Abstract
The Court of Justice of the European Union delivered a decision in Case C-300/21 to address three questions on how to compensate a data subject for the non-material damage suffered from a violation of GDPR provisions. First, infringement by itself does not give rise to compensation. Actual damage must be demonstrated by the data subject. Second, the right to compensation is not limited to non-material damage that reaches a certain threshold of seriousness. Third, since the GDPR does not provide an explicit guideline for assessing damages, it falls to Member States to establish such a criterion. The criterion, nevertheless, must comply with the principle of equivalence and effectiveness. The judgment, together with the Advocate General's opinion, touches upon several fundamental issues at the intersection of risk, harm and tort damage.
Introduction
The General Data Protection Regulation 1 (GDPR) provides a fully harmonized legal framework for protecting personal data. Regarding the legal consequences of violating GDPR provisions, it not only provides a public enforcement mechanism that authorities can use to punish data controllers and processors, 2 but also enables data subjects to rely on private enforcement to remedy the damage they have suffered. 3
The private enforcement mechanism is crucial to make sure that the damage suffered by data subjects can be effectively remedied. 4 Nevertheless, the scope of tort damage is determined by law. In GDPR, it is Article 82 that specifies the liability of data processors and controllers as well as the scope of damage that data subjects are entitled to claim. It states that ‘any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered’. Therefore, data processors and controllers are subject to strict liability: they shall bear the liability as long as their activity violates the GDPR provisions. 5 Additionally, from the compensation perspective, both the material and the non-material damage suffered by a data subject could be compensated before a national court.
Since the GDPR is a fully harmonized EU regulation, its supremacy means that all its provisions, including Article 82, should have direct effect in Member States. 6 However, Article 82 is still incomplete with regard to certain issues, such as the concept of damage and how to assess it. In accordance with the principle of national procedural autonomy, national laws will remain competent to complement the remedy regime laid down by the GDPR. 7 However, since remedy regimes existed within domestic law for a long time prior to the GDPR, there is a significant debate on whether certain existing rules are compatible with the objectives of the GDPR. One fundamental controversy over Article 82 concerns the compensation for non-material damage, which is normally understood as the harm that cannot be explicitly linked to an objective price. 8 Despite its non-quantifiable quality, no one can deny its substantive disadvantage to a person. 9 Therefore, there is a consensus in the literature and case law that non-material damage should in principle be fully compensated, no differently from material damage. Pain and suffering, loss of opportunity and detriment to reputation are typical claims for non-material damage. Nevertheless, it remains unclear whether specific national rules regarding non-material damage meet the objectives of the GDPR. 10 Whenever an ambiguity on a substantive issue of EU law is raised, only the Court of Justice of the European Union (CJEU) has the competence to give an authoritative interpretation. Consequently, national courts may rely on the CJEU to provide further clarification when they are unclear whether specific national remedy methods meet the requirements under the GDPR. 11
On 4 May 2023, the CJEU released its judgment of Case C-300/21, 12 which provides some significant insights into the compensation of non-material damage resulting from the violation of the GDPR provisions. This case note intends to provide a thorough review of this case, summarizing the legal reasoning provided by the AG as well as the CJEU and more importantly, critically discussing the key issues behind this case and GDPR provisions.
Relevant facts
Österreichische Post AG (Austrian Postal Service) has been gathering personal information from millions of Austrians since 2017. It estimates the affinity of a person to different political parties by deploying algorithms based on certain social-demographic features. The inference then generates ‘target group addresses’ that are expected to enable third parties to send targeted advertising. ‘UI’, the applicant in the main proceedings, found that his personal data had been illegally processed for the purpose of generating political affinity, even though he had not consented to this. UI claimed that the fact that he was erroneously linked to a political party and that this wrong inference was retained by Österreichische Post AG made him upset and ashamed. Also, he felt his reputation was harmed.
