The claim for damages under the GDPR has always been disputed in terms of its requirements and legal consequences, because the regulation uses vague legal terms in the relevant provisions instead of specific criteria. Now, for the first time, the ECJ has taken a position on the requirements for a claim and has also decided whether compensable non-pecuniary damage must reach a certain threshold. This article shows what, according to the ECJ, must be fulfilled for justified GDPR damages.
I. The initial case
An Austrian court proceeding preceded the abstract legal issues that the ECJ had to rule on.
In 2017, the Austrian Post tried to use an algorithm to determine the political affinities of the population based on social and demographic characteristics and, from the information generated, formed target groups in which sympathy with political parties was suspected.
A citizen who was attributed the ideological proximity to a certain party after the data processing saw this as unlawful processing of his personal data and sued for damages under Art. 82 GDPR.
The suggestion that he was close to the party in question caused him great irritation and led to a loss of trust and a feeling of embarrassment.
The Austrian judiciary unequivocally determined that the aggregation of information about demographic and social circumstances and its algorithm-based evaluation to determine a political spectrum violated data protection law because it was carried out without consent.
However, the Supreme Court, which was the last instance dealing with the request for compensation, saw the interpretation of Art. 82 GDPR as the basis for a claim for damages as problematic.
Paragraphs 1 and 2 of the provision state the following:
1. Any person who has suffered material or non-material damage as a result of a breach of this Regulation is entitled to compensation from the controller or processor.
2. Any controller involved in processing is liable for damage caused by processing that does not comply with this Regulation. A processor is only liable for damage caused by processing if it has not complied with its obligations under this Regulation specifically imposed on processors or has acted in non-compliance with or against the instructions given by the data controller lawfully.
He therefore suspended the proceedings and submitted the questions to the ECJ for a preliminary ruling, among other things, whether
- The prerequisite for a claim for GDPR damages is only a violation of GDPR provisions or specific damage that the data subject must have suffered as a result of the violation
- The prerequisite for immaterial damage that can be compensated for is that the consequence of the violation of the law is of a certain significance and goes beyond mere annoyance caused by the data protection violation
II. The decision of the ECJ
With judgment of May 4th, 2023 (Az. C-300/21), the ECJ ruled on the submission of the Austrian Supreme Court on the eligibility requirements of the GDPR damages and on the concept of immaterial damage.
1.) Specific occurrence of damage required
In response to the first question, the Court clarified that justification for damages cannot result from a mere breach of the GDPR provisions.
Rather, a data breach must also result in actual damage.
In addition, a causal link between data breach and damage is required, so the breach must be the cause of the damage.
The wording of Art. 82 (2) GDPR and recitals 75 and 85 already show that the violation of a GDPR provision on the one hand and damage on the other are different claim requirements.
2.) (Probably) no threshold for immaterial damage
With regard to the legal question of the extent to which the recognition of immaterial damage within the meaning of the GDPR depends on a certain degree of relevance, the ECJ took a less clear position.
Based on the fact that the concept of damage is not defined in the GDPR, but the Union legislature intended a broad understanding, the requirement of a certain weight for a substitute capacity cannot be assumed.
Otherwise, there would be a risk of claims for damages being handled heterogeneously in the various member states because the courts seised would assess the criteria of relevance and thus the recognition or rejection of compensation differently.
However, the judges maneuvered past the actual core of the question of whether a nuisance felt merely due to the data protection violation could justify non-material damage.
The ECJ did not make a statement as to whether immaterial damage should already be assumed in the case of weak and temporary emotions in connection with violations of data processing regulations.
This is particularly problematic because in the same judgment he declared infringement and damage to be two different entitlement requirements.
However, if feelings of mere annoyance, which are inherent in a data protection violation and are likely to be caused by it, are also considered non-pecuniary damage, the duality of the entitlement requirements would be watered down again or even abolished.
In this respect, the ECJ Advocate General spoke in his Opinion of October 6th, 2022 not to consider mere subjective feelings of dissatisfaction as the result of a data breach as sufficient non-pecuniary damage.
It is also recognized in German case law that immaterial damage only exists if the person concerned has suffered a noticeable disadvantage resulting from an objectively comprehensible impairment of personality-related interests with a certain weight.
It remains to be seen to what extent this can still be maintained in the light of the decision of the ECJ.
Finally, the ECJ did not comment on what was to be recognized as “immaterial damage” at all, but only ruled that the ability to compensate for damage – once accepted – does not depend on its significance.
In its judgment of May 4th, 2023 (Az. C-300/21), the ECJ ruled on the eligibility requirements for the GDPR damage claim and the ability to compensate for immaterial damage.
While the court clearly established that a mere breach of data protection does not already entitle to compensation, but that concrete and causal damage must also have occurred as a result of the breach, it dodged the very crucial question of what should be recognized as immaterial damage.
The ECJ ruled in this respect that the ability to compensate for non-pecuniary damage does not depend on a certain degree of relevance, and remained silent on the question of the extent to which a mere feeling of displeasure about a data protection violation suffered could justify the assumption of damage.
Tipp: Do you have any questions about the contribution? Feel free to discuss this with us in the
Entrepreneur group of the IT law firm on Facebook.