Out-Law News 6 min. read
11 Jul 2024, 10:08 am
The circumstances in which businesses might have to pay compensation to individuals for infringing EU data protection law have been clarified in two recent rulings of the EU’s highest court.
The judgments of the Court of Justice of the EU (CJEU) clarify that compensation rights provided for under the EU General Data Protection Regulation (GDPR) fulfil “an exclusively compensatory function”, meaning courts should not award compensation to deter others from engaging in similar conduct nor to penalise businesses financially beyond the level necessary to “allow the damage actually suffered as a result of the infringement of that regulation to be compensated in full”.
The judgments provide further clarity on the factors that can be accounted for when considering whether compensation rights arise, including in the context of personal data breaches and cases of identity theft. They build on existing CJEU case law relevant to how the compensation provisions in Article 82(1) of the GDPR should be interpreted.
Article 82(1) of the GDPR provides individuals who suffer material or non-material damage as a result of an infringement of the GDPR with the right to receive compensation from the controller or processor for the damage suffered.
It is widely understood that the concept of ‘material’ damage refers to financial loss, but the meaning of ‘non-material damage’ has been less clear and, as a result, the subject of litigation.
The GDPR does not define "non-material damage", but a non-binding recital in the regulation, recital 146, suggests that the "concept of damage should be broadly interpreted" and that data subjects should receive "full and effective compensation for the damage they have suffered".
In May 2023, the CJEU ruled that the mere infringement of the GDPR is not sufficient to confer a right to compensation but that EU member states are precluded from imposing rules or practices that require claims for compensation based on non-material damage to reach “a certain degree of seriousness”. According to the CJEU case law confirmed in January 2024, the right to compensation is subject to the fulfilment of three cumulative conditions: that processing of personal data is in breach of GDPR provisions; there is damage or harm suffered by the data subject; and there is a causal link between that unlawful processing and that damage. The CJEU said at that time that it is for each EU member state to decide the rules on compensation for non-material damages in their jurisdiction.
In its latest rulings, the CJEU reiterated that earlier case law but also provided further guidance to help courts across EU countries to apply Article 82(1).
In the first case referred to it by a local court in Germany, the CJEU considered a claim for compensation arising from when a letter containing tax return information was sent to the wrong address and opened by the tenant at that address.
In this case, the CJEU found that evidence of a person’s fear that their personal information has been wrongfully disclosed to a third party is sufficient to substantiate claims for “non-material damage” that concern a loss of control over personal data. In that regard, it considered that it is not necessary for a data subject to have to prove, in such a scenario, that there had been actual disclosure of their personal data – i.e. that the recipient had actually opened and read the wrongly addressed letter – for them to be eligible to raise a GDPR compensation claim provided, however, that that fear, with its negative consequences, is duly proven.
The CJEU also stated that there is no minimum threshold of damage that must be crossed before compensation becomes payable. It further confirmed that when assessing compensation under Article 82(1), the court is not required to apply the same criteria as those used to determine the level of an administrative fine under Article 83 of the GDPR, and that an award of compensation under Article 82(1) is not required to have a dissuasive effect or to serve as a deterrent to infringement.
The second case, also referred to the CJEU from Germany, brought together two compensation claims raised against the provider of a trading app by two account holders. The claims relate to a personal data breach where the account holders’ data was seized by unknown individuals.
The CJEU confirmed that the purpose of Article 82(1) is exclusively compensatory – to cover damage actually suffered by the data subject – and not to punish organisations nor act as a deterrent. However, the CJEU did stress that compensation awarded under Article 82(1) must be allowed to compensate the data subject’s loss or damage in full.
The CJEU reiterated its January 2024 case law by confirming that the seriousness of a GDPR infringement is not a relevant factor in determining eligibility for GDPR compensation. In that respect, all that matters is whether there is evidence of damage actually suffered. The CJEU said courts can award “minimal compensation” to reflect “minor” infringement – provided that this is representative of compensation in full for the damage suffered.
In respect of claims for compensation that cite ‘non-material’ damage, the CJEU said courts, in assessing what level of compensation to award arising in the context of a personal data breach, should consider such damage to be no less “significant than physical injury”.
Where ‘non-material’ damage claims are rooted in claims of identity theft arising from a GDPR infringement, the CJEU confirmed that individuals would need to show that their data has “actually been misused by a third party” to be eligible for compensation in respect of identity theft. However, if such proof to substantiate the identify theft-related claims cannot be provided, individuals may still be able to raise claims for compensation for non-material damage caused by loss of control due to theft of personal data.
Paris-based Guillaume Morat of Pinsent Masons said: “In France, there is no case law to date on the compensation of non-material damage under the GDPR. This is because itis still very rare for data subjects to choose to sue a data controller before the French civil courts in order to obtain compensation, with priority generally given to ‘public enforcement’ through the French data protection authority. However, this may potentially change in the near future with the development of class action-style litigation in France.”
Data protection law expert Malcolm Dowden of Pinsent Masons said UK case law pertaining to compensation rights under the UK GDPR, which largely mirrors the EU legislation, has evolved differently. However, he said “the degree of divergence should not be overstated”.
Dowden said: “In the case of Rolfe v Veale Wasbrough Vizards, the High Court in England and Wales rejected a claim for compensation when a letter concerning unpaid school fees was sent to the wrong email address but where the recipient immediately informed the sender and confirmed that the email had been deleted. In dismissing the claim, the judge in that case said that ‘no person of ordinary fortitude would reasonably suffer the distress claimed as arising in these incidents in the 21st century, in a case where a single breach was quickly remedied’. He added: ‘In the modern world it is not appropriate for a party to claim (especially in the High Court) for breaches of this sort which are, frankly, trivial’. A similar view was reached in the case of Johnson v Eastlight Community Homes ruled on by the High Court, also in 2021.”
“Even in cases where compensation has been awarded, the figures have been low. For example, in the 2022 case of Driver v Crown Prosecution Service, the High Court refused a claim for £5,000. Compensation was awarded at £250 to reflect what the judge described as a data breach ‘at the lowest end of the spectrum’,” he said.
“While those cases might suggest a view in the English courts that there is a minimum threshold for compensation claims, with some damage being too ‘trivial’ to merit an award, it is more accurate to say that they are intended to steer such claims away from the High Court and towards the county court to be dealt with as small claims. Costs in the High Court will significantly exceed the level of damages and are unlikely to be recoverable. Consequently, a decision to pursue a claim in the High Court might well be regarded – as it was in Johnson v Easlight case – as an abuse of process,” he added.
“The application by the High Court of something like a de minimis threshold does not mean that compensation must pass a threshold to be recoverable – rather, it means that if damage does not pass a minimum threshold then compensation should be sought through the small claims procedure rather than in the High Court and, even then, with a view that the figures awarded for ‘non-material’ damage are likely to be very low,” Dowden said.
Out-Law Analysis
03 Jun 2024