By Sophia Hassel
Blogpost 18/2024
Since C-300/21 Österreichische Post, the first ECJ decision on non-material damages under GDPR, the ECJ has handed down multiple other decisions on the topic (C-340/21 Natsionalna agentsia za prihodite, C-667/21 Krankenversicherung Nordrhein, C-456/22 Gemeinde Ummendorf and C‑687/21 MediaMarktSaturn). There seems to be a marked effort by the Court to create a reliable jurisprudence for non-material damages. In fact, all the decisions have been assigned to and decided by the Third Chamber under Article 60 of the Rules of Procedure of the Court of Justice. This post analyses the subsequent cases after Österreichische Post to flesh out the Court’s conception of non-material damages under Article 82 GDPR and to analyse whether a coherent approach emerges from the case law.
Requirements
Based on Article 82(2) GDPR, the Court delineates three cumulative elements for non-material damages (Österreichische Post at 36, Natsionalna agentsia za prihodite at 77, Gemeinde Ummendorf at 14, Krankenversicherung Nordrhein at 82 and MediaMarktSaturn at 58):
- Infringement of the GDPR
- Damage
- A causal link between the infringement and damage
Once these three elements are in place, a controller is liable for the non-material damage and must compensate the claimant in accordance with Article 82(1) GDPR.
(1) Infringement
As per Article 82 GDPR, a controller has to compensate for a damage which arose as the consequence of an infringement of the GDPR (Österreichische Post at 31). However, mere infringement alone is insufficient to confer a right to compensation (MediaMarktSaturn at 58, Österreichische Post at 33 and 34). This is because the three elements are cumulative (as seen above).
Infringement of the GDPR cannot simply be determined by the fact that there was, for example, a data breach (MediaMarktSaturn at 45). In MediaMarktSaturn, the hearing of an action for damages under Article 82 must also take into account all the evidence that a controller provides to demonstrate, for example, that their technical and organisational measures were sufficient and therefore, complied with Articles 24 and 32 GDPR (MediaMarktSaturn at 44).
In other words, to ascertain whether an “infringement” occurred in the specific case, the Court seems to consider not only the factual consequences of it (i.e. whether the controller lost control over the personal data following a breach). It also determines whether that event is attributable to the controller in terms of intent or culpability (did the controller want that event or were they negligent in adopting any reasonable countermeasures?). It seems that a controller can use a lack of intent or negligence to argue against their alleged infringement. For example, if a breach occurred but the controller proved that they were not negligent and had the necessary technical and organisational measures, then there is arguably no infringement and a claim for damages would end here.
(2) Damage
Recital 85 to the GDPR provides a non-binding list of what could constitute material or non-material damage under the GDPR. It lists the following: ‘loss of control over […] personal data, limitation of […] rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.’
The first of this list – loss of control over personal data – has been clarified further and defined rather broadly by the ECJ. Fear deriving from the loss of control over personal data from an infringement of the GDPR is sufficient to give raise to non-material damages (Natsionalna agentsia za prihodite at 80). The amount of time that the fear is felt by the claimant can be short. In Gemeinde Ummendorf, a few days, which did not have a noticeable consequence for the claimant beyond the fear itself, were sufficient for non-material damages (Gemeinde Ummendorf at 22). This follows a previous decision, which in doing away with a threshold of seriousness for non-material damages, allows all non-material damages, even if they are limited in scope, to lead to possible claims (Österreichische Post at 49). The fear itself is sufficient, as there is no requirement that the damage be linked to an actual misuse of the data by third parties by the time of the claim (Natsionalna agentsia za prihodite at 79). Nor does the claimant need to show that there has been a misuse to their detriment (Natsionalna agentsia za prihodite at 82 and Gemeinde Ummendorf at 22). Thus, it is sufficient that the breach of the GDPR be linked to the claimant’s fear that such misuse may occur in the future.
This is a broad reading of loss of control. As noted by AG Pitruzzella, the GDPR does not state that fear should create a ground for compensation for non-material damages (AG Opinion in C‑340/21 at 78). There is undoubtedly ‘a fine line between mere upset (which is not eligible for compensation) and genuine non-material damage (which is eligible for compensation)’ (AG Opinion in C‑340/21 at 83). The Court here could have gone either way, especially in a case on the facts such as Natsionalna agentsia za prihodite where the fear suffered by the claimant of a possible misuse of personal data in the future had no established misuse and the claimant had not suffered further harm (AG Opinion in C‑340/21 at 77). Nonetheless, because the definition of damage should be ‘broad’ and allow for ‘full and effective’ compensation as per Recital 146 to the GDPR, the AG Pitruzzella stated that the Court should hold the fear itself to be sufficient (AG Opinion in C‑340/21 at 71 and 77). Not only did the Court follow the AG’s Opinion at paragraph 81 of the judgment, but it has consistently referred to the broadness point of Recital 146 in its later non-material damages judgments (Gemeinde Ummendorf at 19 and 20 and MediaMarktSaturn at 65).
The ECJ did not, however, go as far as to establish a presumption that all infringements would result in a damage (cf. AG Opinion in C‑340/21 at 74). The claimant still needs to show consequences from the infringement (Österreichische Post at 50 and MediaMarktSaturn at 60). Thus, they must show that they have suffered an actual damage, however minimal it may be (Gemeinde Ummendorf at 22). The burden of proof is also on the claimant to show this damage (MediaMarkt at 61 and 68 and Natsionalna agentsia za prihodite at 84). This makes sense given that the claimant is the only one who has experienced the damage (for example, fear) and is in a position to prove it.
