Rosaleen Byrne, Amy Brick and Louise Mitchell

As set out in our previous briefing Compensation in Data Breach Claims – Recent Developments, a number of member state courts, including those in Austria, Germany and Bulgaria, have referred questions to the Court of Justice of the European Union (CJEU) concerning the extent and scope of the right to compensation for non-material damage under the General Data Protection Regulation (GDPR).

On 4 May 2023 the CJEU handed down its much anticipated judgment in Case C-300/21 – UI v Österreichische Post AG. This marks the first CJEU judgment to address the question of non-material damage under Article 82 of the GDPR.

Background

In this case, the data subject brought proceedings in the Austrian court seeking €1,000 in compensation for alleged non-material damage arising from the processing of his personal data for the purposes of political advertising, using an algorithm. The data subject claimed that he was upset by the storage of his party affinity data and angered and offended by the political affinity specifically attributed to him by Austrian Post.

The Austrian Supreme Court referred a series of questions to the CJEU seeking clarification as to whether the award of compensation under Article 82 requires, in addition to an infringement of the GDPR, that the claimant has suffered harm. The reference also sought clarification as to whether compensation for non-material damage requires the existence of more than upset caused by the infringement.

AG Opinion

Advocate General Campos Sánchez-Bordona delivered his opinion in October 2022 and found, in summary, that:

• GDPR infringements do not in and of themselves warrant compensation;
• non-material damage should meet a minimum “threshold of seriousness”; and
• the level of compensation is a matter for the law of the member state.

CJEU judgment — key findings

The CJEU followed the opinion of the AG in many, but not all, respects. The most notable divergence is in respect of whether a minimum threshold of seriousness is required for a claim for non-material damage to exist.

1. Mere violation of GDPR does not confer a right to compensation

The Court held that a mere infringement of the GDPR is not sufficient in and of itself to confer a right to compensation, noting that any other interpretation would run counter to the wording of the Regulation, it being clear from Article 82 that the existence of ‘damage’ which has been ‘suffered’ constitutes one of the conditions for the right to compensation. Three cumulative conditions must be met, as follows:  

1. an infringement of the GDPR;
2. material or non-material damage resulting from that infringement; and
3. a causal link between the infringement and the damage.

2. No threshold of seriousness required in respect of non-material damage

One of the key issues considered was whether a certain minimum level or threshold of seriousness must be exceeded for non-material damage to be compensable. The Court chose not to follow the AG’s opinion, which had called for a “threshold of seriousness” above which non-material damage could warrant compensation.

In the first instance the Court noted that non-material damage is not defined in Article 82 GDPR and that the Article makes no reference to any threshold of seriousness. Noting that Recital 146 of the GDPR states that “the concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of this Regulation”, the Court found that it would be contrary to the broad conception of ‘damage’ favoured by the EU legislature if it was to be limited solely to damage of a certain degree of seriousness.

The Court also noted that, as set out in Recital 10, an objective of the GDPR is to ensure the consistent and homogeneous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data throughout the EU. The Court expressed a concern that imposing a threshold could affect the coherence of the GDPR regime across the EU as the possibility of obtaining damages could vary according to the assessment of that threshold by relevant national court. 

In light of this, the Court found that the GDPR precludes any national rule or practice imposing a materiality threshold.

3. GDPR does not prescribe rules for the assessment of damage

In circumstances where the GDPR does not contain any rules for assessing damages, the Court found that it is for the legal system of each member state to prescribe the detailed rules governing actions under Article 82 and, in particular, the criteria for determining the extent of the compensation payable in that context, subject to compliance with the principles of equivalence and effectiveness.

The Court noted that the recitals to the GDPR state that it is intended to provide for “full and effective compensation” for damage suffered. Any domestic rules for compensation will need to satisfy this requirement.  

Impact on other proceedings before the CJEU and Irish courts

The CJEU judgment in the Austrian Post case will likely have an impact on the outcome of other preliminary references before the CJEU in which guidance is sought on the interpretation of Article 82 GDPR.

Only last month, Advocate General Pitruzzella delivered his opinion in respect of a reference from the Bulgarian court on the right to compensation for non-material damage under the GDPR where there had been unlawful disclosure of personal data as a result of a cyber-attack. The AG in that case found that detriment consisting in the fear of a potential misuse of one’s personal data in the future, the existence of which the data subject has demonstrated, may constitute non-material damage giving rise to a right to compensation, provided that it is a matter of “actual and certain emotional damage” and not simply trouble and inconvenience — there is certainly a question now as to whether this view is consistent with the Court’s decision in the Austrian Post case.

The decision will also be relevant to the Irish Circuit Court proceedings in Fastway Couriers Ireland and Others [2023] IECC 1 which involved the loss of customer data following a cyber-attack and which had been stayed pending the outcome of this and other preliminary references concerning non-material damage, as well as to other cases which had similarly been stayed pending the outcome of these references.

UK-EU divergence

The CJEU’s stance on the materiality threshold is out of step with recent decisions in the UK, including the decision of the High Court of England and Wales in Rolfe v Veale [2021] EWHC 2809 (QB) which required damage over a de minimis threshold in order for compensation to be payable.

It is worth noting that UK case law cannot be relied on as persuasive authority in this jurisdiction in respect of GDPR matters where it is at odds with the jurisprudence of the CJEU.

Conclusion

Overall, the decision of the CJEU may not provide the level of guidance that some had hoped for in terms of what is meant by non-material damage, and leaves many questions over to be dealt with by the national courts. For those defending data breach claims, the decision that a threshold of seriousness cannot be applied to the concept of non-material damage will not be welcome news.

As the CJEU still has to pronounce on a number of other preliminary references concerning Article 82 of the GDPR, more guidance may follow, and will keep you updated on all such developments.

• Rosaleen Byrne and Amy Brick are partners and Louise Mitchell is an associate at McCann FitzGerald LLP.