference between compensation with and without damage. Mere negative emotions are not sufficient.

The European Court of Justice’s Ruling

Does Art. 82 GDPR grant compensation without damage?

The ECJ followed in principle the Advocate General’s Opinion. It ruled that for a compensation claim under the GDPR, three conditions must be met: (i) a breach of the GDPR, (ii) material or immaterial damage, and (iii) a causal link between the breach and the damage. This leads to the conclusion that not every breach of the GDPR gives rise to a right to compensation. If the legislator had intended to grant compensation for every breach of the GDPR, it would not have made material or non-material damage a prerequisite of Art. 82(1) GDPR. This interpretation is also confirmed by recital 75 and 85 GDPR stating that the unlawful processing of personal data could lead to damages.
 
Additionally, compensation without damage would undermine the systematic of the GDPR, as it does not contain a punitive element but rather aims at compensation for the data subject. The GDPR provides various instruments such as fines issued by supervisory authorities pursuant to Art. 83 GDPR to penalise controllers for unlawful processing of personal data. The data subject can trigger such a procedure by lodging a complaint with the supervisory authorities pursuant to Art. 77 GDPR. Such a complaint does not require any damage. A systematic comparison to Chapter VIII reveals that the criterion of “damage” is independent and therefore does not necessarily go hand in hand with a “breach” of the GDPR.

Can national legislation set out a minimum infringement to claim damages? 

Regarding the question, whether a claim for compensation for non-material damage must reach a certain threshold of infringement, the ECJ ruled that a national understanding of a minimum infringement would conflict with the aim of the GDPR to ensure unified legal protection within the European Union. The term damage must be understood broadly to pursue complete protection of the data subject. The wording of Art. 82 GDPR does not indicate in any way that compensation is dependent on a certain threshold of damage. Furthermore, national legislation would lead to inconsistency in the ruling of national courts, since the possibility to claim damages would depend on the judgment and on the respective level of the national courts and hence conflict with the aim of equivalent protection in all member states. However, the ECJ clarified that the data subject has the burden of proof that infringement it suffered resulted in non-material damage.

Determination of the amount of damages

Lastly, the ECJ stated on the amount of compensation that it is the responsibility of the member states to set out criteria for its assessment. The GDPR itself does not contain any modalities in this respect. However, the legal system of each member state must consider the principle of effectiveness and equivalency. The ECJ also used the opportunity to emphasise the compensational function of the damage claims pursuant to the GDPR to ensure complete and effective compensation for any damage incurred.

 

Inconvenience as damage?

Previously, the Advocate General had argued that, in the case at hand, the data subject suffered a mere inconvenience instead of damage. Such an inconvenience could not be claimed under the GDPR as it is not a suitable instrument for countering infringements in connection with the processing of personal data where all those infringements create for the data subject is annoyance or upset. This would easily result in compensation without damage that is not foreseen under the GDPR. However, the Advocate General was aware that mere upset that is not eligible for compensation and genuine non-material damage that can be compensated might be complicated to delimit.
 
Unfortunately, the ECJ does not comment on the criteria which could be used for the differentiation. This question remains open and might be subject to future rulings.

Conclusion

The judgment of the ECJ is to be welcomed in principle since it corresponds to continental European legal tradition and practice and distinguishes between a mere infringement of law and damage that may result from it. The concern that claims for damages will flood the national courts in the near future, proves arguably to be unfounded. The judgment reduces the risk of excessive mass proceedings in interaction with collective redress instruments. Law firms that base their business model on claims for damages appear to have suffered a setback. However, it is regrettable that the ECJ did not establish a threshold of relevance, but it can possibly be corrected when assessing the amount of damages in accordance with member state laws. An insignificant impairment would then result in minor damage.
 
The ECJ will soon have the opportunity to clarify its case law on Art. 82 GDPR, as further preliminary proceedings are pending before it. Nevertheless, the current decision of the ECJ dated 4 May 2023 represents an important milestone for more legal certainty in the highly dynamic area of European data protection law.