In our global data breach risk report, we included some information on litigation risk and damages claims across jurisdictions worldwide.
In this series, we dive deeper into the current case law on non-material damages in Europe, addressing questions such as:
- what is the threshold for awarding non-material damages; and
- what is the average amount that has been rewarded for non-material damages for breaches of data protection provisions.
The threshold for awarding non-material damages: the Dutch (highest) courts are strict
In our previous blog post we already briefly pointed out that claiming non-material damages can be tricky. Traditionally, the Dutch courts have been strict in awarding non-material damages.
In the so-called EBI judgment from 2019 (in Dutch), the Dutch Supreme Court considered that a claimant must substantiate with sufficiently concrete information (ie evidence) that they have been harmed, meaning that they will have to substantiate the violation of a norm and the detrimental consequences thereof. Transposed into a GDPR context: arguing a violation of the norm (eg processing without a lawful basis) should be doable. However, it will be more difficult for a claimant (or class) to substantiate that the breach has detrimental consequences.
As with most rules, certain exceptions apply. A claimant does not have to provide concrete information on the detrimental consequences if the severity and nature of the breach itself makes those consequences 'so obvious' that the impairment can be assumed. Again, transposed to a GDPR context: will processing without a lawful basis meet this threshold? Based on Dutch case law, it can be carefully assumed that this exception only applies in very severe cases (eg a case referred to by the Supreme Court is where an obstetrician missed a severe birth defect during a check-up). The fact that data protection is a fundamental right is not sufficient – it is all about the severity of the breach. Therefore, if the breach is severe, an award may well be on its way. However, if the breach is more neutral/trivial, substantiating the damages will be required (and for non-material damages, this is often difficult to do). Unfortunately, there is no one-size-fits-all answer, and the outcome will likely be based on all the relevant facts.
Non-material damages for breaches of the GDPR
In Dutch case law, non-material damages based on a breach of the GDPR have been awarded several times. Noteworthy about these judgments is that it is not immediately apparent what the exact detrimental consequences were for the claimant, other than the loss of control over their personal data.
The reason for the more generous awarding of damages is that the lower courts apply the national provision on non-material damages in accordance with (article 82 and recital 146) the GDPR which provides that the concept of damages is to be interpreted broadly. To complicate things, the different lower courts apply the GDPR-conform interpretation in a different way. For example, one court considers that the loss of personal data in itself sufficiently substantiates the detrimental consequences and thus warrants compensation, while another court holds that the unlawful sharing of (special categories of) data falls in scope of the severity exception as formulated in the Supreme Court EBI judgment (awarding non-material damages of €250 and €500).
On 1 April 2020, the highest administrative court in the Netherlands considers that while article 82, recital 146 and EU case law must be taken into account, national (Dutch) law applies to the question on whether the suffered harm warrants non-material damages. In applying the EBI norm, the court considers that if there is 'special sensitivity in the nature of the personal data', a higher level of protection is needed, and the severity exception applies (thus no evidence on the non-material damages is needed). This case related to special categories of personal data but the decision leaves open whether this may also be applicable to ‘regular’ personal data.
This means that in the event of unlawful processing of very sensitive data (leaving open whether this is only special categories), the detrimental consequences are obvious. The administrative court follows the strict norm as it finds that the GDPR does not state how non-material damage must be established and calculated. Moreover, it considers that the European Court of Justice (ECJ) has not provided any guidance on the concept of damages in the event of unlawful processing of personal data. The amount awarded is €500 (overturning the lower courts’ award of €300).
The Supreme Court and the highest administrative court in the Netherlands are strict in applying the EBI norm. If the facts sufficiently support a severe breach (of the GDPR), a claimant may get away with not substantiating the non-material damages. Otherwise, it seems like the damages must be substantiated with concrete information.
In case of a more regular breach of the GDPR, claimants will likely need to substantiate fear, distress, etc. This can be quite difficult but may be even more difficult if defendants offer measures/services to counter these potential effects, such as dark web monitoring after a data breach.