The European Union’s top court has handed down a ruling that clarifies the rules surrounding compensation for GDPR (General Data Protection Regulation) breaches.
Case C-300/21 concerns non-material damages related to data breaches. This refers to things such as distress, reputational damage and the loss of future wages, which can occur when an organisation unlawfully processes personal information, or if it fails to respond to a DSAR (data subject access request).
Individuals’ rights in this area have remained uncertain through the GDPR’s five-year history, but this month’s ruling states that “mere infringement of the GDPR does not give rise to a right to compensation”.
However, the CJEU (Court of Justice of the European Union) added that there are circumstances where a compliance violation will result in material damages.
In those cases, “there is no requirement for the non-material damage suffered to reach a certain threshold of seriousness in order to confer a right to compensation”.
This means that security breaches can result in non-material damages, and those damages can give rise to compensation, but this won’t always be the case.
Instead, regulators must evaluate the specifics of each case and determine whether it has caused non-material damage that necessitates compensation.
Why is this important?
The CJEU’s ruling has its origins in a referral from an Austrian court, where an individual sought to sue the country’s postal service for damages after it used an algorithm to predict citizens’ political views.
The postal service gathered this data using socio-demographic information that was processed without the data subjects’ consent, which the claimant said left them exposed and upset.
Ordinarily, this issue could have been resolved by considering Article 82 of the GDPR, which says that data subjects have the right to compensation following a data breach.
It states: “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”
However, it’s unclear exactly what the threshold for non-material damage is and whether an individual can claim compensation if they feel, for example, ‘exposed and upset’.
In a similar instance, a recent opinion given by Advocate General Manuel Campos Sánchez-Bordona described a data breach as causing “inner discomfort”.
Meanwhile, the data protection activist Max Schrems has pointed out that non-material damages can also include the pain of broken bones or a “slap in the face”.
The most recent ruling sets a precedent that emotional damage, regardless of its severity, can be considered non-material damage.
As The Register observes, this “may have far-reaching consequences for tech giants processing the personal data of millions across the bloc, particularly against the backdrop of recent growth in AI and the necessary ingestion of data behind it”.
Commenting on its ruling, the CJEU wrote:
[T]he Court holds that the right to compensation is not limited to non-material damage that reaches a certain threshold of seriousness […] The GDPR does not contain any such requirement and such a restriction would be contrary to the broad conception of ‘damage,’ adopted by the EU legislature.
Indeed, the graduation of such a threshold, on which the possibility or otherwise of obtaining that compensation would depend, would be liable to fluctuate according to the assessment of the courts seised.
The court stopped short of mandating whether certain non-material damages were worthy of compensation, so it’s up to individual data protection authorities to make a judgement. This includes deciding which damages are within scope and the monetary value of any compensation awarded.
What does this mean?
Reflecting on the outcome of the CJEU’s decision, Peter Church, a counsel in the technology practice at the law firm Linklaters, said: “[I]t is possible that even minor anxiety or upset might justify a compensation claim. This in turn could open the way for not only frivolous or vexatious claims but also large class actions.”
Meanwhile, the privacy rights group NOYB, led by the prominent activist Max Schrems, praised the ruling and its acknowledgement of “emotional damages”.
In a statement, Schrems wrote: “We welcome the clarifications by the CJEU. A whole industry tried to reinterpret the GDPR, in order to avoid having to pay damages to users whose rights they violated. This seems to be rejected. We are very happy about the result.”
To what extent these damages will result in compensation is yet to be seen. The most obvious cases where this will apply are to incidents affecting special category data, such as health records, political opinions, union memberships and sexual orientation.
However, we suspect it’s only a matter of time before someone attempts to claim compensation for a data breach at a tech giant. How that will pan out will depend on the supervisory authority’s decision-making.
If you’re concerned about the way this could affect your organisation, IT Governance is here to help. Speak to one of our GDPR experts to learn more about your compliance posture and the ways you can bolster your data protection practices to prevent information security incidents and compensation claims.
Whether you’re looking for a little guidance or you’d like a dedicated consultant, we offer a range of services that can be tailored to meet your needs.