Compensation for data protection breaches requires a causal relation between the breach and actual harm incurred by the data subject: Österreichische Post decision of the CJEU case no. C-300/21
E-Bulletin 04/2023
The CJEU ruled that not every violation of the GDPR automatically gives data subject the right to claim damages. It is instead necessary to demonstrate a causal relation between the data protection breach and actual harm incurred by the data subject.
Facts
From 2017, Österreichische Post, a company incorporated under Austrian law, an address broker, collected information on the political affinities of the Austrian population. Using an algorithm that takes into account various social and demographic criteria, it defined ‘target group addresses’. The data thus generated were sold to various organisations, to enable them to send targeted advertising.In the course of its activity, Österreichische Post processed data which, by way of statistical extrapolation, led it to infer that the applicant in the main proceedings had a high degree of affinity with a certain Austrian political party. That information was not communicated to third parties, but the applicant in the main proceedings, who had not consented to the processing of his personal data, felt offended by the fact that an affinity with the party in question had been attributed to him.
In that context, the applicant in the main proceedings brought an action before the Landesgericht für Zivilrechtssachen Wien (Regional Court for Civil Matters, Vienna, Austria) seeking, first, an injunction for Österreichische Post to cease processing the personal data in question and, second, an order requiring that company to pay him the sum of EUR 1 000 by way of compensation for the non-material damage which he claims to have suffered. By decision of 14 July 2020, that court upheld the application for an injunction but rejected the claim for compensation.
On appeal, the Oberlandesgericht Wien (Higher Regional Court, Vienna, Austria) confirmed, by judgment of 9 December 2020, the decision at first instance. As regards the claim for compensation, that court referred to recitals 75, 85 and 146 of the GDPR and held that the Member States’ provisions of national law on civil liability supplement the provisions of that regulation, in so far as the latter does not contain special rules. In that regard, it noted that, under Austrian law, a breach of the rules on the protection of personal data is not automatically associated with non-material damage and gives rise to a right to compensation only where such damage reaches a certain ‘threshold of seriousness’. In its view, that is not the case with regard to the negative feelings which the applicant in the main proceedings has invoked.
Hearing the action brought by the two parties in the main proceedings, the Oberster Gerichtshof (Supreme Court, Austria), by interim judgment of 15 April 2021, referred three questions to the ECJ:
- Is a GDPR infringement in itself sufficient for an award of compensation under Art. 82 GDPR?
- Does the assessment of the compensation depend on further EU-law requirements in addition to the principles of effectiveness and equivalence?
- Is it compatible with EU law to impose as a requirement for awarding compensation for non-material damages that the infringement is of at least some weight that goes beyond the upset caused by that infringement?
Regarding the first question, the CJEU, by establishing an autonomous and uniform interpretation of Art. 82 GDPR, answered that “the mere infringement of the provisions of [the GDPR] is not sufficient to confer a right to compensation.” The Court pointed to the three cumulative conditions of Art. 82 GDPR, namely the existence of “damage” which has been “suffered,” the existence of an infringement of the GDPR, and of a causal link between damage and infringement.
In addition, the clarifications provided by recitals 75, 85 and 146 of the GDPR support that interpretation. First, recital 146, which specifically concerns the right to compensation provided for in Article 82(1) of that regulation, refers, in its first sentence, to ‘damage which a person may suffer as a result of processing that infringes this Regulation’. Second, recitals 75 and 85 state, respectively, that ‘the risk … may result from personal data processing which could lead to … damage’ and that a ‘personal data breach may … result in … damage’. It follows, first, that the occurrence of damage in the context of such processing is only potential; second, that an infringement of the GDPR does not necessarily result in damage, and, third, that there must be a causal link between the infringement in question and the damage suffered by the data subject in order to establish a right to compensation.
The CJEU then answered the third question and again underlined the need for an autonomous and uniform interpretation of “non-material damage” within the meaning of Art. 82 GDPR. The CJEU pointed out that the wording of Art. 82 does not make reference to any threshold of “seriousness” of (non-material) damages and that the objectives of the Regulation favour a “broad conception of ‘damage.’” It follows “that Article 82(1) of the GDPR must be interpreted as precluding a national rule or practice which makes compensation for non-material damage, within the meaning of that provision, subject to the condition that the damage suffered by the data subject has reached a certain degree of seriousness.”
Lastly, as to the second question of the assessment of damages, the CJEU noted that the GDPR does not contain any provisions in that regard. Hence, the amount of damages payable under the right to compensation pursuant to Art. 82 is subject to the domestic rules of each Member State, “provided that the principles of equivalence and effectiveness of EU law are complied with.” Regarding the latter, the CJEU alluded to the GDPR’s intention to ensure “full and effective compensation” (see recital 146 GDPR) for the damage suffered, “without there being any need […] to require the payment of punitive damages.”
Outstanding questions
While lowering the threshold for GDPR-related claims for non-material damages (at least for jurisdictions that knew a seriousness threshold), it is yet too early to denote this judgment as harbinger of a new torrent of data protection claims. Instead, the future of Art. 82 GDPR will most likely depend on the rigour national courts show regarding the assessment of damages in data protection matters. Also after the CJEU’s decision, how to assess non-material damages is still a question very much in want of a definitive answer. In this respect, data privacy pundits will be keeping a close watch on the pending case of VB -v- Natsionalna agentsia za prihodite (Case C – 340/21). On 27 April 2023, the Advocate General delivered their Opinion in this case. The case involves personal data disclosed following a cyber-attack. The claimant alleges non-material damage on the basis that they fear a future misuse of their data by the hackers or others. The Advocate General concluded that if the Claimant can demonstrate a “real and certain emotional damage” then this can constitute a basis for compensation for non-material damage. Even though the CJEU of course does not always follow the Advocate General’s Opinion, it is often highly persuasive. Though this might be thought to indicate a move towards mass compensation claims where GDPR data security obligations have not been observed which have then led to a cyber-breach, it still seems necessary for each Claimant to demonstrate that they have suffered “real and certain emotional damage”.