CJEU: There is NO threshold for damage claims regarding a GDPR breach

The mere violation of the GDPR does not entitle per se to compensation, but it is not necessary for the damage suffered to reach a certain threshold of severity to produce a right to compensation.

These are the conclusions reached by the Court of Justice of the European Union (CJEU) in a ruling dated May 4, 2023.

The case on damage claims for a GDPR breach

The case from which the ruling originated concerns the Austrian-registered company Österreichische Post, which was active in the sale of addresses and in the course of its business collected data on the political affinity of certain citizens.  The processed data were used to create address packages with particular social and demographic characteristics, which were then sold to third parties for the conduct of targeted advertising.

An Austrian citizen, who had not consented to the processing of his political data, sued the company complaining that he was offended that he was given an affinity for a particular political party. It turned out that this data had never been the subject of transmission to third parties and that, therefore, the harm caused was solely of an emotional nature.

Regarding this case, the Austrian Supreme Court raised three questions before the Court of Justice of the European Union (“CJEU”) regarding whether

• for the purposes of awarding compensation under Article 82 of Regulation (EU) 679/2016 (“GDPR”) it is also necessary that the plaintiff has suffered harm, or whether a mere violation of the Regulation is sufficient in itself;
• there are other requirements of Union law, in addition to the principles of effectiveness and equivalence, for calculating the amount of compensation;
• the irritation caused by the violation itself is sufficient in itself for the award of intangible damage or whether, on the other hand, there must be a consequence or effect of the violation of a right having at least some weight in order to determine the damage.

On the first question, the CJEU clarified that not every mere violation of the GDPR gives rise to the right to obtain compensation, and any other interpretation would be contrary to the clear wording of the GDPR itself.  Three cumulative conditions must be met in order to obtain damages: (i) the breach; (ii) the moral or material damage; and (iii) the causal link.  The CJEU, moreover, clarified that in light of the recitals to the GDPR there must be a causal link between the violation in question and the damage suffered in order to ground the right to compensation.

On the second issue, the Court pointed out that the GDPR does not contain any rules governing the assessment of damages. Therefore, it is up to the legal system of each Member State to determine the modalities of actions to safeguard the rights that individuals derive from the GDPR and, in particular, the criteria for the assessment of damages.

On the third question, the Court noted that “making compensation for intangible damage subject to a certain threshold of seriousness would risk harming the coherence of the regime established by the GDPR, since the graduation of such a threshold, on which the possibility or otherwise of obtaining that compensation would depend, could vary according to the assessment of the courts seised.”  Therefore, it must be concluded that there is no threshold for the award of damages within the GDPR, and therefore any violation of the GDPR can in power generate an obligation for compensation.

The consequences of the case on future disputes

The conclusions reached by the CJEU are relevant in light of some of the litigation practices taking place in member states.  Many courts have rejected claims for damages on the basis that it is always necessary to reach a certain threshold of severity of damage in order to obtain compensation.  This is in accordance with the interpretation of harm provided by the domestic law of the state in question and differently from that of Union law.  However, the CJEU clarified that “the notion of ‘damage’ and, more specifically, in the present case, the notion of ‘intangible damage,’ within the meaning of Article 82 of the GDPR, must receive, in view of the absence of any reference to the domestic law of the Member States, an autonomous and uniform definition proper to Union law.”

This ruling sets an important precedent in the area of GDPR breach damages.  An important increase in litigation is expected, especially in the area of class actions.  Numerous appeals on this topic are still pending before the Court of Justice, so further developments in this matter are expected.

On this topic, the following article may be of interest: “Data protection damages have to be proven“.