CJEU Decides That A Mere Infringement of the GDPR Is Not Sufficient for Non-Material Compensation
Introduction
In its decision[1] regarding Case-300/21 and dated May 4, 2023, the Court of Justice of the European Union (“CJEU”) evaluates the right to compensation for an infringement of the European Union General Data Protection Regulation (“GDPR”) regulated in Article 82 of the GDPR. The CJEU decided that a mere infringement of the GDPR is not sufficient to claim compensation for non-material damage. Instead, the CJEU ruled that (i) damage that has been suffered, (ii) an infringement of the GDPR, and (iii) a causal link between the damage and that infringement must exist. Furthermore, the CJEU states that there is no requirement for the non-material damage suffered to reach a minimum threshold of seriousness and that national courts must apply the domestic rules of each Member State to the extent of financial compensation, provided that the principles of equivalence and effectiveness of EU law are complied with.
Background
The background to the case was the legal dispute of an affected party in Austria against the Austrian postal service (“Österreichische Post AG”). Accordingly, the Österreichische Post AG collected information on the political affinities of the Austrian population. It defined target group addresses using an algorithm that considers various social and demographic criteria. The data thus generated were sold to various organizations, to enable them to send targeted advertising.
The applicant, who was affiliated with a certain Austrian political party, brought proceedings in the Austrian courts and requested EUR 1.000,00 as compensation for their non-material damage. Although the information of the applicant was not communicated to third parties the applicant claimed that they did not consent to the processing of their personal data and that they felt offended by the fact that an affinity with the party in question had been attributed to them, the fact that data relating to his supposed political opinions were retained within that company caused them great upset, a loss of confidence, and a feeling of exposure.
The Austrian courts rejected the claim for compensation since the damage did not reach a certain “threshold of seriousness” and the mere anger of the claimant about unlawful processing is below this threshold.
The supreme court in Austria, which was hearing the appeal, referred the matter to the CJEU for a ruling on the following questions:
- Must Article 82 (1) of the GDPR be interpreted as meaning that the mere infringement of the provisions of the GDPR is sufficient to confer a right to compensation?
- For compensation to be awarded, must Article 82 (1) of the GDPR be interpreted as precluding a national rule or practice which makes compensation for non-material damage, within the meaning of that provision, subject to the condition that the damage suffered by the data subject has reached a certain degree of seriousness?
- Must national courts apply the domestic rules of each Member State relating to the extent of financial compensation?
The Decision of the CJEU
Question 1: Must Article 82 (1) of the GDPR be interpreted as meaning that the mere infringement of the provisions of the GDPR is sufficient to confer a right to compensation?
Article 82 (1) of the GDPR reads as follows:
“Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”
In its decision, the CJEU underlines that since the GDPR makes no reference to the law of the Member States as regards the concepts of “material or non-material damage” and of “compensation for the damage suffered” those terms must be regarded, for the purposes of the application of the GDPR, as constituting autonomous concepts of EU law which must be interpreted in a uniform manner in all of the Member States.
In light of these principles, the CJEU, first of all, evaluates the wording of the provision. According to the CJEU, it is clear from the wording, that the existence of the following conditions must be present cumulatively:
- “Damage” which has been “suffered”,
- An infringement of the GDPR,
- A causal link between the suffered damage and the infringement of the GDPR.
In the decision, it is underlined that the separate reference to “damage” and to an “infringement” in Article 82 (1) of the GDPR would be superfluous if the EU legislature had considered that an infringement of the GDPR could be sufficient for the right of compensation. Moreover, the CJEU supports this argument by stating that contrary, Articles 83 and 84 of the GDPR, which permit the imposition of administrative fines and other penalties, have essentially a punitive purpose and are not conditional on the existence of individual damage.
Question 2: Must Article 82 (1) of the GDPR be interpreted as precluding a national rule or practice which makes compensation for non-material damage, within the meaning of that provision, subject to the condition that the damage suffered by the data subject has reached a certain degree of seriousness?
Concerning this question, the CJEU reminds that the concept of “non-material damage” must be given an autonomous and uniform definition specific to EU law since no reference to the domestic law of the Member States is given. Accordingly, Article 82 (1) expresses that “non-material damage” may give rise to a right to compensation, without any reference being made to any threshold of seriousness. Also, Recital 146 of the GDPR states that “the concept of damage should broadly be interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objective of this Regulation”. So, it would be contrary to a broad interpretation of “damage” to limit the concept solely to damage of a certain degree of seriousness.
The Decision underlines that making compensation for non-material damage subject to a certain threshold of seriousness would risk undermining the coherence of the rules established by the GDPR. Since such a threshold would fluctuate according to the assessment of the courts seized. However, a person who had negative consequences due to an infringement of the GDPR still has to demonstrate that those consequences constitute non-material damage within the meaning of Article 82 of the GDPR.
Question 3: Must national courts apply the domestic rules of each Member State relating to the extent of financial compensation?
