The Italian Supreme Court recently addressed the issue of serious non-material damage suffered by an employee resulting from the unintentional publication of personal data on an employer’s website. This ruling, 13073/2023, delivered on 19 April 2023 and published on 12 May 2023, sheds light on the application of GDPR provisions in such cases. Furthermore, it coincided with a related ruling from the European Court of Justice (ECJ) on 15 April 2023 and published on 4 May 2023, adding another layer of significance to the discussion. In this article, we will delve into the key aspects of both rulings and examine their implications for the legal community.
Italian Supreme Court’s decision: A departure from ECJ’s ruling?
In a previous blog post, we highlighted the issues in the ECJ case, in which an Austrian citizen claimed compensation for non-material damages arising from the unlawful and inaccurate processing of his personal data relating to political opinions.
The ECJ ruled that compensation under Article 82 GDPR:
- not only requires an infringement of provisions of the GDPR, but also the claimant complaining and proving the suffering of an actual prejudice, thus excluding compensability of a damage in re ipsa; and
- does not require a damage to exceed a certain ‘threshold of seriousness.’
The Italian Supreme Court's ruling diverges from the stance taken by the ECJ on a crucial matter, specifically the requirement of establishing a certain level of seriousness when seeking compensation for non-material damages. While the first preliminary ruling by the ECJ aligns with well-established case law across various member states, including Italy, the second preliminary ruling ruling by the ECJ creates room for debate. Indeed, the seriousness of the damage seems to have been the main issue of contention in the case brought before the Italian courts since the first instance proceedings.
The Italian case background: Employee data breach
The case brought before the Italian courts revolves around a local public entity that published on its institutional website the text of a formal notice. This notice communicated that, due to a third party’s foreclosure, the entity was committed to pay a portion of an employee's salary to a creditor, and included the debtor's personal details. Although the employee's personal information was correctly omitted in the accompanying notice, the attachment containing the debt details and personal data had been unintentionally made public.
The employee, seeking compensation for reputational damages arising from the unlawful publication of his personal data, brought the case before the local court. At first instance, the employer argued that the claim lacked seriousness since the publication occurred unintentionally, as a result of a mere oversight. Additionally, the employer emphasised that the incident had been promptly rectified within 24 hours, claiming no significant harm had been caused by the accidental posting of the notice.
The local court dismissed the employer's arguments and established the existence of serious damage suffered by the employee due to the unlawful processing of his personal data. It concluded that the publication of the document had indisputably occurred and that, even though brief, it had caused reputational harm by making the claimant's debt exposure public knowledge.
Supreme Court's ruling: A balanced approach
The defendant appealed the first instance decision, challenging the establishment of damages without the employee providing evidence of actual harm resulting from the short-term publication of his personal data. The Italian Supreme Court, however, rejected the employer’s claim and set forth two key principles:
(i) The simple violation of GDPR does not automatically imply damages in re ipsa (ie the claimant must provide evidence of actual harm). Differently, to award compensation it is required that a certain threshold of seriousness, which must surpass the minimum level of tolerance set by Article 2 of the Italian Constitution, is trespassed.
(ii) In case of unlawful publication of personal data, the Data Controller is exempt from liability only if adequate evidence that the data breach is not attributable to the latter is provided.
The Italian Supreme Court clarified its position on damages arising from unlawful data processing under GDPR, taking into account the recent ECJ rulings. It affirmed the requirement for claimants to demonstrate actual damage (ie it is not in re ipsa) and emphasised the need for a serious breach to warrant compensation.
In dismissing the employer's objections, the Supreme Court highlighted the careful fact-based assessment conducted by the lower court, which established the seriousness of the damage based on the content of the document, the context, and the temporal factors involved.
The Italian Supreme Court's ruling sheds light on the compensation for non-material damages resulting from the unintentional publication of personal data under GDPR. By departing from the ECJ's ruling, the Supreme Court emphasises the importance of demonstrating actual harm and establishes a threshold of seriousness for such damages.
We will continue to monitor how the Italian Court shall address the non-material damages under GDRP in light of the Italian Supreme Court & ECJ rulings. For more information, please contact your local Freshfields contact.