The applicant brought an action before Landesgericht für Zivilrechtssachen Wien (Regional Court for Civil Matters in Vienna), requesting the court to issue an injunction to cease processing personal data and a compensation of EUR 1000 for the non-material harm suffered by him. The court issued an injunction but rejected the claim for compensating non-material harm. After that, the applicant appealed this case before Oberlandesgericht Wien (Higher Regional Court). On appeal, the court confirmed the first-instance judgment by ruling that non-compliance with GDPR alone does not automatically lead to non-material damage. In addition, even if there is damage, according to Austrian law, a certain ‘threshold of seriousness’ is required for establishing the compensation of non-material damage. The negative feelings, such as distress and shame, claimed by the applicant did not meet this criterion and were thereby not eligible for compensation.
After the case was brought to Oberster Gerichtshof (Supreme Court of Austria), the court decided to stay the proceedings while referring three questions to the CJEU for a preliminary ruling concerning the interpretation of Article 82 GDPR. The three questions are: (1) does the award of compensation under Article 82 of [the GDPR] also require, in addition to infringement of provisions of the GDPR, that an applicant must have suffered harm, or is the infringement of provisions of the GDPR in itself sufficient for the award of compensation? (2) Does the assessment of the compensation depend on further EU-law requirements in addition to the principles of effectiveness and equivalence? (3) Is it compatible with EU law to take the view that the award of compensation for non-material damage presupposes the existence of a consequence [or effect] of the infringement of at least some weight that goes beyond the upset caused by that infringement? 13
The AG opinion and the reasoning of the CJEU judgment
On 6 October 2022, the Advocate General (AG) Campos Sánchez-Bordona provided his opinion with a specific analysis regarding the three questions asked by the referring court Oberster Gerichtshof.
Regarding Question 1, the AG argued that merely violating the GDPR provisions is insufficient for awarding compensation. In addition to the wrongfulness, the claimant must demonstrate the existence of damage. According to the AG opinion, the occurrence of infringement simply signifies a ‘loss of control’, which does not necessarily mean that damage occurs. 14 In addition, the aim of the GDPR is not to limit the processing of personal data but to legitimize it under strict conditions. 15 Thus, data processing without a legal basis (e.g., consent) per se simply contradicts the ground of protecting personal data, but it does not meet the requirement of financial compensation. Suffering damage is the ultimate factor to trigger compensation. 16 Regarding Question 2, the AG found that the GDPR does not provide any additional requirements on the calculation of (non-material) damage for Member States beyond the principles of equivalence and effectiveness, as stated in Recital (146). 17 Whether such principles are properly achieved in a specific case, however, is largely dependent on the claim put forward by an applicant. 18 Regarding Question 3, the AG submitted that seriousness should be required for the purpose of deciding the compensability of the claimed non-material damage. 19 Trivial disadvantage, such as mere upset and inconvenience, would not be eligible for compensation. As the AG found, inconvenience had been categorized separately from damage by the CJEU, so this paradigm should not be changed in the context of the GDPR. 20 Therefore, as the AG demonstrated, only genuine non-material damage is eligible for compensation. 21
On 4 May 2023, the CJEU delivered its judgment, addressing the three aforementioned questions. Regarding Question 1, the CJEU deployed a literal interpretation to conclude that not every infringement gives rise, by itself, to a right to compensation. Recital (146) reads that compensation may be awarded only if the data subject suffered damage, which was a result of processing that infringes the GDPR provision. The CJEU considered that this recital, together with Article 82, can sufficiently clarify that infringement of the GDPR provision and damage suffered by data subjects are two separate conditions. 22 In brief, damage must exist for the sake of receiving compensation. The CJEU addressed Question 3 before Question 2, considering its coherence with Question 1. The judgment reached a different conclusion from that explained in the opinion of the AG: the right to compensation is not limited to the non-material damage that reaches a certain threshold of seriousness. Since the GDPR is a fully harmonized regulation, its rules should be autonomously and uniformly applied without any reference to the domestic law of Member States. 23 Following this rule, the judgment noted that as Article 82 does not stipulate a seriousness threshold for damage, it is improper to justify a seriousness criterion solely based on the relevance of a particular Member State. In addition, the CJEU believed that establishing a threshold for the compensability of damage would contradict Recital (146), which encourages a broad interpretation of the concept of damage with a reflection of the objective of the GDPR. 24 Therefore, non-material damage should be compensated regardless of how trivial it is. The CJEU addressed Question 2 by highlighting that the GDPR does not contain any rules in terms of assessing damages. Therefore, it would fall to Member States to prescribe the concrete criteria for assessing non-material damages. 25 Member States must adhere to the principles of equivalence and effectiveness when calculating the damages. 26
