The GDPR is pervasive legislation. It impacts almost every business active in the EU and, indeed, public authorities and even private citizens in some cases. 

The issue of when compensation is available for breach of the GDPR is thus a critical question. A right to compensation that might arise from a mere infringement could open the floodgates to individual claims and class actions against large companies.

Österreichische Post – Opinion of the Advocate General

On 6 October 2022, Advocate General Campos Sánchez-Bordona delivered his opinion in UI v Österreichische Post (Case C-300/21). This case was referred to the CJEU by the Austrian Supreme Court and is the first of many requests for preliminary ruling pending before the CJEU (including from Germany) on the application of the right to compensation under Article 82 of the GDPR.

The Advocate General suggests to the CJEU that compensation claims under the GDPR should be limited to cases of actual material or non-material damage.

Background

The background of the Österreichische Post case is straight-forward. The Austrian Post collected information on the political party affinities of the Austrian population for the purpose of election advertising.

The claimant is one of the individuals affected by the data collection. The Austrian Post – using an algorithm – created a profile for the claimant which associated him with high affinity to a particular political party. The claimant claimed EUR 1,000 compensation for non-material damages for inner discomfort, arguing that the political affinity that the Austrian Post attributed to him is insulting and shameful, as well as extremely damaging to his reputation, causing him great upset and a loss of confidence, and also a feeling of public exposure.

His claim was dismissed in the lower Austrian courts but the Austrian Supreme Court referred the following questions to the CJEU:

“(1)      Does the award of compensation under Article 82 of [the GDPR] also require, in addition to infringement of provisions of the GDPR, that an applicant must have suffered harm, or is the infringement of provisions of the GDPR in itself sufficient for the award of compensation?

(2)      Does the assessment of the compensation depend on further EU-law requirements in addition to the principles of effectiveness and equivalence?

(3)      Is it compatible with EU law to take the view that the award of compensation for non-material damage presupposes the existence of a consequence of the infringement of at least some weight that goes beyond the upset caused by that infringement?”

Question 1: The Advocate General considers there is no compensation right for a “mere” GDPR infringement

Some national courts have adopted a very extensive interpretation of Article 82 GDPR. The first question deals with that interpretation and asks if the right to compensation for non-material damages is triggered by a “mere” violation of the GDPR – irrespective of any damages suffered.

The Advocate General rejects this interpretation firmly based on a well-founded assessment of the law closely following the wording of Article 82 GDPR under which a right to compensation requires a person to have “suffered material or non-material damage”.

Further, the Advocate General rejects the arguments that there is an irrebuttable presumption of damage once a GDPR violation has occurred – particularly that an infringement results in a “loss of control” over data which is a compensable damage under Article 82 GDPR. The wording of the GDPR does not support this presumption and, instead, the recitals name loss of control over data as simply one possible damage that can occur.

As part of the analysis, the Advocate General makes a number of wider observations on the concept of “loss of control”. He concludes it is not the GDPR’s objective to grant data subjects absolute control over their personal data as a right in itself, or that data subjects must have the greatest control possible over those data – rather this merely means data subjects have a right to “supervise” the processing of the personal data and to intervene by exercising their rights. Accordingly, processing in violation of the GDPR that leads to loss of control over data is on its own not a ground for compensation in damages.

The Opinion also addresses the wider purposes of the GDPR, concluding that it is not directed at the protection of personal data and individual’s rights to the exclusion of everything else. Rather, it seeks “to reconcile each person’s right to protection of personal data with the interests of third parties and society.” Therefore, Article 82 GDPR should be considered in the light of the GDPR’s broader objectives to promote the free movement of data in the Single Market by legitimising data processing under strict conditions rather than systematically limiting it.

Furthermore, the Advocate General assesses the role of punitive damages under the GDPR. This is relevant as allowing compensation purely for breach of the GDPR (and in the absence of any actual damage) would, in effect, create a regime of punitive damages.

The Advocate General concludes that Article 82 GDPR does not allow for punitive damages. In contrast to other EU legislation, punitive damages are not mentioned in the text of the GDPR nor during the legislative process. Further, the GDPR clearly separates compensatory functions (under Article 82) and punitive functions (available through fines under Article 83 GDPR and other sanctions). There is no room for compensation claims to replicate the sanction powers of supervisory authorities.

