On October 6, 2022, the Advocate General (“AG”) of the Court of Justice of the European Union (“CJEU”) released an opinion in case C-300/21 to the effect that a controller or processor’s non-compliance with the GDPR does not automatically entitle data subjects to receive compensation for non-material damages pursuant to Article 82 GDPR.  According to the AG, compensation is meant to remedy the consequences caused by a breach of the GDPR, and therefore a data subject must have suffered damage that he or she can affirmatively demonstrate.

The case arises from  Austrian Post’s practice of collecting data, without consent, to determine the political affinity of members of the Austrian population.  The claimant was assigned to a particular political affinity, although the claimant disagreed, and he thus decided to bring a claim for non-material damages (i.e., his inner discomfort).

The referring Austrian court asked the CJEU whether:

(1) compensation for non-material damages can be awarded solely based on an infringement of the GDPR, or whether, in addition, the claimant must have suffered harm as a result of the breach of the GDPR. 

The AG is of the opinion that the claimant must have suffered damages as a result of the breach of the GDPR, in order to receive compensation under Article 82(1) of the GDPR.  A mere infringement of the GDPR, without incurring damages will not give rise to a claim of non-material damages.  The AG is also of the opinion that the GDPR does not provide for punitive damages, a position that is much less contested than the former. 

(2) the damage caused by the infringement must have gone beyond the claimant’s “mere inconvenience” in order for an award for non-material damages to be appropriate.  In other words, the GDPR requires a certain “threshold of seriousness” to be met in relation to the damage incurred, following which compensation may be awarded.

The AG is of the opinion that despite the broad definition of damage in the GDPR, compensation does not apply to all types of non-material damage and depends on the seriousness of the harm.  More specifically, the AG distinguishes, on the one hand, between non-material damages that warrant compensation and, on the other hand, “mere upset” that would be insufficient to merit non-material damages.

(3) there is a presumption of damage once an infringement of the GDPR has occurred, due to the loss of control of the personal data.

The AG is of the opinion that the GDPR does not provide for a presumption of damage.  According to the AG, the presumption of damage would be the same as granting compensation solely due to an infringement of the provisions GDPR, without needing to prove the existence of any actual damage.  The AG therefore states that the loss of control, resulting from a data breach, would not necessarily generate recoverable damage.

Other cases pending before the CJEU on damages under the GDPR

  • Case C-687/21 (German referral): This case concerns a data subject’s right to non-material damages resulting from the accidental disclosure of his or her personal data.
  • Case C-741/21 (German referral): This case concerns a data subject’s right to non-material damages resulting from an infringement of the GDPR attributed to human error of a person acting under the authority of the controller.
  • Case C-182/22 (German Referral): This case concerns a data subject’s right to non-material damages resulting from unauthorized access to data.

*                             *                             *

The AG’s opinion is not binding on the CJEU.  The Covington Privacy and Cyber team will report back once the CJEU renders its judgment.

Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as Privacy International and the European security agency, ENISA.

Photo of Kristof Van Quathem Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty…

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.

Kristof is admitted to practice in Belgium.

Photo of Anna Oberschelp de Meneses Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate…

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.  She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).  Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.  Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.