A recent judgment from the Court of Justice of the European Union offers clarity on the issue of damages when a data subject’s rights have been breached. Mark D. Finan BL and R. Caroline McGrath BL examine in detail.
On the 4 May 2023, the Third Chamber of the CJEU delivered judgment in a request for a preliminary ruling under Article 267 TFEU from the Oberster Gerichtshof (Supreme Court, Austria), in the proceedings UI v Österreichische Post AG, Case C-300/21. Observations were filed by the parties, the Austrian Government, the Czech Government, Ireland and the European Commission. The Advocate General delivered his opinion on 6 October 2022. This was the case that many lawyers practicing in data protection were hoping would provide some clarity as to damages when a data subject’s rights have been breached.
Every reader of this article is a data subject. If you read the article online, you have created data which is directly identifiable to you or can be. If you read many legal articles, algorithms can identify a certain preference and direct your attention towards legal articles. This is a company using data about you and seeking to use your preferences in order to adopt more efficient marketing (albeit of a legal article). How that data is collated, processed and controlled is of concern. Principally because it concerns you. If your data is being collected for business purposes, you ought to be made aware of it. Your consent ought to be of the utmost importance when data, which is capable of identifying you, is being used.
The General Data Protection Regulation was adopted to protect natural persons with regard to the processing of personal data and on the free movement of such data. It is recognised that everyone has the right to the protection of personal data concerning him or her[1]. The GDPR became applicable from 25 May 2018[2] and consists of 99 Articles and 173 Recitals. Arguably, from an individual’s point of view, it is one of the most important pieces of legislation to emanate from the European Union. Case C-300/21, was to provide much needed guidance as to material scope of Article 82, GDPR.
Case C-300/21
The request for the preliminary ruling concerned the interpretation of Article 82. It was made in the context of proceedings between UI and Österreichische Post AG whereby UI sought compensation for the non-material damage arising fromprocessing of personal data by Österreichische Post (including UI’s data) relating to the political affinities of persons residing in Austria. Österreichische Post, since 2017, had, using algorithms, collated information concerning Austrians, including their likely political affinities. It then sold this information on for profit to various organisations. UI’s personal data was extrapolated by Österreichische Post whereby his own political affiliation was inferred. UI had not consented to the processing of his personal data and he felt offended that the political party in question was assigned to him. He stated that this causedhim great upset, a loss of confidence and a feeling of exposure..
UI sought an injunction directing cessation of the data processing and compensation for non-material damage in the sum of €1,000 before the Landesgericht für Zivilrechtssachen Wien (Regional Civil Court, Vienna, Austria). The injunction was granted but damages were refused. On appeal, the Oberlandesgericht Wien (Higher Regional Court of Vienna, Austria) confirmed the judgment of the lower court. Importantly, it noted that under Austrian law, a breach of personal data rights did not automatically result in non-material damage and would only give rise to compensation where such damage reached a certain “threshold of seriousness”.
Both parties referred the matter to the Oberster Gerichtshof (Supreme Court, Austria) which referred the matter to the CJEU for a preliminary reference on the interpretation of Article 82 and the requirements of Union Law in the determination of damages. The following questions were referred:
Does the award of compensation under Article 82 of [the GDPR] also require, in addition to infringement of provisions of the GDPR, that an applicant must have suffered harm, or is the infringement of provisions of the GDPR in itself sufficient for the award of compensation?
Does the assessment of compensation depend on further EU-law requirements in addition to the principles of effectiveness and equivalence?
Is it compatible with EU law to take the view that the award of compensation for non-material damage presupposes the existence of a consequence [or effect] of the infringement of at least some weight that goes beyond the upset caused by that infringement?”
The CJEU, in considering the legal framework of the reference before it, considered recitals 10, 75, 85 and 146 of the GDPR which concern the lawful processing of personal data. Recitals 75 and 85 both refer to material and non-material damage caused by a data breach. Recital 146 states that a controller should make good any damage that a person may suffer resulting from a breach of the Regulation. Importantly, it also states that the concept of damage should be interpreted broadly in light of existing case law of the CJEU and in a way that “fully reflects the objectives of this Regulation”.
Articles 1, 4, 77, 78, 82, 83 and 84 were also duly considered by the Court. Articles 1 and 4 set out the objectives and definitions of the Regulation, including a definition for personal data.. The definition is a very broad one which refers to any data that identifies a person or whereby the person could be identifiable. Articles 77 – 84 fall under the heading: “Remedies, liability and penalties.” Articles 77 and 78 deal with the data subject’s right to lodge a complaint with a supervisory authority and right to an effective judicial remedy against a supervisory authority. Articles 83 and 84 concern regulatory and administrative fines. In the context of civil litigation, Article 82, headed ‘Right to compensation and liability’ states,
- “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
- Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation…”
At paragraph 28 of the judgment, the Court commences considering the conditions required for the exercise of the right to compensation provided for in Article 82. The CJEU noted that the GDPR does not include any refence to the law of the Member States in the context of the meaning of the terms of Article 82 including the terms of “material and non-material damage” and “compensation for damage suffered”. Accordingly, these terms are autonomous concepts of EU law which must be interpreted in a uniform matter across all EU States. (Case C-439/19 Latvijas Republikas Saeima (Penalty points) and Case C-595/20 ShareWood Switzerland)
In analysing Article 82 from a literal approach, the CJEU noted that it was clear from the wording that the existence of “damage” or “harm” which has been “suffered” was one of the conditions for the right of compensation, as well as breach of the GDPR and a causal link between the breach and the damage.
