In recent months, the European Court of Justice (“CJEU”) issued five judgments providing some clarity on the scope of individuals’ rights to claim compensation for “material and non-material damage” under Article 82 of the GDPR. These rulings will inform companies’ exposure to compensation claims, particularly in the context of the EU’s Collective Redress Directive, but open questions remain about the quantum of compensation courts will offer in these cases and we expect both the CJEU and national courts to deliver additional case-law clarifying this topic in the coming year (for more information on recent CJEU cases related to compensation, see our previous blog posts here and here).
- In VB v Natsionalna agentsia za prihodite (C-340/21), the CJEU concluded that individuals may have suffered “non-material damage”—and therefore be able to claim compensation—if they can demonstrate that they feared future misuse of personal data that was compromised in a personal data breach.
- In VX v Gemeinde Ummendorf (C-456/22), the CJEU found that there is no de minimis threshold for damage, below which individuals cannot claim for compensation.
- In BL v MediaMarktSaturn (C-687-21), the CJEU restated its existing case-law, and expanded upon its analysis in VB by clarifying that alleged harms cannot be “purely hypothetical”.
- In Kočner v Europol (C-755/21), the CJEU awarded non-material damages of €2000 for the publication in newspapers of transcripts of “intimate” text messages.
- In GP v Juris GmbH (C-741/21), the CJEU found that where one processing activity infringes multiple provisions of the GDPR, this should not allow claimants to “double-count” the harm they suffered.
We provide further detail on each case below.
The VB case
The VB case arose out of a 2019 cyberattack suffered by the Bulgarian National Agency for Public Revenues. This attack resulted in the publication of millions of individuals’ personal data on the internet. One affected individual brought a claim for compensation, alleging that she had suffered non-material damage because she was afraid the publication of her personal data could lead to misuse of that data in the future—despite there being no evidence that her data had in fact been misused.
The CJEU noted that the concept of “damage” in Article 82 should be “broadly interpreted in light of the case-law of the CJEU in a manner which fully reflects the objectives of the GDPR”. Consequently, the CJEU held that the mere fear of future misuse of personal data that was compromised in a personal data breach can constitute non-material harm under the GDPR, even if there is no evidence that any misuse has occurred. That said, individuals will only be able to claim compensation if they can prove that they have in fact suffered such harm as a result of the breach, i.e., that they in fact had a well-founded fear of future misuse, and can demonstrate that the damage is causally linked to the alleged GDPR infringement. EU Member States’ courts will need to assess this factual question as well as the thorny question of assigning a monetary value to this “fear”, on a case-by-case basis.
The VX case
The VX ruling originated from the online publication of personal data (including names and home addresses) contained in municipal council meeting agendas. This data was accidentally published for a period of 3 days on the council’s website before the error was noticed and the files were taken down. Some of the individuals whose data appeared in the meeting agendas brought claims for compensation under Article 82 of the GDPR; the municipal council argued that no compensation should be payable as the affected individuals had not suffered any meaningful harm. That is, the municipal council argued that Article 82 should not allow compensation for trivial harms that fall below a “de minimis” threshold.
Similarly to the VB ruling, the CJEU reiterated that non-material damage should be interpreted broadly. It therefore dismissed the municipal council’s arguments and held that, “it would be contrary to Article 82 of the GDPR to limit it solely to the damage of a certain degree of seriousness”. The effect of this is that, while it is up to the claimants to prove as a matter of fact that they suffered damage, and to prove that the damage was causally linked to a GDPR breach (as described below), there is no “de minimis” threshold preventing claimants from bringing claims relating to minor or trivial harms.
The BL case
The BL case arose when BL bought some items from an electronics store and chose to pay for the goods on credit; to apply for the credit, he had to fill out a form containing his personal data such as his bank details and salary. Due to a mistake by the store, BL’s goods and his forms were given to the wrong customer, as a result of which that other customer held BL’s goods and forms for about 30 minutes until the store realised the error and retrieved them. BL claimed that the provision of the forms (i.e., BL’s personal data) to the other customer violated the GDPR and he demanded compensation from the store.
