Other Author Salome Peters, Legal Intern
Not every infringement of the EU GDPR automatically grants data subjects the right to compensation under Article 82.1 That is the key takeaway of a decision dated 4 May 2023 of the Court of Justice of the European Union (CJEU) (Österreichische Post case, C-300/21). The CJEU concluded that in order to obtain compensation, the following is required: (i) there must be a violation of the GDPR, (ii) it must be proven that the infringement of the EU GDPR has resulted in harm to the data subject and (iii) there must be a causal relationship between the infringement and the harm endured. While the data subject must prove that harm has occurred, the EU GDPR does not require the data subject to demonstrate that the harm exceeded a particular level of seriousness before compensation can be claimed.
Background
Starting in 2017, the Österreichische Post collected data on the political affinities of the Austrian population by using an algorithm to define "target group addresses". These addresses were then sold to different political organizations to enable them to send targeted advertisements. The data subject, who did not consent to the processing of his personal data, was offended by the idea that was associated with one particular party and claimed that the retention of data pertaining to his supposed political views caused him to experience significant emotional distress, loss of trust, and a sense of vulnerability.
The data subject's initial claim of EUR 1,000 was refused by the Regional Court for Civil Matters in Vienna, Austria on 14 July 2020. On 9 December 2020, the Higher Regional Court in Vienna confirmed this decision and stated that a violation of data protection law only gives rise to a right to compensation where such damage reaches a certain "threshold of seriousness", which had not been the case at hand. Both parties appealed this decision. The Austrian Supreme Court then opted to suspend the proceedings and referred a set of questions to the CJEU for a preliminary ruling.
CJEU's Reasoning
The takeaway of this decision is that not every infringement of the EU GDPR automatically leads to a right to compensation. According to the CJEU, such interpretation would conflict with the clear language of the EU GDPR, as it does not provide for a strict liability regime. In addition, the CJEU decided that non-material damage does not have to pass a defined threshold of seriousness before compensation can be claimed, given that the GDPR does not impose any such requirement, which would conflict with the EU's broad interpretation of the word "damage".
Lastly, the CJEU noted that the EU GDPR does not set out any regulations regarding the evaluation of damages.It is therefore the responsibility of each Member State to formulate comprehensive guidelines clarifying the criteria for determining the extent of compensation to be awarded by courts, taking into account the compensatory purpose of compensation under the GDPR.
Potential practical implications
After this decision, it will be harder for data subjects to obtain compensation following GDPR violations – including following a cybersecurity incident. Plaintiffs will need to prove the harm suffered and that it was caused by those violations. This may lead to a decrease in post-GDPR violation damage claims.
Footnote
1. Article 82 provides that "any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered."
Originally published by 17 May, 2023
Visit us at mayerbrown.com
Mayer Brown is a global services provider comprising associated legal practices that are separate entities, including Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP (England & Wales), Mayer Brown (a Hong Kong partnership) and Tauil & Chequer Advogados (a Brazilian law partnership) and non-legal service providers, which provide consultancy services (collectively, the "Mayer Brown Practices"). The Mayer Brown Practices are established in various jurisdictions and may be a legal person or a partnership. PK Wong & Nair LLC ("PKWN") is the constituent Singapore law practice of our licensed joint law venture in Singapore, Mayer Brown PK Wong & Nair Pte. Ltd. Details of the individual Mayer Brown Practices and PKWN can be found in the Legal Notices section of our website. "Mayer Brown" and the Mayer Brown logo are the trademarks of Mayer Brown.
© Copyright 2023. The Mayer Brown Practices. All rights reserved.
This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.
