17 05 2023 Insights Cyber and Data Protection

Non-Material Damage Compensation – the CJEU Enters the Fray

Introduction

On 4 May 2023, the CJEU delivered its first, and eagerly awaited, decision on the concept of ‘non-material damage’ arising from an infringement of the GDPR in the case of C-300/21 UI v Österreichische Post AG (the ‘Austrian Post Case’).

Prior to this, in October 2022, the CJEU’s Advocate General had delivered an opinion on this concept. This opinion is the subject of a previous Insight, which can be found here. In summary, the opinion proposed that a de minimis approach be adopted for non-material damage claims under the GDPR, i.e., that a certain minimum level of severity must be reached to qualify for compensation. The opinion went on to provide that mere upset was not covered under the heading of non-material damage.

In this Insight, we set out how the CJEU has diverged from this opinion, examine some of the reasons for doing so and what it might mean for future awards in Ireland.

Background to the Austrian Post Case

In the Austrian Post Case, proceedings were initiated by an Austrian citizen for “great upset, loss of confidence, and a feeling of exposure” after he had been affiliated with a particular political party following a data collection exercise undertaken by Österreichische Post. The data subject sought €1,000 in compensation for the non-material damage suffered for being linked to the political party and the misuse of his personal data.

The CJEU’s Judgment

In its reference to the CJEU, the Austrian Supreme Court submitted several questions, including, whether a mere infringement of the GDPR is sufficient to confer the right to compensation under Article 82 and whether a certain threshold must be reached for a claim under non-material damage. The CJEU was also asked to set out the requirements to be applied by Member States when determining the amount of compensation payable.

1. What are the required conditions of the right to compensation where there has been a breach of the GDPR?

Perhaps the most significant outcome of the judgment was the CJEU’s decision that a mere infringement of the GDPR is not sufficient to establish a right to compensation under Article 82. Instead, three cumulative conditions must be satisfied to confer a right to compensation on a data subject:

  • An infringement of the GDPR;
  • Damage must have resulted from that infringement; and,
  • There must be a causal link between the infringement and the damage suffered.

The above provides long overdue clarification that a claimant must still prove their case and that a breach of the GDPR does not automatically entitle the data subject to a claim for compensation.

2. Is a threshold of seriousness to be reached?

The CJEU held the wording of the GDPR does not stipulate that a right to compensation is limited to claims for non-material damage that exceed a certain threshold of seriousness.

This is a departure from the opinion of the Advocate General, who was of the view that there must be some threshold of harm above a de minimis level and that it is up to each Member State to determine the threshold of harm to be reached.

It was the CJEU’s view that to enforce such a requirement would be contrary to the conception of ‘damage’ adopted by the EU legislature. The CJEU also referred to Recital 10 of the GDPR, which ensures the consistent and homogeneous application of the rules for the protection of fundamental rights and freedoms of natural persons with regard to the processing of personal data across the EU.

3. What are the rules governing the assessment of damages?

Finally, the CJEU noted that the GDPR does not contain any rules governing the assessment of damages and it is for the Member State to prescribe the rules and criteria for determining the extent of compensation payable subject to compliance with the principles of equivalence and effectiveness (that those rules and criteria be applied without distinction as to whether the infringement is EU or national law). The CJEU further noted the contents of Recital 146 of the GDPR, which provides that the right to compensation requires that data subjects receive “full and effective compensation for the damage they have suffered”.

What can we take from all of this?

While defendants to these types of claims will have hoped for the CJEU to follow the Advocate General’s Opinion and provide that a threshold of sufficient seriousness is required, such a test is nowhere to be found within the wording of the GDPR. The de minimis test, which has been advanced in particular by the UK courts (see Rolfe v Veale Wasbrough Vizards LLP[1]) means that the UK appears to be departing from EU law.

Article 82 of the GDPR, which contains the right to compensation for damage under the GDPR, was implemented into Irish law by Section 117 of the Data Protection Act 2018. It provides that data protection actions are to be founded in Tort. There are five broad types of damage available under Tort law in Ireland. One of those is known as general compensatory damages and it includes non-economic loss for pain, suffering, emotional distress, and loss of enjoyment of life.

