Non-material damage compensation: Court of Justice may limit enforcement of the GDPR
Not that long ago it was hard to believe that one day we would go to court to seek redress for our leaked email password.
However, since the GDPR came into force, private enforcement has been receiving considerably less attention. Still, the regulation not only includes a right to an effective judicial remedy but also a specific mechanism that provides compensation for damage caused by a breach of the regulation. Pursuant to Article 82 GDPR, a data subject may seek redress for material and non-material damage suffered because of a GDPR violation from the liable controller and/or processor. Such a claim for liability is currently governed by national civil law.
Under national laws, it is often not easy to get compensation for this non-substantial damage. Firstly, non-material damage is hard to assess. Secondly, the GDPR does not specify when non-material damage exists, nor does it name examples of possible non-material damages. Additionally, contrary to the public enforcement, there is no cooperation between Member States in this regard, nor does the EDPB issue any guideline or keep track on the amounts awarded. The mere wording of the Art. 82 is not usual, as the flexibility of its implementation is more characteristic for the provision taken out of a directive rather than from a regulation.
No damages for most GDPR violations?
Recently, the Advocate General (AG) Campos Sanchez Bordona of the Court of Justice of the European Union (CJEU) has issued an opinion regarding Art. 82 (compensation for damages under the regulation). The opinion severely limits the possibility of compensation. The final judgement will be issued in a few months; however, judges often follow previously issued opinions. And that is alarming.
The case started in Austria. The Austrian Post (Österreichische Post) was gathering data on the political party sympathies of the Austrian population for the purpose of election advertising. The claimant is one of the people affected by the data collection. The claimant sought €1,000 in damages for discomfort, arguing that the political likeness attributed to him by Austrian Post is offensive and disgraceful, and highly damaging to his image, causing him great distress and loss of confidence. The court was seeking an answer to the question of whether it could limit the award of non-material damages under Art. 82, if the anger of a plaintiff does not go beyond the anger that comes with the violation of GDPR rights. As this definition would include all realistic types of anger that may come from a violation of the GDPR, it would largely undermine the legislator’s intent to grant non-material damages for violations of the right to data protection.
According to the AG, infringement of the GDPR alone does not give rise to the payment of compensation. He underlined that the individual must have suffered real damage as a result of the infringement to trigger compensation. There is also a distinction to be drawn between mere upset (which does not give rise to a right for compensation) and non-material damage (which does). Furthermore, there is no presumption of damage having occurred as a result of a breach of the GDPR. A loss of control of personal data by the controller will not itself amount to damage that is eligible for compensation.
AG stated that instead of paying damages, courts should consider issuing a simple declaration, injunction, or so-called nominal damages (usually €1) which would give some moral satisfaction to the applicant.
However, such solutions are not going to address past infringements or retrieve unlawfully accessed data. Claimants would have to invest high amounts of money into the process just to receive a confirmation that they are indeed right. Data controllers could walk away without any realistic consequences. What is more, according to the AG, Member States should come up with their own “thresholds” or other national laws that may limit the clearly intended full compensation of non-material damages. Considering the current uneven situation in this field, this would lead to much greater divergence regarding the implementation of the Art. 82, even though the regulation itself states that: ‘The level of protection of the rights and freedoms of natural persons regarding the processing of such data should be equivalent in all Member States’.
What is next?
In the Österreichische Post case, the jury (consisting of three and five judges) has not yet ruled, as we are now waiting for a formal decision from the Court of Justice. However, rights organisations and campaigners, including Max Schrems, have already expressed concern about the impact of the Advocate General’s opinion.
According to Nyob, the privacy organisation which Max Scherms is representing: ‘If the view of the Austrian Supreme Court and the Advocate General prevails, most users will never see compensation for GDPR violations anymore.’ The BEUC called the opinion ‘troubling’, saying that, if followed, it would hamper the possibilities to seek compensation when an individual has suffered non-material damages, such as reputational damage and emotional distress.’
The CJEU should hand down its judgment within a few months, most likely early next year. It often follows opinions of Advocate General, but this is not a given.