The plaintiff has to demonstrate that he has suffered material or immaterial damage. A mere infringement of the GDPR is not sufficient for granting compensation. However, any immaterial damage is compensable. A certain threshold or seriousness of the damage is not necessary to receive compensation.1
For the first time, the CJEU decided on the requirements and the amount of damages.2 The court establishes its own approach to the right to compensation, following neither the restrictive view of the Advocate General nor the extensive interpretation of the German Federal Labour Court.3 As an effect of the decision, companies and public bodies will face more claims for damages, since any immaterial damage – like inner discomfort – is compensable for consumers.
Since 2017, Österreichische Post AG4 collected data on the political party affinities of Austrian citizens. The postal service contributed ‘target group addresses’ with the assistance of an algorithm and on the basis of socio-demographic data. UI is a natural person to whom the postal service attributed a high affinity to a certain political party. The data was not transferred to any third party.
Österreichische Post did not ask for UI’s consent. UI was upset and angered by the postal service’s attribution of an affinity to a certain political party. He claimed 1,000 € as compensation for the inner discomfort as non-material damage.
The requirements for the right to compensation according to Art. 82 GDPR
The CJEU establishes three conditions for the right to compensation according to Art. 82 GDPR. The first requirement is an infringement of the GDPR. The second requirement is material or non-material damage. The third requirement is the causal link between the damage and the infringement. These conditions are cumulative and have to be met simultaneously.
These requirements differ significantly from the conditions of tort law in Germany and are similar to the requirements for compensation under European public liability law.5 It is remarkable that negligent or wilful behaviour of the controller is not a requirement of the right to compensation. This approach essentially lowers the burden of proof for the plaintiff.
A mere infringement of the GDPR is not sufficient for compensation
The court is straightforward on the question of whether damage is required. The wording, the context and the systematic interpretation of Art. 82 GDPR all require damage in addition to the breach of the GDPR. Otherwise, the term “damage” would be pointless in the text of Art. 82 GDPR. In addition, not every infringement of the GDPR necessarily causes damage. This interpretation is supported by recitals 146, 75 and 86 GDPR, which require damage caused by a breach of the GDPR. Finally, the contrast between the requirements for a fine imposed by a DPA6 and the right to compensation under Chapter VIII of the GDPR shows that damage is required for compensation, whereas a fine solely requires an infringement of the GDPR.
The court clarifies the different requirements of the two remedies. However, the court does not follow the interpretation of the Advocate General, who regards the right to compensation as subsidiary to the actions of the DPA.
The CJEU emphasizes that “damage” is an autonomous term of EU law and is not open to controversial national definitions.
Any immaterial damage is compensable according to the GDPR
The CJEU held that any immaterial damage is compensable according to the GDPR. A certain threshold or gravity of the damage is not required according to the wording of Art. 82. Recital 146 describes the concept of damage as one to be broadly interpreted and as reflecting the objectives of the GDPR. Finally, a threshold would give national courts the opportunity for differing interpretations. All three arguments support the conclusion of the court.
In practice, the decision will shift many internal risk evaluations of companies and public bodies from medium to high risk, since it opens the window for many proceedings in which consumers claim damages. As a general rule, a substantive infringement of the GDPR will indicate immaterial damage, since the damage does not need any gravity.
The amount of damages
Unfortunately, the CJEU left it open to the national courts which amount of damages is adequate for immaterial damage caused by an infringement of the GDPR. As a general rule, the court states that the compensation shall be equivalent and effective. The aim of damages is seen as an aspect of recovery of the damage suffered.
GDPR does not grant punitive damages
The court states that damages under the GDPR have no punitive character. In addition, the court does not elaborate on the profit of the controller caused by the infringement of the GDPR. As a consequence, neither aspect will be added to the damage suffered by the data subject.
Burden of proof
The decision states that the burden of proof for the immaterial damage lies with the data subject.7 The CJEU does not clarify who bears the burden of proof for the infringement of the GDPR. In this respect, the accountability principle of the GDPR and the national proceedings for damages may follow different approaches. In addition, the court has not decided whether Art. 82(3) GDPR shifts the burden of proof for the causal link to the controller – as the wording seems to indicate.
The decision of the CJEU lowers the bar for the requirements for damages according to the GDPR. Negligent behaviour of the controller is not necessary. Consumers can easily show that they have suffered a small immaterial damage. Infringements of formal requirements of the GDPR, like the publication of the contact details of the DPO, can be neglected. In practice, any substantive infringement of the GDPR will likely indicate an immaterial damage. In connection with the directive on representative actions8 – the European form of class action – the decision of the CJEU is of high relevance. Unfortunately, the court did not evaluate which amount of money is an adequate compensation for immaterial damage suffered from an infringement of the GDPR.
4 Austrian Postal Service
5 Thomas Kahler, Irish DPC: liability for failure to act against Facebook, DPOblog.eu, January 12, 2020
6 Data Protection Agency