The Court of Justice of the European Union (CJEU) issued its long-awaited judgment on damages and the interpretation of Art. 82 GDPR. The judgment is important for national legal practice in particular due to the decision on the existence of a so-called materiality threshold for the affirmation of non-material damage suffered. This materiality threshold had been introduced by national courts (judgment of May 4, 2023, case no.: C-300/21).
Background to the decision
In the course of a preliminary ruling procedure, three questions on the claim for damages under Art. 82 GDPR were submitted to the CJEU by the Austrian Supreme Court (OGH). This in turn was preceded by a lawsuit filed by a private individual against the Austrian Post AG for EUR 1,000 in damages due to unlawful data processing.
Post AG collected information on the political leanings of the Austrian population without consent. It used an algorithm to define political target groups based on certain sociodemographic characteristics. This algorithm classified the plaintiff as being close to the FPÖ party. The plaintiff described his annoyance at this political categorisation, as it offended him.
The courts of first and second instance dismissed the claim essentially on the grounds that the non-material damage claimed did not exceed the supposed materiality threshold required for the claim for damages.
The Austrian Supreme Court stayed the appeal proceedings and referred the following three questions to the CJEU for a preliminary ruling:
- Does an award of damages under 82 GDPR require, in addition to a breach of provisions of the GDPR, that the claimant has suffered damage? Or is the mere breach of provisions of the GDPR already sufficient for an award of damages?
- Are there other requirements under EU law for the assessment of damages, in addition to the principles of effectiveness and equivalence?
- Is the view compatible with European Union law that a precondition for the award of non-material damage is that there is a consequence or consequence of the infringement of at least some weight which goes beyond the annoyance caused by the infringement?
Following the Advocate General’s Opinion of 6 October 2022, the CJEU has now ruled on the issues raised.
Current judgements on the GDPR
Read our regular reviews of data protection law rulings to stay up to date!
GDPR violation and damage must both be present
With regard to the question of damages in the event of a mere violation of provisions of the GDPR, the CJEU states that the GDPR does not refer to the law of the individual Member States for the meaning and scope of the terms contained in Art. 82 GDPR and that these are therefore to be regarded as autonomous terms of Union law.
It already follows from the wording of Art. 82 GDPR that the existence of damage, in addition to the breach of provisions of the GDPR, is one of the prerequisites for the establishment of a claim for damages.
Furthermore, there must be a causal connection between the breach and the damage. These prerequisites would thus have to be cumulatively present. A mere breach of the provisions of the GDPR is not sufficient in itself to establish a claim for damages.
Determination of the assessment of damages by courts on the basis of national provisions
With regard to the second question referred for preliminary ruling, whether there are further requirements of Union law for the assessment of damages in addition to the principles of effectiveness and equivalence, the CJEU reiterates that the GDPR does not contain any policy dedicated to the rules for assessment of damages where damage has been caused by the breach of the GDPR.
The procedural modalities of the remedies and thus the determination of the amount of damages are left to the national courts, which have to apply the national rules. However, the principles of equivalence and effectiveness must be observed.
As a result, the national courts would have to apply the national rules on the extent of financial compensation when determining the amount of damages, provided that the Union law principles of equivalence and effectiveness were observed.
No materiality threshold for non-material damages
Regarding the third and most relevant question of the existence of a materiality threshold, the CJEU confirmed that Art. 82 GDPR also allows for a claim for damages in case of non-material damage. The wording of the provision does not indicate a “materiality threshold” of any kind.
It can be deduced from the third sentence of Recital 146 GDPR, according to which “the concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of this Regulation”, that it would be contrary to the broad understanding of the concept of “damage” chosen by the Union legislator if it were limited by a materiality threshold.
Therefore, a national policy would be contrary to the wording of the GDPR, which makes compensation for non-material damage dependent on the damage having reached a certain level of materiality.
Data protection law assessment
The CJEU’s ruling is very close to the Regulation. In addition to the wording of Art. 82 GDPR, Recital 146 is also relevant for the assessment of when damages suffered by data subjects due to a data breach must be compensated.
Correctly, the damage is not equated with any violation of a norm from the GDPR. This is because a norm of the regulation will not always necessarily aim to protect data subjects.
Where a policy has the protection of data subjects as its direct object, it will be easier in the future to establish that damage has been suffered and is therefore compensable. This underlines the intention of the legislator that “the persons concerned (…) shall receive full and effective compensation for the damage suffered.”
Consequently, this damage must be substantiated, but not also of some weight. Materiality is presumed in the case of damage brought about by the injury (i.e., causal).
The short formula is: Affected persons must indeed show causal damage, but the amount of the damage suffered is then irrelevant.
The ruling was eagerly awaited and delivers what it promises. Namely, a lot of explosives. And it is clear that the judgment has significantly lowered the barriers for the enforcement of claims for damages by way of legal action. Previously, the small claims threshold had to be calculated as an additional risk factor when considering filing a lawsuit.
In consequence, this will lead to an increased number of lawsuits, but also to more effective legal protection for data subjects. Lawsuits following administrative fine proceedings due to data breaches are particularly interesting. This is because these ultimately also always prove the limitations of the rights and freedoms of those affected by the data breach. It is then easy to simply demonstrate the damage suffered.
As a result of the mandatory notice of data subjects by a data breach or unlawful processing activity, waves of lawsuits can be expected in the future. The decisive battlefield will then be the question of the amount of damage and no longer the justification for the damage claim.
Preventive work is therefore more important than ever. Companies must get to grips with their obligations on the basis of regulated and practiced data protection management structures. This applies in particular with regard to avoiding and dealing with data breaches.