
Damages for Breach of GDPR

Data protection law was significantly changed by the GDPR on 25 May 2018. From a civil liability perspective, the main impact of GDPR was the inclusion of the term ‘non-material damage’. Since then, debate has raged both in Ireland and the rest of Europe about what the term actually means. Some welcome insight has now been provided by the opinion of an Advocate General (AG) of the Court of Justice of the European Union (CJEU). The opinion centers on a referral by the Austrian Supreme Court in UI v Österreichische Post AG[1]. This case addresses a number of very important questions:

  • Does the very fact that a breach occurred entitle the affected data subject to compensation without them having to prove any damage?
  • If the answer is that proof of actual damage is required, is being simply annoyed or upset enough?

Why is this opinion so important?

Pre-GDPR, the High Court in Collins v FBD Insurance Plc confirmed that, in order to recover under the Data Protection Acts 1988-2003, a claimant had to prove damage. When the GDPR introduced the concept of ‘non-material damage’, there was confusion about:

  • What the concept actually meant
  • What was needed to prove it
  • How to assess the value of the damage

The uncertainty caused by this new concept is not unique to Ireland. It led to disparate decisions in many European member states, with some courts granting damages for “annoyance” while others refused to do so. At the time of the AG’s opinion, courts in seven member states had sent preliminary references to the CJEU, seeking guidance. A petition is before the European Parliament Committee on Petitions seeking clarification of the concept.

In UI v Österreichische Post AG, Case C-300/21, the CJEU was asked three questions.

Does the award of compensation under Article 82 of the GDPR also require, in addition to infringement of provisions of the GDPR, that an applicant must have suffered harm, or is the infringement of provisions of the GDPR in itself sufficient for the award of compensation?

There has been much debate about whether harm naturally flows from proof of infringement. In the recent Lloyd v Google case, it was argued that compensation should be awarded for a ‘loss of control’ of data, independent of any proof of distress or upset. The court in that case did not accept that argument and the AG’s opinion has followed a similar line. He notes that this interpretation is inconsistent with the wording and the purpose of the GDPR. In the AG’s view, a claimant must prove an infringement of GDPR and harm in the form of either material or non-material damage. But what is non-material damage? The remainder of the opinion does shed some light on this.

Does the assessment of compensation depend on further EU law requirements, in addition to the principles of effectiveness and equivalence?

The AG considered whether there are any EU law requirements that should be taken into account when assessing compensation. This is a very broad question. The underlying driver for the question appears to be a concern that the GDPR would be overly punitive if, in addition to fines, the award of compensation for non-material damage was in some way punitive.

The AG expressed the view that, generally, the concept of punitive damages does not appear in the GDPR. He also pointed out that the GDPR is not prescriptive about the calculation of compensation of damages. He confirmed that this is a matter for the courts of each member state to apply on a case-by-case basis.

Is it compatible with EU law to take the view that the award of compensation for non-material damage presupposes the existence of a consequence of the infringement of at least some weight that goes beyond the upset caused by that infringement?

The final question referred is essentially a practical one. What does a plaintiff need to prove to get compensation for non-material damage? Do they need to prove something greater than ‘upset’?

The AG noted that any infringement of GDPR is likely to lead to a negative reaction by the data subject and allowing ‘mere upset’ to be recoverable would be akin to not requiring proof of harm. He was of the opinion that there must be some threshold of harm above a de minimis level. He reiterated that the task of determining whether the ‘harm’ in a case exceeds this threshold is for the courts of each member state. It is worth noting that the concept of a similar threshold for harm in non-material damage cases was also discussed in the recent UK decision of Rolfe v Veale.

Conclusion

AG opinions are not binding on the CJEU. However, they are influential and generally provide a useful indicator of which way the court will ultimately lean. Research suggests that between 67% and 80% of CJEU decisions agree with the AG opinion. No date for the decision of the CJEU has yet been provided.

If the opinion is followed, some of the uncertainty created by the concept of ‘non-material damage’ will be resolved. It would certainly be extremely helpful to put an end to the debate about whether a mere infringement of GDPR is automatically proof of damage. However, uncertainty will continue, as the assessment of the “threshold” for what level of non-material damage will attract compensation will be left to the national courts. Experience tells us that the Circuit Court, where the majority of these cases will be heard, can be very generous to claimants. Even if damages are assessed at a low level, the accompanying costs will be significant. All that remains clear is that even if the CJEU follows this opinion, the road to certainty on damages in breach of GDPR cases has many twists and turns ahead.

For expert guidance and more information, contact a member of our Insurance & Risk or Privacy & Data Security teams.

The content of this article is provided for information purposes only and does not constitute legal or other advice.

[1] Case C‑300/21


