May 2023 brought the eagerly awaited CJEU's decision in the Austrian Post case (C-300/21)[1]. It was the CJEU's first attempt to bring clarification and harmonisation on an individual's entitlement to compensation for non-material damage under Article 82 of the GDPR. Whilst the decision has brought the clarity it promised on the one hand, it leaves a slightly opaque window of interpretation with Members States' national courts on the other.
The Austrian Post Case
From 2017, Österreichische Post, a logistics and postal service provider in Austria, collected information relating to the political affinities of the Austrian population. It used an algorithm that took into account various social and demographic criteria, to define a ‘target group addresses', which was then sold to various organisations to enable them to send targeted advertising. By way of statistical extrapolation, it could be inferred from the processed data whether an individual had a high degree of affinity to a certain political party.
The claimant sought €1,000 in compensation under Article 82 GDPR for "great upset, a loss of confidence and a feeling of exposure" suffered as a result of the non-consensual processing of data relating to his political opinions. The Austrian courts rejected the claim for compensation, ruling that a an entitlement to compensation for non-material damage for a breach of GDPR only arises when such damage reaches a certain 'threshold of seriousness'. The claimant's temporary adverse emotional impact did not reach that threshold.
Questions of EU law referred to the CJEU
The Austrian Supreme Court referred the following questions on EU law to the CJEU:
- Does an infringement of the GDPR alone give rise to a right to compensation, regardless of whether or not harm has been suffered?
- Must the award of compensation for non-material damage be conditional on ‘the infringement of at least some weight that goes beyond the upset caused by that infringement’? (i.e. must the damage satisfy a certain "threshold of seriousness”).
- Does the assessment of the compensation depend on further EU-law requirements, in addition to the principles of effectiveness and equivalence? (i.e. how does the court determine the amount of compensation).
The ruling: the right to compensation
In its judgment, the CJEU made it clear that not all infringements of the GDPR will merit an award for compensation. Three cumulative conditions must be met : (i) the processing infringes the GDPR; (ii) damage is suffered; and (iii) there is a causal link between the infringement (unlawful processing) and that damage suffered.
As a result, and in answer to question (1), the CJEU ruled that a mere infringement of the GDPR is insufficient to merit an award for compensation. The burden is on the claimant to prove that they suffered material and/or non-material damage, and that the infringement is what caused it.
The Austrian Post decision also includes some useful statements to defend frivolous and vexatious claims. Not only does the CJEU make it clear that not every breach of the GDPR equals damage (see paras 37-43), the CJEU ruled that the GDPR provides various legal remedies for any infringement of an individual's rights without proving to have suffered 'damage' (e.g. an injunction), however, this is distinct from a claim for damages under Article 82, where damage must also be proven (paras 38-39).
The CJEU also ruled that the GDPR does not provide payment of punitive damages, they are compensatory only (para 58).
The unwelcome ruling: 'threshold of seriousness'
In respect of question (2), the CJEU stated that the right to compensation for non-material damage is not conditional on a "threshold of seriousness" first being met. The GDPR does not impose such requirement and to do so would allow compensation claims to be subject to different Member States' "seriousness" thresholds and thus, obstructing the uniform application of the GDPR .
However, that said, the CJEU is clear that this interpretation does not relieve a claimant from having to prove that they suffered negative consequences as a result of the infringement, and demonstrating that those consequences constitute "non material damage" (para 51).
The unanswered: 'assessment of compensation'
Where an individual has suffered a negative consequence as a result of a GDPR infringement, it does not necessarily equate to 'damage', but unhelpfully, the CJEU does not define what actually does constitute "non-material damage".
The word "damage" implies that a minimum threshold has to be met and it is a position that we have argued in defence to privacy claims, with the support of English case law, that the harm suffered as result of the infringement must exceed the 'de minimis' threshold (Lloyd v Google LLC[2]).
Furthermore, the CJEU has not shed light on how to quantify the amount of damages awarded. To contradict the CJEU's own principle to further harmonisation and uniformity across the EU Member States, its decision instead furthered ambiguity stating:
"it is for the legal system of each Member State to prescribe [...] the criteria for determining the extent of the compensation payable subject to compliance with those principles of equivalence and effectiveness " [para 54].
This therefore leaves it to the national courts to apply their existing domestic rules when deciding the level of damages awarded to successful claimants for GDPR breaches, if any at all. No guidance can be found in the GDPR. This means that the level of damages awarded across Member States for the same GDPR infringement will continue to vary and could lead to forum shoppers.
A number of cases had been stayed pending the CJEU's Austrian Post decision and we await in interest to see how the EU Member States will implement it in their national courts.
[1] C-300/21, UI v Österreichische Post AG - https://curia.europa.eu/juris/document/document.jsf?text=&docid=273284&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=3443740
[2] Lloyd v Google LLC [2021] UKSC 50 - https://www.supremecourt.uk/cases/uksc-2019-0213.html