As regards the last question, the CJEU declares that the GDPR does not contain any rules about the assessment of the damages to which a data subject, may be entitled where an infringement of the GDPR has caused him or her harm. Therefore, each Member State’s legal system must prescribe the criteria for determining the extent of the compensation payable to the data subject. However, the Court highlights that the principles of equivalence and effectiveness of EU law must be complied with. The principle of effectiveness refers to the requirements that national law should be interpreted in line with EU law, that conflicting provisions of national law should not be applied, and that consequences resulting from breaches of EU law should be overridden. The principle of effectiveness also means that detailed procedural rules governing actions to protect the rights of individuals deriving from EU law should not render the exercise of those rights practically impossible or unduly difficult. The principle of equivalence requires that Member States should not treat matters under EU law less favorably than purely national matters.
Conclusion
In conclusion, it is clear that this judgment has clarified many debated issues concerning Article 82 of the GDPR. Such as the need for actual damage caused by an infringement of the GDPR, the fact that such damage must not reach a minimum threshold of seriousness and that the amount of compensation should be determined in accordance with the domestic law of the Member States by considering the principles of equality and effectiveness. However, whereas the CJEU leaves the burden of proof on the claimant, it is not clarified what proof of non-material damage is required. In this respect, while it is clear that the judgment has played an important role in clarifying Article 82 in regard to non-material damage, there are still unanswered questions that have to be enlightened.
- The Decision of the Court of Justice of the European Union, Case-300/21 04.05.2023 https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:62021CJ0300 (Access Date: 22.05.2023)
All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.
Other Contents
Typically, when an employee departs, their corporate email account remains active and accessible to the employer for a period of time. During this time, the email archive and new incoming messages are forwarded to the employee's manager or another colleague...
In today's world, we now have the opportunity to purchase many products and services through e-commerce platforms with a single click from wherever we are. During these purchases, our personal data are collected and used through the websites or mobile applications of e-commerce platforms for various...
The processing of genetic data has the potential to affect not only the data subjects but also the persons with whom the data subject is genetically connected. “The Guidelines on Issues to be Considered in the Processing of Genetic Data” (“Guidelines”) published by the Personal Data Protection Authority...
The first “Artificial Intelligence Act” of all time, which includes rules and regulations that directly affect tools such as ChatGPT, Bard and Midjourney adopted by the European Parliament with a majority of votes. Thus, the European Parliament has officially taken the steps of a regulation that could be a turning point for...
ChatGPT, a large language model (LLM) developed by OpenAI, is an artificial intelligence (AI) system based on deep learning techniques and neural networks for natural language processing. ChatGPT can process and generate human-like text, chat, analyse and answer follow-up questions, and acknowledge errors...
The Personal Data Protection Law numbered 6698 (“PDPL”) introduces definitions for many concepts such as personal data, data controller, data processor and data subject. In terms of understanding and interpreting these concepts, secondary legislation, Personal Data Protection Authority (“Authority”) guidelines...
The Covid-19 pandemic and recent technological developments have significantly accelerated the digital transformation of all sectors. However, this rapid change especially in the financial sector (mobile banking, e-commerce, contactless payments, etc.) has brought some risks along with making life extremely...
Smartwatches have undeniably revolutionized our lives in the past decade. Apart from their core function as a timepiece, these wearable computers packaged in the form of a watch enable us to answer incoming calls, reply to messages and skim through social media notifications in seconds. Their steady rechargeable...
The Personal Data Protection Authority (“DPA”), on 16.06.2022, published the Draft Guidelines on Examination of Loyalty Programs within the Scope of Personal Data Protection Legislation (“Draft Guidelines”). The public has until 16.07.2022 to submit comments on them, and after these are evaluated...
The German Competition Authority (“Bundeskartellamt”) had previously found Meta (formerly Facebook) responsible for abusing its dominant position in the social network market by collecting and processing the personal data of its users without their consent and imposed measures on Meta and its associated...
Banks process large volumes of personal data in their daily operations. In order to deal with this sensitive information, the Turkish Personal Data Protection Authority, in cooperation with the Banks Association of Turkey, published Good Practice Guidelines on Personal Data Protection in the Banking...
The procedural rules on mass claims within European Union (“EU”) Member States is not uniform. To improve the position of consumers who might wish to make such claims, the European Parliament passed the Collective Redress Directive (“Directive”). The impact of the Directive is expected to...
In February 2020, the European Commission (“Commission”) published “A European Strategy for Data” as part of a wider drive concerning digital transformation and policy. Through this communication, the European Union (“EU”), defining itself as having a leading role in the data economy...
The Regulation on Protection and Processing of Personal Data by the Social Security Institution (the “Regulation”), the purpose of which is to determine the procedures and principles for processing data obtained within the scope of the duties and authority of...
The Personal Information Protection Law of the People’s Republic of China (“PIPL”) passed at the 30th meeting of the Standing Committee of the 13th National People’s Congress on 20 August 2021 and entered into force on 1 November 2021 as per Article 74...
In today's world, there is no doubt that data has become one of the most valuable assets and resources for some companies. The ability to collect, store, process, and analyze data on a large scale has dramatically changed...