In our global data breach risk report, we covered litigation risk and damages claims across a range of jurisdictions.
In a new series of blog posts, we dive deeper into the current case law on non-material damages in Europe, addressing questions such as:
- What is the threshold for awarding non-material damages?
- What is the average award for non-material damages for breaches of data protection provisions?
This blog post looks at the situation in Austria.
First decisions emerged early on
Austrian courts have been among the first courts in the European Union to award data subjects compensation for non-material (emotional) harm due to unlawful processing of their personal data. As discussed in our previous blogpost, the Regional Court of Feldkirch awarded a data subject €800 for merely being “disturbed” by the unlawful processing of their political orientation. This decision was overturned by the Higher Regional Court of Innsbruck, which pointed out that the mere fact that a company (allegedly) processed data contrary to the GDPR does not automatically establish any non-material damages suffered by the claimant (see our previous blogpost). According to the Higher Regional Court of Innsbruck, for non-material damages to be relevant under the GDPR, a minimum level of personal impairment is required. Not every hurt feeling is sufficient. For example, in the opinion of the court, the data subject’s negative thoughts (eg 'being disturbed') resulting from the GDPR violation are not relevant. Instead, the court set a 'materiality threshold' requiring claimants to establish a more differentiated impairment of feelings in order to be successful.
Except for fault, the burden of proof lies entirely with the data subject
Back in 2019, the Austrian Supreme Court ruled that data subjects bear the burden of proof for the occurrence of the damage and for causality; only for fault is the burden of proof shifted in favour of the data subject.
So, the data subject must allege and prove the facts giving rise to liability: the occurrence of (material or immaterial) damage, the violation of a GDPR provision, and the (co-)causality, in the sense of adequate causality, of the damaging party's conduct for the damage that occurred.
The Austrian Supreme Court stated that the rule in Art 82 (3) GDPR (according to which controllers or processors are exempted from liability under Art 82 (2) GDPR if they prove that they are not in any way responsible for the event giving rise to the damage) is a supplement to national Austrian tort law as a kind of special data protection tort law. The question, highly debated in legal commentary, of whether this is a reversal of the burden of proof or a type of strict liability was not addressed by the Supreme Court in the present case.
Austrian Supreme Court requests preliminary ruling
Austrian courts have repeatedly had to address the question of whether non-material damage as per Art 82 GDPR must exceed a materiality threshold in the form of a minimum degree of personal impairment or whether, for example, a violation of the right to information or deletion can in itself constitute compensable immaterial damage.
In the decisions handed down so far, the Austrian courts have, overall, been rather cautious when compensating for non-material damage. Only non-material damage in the form of negative emotional impairment such as fear, stress or states of suffering due to exposure, discrimination or the like (whether already occurred or only threatened) is eligible to be compensated. The impairment of personal suffering must go beyond those negative feelings that one automatically develops when a law is violated to one's disadvantage.
Many claims for non-material damages are already pending before higher instance courts and the Austrian Supreme Court. In May 2021, the Austrian Supreme Court referred the following questions to the Court of Justice of the European Union for clarification:
- Does the award of compensation under Article 82 GDPR also require, in addition to infringement of provisions of the GDPR, that an applicant must have suffered harm, or is the infringement of provisions of the GDPR in itself sufficient for the award of compensation?
- Does the assessment of the compensation depend on further EU-law requirements in addition to the principles of effectiveness and equivalence?
- Is it compatible with EU law to take the view that the award of compensation for non-material damage presupposes the existence of a consequence of the infringement of at least some weight that goes beyond the upset caused by that infringement?
Austrian Supreme Court awards compensation for non-material damages
As a result, most proceedings dealing with GDPR damage claims were paused pending clarification of this legal issue by the Court of Justice of the European Union.
Yet, in June 2021 the Austrian Supreme Court awarded a data subject compensation of €500 due to a violation of the data subject’s right to access. The Austrian Supreme Court stated that the claim for damages was not based on the mere violation of the GDPR, but on the fact that the plaintiff was “massively annoyed” as a result of the GDPR violation, whereby, according to the Austrian Supreme Court, the word “massively” also expressed an actual noticeable and objectively comprehensible non-material damage.
It is generally conceivable that an individual may suffer non-material harm due to GDPR violations. But if the courts allow substantial amounts of damages to be claimed simply by establishing that a data subject was “massively annoyed” by a GDPR violation rather than requiring a claimant to prove the actual non-material harm suffered, this may lead to a flood of GDPR litigation.
On the basis of the Austrian Supreme Court's request for a preliminary ruling, the Court of Justice of the European Union now has the opportunity to set the direction for the threshold for GDPR damage claims, in particular on whether a mere violation of the GDPR already constitutes compensable non-material damage or whether at least a (minor) impairment of feelings must be proven.
Given that systematic GDPR breaches are, by their nature, bound to affect a large number of individuals, future developments in data protection litigation should be monitored closely.