[I]t cannot be held that any ‘infringement’ of the provisions of the GDPR, by itself, confers that right to compensation on the data subject…Such an interpretation would run counter to the wording of Article 82(1) of that regulation.”
In paragraph 36, the CJEU refers to thethe three conditions specified by Article 82(2) as necessary to give rise to the right to compensation
- Treatment of personal data carried out in violation of the provisions of the GDPR,
- Damages or prejudice suffered by the data subject concerned
- Causal link between this unlawful processing and this damage.
The CJEU also notes that Articles 77 and 78 of the GDPR afford the supervisory authority the function of providing remedies for a data subject without the need to suffer damage or prejudice. This is contrary to the positive obligation that is stated in Article 82. The Court found that this distinction supported its conclusion that damage must have been suffered in order for the right to compensation to arise. The CJEU held, in answering the first question, that “the mere infringement of the provisions of that regulation is not sufficient not to confer a right to compensation.”
The CJEU examined the third question prior to answering the second. In so doing, it reiterated that in the absence of a reference to national laws, the CJEU had to give the concept of “non-material” damage an autonomous and uniform definition specific to Union Law. It was noted that “damage” is not defined. Therefore, “material damage” and “non-material damage” may give rise to a right to compensation, without any mention of any severity threshold. The Court also relied on the provisions of Recital 146 in coming to this conclusion.
The Court was of the opinion that having a certain threshold would undermine the consistency of the regime established by the GDPR. It held that any such threshold was likely “to fluctuate according to the assessment of the courts seised.” It held that as a consequence, the third question must be answered that any national rule making compensation for non-material damage being subject to a requirement to exceed a severity threshold must be precluded.
The focus of the second question concerned the application by Member States of their own rules concerning compensation for pecuniary compensation and the application of the principles of equivalence and effectiveness of Union law. It was noted that Article 4 does not contain a provision in relation to the assessment of damages. In the absence of any such rule, the CJEU held that it is
for the legal system of each Member State to prescribe the detailed rules governing actions for safeguarding rights which individuals derive from Article 82 and, in particular, the criteria for determining the extent of the compensation payable in that context, subject to compliance with thoseprinciples of equivalence and effectiveness” (Case C-295/04 Manfredi and Others).
In applying the principle of effectiveness, the Court said that it was for the referring court to determine whether the national assessment of damagesrender it impossible for a data subject to exercise its rights under the GDPR. The CJEU answered the second question that “national courts must apply the domestic rules of each Member State relating to the extent of financial compensation, provided that the principles of equivalence and effectiveness of EU laws are complied with.”
Implications for Ireland
Section 117 of the Data Protection Act 2018 gives further effect to Article 82 of the GDPR. The right to seek compensation is based on tort. The CJEU answer to the first question in Case C-300/21 aligns with the principles of existing Irish tort law which requires a claimant to establish a duty (an obligation pursuant to the GDPR), a breach of that duty (a violation of the GDPR) and that damages arise from that breach (a violation of the GDPR does not give rise to compensation in of itself). Arguably, the dicta of Mr Justice Feeney, when analysing section 7 of the Data Protections Acts 1988 – 2003, in Collins v FBD Insurance PLC [2013] IEHC 137 is still applicable: the duty of care is one which arises within the law of torts and goes no further.
Having regard to the second question, it is arguable that the rule set out in the decision of Kelly v Hennessy [1995] 3 I.R. 253, that psychological injury short of a recognisable psychiatric illness does not attract damages may require to be disapplied. It appears that such rule which requires a severity threshold for damage is not consistent with the answer provided by the CJEU to the third question.
[1] Recital 1, GDPR
[2] Article 99, GDPR
The views expressed above are the author’s own and do not reflect the views of The Bar of Ireland.
Discover our Specialist Bar Associations
The Media, Internet and Data Protection Bar Association (MIDBA), supported by the Bar of Ireland, is a specialist association for barristers who practice in, or have an interest in, those areas of law.
Given the seismic changes in the media landscape in recent years, and with many of the largest technology companies having their European headquarters located in Ireland, it is essential that law practitioners are kept up to date on developments in these complex and fast-moving areas of law.