Damages claims arising from alleged violations of the General Data Protection Regulation (GDPR) can pose a significant liability risk for businesses. In recent years, a litigation industry has developed in this area that targets businesses, particularly those affected by cyber-attacks. Damages claims from affected individuals are typically not based on concrete evidence of specific impairments to the individuals, but on blanket allegations of “loss of control” over personal data or “identity theft”. We are also seeing plaintiff law firms claiming high non-material damages by reference to an alleged “deterrent function” of the GDPR.
In line with the observations we filed for our client, the Court of Justice of the European Union (CJEU) reinforced the existing high threshold for claiming non-material damages under Article 82 GDPR (C-182/22 and C-189/22). In doing so, the CJEU followed Advocate General Collins’ opinion in these proceedings (see our blog post here).
Identity theft
According to the CJEU, compensation for non-material damage based on an allegation of “identity theft” requires that a third party has actually misused the identity of a person whose personal data has been compromised. In its reasoning, the CJEU references the Advocate General’s opinion and finds that the theft of personal data does not, in itself, constitute “identity theft” that is compensable in principle.
Compensation - which may be minimal - only if there is actual proven harm
The CJEU also reaffirmed that Article 82 GDPR is not deterrent or punitive, but exclusively compensatory in nature, allowing only for compensation of the actual damage suffered. If an affected individual actually succeeds in demonstrating that the infringement of the GDPR has caused him or her (actual) damage and not only mere negative consequences, the amount of compensation is to be determined on the basis of criteria set out in the legal system of each member state, provided that such compensation is effective. This also means that in cases where the damage is not serious, national courts may compensate for it by awarding minimal compensation.
Impact of the high threshold for compensation on the GDPR litigation landscape
With an increasing number of CJEU rulings on Article 82 GDPR, an overall picture is emerging that, on closer inspection, reveals significant thresholds for (non-material) damages. The mere infringement of the GDPR is not sufficient to confer a right to compensation. As a general rule, the affected individual must instead prove the infringement, actual damage suffered, and a causal link between the two. In this respect, the CJEU has also decided that a mere allegation of fear, with no proven negative consequences, cannot give rise to compensation (C-590/22).
In recent decisions, German courts have placed increasing importance on non-material damage actually being suffered as a separate prerequisite for compensation claims. The CJEU rulings mentioned above are likely to reinforce this trend. As a result, the failure rate of plaintiffs’ attempts to demonstrate non-material damage by mere reference to a data breach or blanket descriptions of data theft (such as loss of control, fear of identity theft, or displeasure over the incident) is expected to increase.