Author: Eleanore Beard

A recent Austrian case, UI v Österreichische Post (Case C-300/21), is the first of several expected preliminary rulings regarding damages resulting from unlawful processing of data and the right to compensation.
There has been a steady increase in actions brought for damages under the GDPR and UK GDPR. As a result, the European Court of Justice (ECJ) has recently been dealing with a number of referred questions on the subject of claims for damages under the GDPR.
The GDPR and the UK GDPR give all relevant data subjects a way to pursue a claim for damages against a controller or a processor of their personal data.
Article 82(1) of both the GDPR and the UK GDPR states: “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”
A data subject, therefore, has a right to claim compensation for material or non-material damages resulting from a breach of data protection legislation.
The initial claim in the above case was brought by an individual, UI, against Österreichische Post AG, which is responsible for the Austrian postal service. From 2017, it collected information about the Austrian population’s affiliation to political parties and used an algorithm to define target groups according to certain socio-demographic features.
The algorithm assigned a particular political affinity to UI, which angered and offended him. He claimed that it was insulting, shameful and damaging to his reputation, and that it caused him great upset, loss of confidence and public exposure. He therefore sought compensation of 1,000 euros for non-material damage.
The Austrian court had initially dismissed UI’s claim for compensation, indicating that the right to compensation requires that the damage claimed must be of a certain significance.
UI lodged an appeal with the Austrian Supreme Court of Justice (Oberster Gerichtshof). On 12th May 2022, the court referred the following questions to the ECJ for consideration:
“1. Does the award of compensation under Article 82 …[GDPR] also require, in addition to infringement of provisions of the GDPR, that an applicant must have suffered harm, or is the infringement of provisions of the GDPR in itself sufficient for the award of compensation?
2. Does the assessment of the compensation depend on further EU law requirements in addition to the principles of effectiveness and equivalence?
3. Is it compatible with EU law to take the view that the award of compensation for non-material damage presupposes the existence of a consequence of the infringement of at least some weight that goes beyond the upset caused by that infringement?”
On 6 October 2022, the Advocate General, Campos Sánchez-Bordona (AG), issued his opinion on the questions raised.
The AG ruled out compensation for mere upset and for the vague, fleeting feelings or emotions which resulted from a breach of data protection legislation, and confirmed that “Article 82 of the GDPR is to be interpreted as meaning that for the purposes of the award of compensation for damage suffered by a person as a result of an infringement of that regulation, a mere infringement of the provision is not in itself sufficient if that infringement is not accompanied by the relevant material or non-material damage.”
The AG went on to say that “[t]he compensation for non-material damage provided for in the regulation does not cover mere upset which the person concerned may feel as a result of the infringement of provisions of Regulation 2016/679. It is for the national courts to determine when, owing to its characteristics, a subjective feeling of displeasure may be deemed, in each case, to be non-material damage.”
The AG indicated that he believed that Article 82(1) “was designed and laid down to support the typical functions of civil liability: damages (for the injured party) and, on a secondary basis, the prevention of future harm (by the infringer).”
The AG also stated that the availability of non-material damages could be inferred from previous case law: where the objective (or one of the objectives) of the provision being interpreted is the protection of individuals or a certain category of individuals (for example, consumers of products or victims of traffic accidents), the definition of damage must be broad and, in keeping with that rule, compensation covers non-material damage, even where it is not mentioned in the provision interpreted.
Interestingly, the AG considered that the right to compensation under Article 82(1) was not the most suitable instrument for countering breaches of data protection legislation in the processing of personal data where those breaches would create annoyance or upset.
Whilst the AG ruled out compensation for the vague, fleeting feelings or emotions which resulted from a breach of data protection legislation, this would not leave the data subject without any protection or redress, as the data subject could use the other GDPR remedies, including the right to erase personal data.
With more preliminary rulings expected, it will be interesting to see if they will reach a similar conclusion. It is of note that the AG’s opinion and comments are not binding on the ECJ; however, they give us an idea about the court’s possible approach.
It will also be interesting to see what approach the UK courts will take with regard to the interpretation of Article 82 and whether they will follow the same approach.
