Actions for non-material damages following (alleged) infringements of the General Data Protection Regulation (GDPR) are increasingly being brought before courts across Europe. But legal requirements for the recognition of non-material damages are still to a large extent unclear.
In our new blog post series, we explain the situation in several countries across Europe (see our introduction). Please find out below about GDPR damages claims in Germany.
Even after the CJEU-decision (UI v Österreichische Post AG, Case C-300/21), it remains unclear under which conditions German law recognises a claim for damages due to an infringement of the GDPR. It has been left to the national courts to answer the question of when a compensable non-material damage occurs.
In addition to actions under the Unterlassungsklagengesetz (Injunctions Act, UKlaG), the Unlauterer Wettbewerb-Gesetz (Unfair Competition Act, UWG) and the ‘declaratory model action’, the EU Representative Actions Directive (EU) 2020/1828 (EU-RAD) is a further option for collective actions on GDPR claims in Germany. For German consumers the EU-RAD has the advantage over the ‘declaratory model action’ in that it does not require a subsequent action for damages by the affected individual. However, there are various questions about how Germany’s implementation of the EU-RAD will operate and interact with the GDPR, which may need to be tested in court. Moreover, collective actions in the context of legislation implementing the EU-RAD are only possible if the claims pursued are sufficiently ‘similar’. In the case of a data breach, it must therefore first be assessed whether the alleged damage is the same for each claimant. This may be challenging in some cases, given that non-material harm is highly subjective and individual in nature.
Further, under German law, it is generally possible to sell and assign claims to third parties. The courts have not yet decided whether claims for damages under the GDPR can be assigned. This particular question is disputed under German law because of the highly personal nature of the claim. The outcome will determine whether the usual cession models will establish themselves as a viable mechanism for pursuing collective data protection claims.
The future shape of the data and tech litigation landscape in Germany will also depend on whether the implementation of the EU-RAD proves to be financially lucrative for plaintiff law firms. Whether as a result of individual claims (and based on legal cost insurances) or collective redress actions, civil litigation is likely to grow in the field of privacy and data protection law in Germany.
The next blog post in our data and tech mass claims series will focus on England and Wales.