On 4 May 2023 the CJEU handed down judgment in the Österreichische Post case, ruling that mere infringement of the GDPR is not itself sufficient to confer a right to compensation; and that material or non-material damage is required. The reasoning adopted by the CJEU is markedly similar to that adopted by the Supreme Court in Lloyd v Google in relation to the DPA 1998, and it seems highly likely that that the courts in this jurisdiction will adopt the same approach in relation to the UK GDPR and DPA 2018.  The CJEU did not however directly address the question posed by Recital 85 of the GDPR, which is whether “loss of control” over personal data constitutes non-material damage for the purpose of this principle.

In the same Judgment the CJEU rejected an argument that compensation for non-material damage could only be awarded where damage suffered by the data subject has reached a certain degree of seriousness, holding that the GDPR precluded such a national rule or practice. This was not the approach adopted in Lloyd, but largely accords with current practice in this jurisdiction. Whether the steer of the CJEU has any impact on domestic law remains to be seen.

Facts

From 2017, Österreichische Post collected information on the political affinities of the Austrian population. Using an algorithm, it defined ‘target group addresses’ according to socio-demographic criteria. The data thus collected enabled Österreichische Post to establish that a given citizen had a high degree of affinity with a certain Austrian political party.

The citizen in question, who had not consented to the processing of his personal data, claimed that he felt great upset, a loss of confidence and a feeling of exposure (matters the CJEU referred to as “adverse emotional effects of a temporary nature”) due to the fact that a particular affinity had been established between him and the party in question. He sought an injunction and compensation of €1,000. The national courts granted the injunction but reject the claim for compensation.

The Austrian Supreme Court referred three questions concerning the claim for compensation to the CJEU.

Questions for the Court

  • Does the award of compensation under Article 82 of [the GDPR] also require, in addition to infringement of provisions of the GDPR, that an applicant must have suffered harm, or is the infringement of provisions of the GDPR in itself sufficient for the award of compensation?
  • Does the assessment of the compensation depend on further EU-law requirements in addition to the principles of effectiveness and equivalence?
  • Is it compatible with EU law to take the view that the award of compensation for non-material damage presupposes the existence of a consequence [or effect] of the infringement of at least some weight that goes beyond the upset caused by that infringement?’

Determination

Question 1

Basing itself on the wording of GDPR Article 82(1), the CJEU concluded relatively shortly that the provision imposed three conditions necessary to give rise to the right to compensation: (1) processing of personal data that infringes the provisions of the GDPR; (2) damage suffered by an individual, and (3) a causal link between that unlawful processing and that damage. Therefore, the existence of ‘damage’ “constitutes one of the conditions for the right to compensation”; a conclusion the CJEU stated was supported by context, in particular Article 82(2) and recitals 75, 85 and 146.

The CJEU noted the wording in Article 82 differed from that in Articles 77 and 78 – by which a claim may be brought before or against a supervisory body – and concluded that this showed “the importance of the ‘damage’ criterion, and therefore of its distinctive nature as against the ‘infringement’ criterion, for the purposes of claims for compensation based on the GDPR.” It similarly distinguished Articles 83 and 83 – concerning administrative fines and penalties – which it said had “a punitive purpose and are not conditional on the existence of individual damage”.

Question 2

The CJEU noted that the GDPR “does not contain any provision intended to define the rules on the assessment of the damages to which a data subject… may be entitled under Article 82” and that therefore it is a question for Member States to determine “the criteria for determining the extent of the compensation payable in that context”, subject to compliance with those principles of equivalence and effectiveness.

It drew attention to recital 146 and the approach adopted by the Advocate General in his Opinion, noting that to be regarded as ‘full and effective’ financial compensation must “allow the damage actually suffered as a result of the infringement of that regulation to be compensated in its entirety” without the need for payment of any form of punitive damages.

Question 3

The CJEU again approached the question by reference to the wording of Article 82(1), noting that it “confines itself to expressly stating that not only ‘material damage’ but also ‘non-material damage’ may give rise to a right to compensation, without any reference being made to any threshold of seriousness”. It noted that the context and the purpose of the GDPR undermined any existence of such a threshold and concluded that: “Making compensation for non-material damage subject to a certain threshold of seriousness would risk undermining the coherence of the rules established by the GDPR, since the graduation of such a threshold, on which the possibility or otherwise of obtaining that compensation would depend, would be liable to fluctuate according to the assessment of the courts seised.

The Court did emphasis that any individual who complained that they had suffered negative consequences was still required to “demonstrate that those consequences constitute non-material damage within the meaning of Article 82”.

 Comment

Three short observations:

  • The CJEU’s conclusion is clear. The Judgment may not however entirely have put the matter to bed, since it does not contain a clear statement on what may constitute “non-material damage” for the purposes of Article 82(1). In contrast to the Advocate General, the CJEU did not address (although it did cite) Recital 85, which provides that “A personal data breach may … result in physical, material or non-material damage to natural persons such as loss of control over their personal data…” The argument – accepted by the Court of Appeal in Lloyd then shunned by the Supreme Court – is that this provision shows that under the GDPR a claimant is permitted to claim compensation on the basis that he or she has suffered non-material damage in the form of a “loss of control” of the data in question. Given that all that the CJEU have concluded in response to question 1 is that a claimant cannot obtain compensation for a bare violation of the GDPR, on one reading of the Judgment this argument has not been rejected by the court.
  • The prospects of successful CPR 19.6 claims for large-scale data breaches are dealt another blow. Two avenues were arguably left open in Lloyd for such claims – those brought under the GDPR and those framed not as data breach claims at all but as claims for misuse of private information (MOPI). The latter route is the subject of a pending decision in Prismall v Google, in which Google have sought to strike out the MOPI claims on the basis (inter alia) that they suffer from the same defects as identified in This CJEU judgment – subject potentially to issue (1) – undermines the prospects of a successful CPR 19.6 claim under the GDPR or UK GDPR. The judgment is of course not binding on domestic courts, but given the degree to which it chimes with Lloyd it is very hard to see a different approach being adopted.
  • The rejection of a threshold of seriousness is of interest, and the CJEU has long emphasised the deliberately wide reach of the GDPR. The approach runs counter to that adopted in Lloyd in respect of the DPA 1998 – the Supreme Court noted, for example, that “on the claimant’s own case there is a threshold of seriousness which must be crossed before a breach… will give rise to an entitlement to compensation”. The CJEU did emphasise that claimants must prove that they have suffered non-material damage, and more generally this may shift courts’ emphasis from addressing questions of de minimis to questions of causality or proof of damage (which is what appears to have been done, rightly or wrongly, in Rolfe & Ors v Veale Wasbrough Vizards LLP [2021] EWHC 2809 (QB)). Ultimately, it seems likely that the trend of low value data claims not being struck out but being heard in the County Court will continue.

Ian Helme is a barrister at Matrix Chambers and the head of Matrix’s Data Protection Group. He appeared with Catrin Evans KC for Tech UK in the Supreme Court in Lloyd v Google.