CJEU rules on right to compensation under Article 82 EU GDPR

The question

What must a data subject demonstrate to claim compensation for non-material damage (eg emotional distress/loss of confidence) under the EU General Data Protection Regulation (GDPR)?

The key takeaway

To receive an award of compensation for non-material damage under Article 82 GDPR, a data subject must demonstrate that (i) they have suffered damage, (ii) there has been an infringement of the GDPR, and (iii) the infringement is linked to the damage the data subject has suffered. As such, the Court of Justice of the European Union (CJEU) has confirmed that there is no “de minimis” level of damages under Article 82 GDPR but that the infringement must have caused some form of damage to the data subject. Infringement of the GDPR, by itself, is not sufficient for compensation.

The background

On 4 May 2023, the CJEU handed down its much-anticipated preliminary ruling in UI v Österreichische Post AG (Case C‑300/21). A preliminary ruling is the mechanism by which the CJEU issues a binding decision on questions about the interpretation or validity of EU law. These questions are referred to the CJEU by national courts or tribunals in Member States.

This case concerned an algorithm which was applied to information by Austria’s leading postal services provider, Österreichische Post. Österreichische Post’s algorithm analysed various social and demographic criteria to predict the political affinities of the Austrian population. From these predictions, Österreichische Post created “target group addresses” and sold these to third parties, enabling those third parties to send targeted political advertisements to individuals.

In this case, Österreichische Post’s algorithm predicted that the claimant had a high degree of affinity with a particular Austrian political party. The claimant had not consented to the processing of his personal data for this purpose. While this information was not communicated to third parties, the claimant was caused feelings of great upset, exposure, and loss of confidence, when he discovered that an affinity with this political party was attributed to him and retained by Österreichische Post. Given these feelings, the claimant sought (i) an injunction for Österreichische Post to cease its processing of his personal data for this purpose (granted at first instance and upheld on appeal), and (ii) compensation of €1,000 for the non­material damage he suffered (rejected at first instance and dismissed on appeal).

In particular, the claimant’s claim for compensation was dismissed because Austria’s Higher Regional Court found that Member States’ laws supplement the GDPR. Under Austrian law, the right to compensation for non-material damage arising from a breach of data protection rules would only give the claimant a right to compensation where that damage reached a certain “threshold of seriousness”, and “negative feelings” did not reach this threshold.

The development

When the case came before the Austrian Supreme Court, Österreichische Post appealed against the injunction imposed on it, but this was dismissed. As such, only the claimant’s appeal against the rejection of his claim for compensation remained before the Supreme Court. The Supreme Court, in examining the concepts of damage, compensation, and effectiveness under EU law, decided to refer three questions to the CJEU. These were:

• Is a claimant required to suffer actual harm before they can be awarded compensation under Article 82 GDPR, or is an infringement of GDPR, by itself, sufficient to allow the claimant to receive compensation?
• Does EU law require that an infringement of GDPR must have a serious consequence, beyond “mere upset”, before compensation may be awarded?
• Should an award of compensation be considered in light of EU law requirements?

Question 1

In relation to this question, the CJEU analysed Article 82 GDPR which provides that any person who has suffered material or non-material damage, due to an infringement of GDPR, has the right to receive compensation. The CJEU found that to receive compensation, a claimant must show:

• they have suffered damage
• that there has been an infringement of the GDPR, and
• that the infringement of the GDPR is linked to the damage they suffered.

Further, because the words “damage” and “infringement” appear separately in Article 82 GDPR, the CJEU found that they should be considered different concepts. It found that only an infringement of the GDPR which causes a data subject to suffer damage, will be sufficient to give rise to an award of compensation. In relation to infringements by themselves, the CJEU found that they are covered by Article 77 and Article 78 GDPR which provide legal remedies to a data subject, before, or against, a supervisory authority where there has been an infringement of GDPR (ie administrative fines).

Question 2

Here, the CJEU stated that, according to settled case-law, a provision of EU law (ie Article 82 GDPR), which makes no reference to national Member States’ laws, must be given (i) an independent, and (ii) uniform definition throughout the EU. The CJEU found that:

• Article 82 GDPR is independent, and does not refer to Member States’ national laws as a way of determining how serious any material, or non-material damage must be to receive compensation, and
• the objective of GDPR is to ensure a consistent, high level of protection of individuals regarding the processing of their personal data in the EU.

As such, while a data subject is required to demonstrate that the consequences of an infringement of GDPR caused the non-material damage they suffered, the Austrian Supreme Court could not say that compensation for such damage should be subject to any set “threshold of seriousness”. The CJEU stated that such a finding would undermine the autonomy and uniformity of GDPR, as a “threshold of seriousness” would be different in different Member States.

Question 3

In determining the amount of compensation which would be payable to a data subject, the CJEU found that the GDPR does not contain any provision intended to define rules for the assessment of damages to which a data subject may be entitled under Article 82 GDPR. As such, the CJEU found that individual Member States should prescribe such rules subject to the EU law principles of effectiveness and equivalence:

• Effectiveness - the CJEU found that national courts should determine whether their national rules for assessing the amount of compensation payable under Article 82 GDPR make it impossible or excessively difficult for a data subject to exercise their rights under GDPR.
• Equivalence - the CJEU found that it would assess whether the legislation of Member States was less favourable to data subjects who are seeking to enforce their rights under EU law. However, there was no evidence of this in this case.

Why is this important?

While this case confirms that data subjects may claim compensation for non-material damage (ie feelings of upset) caused by an infringement of the GDPR, it provides more clarity to controllers on the situations in which a data subject may claim compensation under the GDPR. This ruling is not binding on the UK, but it still represents a persuasive authority, and is likely to inform how the UK courts and the Information Commissioner’s Office deal with compensation claims from data subjects in respect of UK controllers going forward.

Any practical tips?

This decision could lead to an increase in non-material damage claims for a data breach linked to the GDPR, including “mere upset”. That said, it does not set out what a claimant has to prove for such damage. It remains to be seen, therefore, quite where this decision will take the compensation argument for breaches of the GDPR.