This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.

Freshfields TQ

Technology quotient - the ability of an individual, team or organization to harness the power of technology

| 3 minute read

Data privacy litigation: claiming non-material damages likely to become more difficult

Actions for non-material damages following (alleged) infringements of the General Data Protection Regulation (GDPR) have been on the rise in recent times. We represent various clients across the European Union in these cases. In many of them claimants request compensation solely based on a mere feeling of discomfort due to, for example, the loss of control over their personal data. Increasingly often, we are seeing mass claims being brought by specialised claims vehicles, often backed by litigation funders. The common thread in all these cases is the absence of existing case law from the European Court of Justice (ECJ). This makes national courts uncertain as to what actually constitutes non-material damage and what are the relevant considerations for assessing the amount of non-material damages to be awarded. Several courts have thus referred questions to the ECJ for preliminary rulings regarding non-material damages claims under Article 82 GDPR. We also advise clients on these preliminary ruling proceedings before the ECJ.

Opinion by Advocate General Campos Sánchez-Bordona 

On October 6, 2022, AG Campos Sánchez-Bordona delivered his opinion (see here) in an Austrian case (UI v Österreichische Post AG, Case C-300/21), which is the first of its kind in preliminary ruling proceedings before the ECJ concerning non-material damages. The Advocate General’s main statements are in line with the position we have put forward in our submissions. The four key take-aways from the opinion are:

  • No compensation without actual damage

A mere breach of the GDPR does not per se justify compensation under the Regulation if it does not result in material or non-material damage. Furthermore, there is no irrebuttable presumption of (non-material) damage in the event of a breach of the GDPR.

  • Article 82 GDPR serves the purpose of compensation and does not perform a punitive or deterrent function

The right to compensation under the GDPR does not allow punitive damages to be awarded and does not perform a ‘deterrent’ function. In this regard, the AG refers to the wording of the provision, its history, and applies contextual and purposive interpretation. Based on its history and context, the AG finds, among other things, that Article 82 GDPR was designed to compensate the injured party for the harm they suffered, but not to punish the infringer. He also finds that the punitive and deterrent function is served by fines that supervisory authorities and courts may impose, and other penalties that Member States may adopt, under Article 84 GDPR.

  • Loss of control over data does not necessarily constitute damage

A loss of control over personal data following a GDPR breach does not necessarily constitute (non-material) damage. A contrary conclusion cannot be inferred from Recitals 75 and 85 GDPR. In cases of a loss of control over personal data, it must be proved that the person concerned has also suffered damage.

  • Mere upset feelings do not constitute non-material damage

The right to compensation for non-material damage under the GDPR does not cover mere upset feelings that the person concerned may feel as a result of the GDPR breach.

This AG’s opinion resembles the UK Supreme Court’s decision in the case of Lloyd v. Google from November 2021, which held that a mere loss of control over data does not per se result in compensation under the Data Protection Act 1998 (see our blog post here). In the same spirit, in June 2021 a five-justice majority of the US Supreme Court held in Transunion v. Ramirez (141 S.Ct. 2190) that plaintiffs whose individual credit reports contained inaccurate data had not suffered a sufficiently concrete injury to have standing to sue for damages in US federal court, even where the data inaccuracy at issue resulted from a violation of a federal statute. In Germany, the Higher Regional Court of Dresden also found that a mere loss of control does not yet qualify as non-material damage under the GDPR (decision dated August 20, 2020, file no 4 U 784/20) which was recently confirmed by the Higher Regional Court of Frankfurt am Main (decision dated March 2, 2022, file no 13 U 206/20).

Outlook

The AG takes an unequivocal position on some controversial issues of non-material damages claims under Article 82 GDPR and clearly puts a stop to the extensive interpretation of the right to compensation under the GDPR that was being applied by some national courts. Although AG opinions are not legally binding, they are usually followed by the ECJ and we will keep you updated once the ECJ has handed down its guidance.

Tags

cyber security, data, data protection, gdpr