To establish a claim for non-economic loss, plaintiffs must provide evidence that demonstrates the extent and severity of their injury together with any associated psychological or emotional harm. This evidence can take the form of witness testimony or personal statements. The Supreme Court in its 1984 decision in Sinnott v. Quinnsworth Limited[2] sets out the requirements for a plaintiff when proving non-economic loss in Ireland. In particular, plaintiffs are required to prove that their injury is more than a “transient upset or hurt” and that it was caused by the Defendant.

What the Supreme Court meant by “transient upset or hurt” is that the injury suffered is more than a minor or temporary inconvenience that is quickly resolved and that in order to claim compensation a plaintiff must show that the harm suffered is significant and long-lasting.

The subsequent 2005 Supreme Court decision in Whelan v. South Western Area Health Board[3] found a “transient upset or hurt” to be an injury that has little or no effect on the plaintiff’s life beyond the moment of its occurrence. The Court noted that the severity and duration of the harm suffered are important factors to be considered when assessing whether an injury is more than a “transient upset or hurt” and it identified other factors like the impact of the injury on the plaintiff’s ability to work, socialize, or carry out daily activities, as well as the nature and extent of any associated physical or psychological harm.

The 2022 Circuit Court decision of Judge O’Donohue[4], in which seven Siptu members had their actions for breaching their data protection rights dismissed on the basis that “more than minimal loss” must be proved, is in line with the principles set out in Sinnott. In this matter, Judge O’Donohue found that since the incident, the only plaintiff to advance their case had not suffered any ill-effect arising from the breach. Ultimately the Circuit Court Judge ordered the plaintiffs to discharge Siptu’s costs.

While the law in this area continues to develop, in general, the basic principle remains, in Ireland, that in order to claim compensation for non-economic loss, a plaintiff must prove that the damage they have suffered is significant and long-lasting i.e., more than a transient upset or hurt.

It will be interesting to see if the current law in relation to non-economic loss in Ireland meets the full and effective compensation threshold set out in Recital 146 and where the Irish courts go from here. For now, however, the CJEU’s decision, that it is for the Member State to prescribe the rules and criteria for determining the extent of compensation payable, offers support to the decision of Judge O’Donohue outlined.

A final word

As we approach the fifth anniversary of the implementation of the GDPR, this decision is only the first step on a long road to obtaining clarity on this issue. For example, only days before the CJEU judgment was delivered, Advocate General Pitruzzella published his opinion in a Bulgarian case referred to the CJEU[5]. The claimant in that case argued that he had suffered non-material damage in the form of distress, worry and fear about the possible misuse of his personal data arising from a cyber-attack and was entitled to claim compensation under Article 82 of the GDPR. The Advocate General opined that where a claim of this nature arises, the data subject must demonstrate “actual and certain emotional damage and not simply trouble or inconvenience” and that a “fear of possible future misuse of personal data may constitute recoverable non-material damage under the GDPR”. That opinion already appears to conflict with the CJEU’s judgment in the Austrian Post Case.

The CJEU’s judgment provides welcome, albeit limited, clarification on the meaning of non-material damage as it removes the limitations of a threshold having to be reached by the data subject. It also dispels any notion of a strict liability regime under the GDPR. While further guidance is awaited following the many preliminary references to the CJEU by other Member States, for the first time since its introduction, national courts can now consider claims for non-material damage for GDPR breaches with a greater deal of understanding.

The authors would like to thank Sadhbh Walsh for her research and assistance with this article.

[1] [2021] EWHC 2809 (QB)

[2] [1984] I.R. 493

[3] [2005] 2 I.R. 425

[4] https://www.irishtimes.com/business/2022/10/26/court-throws-out-data-protection-breach-claims-by-members-against-siptu/

[5] Case C-340/21 Natsionalna agentsia za prihodite

AUTHOR: Ricky Kelly, Partner | Sadhbh Walsh