Discussion: non-material damage compensation in the EU
Article 82 establishes the rules for remedying the damage resulting from violating GDPR provisions. Despite being a fully harmonized provision, the implementation of Article 82 is not explicit in some respects. For example, it does not give an explicit definition of (non-material) damage or provide a guideline on how to assess the damage. This reflects that EU law has in principle little interest in intervening in how Member States create and implement their own compensation mechanisms. 27 In this regard, Member States have the discretion to choose how to compensate the damage resulting from the violation of a specific provision in EU law. Nevertheless, Member States must make sure that compensation complies with the objectives of a specific EU law. 28
National courts have had trouble enforcing Article 82 in recent years, so they had to request a preliminary ruling from the CJEU for the purpose of inspecting whether domestic rules on compensation are consistent with the objectives of the GDPR. 29 The AG Opinion and the judgment in Case C-300/21 provide priceless insights into understanding the fundamental issues regarding the compensation of non-material damage. This section provides a further analysis of these issues and discusses the potential implications that we can draw from the CJEU judgment.
A. The necessity of distinguishing risk and harm
Whether risk per se can be recognized as recoverable damage is at the heart of Question 1 presented by the referring court. The GDPR does not provide a consolidated definition of tort damage. Traditionally, the meaning of tort damage resulting from illegal data processing was defined by Member States, which was largely addressed by the general clauses in the civil code. When assessing the damage resulting from the violation of a GDPR provision, national courts mostly follow the view that infringement and damage are two separate conditions for receiving compensation. 30 In contrast, there have been instances where national courts ruled that the mere existence of infringement could be sufficient for claimants to receive compensation. 31
Under this background, the CJEU provided a preliminary ruling at the request of Oberster Gerichtshof. The Opinion of the AG and the Judgment of the CJEU reached a consistent conclusion that violation per se does not necessarily lead to compensation. This conclusion is also supported by the conceptual distinction between risk and harm/damage. Risk, by attribute, refers to a probability that harm could occur (i.e., expected harm). 32 From a law and economics perspective, risk is an indispensable concept for lawmakers and stakeholders to evaluate the cost-benefit of a specific activity prior to the decision making. 33 If we focus on reducing risks, the primary legal instrument would be risk regulation, the goal of which is not to eliminate risk but to control the level of risk. In comparison, when a specific risk is materialized into the actual harm in reality (e.g., driving activity leads to personal injury), the primary issue turns to be how to effectively remedy the harm suffered by a person. In this latter situation, tort damage is anticipated to play a crucial role.
When applying the above conceptual framework to the context of data processing, the direct consequence of violating any GDPR provision is that the control of data subjects over their personal information becomes weaker. The loss of control, however, is in nature more of a risk than a kind of actual harm, let alone tort damage. It creates ‘a risk of future injury’, which is only a speculation of harm rather than actual harm. 34 In order to successfully claim compensation, a data subject must further prove that the loss of control has caused material or non-material harm that posed actual disadvantage to them and, further, from a legal perspective, that the harm is recoverable tort damage defined by law. Therefore, as the judgment confirmed and literature elaborated, a cumulative requirement for compensation is de facto established by Article 82 GDPR. Three cumulative conditions must be established for the sake of compensation: the existence of infringement of any provision of the GDPR, the existence of material or non-material damage and a causal link between infringement and damage. 35 Regarding the nature of the loss of control, it is noted that the wording of Recital (85) GDPR is confusing. 36 In this recital, loss of control is equivalent to damage. This equivalence is wrong and misleading.
