On 4 May 2023, the Court of Justice of the European Union (“CJEU”) published its decision in Case C-300-21 where it ruled that not any infringement of the General Data Protection Regulation (“GDPR”) triggers the right to compensation provided by Article 82 of the GDPR. The Court did, however, rule that there is no minimum threshold for damage claims.
The right to compensation as set out in Article 82 of the GDPR does have three requirements, namely that there is an infringement of the GDPR, a damage caused to the affected individual and a casual link between the infringement and the damage.
Background of the case:
During 2017, a company trading in addresses, Austrian Post (Österreichische Post), collected information on the political associations of individuals by using an algorithm that considered various social and demographic characteristics. The data that was generated from this was sold to various organizations for targeted advertising.
While conducting its activities, the Austrian Post identified the plaintiff with a high likelihood to a certain Austrian political party based on the statistical deductions of the collected data. This information was not transmitted to third parties.
The plaintiff had not consented to the processing of his personal data and felt offended by the fact that an association to a certain political party had been attributed to him. The plaintiff further argued that the storage of this data, which was based on a presumption, caused him great upset, a loss of confidence and a feeling of being exposed. The plaintiff brought an action against the Austrian Post for an injunction to stop the disputed data processing and payment in the amount of €1,000.00 as compensation for non-material damage.
Implications of the Ruling:
– Any company that is established in the European Union (“EU”) or subject to the GDPR, can be subject to a damage claim under the GDPR. The risk of damage claims may be particularly high in cases of data breaches and where data subjects can exercise their rights under the GDPR, especially regarding the right of access.
– It clarifies that a materiality threshold is not required and that the violation of the GDPR alone does not trigger a damage claim.
– It is expected that a scattered approach will now arise across the EU on the question under which conditions a non-material damage may be justified.
– The claim for (immaterial) damages does not require that a threshold of seriousness must be met, however, individuals must demonstrate that the infringement of the GDPR caused a (non-material) damage.
– Each Member State is to prescribe the rules governing actions for damage claims under Article 82 GDPR, which must include the criteria for determining the extent of compensation payable in that regard. The principles of equivalence (procedures for the remedies according to Union Law must not be less favourable that those governing similar domestic matters) and effectiveness (the implemented procedures do not make it excessively difficult or impossible in practice for individuals to exercise their rights under Union Law).
It will be very interesting to see how this judgment impacts upon future cases and Case C-340/21, where the Advocate General provided its Opinion regarding compensation for non-material damage for data breaches.
Does your organization have any questions about how this ruling may impact your compliance with the GDPR? Contact us, the Experts in Data Privacy at email@example.com, for assistance.