Internet Explorer 11 (IE11) is not supported. For the best experience please open using Chrome, Firefox, Safari or MS Edge

Damages for Breach of GDPR - The Promise of Clarity Fulfilled?

A long-awaited decision of the Court of Justice of the European Union concerning whether compensation for ‘non-material damage’ is payable where a data subject’s rights have been infringed has now been delivered. Our Insurance & Risk team examine the facts of the case, its ultimate decision and consider if any clarity can be gleaned from this first instalment in the non-material damage saga.

The GDPR extended liability for an infringement of a data subject’s privacy rights to expressly cover ‘non-material damage’. The concept of non-material damage was new to Irish law and practitioners have grappled with its meaning and scope over the last five years. This legal uncertainty is not unique to Ireland and has led to a series of preliminary references to the Court of Justice of the European Union (CJEU) seeking guidance on how to interpret Article 82 of the GDPR.

In October 2022, we wrote about the Advocate General’s opinion in the first of these preliminary references, UI v Österreichische Post AG 300/21. We now look at the CJEU decision in this case and ask: did we actually get the clarity we had hoped for on what is needed to prove ‘non-material damage’?

The first question referred

Under Article 82 of the GDPR, is the infringement of GDPR, of itself, sufficient for the award of compensation or must a claimant prove damage?

The CJEU held that a mere infringement of GDPR does not confer an automatic right to compensation under Article 82(1).

The CJEU made it clear that a claimant must prove three things:

  1. The existence of a violation of GDPR
  2. The existence of ‘damage’ or ‘harm’ having been ‘suffered’, and
  3. A causal link between the said damage and violation

The second question referred

Does the assessment of compensation depend on further EU-law requirements in addition to the principles of effectiveness and equivalence?

The CJEU noted that the GDPR does not contain any rules about the assessment of damages. It held that it is a matter for the Member States to ensure full and effective compensation for the damage suffered. In this way, each Member State must determine the appropriate level of compensation, subject to compliance with the principles of effectiveness and equivalence.

The third question referred

To prove you have suffered from non-material damage, do you need to prove something more than the upset caused by that infringement?

This part of the decision was arguably the most eagerly awaited. Notably, the CJEU’s decision departed from the AG’s opinion, recent UK caselaw[1] and recent expressions from the Irish bench[2].

The CJEU found that the GDPR precluded the application of a minimum threshold of “seriousness” for non-material damage based on the following considerations:

  • Article 82 of the GDPR makes no reference to such a threshold
  • Recital 146(3) of the GDPR states that damage should be broadly interpreted. The application of a threshold, or any such limitation, would therefore be contrary to this, and
  • Recital 146 of the GDPR expressly requires damage to be construed in such a way as to support the objectives of the GDPR and requiring a threshold of seriousness to be met would not do so. The CJEU determined that applying such a threshold may lead to a risk of undermining the consistency of GDPR interpretation and the ‘graduation’ of such a threshold may fluctuate between Member States, according to the subjective assessment of the judge hearing the case

The CJEU therefore decided that the GDPR must be interpreted as precluding a national court from imposing a threshold of seriousness in a claim for compensation for non-material damage.

Case comment

And so, we turn to the burning question, how much clarity did we get from this decision on the concept of ‘non-material damage’? Unfortunately, from a civil liability perspective, not as much as expected.

This decision is set against a backdrop of conflicting decisions across Europe and multiple preliminary references. There had been a recent general trend across national courts in EU Member States and the UK of imposing a minimum threshold above “mere upset” for claiming compensation for non-material damage.

It is undoubtedly helpful that the CJEU has clarified that claimants must prove damage and that damage cannot be presumed to follow as a natural consequence of an infringement. However, given that the CJEU rejected any application of a threshold for non-material damage, we are no clearer, following this decision, on the proofs required to claim for such damage.

At multiple points in the decision the CJEU emphasised the distinction between ‘infringement’ and ‘damage’. However, after carefully drawing this distinction, the CJEU does not then go on to provide any real guidance on how the concept of non-material damage should be interpreted. Rather, it reaffirmed, in a more general sense, the obligation on each Member State to apply the GDPR in such a way as to ensure full and effective compensation for the damage suffered.

There are a further five preliminary references pending before the CJEU which include questions on the interpretation of Article 82 of the GDPR. Therefore, this decision is just the first installment of the non-material loss interpretation saga, and we hope for more clarity to be provided as each decision is rendered[3].

For more information regarding the impact of this decision, contact a member of our Insurance & Risk or Privacy & Data Security teams.

The content of this article is provided for information purposes only and does not constitute legal or other advice.

[1]Rolfe v Veale Wasbrough Vizards LLP [2021] EWHC 2809 (QB)


[3] Next up – Case C-340/21 – VB v Natsionalna agentsia za prihodite

Share this: