In Germany, the GDPR has so far been associated primarily with the risk that data protection authorities impose fines for GDPR violations. This impression was certainly reinforced by the imposition of some very high fines in the last two years (e.g. against 1&1 Telekom and Deutsche Wohnen). Recently, however, the claim for material and non-material damage (Art. 82 GDPR) has become increasingly important. Since material damage as a result of data protection breaches are rather the exception, the claim for compensation of non-material damage means a new liability risk. Compensation for non-material damage was newly introduced in Germany with the GDPR in 2018. In this context, the recent decision of the Munich Regional Court (case no 31 O 16606/20) deals with the interpretation and scope of the claim for non-material damages under Article 82 GDPR.
Background
According to Art. 82 GDPR, any person who has suffered material or non-material damage as a result of a violation of the GDPR is entitled to compensation from the controller or the processor of personal data. The claim does not exist only if the controller or processor can prove that he is not responsible in any respect for the circumstance that caused the damage. The claim is therefore quite simple to bring, especially if non-material damage is claimed.
Jurisprudence in Germany interprets the claim under Art. 82 GDPR very differently.
For example, the Labour Court of Dusseldorf has ruled in favour of a claim for non-material damage in the amount of EUR 5,000 because the defendant company did not answer an employee's request for information in time and thus violated Art. 15 GDPR (case no 9 Ca 6557/18). The Regional Court of Darmstadt also affirmed a claim under Art. 82 GDPR in a case in which the defendant company had accidentally sent a message on salary to the wrong recipient and did not inform the plaintiff of this. The court awarded non-material damage in the amount of EUR 1.000 (case no 13 O 244/19). These and other comparable decisions often emphasise that non-material damage according to recital 146 of the GDPR should have a deterrent effect and should be "effective".
In contrast the Higher Regional Court of Dresden, for example, points out that not every individually perceived inconvenience or every trivial infringement justifies a claim for non- material damage. An unconditional claim for damages otherwise harbours a considerable risk of abuse (case no 4 U 760/19). The Karlsruhe Regional Court assumes that in addition to a breach of data protection law there must also be a concrete violation of personal rights (case no 8 O 26/19). The Frankfurt on the Main Regional Court requires the causal impairment of a protected legal interest (case no 2 27 O 100/20). This is also the view of the Hamburg Regional Court. A serious violation of personality is not necessary, but not every violation of the GDPR should lead to a claim for non-material damage (case no 324 S 9/19).
The list of different decisions of German courts grows longer every day. The discussion as to whether the claim under Art. 82 GDPR contains a de minimis limit or requires a violation of personal rights has now also reached the Germanys Federal Constitutional Court. It recently considered a referral to the European Court of Justice (ECJ) pursuant to Art. 267 of the Treaty on the functioning of the EU (TFEU) to be necessary (case no 1 BvR 2853/19).
The Case
The plaintiff is a customer of the defendant. Before entering into the business relationship, the plaintiff provided the defendant, a financial services company, with numerous personal data. In addition, he had to legitimise himself by means of a so-called Post-Ident procedure (an identification service offered by Deutsche Post), whereby his identity card was photographed.
Subsequently, the plaintiff used his customer account to invest in shares and securities. In October 2020, the plaintiff was informed by the defendant that unauthorised third parties had unlawfully accessed part of the data stored in their data archive. The following data was stolen from the plaintiff: First and last name, title, address, e-mail address, mobile phone number, date, place and country of birth, nationality, marital status, tax residency and tax ID, IBAN, copy of ID, portrait photo taken using the Post-Ident procedure.
The defendant had deposited access information to its complete IT system with its former service provider. The unidentified attacker used this access data to gain access to part of the document archive and the customer data contained therein. The contractual relationship between the defendant and the service provider was terminated at the end of 2015, whereby the defendant did not change the access data to its IT system.
The Munich Regional Court granted a non-material damage in the amount of EUR 2,500.
Art. 32 GDPR ("security of processing") requires appropriate technical and organisational measures to ensure a level of protection appropriate to the risk (see also Art. 5 para. 1 lit. f GDPR). In particular, recital 39 of the GDPR mentions as a required measure that it is ensured that unauthorised persons do not have access to the data and cannot use the data or the devices with which they are processed. The defendant did not change the access data for the service provider after the termination of the business relationship.
As the defendant submits that it had to assume that the access information would be deleted completely and permanently since then, it could not rely on this in view of the large scope (access to the complete IT system) and due to the quality and sensitivity of the stored data. Since the defendant obviously did not check the deletion, it had been negligent to leave the access data unchanged for several years from the termination of the business relationship in 2015 until the access to the defendant's customer data in 2020.
In the present case, extensive and sensitive data has been taken by the attacker. This is not an "insignificant or perceived violation of personal rights" in the view of the court. Art. 82 GDPR is not limited to serious damages, so that a general exclusion of minor cases is prohibited.
Recitals 75 and 85 of the GDPR list examples of the specific harms that may constitute "physical, material or non-material harm", such as discrimination, identity theft or fraud, financial loss, damage to reputation, unauthorised removal of pseudonymisation or other significant economic or social harm. According to recital 146 of the GDPR, the concept of harm must also be "interpreted broadly in the light of the case-law of the Court of Justice in a way that is fully consistent with the objectives of this Regulation" and "data subjects should receive full and effective compensation for the harm suffered".
Outlook
In its decision, the Munich Regional Court agrees with a broad interpretation of Art. 82 GDPR. The court's citations from the recitals of the GDPR in particular, however, do not answer the question what is a "full and effective" compensation for the non-material damage suffered. The difficulty in interpreting these vague legal terms lies in the fact that no material damage needs to have occurred. In this respect, the Regional Court simply repeats formulations of the GDPR, but it does not interpret them and thus does not attempt to concretise them. With regard to the recent Federal Constitutional Court's statement that a referral to the ECJ is necessary (see above, case no 1 BvR 2853/19), the Munich Regional Court simply stated that it was not obliged to make such a referral because it was not a court of last instance and the defendant could appeal against the judgment (Art. 267 para. 3 TFEU). A referral could then be made by the court of last instance.
The reasoning is therefore not very detailed and does not help either with the interpretation of the vague terms of the GDPR or with the question of how concretely non-material damage is to be measured. The result - a claim for damages of EUR 2500 - is not further substantiated.
Nevertheless, the decision must be seen in the context of numerous similarly unsatisfactorily reasoned decisions of German courts. Liability risks are thus difficult to assess. The development in Germany is now also being driven by specialised law firms, which are asserting claims for non-material damage under Art. 82 GDPR after data breaches in large numbers. One has to imagine what consequences a claim for damages founded in this way can have for a company in the case of numerous uniform lawsuits by those affected. It is to be hoped that the ECJ will quickly clarify the situation and concretise the interpretation of Art. 82 GDPR.
Dr. Franz König is attorney at law and partner at BLD Bach Langheid Dallmayr Rechtsanwälte a founding member of Legalign Global: An alliance of best-in-region law firms (including DAC Beachcroft LLP) working as one for multinational insurers, brokers and businesses in addressing cross-border risks and claims.