The distinction of infringement (i.e., posing a risk) and harmful consequence is important, also because it will determine the choice of public and private enforcement under the GDPR. The mere infringement of any GDPR provision is sufficient for indicating that personal data is at risk and triggering a public enforcement (e.g., administrative fines and penalties). However, the existence of risk per se is not sufficient for a claimant to receive compensation via private enforcement. 37 To receive compensation, the claimant must further demonstrate the existence of harmful consequence as well as other elements required by tort damage (e.g., certainty, legitimacy and causation).
Although the distinction between infringement and actual harm adheres to the conceptual dichotomy of risk and harm, it can be argued that making such a distinction will make compensation in the data protection domain more challenging. Data breach, which may take years to become actual harm, once materialized could generate significant detriment to a person. For instance, the harm might be unknown before it becomes apparent. In addition, the victim may face unsurmountable obstacles while attempting to identify the defendants. Also, since specific information (e.g., biometric data and social security number) may remain unchanged over the course of one's lifetime, the fear resulting from data breach may accompany the person forever. Last but not least, the secondary harm caused by data breach should not be omitted. To explain it, data breach may pollute the credit report of the data subject and further give rise to a loss of opportunity (e.g., loan or work opportunity). 38 Therefore, distinguishing infringement and harm without providing additional measures to empower data subjects may exacerbate their situation. The next key issues are: (1) how to quantify the claimed harm and (2) whether the private law should set up a de minimis threshold for compensation. The answer to these questions will further determine the level of protection for data subjects.
B. The concept of recoverable non-material damage: A de minimis threshold?
Question 3 referred to the CJEU asks whether the GDPR requires a threshold of seriousness for the recoverable damage. This question in nature reflects the key issue of how to understand tort damage and more importantly, the extent to which harm could be recognized as tort damage in the eyes of law.
Conceptually, besides the distinction between risk and harm, it is of great importance to differentiate tort damage from harm. Tort damage is a legal concept, which is beyond the natural condition as harm indicates. 39 This distinction has already been recognized by a variety of Member States. 40 The harm suffered by the victim should in principle be recoverable as tort damage, if certain conditions (e.g., certainty, legitimacy and causation) are met. 41 To explain it, tort damage must be a harmful resultant from an infringement of specific legally protected interests (e.g., bodily integrity, property, personality, etc.). In addition, there must be a causal link between the infringement or fault and harm, so certain types of economic harm (e.g., pure economic loss) and non-material harm (e.g., loss of opportunity) that have a remote causation from the risk might be excluded from tort damage. The conditions of recognizing harm as tort damage, nevertheless, are determined by Member States, which can be quite different. Member States can thereby determine the meaning and scope of tort damage, as long as it is compatible with the objective of the specific EU law. 42 The controversial issue here is whether the gravity of harm would be a determinant of recognizing damage.
In the data-processing context, data subjects are increasingly raising their concern about non-material harm. So far, complaints about non-material damage resulting from the violation of the GDPR are mainly stress, anxiety, psychological discomfort and defamation. Compared with material harm, the claim with regard to non-material harm is subject to more restrictions and controversies. First and foremost, it is not easy to explicitly outline the scope of non-material damage when GDPR provisions are violated. The extent to which a person claims the suffering of non-material damage rests largely on the scope of personality rights that a jurisdiction protects, which however can be quite divergent. What is worse, non-material harm cannot be easily linked to an objective price, such as loss of salary and medical bills, so it is not easy to quantify the harm suffered by a person. Worse still, the claim for non-material harm is based on the subjective perception of a specific person, meaning that it could be difficult to anticipate beforehand the potential type of non-material harm suffered by a victim and to assess its corresponding cost.
