On 4 May 2023, the Court of Justice of the European Union (CJEU) released its highly anticipated judgment in Case-300/21 UI v Österreichische Post (Österreichische Post Case).
The CJEU decision is the first to deal with an individual’s right to compensation for non-material loss for breaches of the General Data Protection Regulation (GDPR). The CJEU determined that:
- mere infringement of the GDPR will not give rise to a right to compensation for material or non-material damage;
- there is no de-minimis standard of loss to be suffered for an individual to recover compensation under the GDPR;
- there must be a causal link between an infringement of data protection law and damage suffered to recover compensation under the GDPR.
The CJEU stated that it is for national courts to interpret this decision and apply it to data protection claims on a national basis. This will therefore apply to those cases that have been stayed pending the CJEU’s decision (see our earlier article here).
Österreichische Post, the postal service of Austria, processed personal data relating to the political beliefs of the Austrian public since 2017. Unbeknownst to these individuals, Österreichische Post used an algorithm which used this personal data to categorise members of the Austrian public’s political beliefs as being aligned with specific political parties. An Austrian citizen argued that he had not consented to the use of his personal data for such purposes, claiming he suffered upset and felt exposed due to him being affiliated with a certain political party. The claimant brought a data protection claim, before the Austrian courts, for compensation of €1,000 for the non-material damage.
The Austrian Supreme Court expressed its doubts that Article 82 GDPR, which allows for compensation for infringements of the GDPR, extended to non-material damages for “mere upset”. The court referred three questions for preliminary ruling by the CJEU:
- Does the award of compensation under Article 82 of the GDPR require, in addition to the infringement of provisions of the GDPR, that an applicant must have suffered harm, or is the infringement of provisions of the GDPR in itself sufficient for the award of compensation?;
- Does the assessment of compensation depend on further EU-law requirements in addition to the principles of effectiveness and equivalence?; and
- Is it compatible with EU law to take the view that the award of compensation for non-material damage presupposes the existence of a consequence of the infringement of at least some weight that goes beyond the upset caused by that infringement?
Is infringement of the GDPR in itself sufficient to award compensation?
The CJEU clarified that the right to compensation is subject to three cumulative conditions being established:
- infringement of the GDPR;
- material or non-material damage resulting from that infringement; and
- a causal link between the damage and the infringement.
Therefore, mere infringement of the GDPR will not give rise to the right to compensation under Article 82 GDPR. The CJEU also referred to the recitals of the GDPR, which state that infringement of the GDPR does not necessarily result in damage, and there must be a causal link between the infringement in question and the damage suffered to establish a right to compensation.
Compensation for non-material damages
The CJEU held that non-material damage arising from a breach of the GDPR does not need to reach a certain threshold of seriousness for the affected party to acquire the right to compensation. As the GDPR does not impose any such requirement, the CJEU held it would be contrary to the broad concept of “damage” adopted by EU law, if it was limited to a certain degree of seriousness. However, the CJEU acknowledged that the likelihood of national courts awarding compensation would vary depending on the seriousness of the damage.
This finding is contrary to the opinion the Advocate General which found that the “compensation for non-material damage provided for in the regulation does not cover mere upset”.
Rules for the assessment of damages
The CJEU noted that the GDPR does not contain any rules governing the assessment of damages and that it was for the legal system of each Member State to prescribe detailed rules for actions arising from the GDPR. Member States must set criteria for determining the extent of compensation payable in a given context, and the principles of equivalence and effectiveness must be complied with.
As previously discussed by William Fry here, existing Irish litigation was stayed pending the outcome of the Österreichische Post Case, along with other preliminary references before the CJEU. The Österreichische Post Case will provide much-needed guidance to the Irish courts in deciding on such cases, including Cunniam v Parcel Connect Limited trading as Fastway Couriers Ireland and Others. That case concerns non-material damage that occurred as a result of a cyber-attack, and whether the plaintiff can be awarded compensation.
Another Significant Decision Awaited
Another CJEU case that has provoked much interest, stems from an incident of unauthorised access to Bulgaria’s National Revenue Agency’s (NAP) information system. The NAP system held millions of citizens’ tax records and social security information, which were published on the internet. Affected parties brought proceedings against the NAP for compensation for non-material damage in the form of worry and fear that their personal data would be misused.
Advocate General Giovanni Pitruzzella has recently opined that where there has been unlawful access to personal data by third parties, fault on the part of the controller will be presumed and may give rise to liability for non-material damage. The Advocate General stated that compensation can be awarded for such non-material damage. To avoid liability, a controller must prove that it is not in any way responsible for the unlawful access to the personal data.
The Advocate General also opined that fear of possible misuse of personal data in the future can constitute non-material damage, giving rise to a right to compensation, but only if it is actual and certain emotional damage, not simply trouble or inconvenience. Given the Advocate General’s opinion in this case, the CJEU’s final decision will be eagerly awaited, particularly in light of the Österreichische Post Case.
The Österreichische Post Case provides clarity on the right to compensation for mere infringement of the GDPR and non-material damages. It will be interesting to see how this decision will be interpreted by national courts in the ever-growing landscape of data protection claims by individuals. It seems likely that Member State courts will not allow frivolous or vexatious claims to over-run the courts, a position supported by the Österreichische Post Case.
For more information about anything discussed above, please contact Adele Hall, Rachel Hayes, Leo Moore, Paul Convery or your usual William Fry contact.