The CJEU reiterated, as it did in the cases above, that the purpose of Article 82 is ultimately compensatory rather than punitive: any damages awarded under Article 82 must be calculated by reference to the detriment that BL suffered as a result of the breach, rather than the desire to punish the electronics store for the breach. The CJEU then went on to reiterate its conclusions in the Austria Post case (see our blog here on that case) as to the conditions that must be satisfied for non-material damages to be awarded, namely: (i) the individual suffered damage; (ii) there was an infringement of the GDPR; and (iii) there is a causal link between the damage and the infringement. That is, even if the electronics store had breached the GDPR by handing BL’s documents to the wrong person, this was not sufficient to enable BL to claim damages – he had to prove as a matter of fact that he suffered harm and that the GDPR breach was causally linked to that harm.
Finally, the CJEU clarified its statements in the VB case that fear of personal data misuse may amount to “damage” for the purposes of Article 82, holding that such fear must be “well-founded,” meaning that there must be reasonable grounds for the fear rather than “a purely hypothetical risk of misuse”.
The Kočner case
The Kočner case arose from an investigation into the murder of a Slovakian journalist. During this investigation, the Slovakian crime agency requested Europol’s assistance in deciphering data stored on devices owned by Mr Kočner. Some of the information stored on these phones, including transcripts of “intimate and sexual communications” between Mr Kočner and his girlfriend, were subsequently published in the media.
Mr Kočner claimed that the publication of this information caused him non-material damage, and sought compensation under Regulation 2016/794 (the Europol regulation), which requires Europol to protect individuals against unlawful processing of their personal data. The European Court of Justice found that Europol had breached the Europol regulation by allowing Mr Kočner’s information to fall into the hands of journalists, and that those journalists’ subsequent publication of this data “adversely affected [Mr Kočner’s] honour and reputation, which caused him non-material damage”.
The court then assessed that the amount of compensation owed to Mr Kočner’s for this damage was €2000. Unhelpfully, the court did not provide a justification for this figure, beyond noting that it had assessed the compensation “on an equitable basis”.
The GP case
The GP case arose when GP received, on three occasions, marketing letters from Juris (a provider of legal research services) despite having previously revoked his consent for, and exercised his right to object to, the use of his data for marketing purposes.
GP claimed that Juris had committed multiple breaches of the GDPR by failing to honour his consent withdrawal and his objection, and that the amount of compensation payable to him should be increased because of the multiple breaches. He then went on to claim that these breaches amounted to a “loss of control” of his personal data, and that he was therefore entitled to claim compensation per se, without needing to demonstrate that he had suffered any actual harm.
The CJEU first reiterated its analysis in Austria Post and BL that a breach of the GDPR does not lead to a right to compensation per se; instead, that breach must be linked to an actual harm that the claimant can demonstrate.
The CJEU then went on to note that, when calculating non-material damages, it is not relevant to consider the factors set out in the GDPR for calculating fines issued by supervisory authorities (such as “any relevant previous infringements” or “financial benefits gained” by the data controller). As in BL, the court noted that the purpose of the GDPR’s non-material damages provisions is fundamentally to compensate the harm suffered by the data subject, rather than punish the data controller – so the “gravity of the infringement… that caused the alleged [damage] cannot influence the amount of compensation granted”.
Finally, the CJEU considered how courts should calculate damages in cases where a controller is accused of multiple breaches of the GDPR, all of which cause the same harm (e.g., because one processing operation infringes multiple articles of the GDPR). Again, the CJEU noted that the purpose of Article 82 is fundamentally compensatory, so the fact that a processing activity breaches multiple articles of the GDPR should not allow claimants to “double-count” the harm they have suffered.
What happens next
With the exception of Kočner, the court has refrained from giving definitive answers on the appropriate quantum of non-material damages payable – that issue was instead remitted to the relevant national courts. We therefore expect further national case-law to see how the principles laid down by the CJEU will be applied in practice. We also expect further commentary from the CJEU in the coming months – the cases discussed in this post are just a handful of a raft of cases currently pending before the CJEU which are set to examine compensation under the GDPR. The topic of defining non-material damages is also of increasing importance as EU Member States continue their transposition of the Representative Actions Directive.
This post was written with the assistance of Diane Valat and Alberto Vogel.
* * *
Covington’s Data Privacy and Cybersecurity Practice regularly advises on European privacy laws, including data breaches, cyber incidents, and litigation at the European Court of Justice. If you have any questions about the implications of these rulings for your business, please let us know.