Regarding the tort damage resulting from illegal data processing, according to Article 23 of the Data Protection Directive (DPD), the predecessor of the GDPR, ‘any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to [the DPD] is entitled to receive compensation from the controller for the damage suffered’. In this sense, the DPD neither explicitly explains what the ‘damage’ refers to nor gives an affirmative answer regarding the compensability of non-material damage. Therefore, the DPD leaves the definition of damage and compensability of non-material damage to the discretion of Member States.
Compared with Article 23 DPD, the GDPR takes a step forward by clearly expressing that non-material damage resulting from the violation of any GDPR provisions should be compensated. 43 Nevertheless, the GDPR does not explicitly define what counts as non-material damage. Consequently, Article 82 should be understood in a manner that it is not intended to provide a harmonized concept of non-material damage that all Member States should be subject to. Member States can still determine how to decide non-material damage by referring to their domestic criteria that are required for tort damage, which may largely be traced back to their general clauses in civil law, as long as such criteria are not detrimental to the objectives of the GDPR.
In practice, certain countries have the tradition to restrict the compensation of non-material damage by adopting additional criteria, ranging from requiring a minimum threshold for compensability to setting up a ceiling for the amount of damages. Regarding the latter case, however, the European Court of Human Rights (ECtHR) used to argue in a case that using a ceiling to limit the amount of non-material damage did not comply with Article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms. 44 Nevertheless, there can be an argument about whether the reasoning of the ECtHR can be extended to the explanation of Article 82 GDPR.
The argument regarding the de minimis threshold asks whether the claimed non-material harm could be regarded as tort damage only if the harm has a substantial gravity. Traditionally, in countries like Germany such a threshold is widely required for the assessment of compensability of non-material damage. 45 In recent years, national courts have realized the potential conflict between the de minimis threshold for compensating non-material damage and the objectives of the GDPR. 46 After the GDPR came into force, it is increasingly visible that national courts started to consider the text of the GDPR and dismissed the threshold requirement by referring to Recital (146) GDPR, which indicates that ‘the concept of damage should be broadly interpreted’. 47 In contrast, the traditional paradigm remained unchanged in many other cases: a severity of non-material damage was still required by some national courts. 48 As was analysed in Section 3, the AG opinion in Case C-300/21 supports retaining the threshold of seriousness. In fact, a similar demonstration can also be found in the AG opinion in other cases. 49
According to Recital (146), the concept of damage should be broadly interpreted ‘in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of this Regulation’. Therefore, it is the CJEU that has the ultimate power of addressing the definition of the non-material damage resulting from the violation of GDPR provisions. The CJEU can order Member States to correct their compensation regime that is not compatible with the principle of effectiveness.
The judgment of Case C-300/21 marks a milestone of how the CJEU starts to take a role in obliging Member States to define non-material damage in line with the objectives of the GDPR. In theory, non-material harm can refer to ‘any kind of disturbance affecting the claimant's feelings and not subject to a monetary assessment.’ 50 The judgment of C-300/21 further confirms that the gravity of harm is not considered a criterion to decide damage. Both significant and trivial harm are in principle compensable in the first place. In practice, whether trivial emotional harm could be compensated depends on other factors, such as whether the claimed harm is actual and certain. 51 Also, however trivial the non-material harm is, the claimant is responsible for quantifying it in a reasonable manner. Otherwise, it might be declined by the national court and the CJEU. 52
It can be reasonably anticipated that, by dismissing the de minimis threshold, the judgment of C-300/21 benefits claimants to a large extent. In the aftermath of C-300/21, claimants will no longer need to worry that their claimed non-material harm resulting from data processing may not reach a specific threshold for compensable damage. This will substantially enhance their access to justice reflected by Article 47 of the Charter of Fundamental Rights of the European Union. Likewise, a national court does not need to go through the efforts of specifying whether a kind of non-material harm is sufficiently substantial to meet the threshold as tort damage. Therefore, people could expect a higher level of legal certainty by removing the de minimis limitation for compensating non-material damage. Nevertheless, the admission of non-material harm as recoverable damage may raise the concern of excessive and abusive litigation, which may increase the burden of national courts.
