On 4 May 2023, the Court of Justice of the European Union (CJEU) delivered its decision in the Österreichische Post case (Case C-300/21), in essence deciding that a mere infringement of the General Data Protection Regulation (GDPR) does not automatically lead to compensation for damages; compensation for nonmaterial damage does not need to meet a minimum threshold of seriousness; and it is up to the national courts to assess the amount of damages. This case was referred to the CJEU by the Austrian Supreme Court and is the first of many preliminary rulings pending before the CJEU regarding the right to compensation under Article 82 GDPR.
Österreichische Post collected information on the political affinities of the Austrian population in order to sell this information for election advertising purposes. Using an algorithm, Österreichische Post created a profile of the claimant, which said that he had a high affinity for a particular political party. This data collection, therefore, enabled Österreichische Post to establish that a particular citizen had a strong liking for a certain Austrian political party. However, Österreichische Post did not inform third parties that it had engaged in such data processing activities.
The claimant, who had not consented to the processing of his personal data, claimed 1,000 euros in compensation for nonmaterial damage for internal harm, arguing that the political affinity attributed to him was insulting and shameful. He said it was also damaging to his reputation, caused him suffering and loss of confidence, and produced a feeling of vulnerability in public.
The claim was dismissed in the lower Austrian courts. The Austrian Supreme Court expressed its doubts as to the extent of the right to compensation that the GDPR establishes for material or nonmaterial damage resulting from mere infringement of the GDPR. The Austrian Supreme Court thus asked the CJEU whether mere infringement of the GDPR was sufficient to confer that right, and whether compensation would be awarded only if the nonmaterial damage suffered was of a certain degree of seriousness. It also asked what the European Union law requirements were for determining the amount of damage.
Not all infringements of the GDPR – by themselves – confer a right to compensation
The CJEU stated that Article 82(1) GDPR must be interpreted as meaning that a mere infringement of the provisions of the GDPR is not sufficient to confer a right to compensation. For the CJEU, this is clear from the wording of Article 82 GDPR, which requires three cumulative conditions to be met:
- The existence of an “infringement” of the GDPR.
- The existence of “damage” that has been “suffered.”
- A causal link between that “damage” and that “infringement.”
Therefore, not all “infringements” of the provisions of the GDPR – by themselves – confer a right to compensation on the data subject.
The CJEU stated that any other interpretation would run counter to the clear wording of the GDPR. The separate references to “damage” and “infringement” in Article 82(1) GDPR would not have been included if the EU had decided that any infringement of the GDPR would be sufficient to give rise to a right to compensation.
Moreover, Article 82(2) GDPR, which specifies the rules on liability – the principle of which is established in paragraph 1 of that article – outlines the three conditions necessary to give rise to the right to compensation (as listed above). According to Recitals 75, 85 and 146, relating to the right to compensation, infringements do not necessarily result in damage, and there must be a causal link between the infringement in question and the damage suffered to establish a right to compensation.
No threshold required for nonmaterial damage
Further, the CJEU held that the right to compensation is not limited to serious nonmaterial damage alone. The GDPR contains no such restriction, which would anyway be contrary to the broad conception of damage adopted by the EU. Specifically, the context and objective of Recital 146 indicate that the concept of damage should be broadly interpreted in light of CJEU case law in a manner that fully reflects the objectives of the GDPR. It would be contrary to that broad conception of “damage” if the concept were limited solely to damage of a certain degree of seriousness.
The CJEU held that making any compensation for nonmaterial damage contingent on a threshold of seriousness would risk undermining the GDPR, because the threshold would be subject to the discretion of the courts in each instance, resulting in the potential for inconsistent application. It stated that only without such a threshold is it possible to achieve a consistent, high-quality level of protection within the EU.
National courts must apply domestic rules to determine amount of damages
Finally, the CJEU noted that Article 82 GDPR must be interpreted as meaning that, in order to determine the damages payable, national courts must apply domestic rules, provided that the principles of equivalence and effectiveness of EU law are complied with. This is because the GDPR contains no rules on assessment of damages.
However, the CJEU noted the compensatory function of Article 82 GDPR and highlighted that data subjects should receive “full and effective compensation for the damage they have suffered.” Nevertheless, it is ultimately for the national courts to apply this rule.
Clear rules for damage calculation still missing
The decision provides welcome news for companies, as it “raises” the bar for successful damage claims for nonmaterial damage and lowers the attractiveness to initiate mass claims in the EU concerning compensation for a mere infringement of the GDPR. However, regarding the calculation of damage, the CJEU does not offer a full answer and leaves it to the national courts to determine the amount of damages payable.
The CJEU will, however, have further opportunities to clarify its understanding of damage for breach of the GDPR in a number of pending cases, including juris GmbH (Case C-741/21), Natsionalna agentsia za prihodite (Case C-340/21), Scalable Capital GmbH (Case C-182/22) and Saturn Electro (Case C-687/21). These cases concern the correct interpretation of Article 82 GDPR – in particular, the meaning of “material or nonmaterial damage,” the conditions for imposing liability under Article 82 GDPR and the degree of “fault” that is required to impose liability. It remains to be seen whether the CJEU will take the opportunity to refine its reasoning and provide more detailed guidance to companies, member states and national courts. To be followed up!