What’s this about?
Under Article 82(1) of the EU General Data Protection Regulation (EU GDPR) anyone who has suffered either material or non-material damage as a result of an infringement of EU GDPR has the right to receive compensation from the data controller or data processor for the damage suffered. The European Court of Justice (the European Court) has ruled that not every infringement of EU GDPR however gives rise to compensation. This article briefly looks at the issues.
What’s the background?
From 2017, an Austrian organisation that sold addresses, Österreichische Post, collected information about the political affinities of the Austrian population. Using an algorithm, it defined “target group addresses” according to socio-demographic criteria, which it then sold. The data collected enabled Österreichische Post to establish that a given individual had a high degree of affinity with the Austrian far-right populist Freedom party; the processed data were not however communicated to third parties.
An individual who had not consented to the processing of his personal data in the above context, claimed that he felt great upset, a loss of confidence and a feeling of exposure due to the fact that a particular affinity had been established between him and the political party in question. He then brought legal proceedings before a court in Vienna seeking €1,000 as compensation for non-material damage which he claimed to have suffered and also requested that the processing be stopped. The court granted the cessation of processing request but rejected the compensation claim. This ruling was then upheld on appeal and then went to the Austrian Supreme Court.
What did the Austrian Supreme Court do?
The Austrian Supreme Court had doubts as to the extent of the right to compensation under EU GDPR and made a reference for a preliminary ruling to the European Court asking whether mere infringement of EU GDPR was sufficient to confer that right, and whether compensation is possible only if the non-material damage suffered reaches a certain degree of seriousness. Further, it also asked what the EU law requirements are for the determination of the amount of damages.
What did the European Court rule?
The European Court ruled that:
- The right to compensation provided for by EU GDPR is subject to three cumulative conditions: (a) infringement of EU GDPR; (b) material or non-material damage resulting from that infringement; and, (c) a causal link between the damage and the infringement. According to the European Court, not every infringement of EU GDPR gives rise, by itself, to a right to compensation. The European Court said that any other interpretation would run counter to the clear wording of EU GDPR. In addition, according to the recitals of EU GDPR relating specifically to the right to compensation, infringement of EU GDPR does not necessarily result in damage, and there must be a causal link between the infringement in question and the damage suffered in order to establish a right to compensation;
- The right to compensation is not limited to non-material damage that reaches a certain threshold of seriousness. According to the European Court, EU GDPR does not contain any such requirement and such a restriction would be contrary to the broad conception of damage adopted by the EU legislature. The European Court said that the graduation of such a threshold, on which the possibility or otherwise of obtaining that compensation would depend, would be liable to fluctuate according to the assessment of the courts before whom claims were brought; and,
- Because EU GDPR does not contain any rules governing the assessment of damages it is for the legal system of each EU country to prescribe the detailed rules for compensation, provided that the principles of “equivalence and effectiveness” of EU law are respected.
What are the takeaways?
This commonsense ruling should act as food for thought to those seeking to bring data protection infringement compensation claims in what might be termed trivial matters. Post-Brexit this ruling does not of course bind the UK but it might add weight to the trend in the UK of the courts pushing back on damages claims in such trivial matters.
This said, businesses shouldn’t rest on their laurels – issues that businesses should nevertheless still consider in general include the following:
- Making staff and the Board aware (including through training) of both individual and class-action claim risks for alleged data protection breaches. Everyone involved should know what to do when bad things do happen. Training like the Cordery Data Breach Academy can help (see https://www.corderycompliance.com/cordery-data-breach-academy-2-2-2/);
- Setting up and undertaking regular compliance audits or reviews in order to identify, rectify and prevent issues that could involve either an individual claim or a class-action claim;
- Checking the liability provisions in vendor agreements and revising them where appropriate;
- Ensuring that legal professional privilege applies in an internal investigation of a data security breach;
- Considering looking into insurance cover issues; and,
- In case they are on the receiving end of a claim they should act quickly!
We have written about data protection and compensation issue including here https://www.corderycompliance.com/uk-court-cmd-0123/, here https://www.corderycompliance.com/thebountycase/ and here https://www.corderycompliance.com/lloyd-v-google-ruling/ and here https://www.corderycompliance.com/data-protection-breaches-and-compensation-litigation-issues-for-consideration/.
We report about data protection and privacy issues here https://www.corderycompliance.com/category/data-protection-privacy/.
The European Court judgment can be found here (in French and German only, for now) https://curia.europa.eu/juris/document/document.jsf?text=&docid=273284&pageIndex=0&doclang=FR&mode=req&dir=&occ=first&part=1&cid=4049230.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
|Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH||André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH|
|Office: +44 (0)207 075 1784||Office: +44 (0)207 075 1785|