Right to compensation for breach of GDPR

A recent decision by the Court of Justice of the European Union (CJEU) has brought welcome clarification to the question of compensation for non-material loss for breaches of the General Data Protection Regulation (GDPR).

Background

Österreichische Post (the Austrian postal service) collected information on the political affinities of the Austrian population. Using an algorithm, it categorised people's political beliefs as being aligned to specific political parties.

The applicant, who had not consented to the processing of his personal data, felt offended by the fact that an affinity with the party in question had been attributed to him.  He claimed that data relating to his supposed political opinions caused him great upset, a loss of confidence and a feeling of exposure. No harm other than those adverse emotional effects of a temporary nature were alleged.

The applicant complained to the Austrian Courts seeking an injunction to cease the processing of his personal data in question and sought compensation for the non-material damage that he claims to have suffered.

The Austrian Courts expressed doubt over whether Article 82 of the GDPR (which deals with compensation for infringement) extended to non-material damages for mere "upset". The Court referred a number of questions to the Court of Justice for a preliminary ruling, one of which was whether an award of compensation under Article 82 requires that the applicant must have suffered harm or is the GDPR infringement in itself sufficient to warrant an award of compensation.

Decision

The CJEU noted that the wording of Article 82 expressly provides that "any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from to the controller or processor for the damage suffered". The Court found it was clear from the wording of that provision, that the existence of "damage" which has been "suffered" constitutes one of the conditions to the right to compensation, as does the existence of an infringement of the GDPR and of a causal link between that damage and that infringement, those three conditions being cumulative. As a result of this, the CJEU found that the mere infringement of the GDPR is not sufficient on its own to confer a right to compensation. 

The Court differentiated between a claim that an individual litigant may have and administrative fines. It found that these fines have a punitive purpose and are not conditional on the existence of individual damage. The relationship between the rules set out in Article 82 (for individual damages) and those set out in Articles 83 and 84 (for punitive fines) shows that there is a difference between those two categories of provisions, but they are also complementary, so as to encourage compliance with the GDPR.

The Court also found that making any compensation award for non-material damage contingent on a threshold of seriousness, would risk undermining the GDPR because the threshold would be subject to the discretion of the member states in each instance resulting in the potential for inconsistency.

Implication of Decision

This decision is likely to be welcomed by companies who are subjected to claims for compensation as it effectively raises the bar whereby litigants will have to prove a causal link between the damages they suffer and the GDPR infringement. The case will also provide much needed guidance to the Irish Courts on how to address the question of damages, including in the case of Gary Cunniam v Parcel Connect Limited t/a Fastway Couriers Ireland and Ors where the Circuit Court granted a stay on the proceedings pending a determination by the CJEU in the Österreichische Post case. In that case, the plaintiff sought damages following a cyber attack which resulted in the data of over 450,000 people being compromised.

UI v Österreichische Post C-300/21

For more information, please contact Thomas O'Dwyer or any member of the data protection team.