It is perhaps due to this logic, that the ECJ (on the concept of loss of control) also stated that the fear must be ‘well-founded’ and that the risk cannot be hypothetical (MediaMarkt at 67 and 68 and Natsionalna agentsia za prihodite at 85). While it is for national courts to determine whether these requirements are met (MediaMarktSaturn at 67 and 6), the ECJ nonetheless determined that the disclosure of data to a third party, who did not know about it, would not give rise to non-material damages (MediaMarktSaturn at 69). In this case, it was clear that the risk was unfounded; the third party never became aware of the personal data during the breach and the document containing the data was returned within half an hour. So, the fear linked to this so-called hypothetical risk proved insufficient for non-material damages. If the claimant cannot evidence damage as defined above, then a successful claim for damages will also end at this point.
(3) Causal link
A causal link must exist between the infringement and damage (Österreichische Post at 32 and under Article 82(1) GDPR). The Court has not yet developed this criterion in detail, but it can be inferred that the claimant should show there to be some form of reasonable relationship between the infringement and their damage. If there is no causal link it follows that there cannot be a right to receive compensation under Article 82 GDPR.
The fact that damage was caused by a third party, as defined by Article 4(10) GDPR, rather than the controller themselves, is not a limiting factor. Article 4(10) GDPR defines third parties as being under the ‘direct authority’ of the controller or processor and authorised to process the data. The Court in Natsionalna agentsia za prihodite found hackers to be third parties under Article 4(10) GDPR (at 71). Thus, Article 4(10) has been interpreted broadly in that it does not require third parties to be employees of the controller or subject to its control (at 66). Nonetheless, for the third party act to be attributable to the controller, the controller must have made the infringement possible in the first place by failing to comply with their GDPR obligations, for example, by failing to implement appropriate technical and organisational measures (at 71).
Defences
Liability is subject to fault on the part of the controller, which is presupposed unless it proves that it is ‘not in any way responsible’ for the event giving rise to the damage (MediaMarkt at 52, Recital 146 GDPR, and Natsionalna agentsia za prihodite at 37 and 69). The circumstances in which the controller may claim to be exempt from civil liability under Article 82 GDPR are ‘strictly limited’ to those in which the controller is able to demonstrate that the damage is not attributable to it (Natsionalna agentsia za prihodite at 70). It is explicitly for the controller to rebut this presumption of fault (Krankenversicherung Nordrhein at 94 and also Natsionalna agentsia za prihodite at 69 and 70). This allocation of the burden of proof to the controller ensures that the effectiveness of the right to compensation (Article 82 GDPR) is maintained ( MediaMarktSaturn at 42).
Questions remain over what type of defence Article 82(3) is and how it relates more widely to the concept of non-material damages. For example, if liability (the link between the controller’s fault and the damage) is presupposed, does this mean that the causal link (between the infringement and the damage) is presupposed as well? Is Article 82(3) GDPR, therefore, a defence against causation or a separate general defence against liability? Moreover, does this presumption of fault also mean that intent or negligence should become a rebuttable presumption when deciding on an infringement? These are questions that will inevitably arise before the ECJ in the future.
Compensation
Article 82(1) GDPR has a compensatory instead of punitive function (MediaMarktSaturn at 48). Compensation is limited to monetary compensation and should only fully compensate for the damage suffered by the infringement of the GDPR (Krankenversicherung Nordrhein at 84 to 87, Österreichische Post at 58 and MediaMarktSaturn at 54). It is because of this compensatory function that national courts should not look at the controller’s behaviour when quantifying non-material damages. The compensation will not be affected by the degree of the controller’s responsibility, and it does not matter whether there was intent or negligence from the side of the controller (Krankenversicherung Nordrhein at 86, 87, and 102 and MediaMarktSaturn at 48).
Final compensation must be ‘full and effective’ (Recital 146 to the GDPR). This means that national rules must enable the claiming of compensation (Österreichische Post at 56). Nonetheless, it is for national courts to determine the exact amount of pecuniary damages in accordance with their national law (Krankenversicherung Nordrhein at 83 and 101), as long as the internal rules of the Member State follow the principles of equivalence and effectiveness of EU law (MediaMarktSaturn at 53).
Damages under the GDPR are conceptually autonomous and therefore ‘special national’ interpretations, except for the amount of the compensation, should not occur (MediaMarkt at 59). In general, the divergence or unity of GDPR damages in comparison with national law conceptions of damages will require a more detailed discussion than is possible within this blogpost.
A coherent vision
Having briefly analysed the cases above, there seems to be a coherent line of argumentation behind the non-material damages cases under Article 82 GDPR. The rulings do not radically diverge from each other, and the concepts developed are re-used, cross-referenced, and built upon. As more preliminary references arrive and non-material damages develop further, the Court could even begin to send some questions back to national courts under Article 99 (Reply by Reasoned Order) of the Rules of Procedure of the Court. This is where the question referred is identical to a question on which the court has already ruled or where the answer to such a question may be clearly deduced from existing case law.
A practical point to mention is that the definition of non-material damages is likely to affect also class action suits and collective redress. A broad interpretation of non-material damages could lead to data breaches becoming exorbitantly expensive for controllers, to the point that they may no longer want to operate in Europe. Instead of restricting the concept of damages, a solution would be to avoid the creation of an impossible threshold for controllers and processors to prove that they have complied with Articles of the GDPR. It is perhaps for this reason that the Court has so far been reasonable with its thresholds and decided, for example, that unauthorised disclosure of personal data to third parties is not sufficient in itself to hold that Articles 24 and 32 GDPR have been infringed by the controller (MediaMarktSaturn at 40).
Material and non-material damages are well defined concepts within national law, and so conflicts will inevitably occur between national systems and the GDPR. It is important that the ECJ maintain its coherent vision of non-material damages to create a uniform application of the GDPR and therefore, protect the effectiveness of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union and Article 16 of the Treaty on the Functioning of the European Union.
