GDPR damages: EU Advocate General does not let liability get out of hand
No punitive damages – no damages without damage – no “de-minimis” damages
Today, the Advocate General delivered his eagerly awaited opinion in case C-300/21. The case deals with fundamental questions as to the conditions under which non-material damages are to be paid for violations of the General Data Protection Regulation (GDPR). The Austrian Supreme Court had asked whether a violation of the GDPR in itself constitutes damage and whether the application of a “materiality threshold”, according to which mere feelings of displeasure would not qualify as compensable damage, complies with the GDPR.
In the proceedings in which Wolf Theiss successfully represented the defendant against claims for damages in all instances, the Advocate General shares a similar legal view: he exercises restraint when it comes to allowing claims for damages for alleged immaterial damage to get out of hand.
The core statements of his legal opinion are:
1) GDPR infringements are not “per se” compensable damage;
2) Clear rejection of “GDPR punitive damages”;
3) No compensation for “de minimis” damages.
The legal opinion of the Advocate General (AG) takes a position on a number of legal issues and with welcome clarity:
1) GDPR infringements are not “per se” compensable damage
For the recognition of a claim for compensation for damage suffered by a person as a result of a breach of the GDPR, the mere breach of the norm as such is not sufficient if it is not accompanied by corresponding material or immaterial damage.
In other words, data processing that is simply in breach of the GDPR does not in itself constitute “damage” in the sense of the GDPR; there must also be an element of material or emotional disadvantage for the data subject. However, the AG also rejects the often-held opinion that a GDPR violation automatically constitutes a “loss of control” over the data (or the loss of this control) and that this automatically constitutes “damage”. None of the recitals 75 and 85 used for this purpose mention that the violation of a norm per se implies a compensable damage. Moreover, the GDPR also provides other possibilities for exercising this control, in particular the right to erasure, from which the controller is obliged to delete the relevant information “without undue delay”.
2) Rejection of “GDPR punitive damages
The AG is also clear in its rejection of a GDPR punitive damages award: sometimes the view has been expressed that GDPR damages should not only be “complete and effective” but also “deterrent”. The AG counters this: the GDPR does not contain any reference to the sanction character of the compensation of material or immaterial damages or to the fact that the calculation of its amount reflects this character, or to the deterrent effect of the damages (which, on the other hand, is the case with criminal sanctions and administrative fines). The claim under Article 82(1) of the GDPR is conceived in the service of typical functions of civil liability and serves to compensate for damage (to the injured party) and, secondarily, to prevent future damage (committed by the infringer).
This means: the notion that “punitive damages” would have been introduced via the GDPR backdoor has clearly been rejected by the AG. Even though the claimant did not explicitly seek punitive damages in the underlying proceedings, any portion of damages awarded in excess of the actual damage “suffered” would bear a punitive character and effectively sanction the data controller instead of (merely) compensating the data subject.
3) No compensation for “de minimis” damage
Also with regard to the further question referred for a preliminary ruling, the AG strengthens the view, which has already been widely held by the Austrian courts, that no compensation is to be paid for low-threshold feelings of discontent: the compensation for non-material damage regulated in the GDPR does not extend to “mere annoyance” to which the violation of its provisions may have led the data subject.
In this context, the distinction between compensable non-material damage and other disadvantages caused by the disregard of the requirement to act lawfully, which do not necessarily lead to a claim for compensation due to their minor importance, is relevant. Such a split is regarded in national legal systems as an inevitable consequence of living in a society. Nothing prevents this from being applied to the GDPR, the AG stated.
This means: it will be up to the national courts to work out when the subjective feeling of displeasure can be regarded as non-material damage due to its characteristics in the individual case. However, this does not imply an overly generous approach, as the AG does not hide its criticism of excessive claims for damages; moreover, the right to damages provided for in Article 82 (1) of the GDPR does not seem to be “the appropriate instrument” to take action against violations in the processing of personal data if they only lead to “anger or annoyance” on the part of the data subject. This is true to life, as a GDPR breach will regularly lead to a negative reaction from the data subject. Damages resulting from a “mere feeling of displeasure” due to the non-observance of the right by another person would come quite close to the “damages without damage”, as clearly rejected by the AG. However, affected persons are not completely deprived of their rights. In particular, they still have the right to have their data deleted and to lodge a complaint with the supervisory authorities.
4) Outlook: major relevance for defence against GDPR damage claims
The decision in this landmark case will set the stage for the future of controllers’ compliance efforts and the data subjects’ appetite for immaterial damage claims.
It is now up to the ECJ to assess the arguments of the parties, Member States, the Commission and the Advocate General’s Opinion exchanged in the proceedings and to issue a judgement. In the majority of cases, the ECJ follows quite closely the proposals of the AG.
For the national courts, this means waiting: many GDPR damages proceedings are interrupted to wait for the ECJ’s judgment. In ongoing proceedings, this will have to be taken into account insofar as the “damage suffered” by affected persons will have to be scrutinised particularly closely as to whether it can constitute compensable damage in the above sense.
Download this article