Until now, damages claims awarded by German courts pursuant to Article 82 of the General Data Protection Regulation (“GDPR”) – in particular, claims for non-material damages – have been relatively low.  This restrained approach thus far has been predicated primarily on the position that German law requires a serious violation of personality rights to justify higher claims for non-material damages.  Two recent cases decided by regional courts illustrate and confirm this prevailing stance.  However, a more recent decision issued by the Federal Constitutional Court indicates that views in Germany may be evolving on this topic, and courts may soon be willing to entertain higher damages claims.

Prevailing German View of Damages Claims under the GDPR

In September 2020, the Regional Court of Hamburg held that not every infringement of privacy law justifies a damages claim.  Rather, the Court said, there must be an identifiable and effective violation of personality rights, which does not necessarily exist as a result of potential disadvantages that one might suffer as a consequence of a data breach.

Similarly, in November 2020, the Regional Court of Landshut also held that a violation of privacy law does not automatically result in a damages claim.  Rather, said the Court, the infringement must in each case also lead to a specific (not merely insignificant or perceived) infringement of the personality rights of the data subject.  Accordingly, the data subject must have suffered a noticeable disadvantage, and the impairment must be objectively comprehensible (with some consideration given to personal interests).

The courts in both of these cases align with the prevailing view in Germany of damages claims brought under the GDPR – namely, that an aggrieved party will need to demonstrate a clear, specific and objective harm that has resulted from a violation of data protection law to be awarded a claim for damages.

Change on the Horizon?

This restrained approach to damages claims in Germany may be subject to change in the near future.  In a case decided in January 2021, Germany’s Federal Constitutional Court held that the issue of whether or not (and if so, the extent to which) a damages claim brought pursuant to Article 82 GDPR is subject to certain evidentiary requirements must be decided under European law and – if necessary – clarified by the Court of Justice of the European Union (“CJEU”).  Here, the German Federal Constitutional Court quoted Recital 146, sentence 3 of the GDPR, which states “…the concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of this Regulation.”

This decision of the Federal Constitutional Court was preceded by a ruling of the Local Court of Goslar, in which the Court refused a non-material damages claim submitted by a person who received an advertising e-mail without giving prior consent.  There, the Court held that no harm was apparent – only a single unsolicited advertising e-mail was sent, the email clearly indicated from its appearance that it was related to advertising, and this resulted only in a temporary inconvenience to the individual.  Interestingly, it appears the Federal Constitutional Court has (perhaps intentionally) selected a de minimis case to raise this question to the attention of the CJEU, rather than a more egregious violation of data protection law.

Conclusion

In addition to the high fines imposed by German supervisory authorities in the recent past for data breaches, this development opens up another potential avenue for legal proceedings.  Data breaches often affect a large number of data subjects who can easily transform into plaintiffs – including collectively, for mass proceedings.  If the CJEU continues to follow its data protection-friendly line of reasoning and pursue effective enforcement of data protection law, damages claims pursuant to Article 82 GDPR and legal proceedings based on such claims may become the new norm and much more important in the future.

While the area of data protection law – at least in Germany – has so far focused primarily on material compliance issues, in the future, other tactical and strategic legal aspects may also become increasingly more important.

Photo of Lars Lensdorf Lars Lensdorf

Lars Lensdorf is a partner in the Frankfurt office. He focuses on IT law, outsourcing, digitalization/ industry 4.0, IT related bank regulatory matters and data protection. Dr. Lensdorf’s practice covers all types of IT and outsourcing agreements, all matters of digitalization and industry…

Lars Lensdorf is a partner in the Frankfurt office. He focuses on IT law, outsourcing, digitalization/ industry 4.0, IT related bank regulatory matters and data protection. Dr. Lensdorf’s practice covers all types of IT and outsourcing agreements, all matters of digitalization and industry 4.0, including online procurement platforms, IT-compliance matters (including cybersecurity) as well as data protection.

Furthermore, he is also focused on interfaces to other practice areas to the extent that IT related matters are affected, e. g. regulatory requirements for banking and financial services as well as public procurement law. A significant part of Dr. Lensdorf’s practice is currently advice in connection with the implementation of the GDPR (data protection) in Europe.

Photo of Moritz Hüsch Moritz Hüsch

Moritz Hüsch is partner in Covington’s Frankfurt office and co-chair of Covington’s Technology Industry Group and Covington’s Internet of Things (IoT) Group. His practice focuses on complex technology- and data-driven licensing deals and cooperations, outsourcing, commercial contracts, e-commerce, m-commerce, as well as privacy…

Moritz Hüsch is partner in Covington’s Frankfurt office and co-chair of Covington’s Technology Industry Group and Covington’s Internet of Things (IoT) Group. His practice focuses on complex technology- and data-driven licensing deals and cooperations, outsourcing, commercial contracts, e-commerce, m-commerce, as well as privacy and cybersecurity.

Moritz is regularly advising on issues and contracts with respect to IoT, AV, big data, digital health, and cloud-related subject matters. In addition, he regularly advises on all IP/IT-related questions in connection with M&A transactions. A particular focus of Moritz’s practice is on advising companies in the pharmaceutical, life sciences and healthcare sectors, where he regularly advises on complex licensing, data protection and IT law issues.

Moritz is regularly listed as one of the best lawyers in the areas of IT and data protection, among others by Best Lawyers in cooperation with Handelsblatt, Wirtschaftswoche and Legal 500.

Photo of Nicholas Shepherd Nicholas Shepherd

Nicholas Shepherd is an associate in Covington’s Washington, DC office, where he is a member of the Data Privacy and Cybersecurity Practice Group, advising clients on compliance with all aspects of the European General Data Protection Regulation (GDPR), ePrivacy Directive, European direct marketing…

Nicholas Shepherd is an associate in Covington’s Washington, DC office, where he is a member of the Data Privacy and Cybersecurity Practice Group, advising clients on compliance with all aspects of the European General Data Protection Regulation (GDPR), ePrivacy Directive, European direct marketing laws, and other privacy and cybersecurity laws worldwide. Nick counsels on topics that include adtech, anonymization, children’s privacy, cross-border transfer restrictions, and much more, providing advice tailored to product- and service-specific contexts to help clients apply a risk-based approach in addressing requirements in relation to transparency, consent, lawful processing, data sharing, and others.

A U.S.-trained and qualified lawyer with 7 years of working experience in Europe, Nick leverages his multi-faceted legal background and international experience to provide clear and pragmatic advice to help organizations address their privacy compliance obligations across jurisdictions.

Nicholas is a member of the Bar of Texas and Brussels Bar (Dutch Section, B-List). District of Columbia bar application pending; supervised by principals of the firm.