Other author: Salome Peters, Legal Intern
Not every infringement of the EU GDPR automatically grants data subjects the right to compensation under Article 82.1. That is the key takeaway of a decision dated 4 May 2023 of the Court of Justice of the European Union (CJEU) (Österreichische Post case, C-300/21). The CJEU concluded that in order to obtain compensation, the following is required: (i) there must be a violation of the GDPR, (ii) it must be proven that the infringement of the EU GDPR has resulted in harm to the data subject and (iii) there must be a causal relationship between the infringement and the harm endured. While the data subject must prove that harm has occurred, the EU GDPR does not require the data subject to demonstrate that the harm exceeded a particular level of seriousness before compensation can be claimed.
Starting in 2017, the Österreichische Post collected data on the political affinities of the Austrian population by using an algorithm to define “target group addresses”. These addresses were then sold to different political organizations to enable them to send targeted advertisements. The data subject, who did not consent to the processing of his personal data, was offended by the idea that he was associated with one particular party and claimed that the retention of data pertaining to his supposed political views caused him to experience significant emotional distress, loss of trust, and a sense of vulnerability.
The data subject’s initial claim of EUR 1,000 was refused by the Regional Court for Civil Matters in Vienna, Austria on 14 July 2020. On 9 December 2020, the Higher Regional Court in Vienna confirmed this decision and stated that a violation of data protection law only gives rise to a right to compensation where such damage reaches a certain “threshold of seriousness”, which had not been reached in the case at hand. Both parties appealed this decision. The Austrian Supreme Court then opted to suspend the proceedings and referred a set of questions to the CJEU for a preliminary ruling.
The takeaway of this decision is that not every infringement of the EU GDPR automatically leads to a right to compensation. According to the CJEU, such an interpretation would conflict with the clear language of the EU GDPR, as it does not provide for a strict liability regime. In addition, the CJEU decided that non-material damage does not have to pass a defined threshold of seriousness before compensation can be claimed, given that the GDPR does not impose any such requirement, which would conflict with the EU’s broad interpretation of the word “damage”.
Lastly, the CJEU noted that the EU GDPR does not set out any regulations regarding the evaluation of damages. It is therefore the responsibility of each Member State to formulate comprehensive guidelines clarifying the criteria for determining the extent of compensation to be awarded by courts, taking into account the compensatory purpose of compensation under the GDPR.
Potential practical implications
After this decision, it will be harder for data subjects to obtain compensation following GDPR violations – including following a cybersecurity incident. Plaintiffs will need to prove the harm suffered and that it was caused by those violations. This may lead to a decrease in post-GDPR violation damage claims.