Question 2: Nominal damages may be available but the GDPR does not include an “account of profits”

The next question considers how compensation should be assessed and if there are any further requirements beyond the principles of effectiveness and equivalence. The Advocate General does not provide a comprehensive answer to this and instead addresses potential types of compensation available under the laws of the Member States.

For example, the power of national courts to award symbolic or nominal amounts to vindicate the infringement is permitted under the GDPR but should only be available under Article 79 GDPR and the Advocate General stresses that under Article 82 GDPR “the difficulty in proving the damage must not result in nominal damages”.

Further, some Member States’ laws allow the neutralisation of an unfair advantage, i.e. an account of profits. The Advocate General does not clearly say whether account of profits is allowed under the GDPR, and instead states that the GDPR “does not include this in its provisions”.

Question 3: Mere “annoyance” or “upset” is not sufficient to award compensation

If compensation is only available for actual material or non-material damage, what does this mean in practice? Is “mere upset” enough?

This issue has been widely discussed. For example, in Germany the courts have followed several different opinions, and the German Constitutional Court even decided that – without referral to the CJEU – a claim could not be dismissed due to the damage suffered not surpassing a materiality threshold.

The Advocate General concludes the definition of damage must be broad but, at the same time, cannot form a rule under which all non-material damage, irrespective of its seriousness, would be eligible for compensation. Compensation should not be available for mere “annoyance or upset”, especially since any data protection violation will lead to some form of negative feeling for the data subject.

Interestingly, the Advocate General rejects the argument that a broad right to damage arises under recital 146 (which states that “any damage” should be compensated). He also rejects the argument that the concept of damage “should be broadly interpreted” in light of the CJEU’s case law. He notes that the CJEU had yet to rule on the subject when the GDPR was adopted. To answer the question, the Advocate General suggests the CJEU draws a distinction “between non-material damage for which compensation may be awarded and other inconveniences arising as a result of abuse of the law which, owing to their insignificance, do not necessarily create the right to compensation.” He states that this distinction, as “an inevitable corollary of life in society”, is accepted in national legal systems and by the CJEU. Further, he points out that compensation for a mere feeling of displeasure would easily be confused with compensation without damage.

However, the Advocate General does not attempt to draw the exact line between compensable damage and insignificant inconveniences. This is instead left to the courts of the Member States who will have to take into account the exact facts and the “perception prevailing in society at a given time regarding the permissible degree of tolerance where the subjective effects of infringement of a provision in this area do not exceed a de minimis level.”

What else is in the pipeline?

This Opinion relates to just one of the referrals on the question of compensation for breach of the GDPR. Other pending decisions include:

• juris GmbH (Case C-741/21). This relates to an individual who asked not to receive direct marketing. Despite that request he received three more direct marketing letters. Although the individual has suffered no financial loss as a direct result of the marketing, and even no distress, he argues that he has a right to compensation for this breach. The CJEU will need to consider, amongst other things, if the mere infringement of the GDPR is sufficient to found a claim for compensation and whether this is subject to any de minimis limit.
• VB v Natsionalna agentsia za prihodite (Case C-340/21). This reference asks if “worries, fears and anxieties suffered by the data subject” following a cyberattack are sufficient to justify compensation even where “there is no evidence that [the plaintiff’s] data has been misused”. Similar questions are posed in in Case C-182/22 (Scalable Capital GmbH) and Case C-189/22 (Scalable Capital GmbH).
• BL v Saturn Electro (Case C-687/21). A final reference asks if a data subject is entitled to compensation after its sales contract for a household appliance was accidentally given to another customer notwithstanding the accidentally disclosed sales contract was recovered within thirty minutes and the data subject rebuffed an offer of free delivery in compensation for the error.

The CJEU’s judgment in UI v Österreichische Post is likely to be critical to the outcome in these cases.

What happens next?

The Opinion provides welcome clarification of critical issues under the GDPR. The assessment is clear and well-founded, drawing balanced lines for the application of Article 82 that reject the notion that infringement should automatically trigger some form of flat-rate compensation.

The CJEU should hand down its judgment within a few months, most likely early next year. It often follows opinions of Advocate General but this is not a given.