To summarize, the rules concerning private enforcement are normally covered by directives rather than regulations. 53 From this perspective, national courts may constantly identify inconsistencies between the fully harmonized remedy rules in the GDPR and their pre-existent national rules regarding the recoverability of damage. In this regard, the CJEU is anticipated to frequently take the role in clarifying whether inconsistency referred by national courts meets the objectives of the GDPR. However, it should be noted that the specific clarification made by the CJEU will only have effect on the damage resulting from the violation of the GDPR, so it will not deliver a general implication for all scenarios. 54 In other words, while the CJEU rejects the de minimis threshold for the non-material damage resulting from violating GDPR provisions, it will not preclude national courts from continuing to rely on such a threshold for evaluating the non-material damage that is not a resultant of data processing.
C. The guideline for assessing non-material damage
There is no instruction on how to assess non-material damage in Article 82 GDPR. The recitals of the GDPR provide some implications. According to Recital (10), ‘the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States’. Recital (146) further states that ‘data subjects should receive full and effective compensation for the damage they suffered’. Fullness, also known as equivalence, means that data subjects should not be worse off compared with their condition prior to suffering the damage. Effectiveness indicates that there should be no obstacles in the procedure preventing data subjects from claiming their damage. The previous cases show that the CJEU also followed the principles of equivalence and effectiveness when dealing with the compensation issue referred by national courts. 55 In addition, the CJEU indicated that the compensation for damage must be in accordance with its real deterrence effect. Punitive damage is thereby not implemented unless the national laws provide it in certain circumstances. 56
In reality, Member States diverge when it comes to the amount of non-material damages they award. 57 Factors such as national wealth, social security outside tort damage and social judgment on non-material damage are found to play a role in the resulting difference. 58 The divergent social and economic conditions indicate why the CJEU is so conservative in providing an EU-wide guidance on assessing non-material damages. 59 The effectiveness and fullness of compensation, in spite of being an objective in EU law, should consider the concrete conditions in a given Member State. The CJEU clarified in this case that there would be no standardized assessment that is unitarily applicable to all Member States. 60 National courts should develop their own guidance as long as it complies with the goal of fullness and effectiveness enshrined by Recital (146) GDPR. 61 Therefore, while a standardized guideline for assessing non-material damage is not required according to the CJEU, an appropriate and explicit guidance at the national level should be established to safeguard the remedy objectives of the GDPR.
It should be noted that C-300/21 is not the only case that touched upon an issue relating to the amount of compensation in the domain of illegal data processing. Controversy about the compensation of non-material damage arose also in other cases. In Case C-667/21, an issue regarding the amount of compensation was also referred to the CJEU, which was asked to clarify whether the fault of the liable party (i.e., data controller in this case) should influence the calculation of compensation. According to the recently published AG opinion, the degree of fault should not be among the criteria for assessing compensation. 62
Conclusion
To conclude, even for a highly harmonized regime like the GDPR, the private enforcement regime that it introduced could be incomplete. While the GDPR does have a direct effect in EU Member States, several important issues, such as the concept of damage, the scope of damage and the guideline for assessing damage, are still complemented by national laws and the CJEU. Case C-300/21 is a milestone decision that clarifies a number of key issues surrounding the compensation of non-material damage resulting from data breach. The CJEU properly decided that a mere violation of the GDPR does not mean the existence of harm and tort damage. The analysis argued that this distinction will not necessarily disadvantage data subjects, on the condition that the de minimis threshold is removed and non-material harm could be properly quantified. The CJEU in this case denied the de minimis threshold, but it left the other work (i.e., the calculation of non-material harm) to Member States. Therefore, the compensation for the non-material harm is still a matter that relies on the work of both the CJEU and national courts. Case C-300/21 thereby draws some lessons for how to strike a delicate balance between harmonized data protection rules and local differences.
Funding
The author disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This work was supported by the Academy of Finland (grant number 330884 (2020)).
