CJEU Defines GDPR Compensation For Non-material Harm

5 Jun 2023
Author Victoria Lee
General Data Protection Regulation

There's been doubt on when data subjects can get compensation for a violation of their rights without proof of harm. The CJEU decided on the rules for compensation on May 4, 2023. The rules apply to damages from breaching the GDPR.

The CJEU decided on three things: 1. Breaking GDPR rules doesn't automatically mean compensation. 2. You can still get compensation for non-material damages without proving it was serious. 3. Each country decides how much compensation you can get, based on their own rules.

The ruling helps people get compensation for harm from breaking GDPR rules. It is good news for lawyers who help people with data privacy cases. More rulings are coming soon.

A case called C-300/21 was brought to the attention of the CJEU. An Austrian citizen and Österreichische Post, the Austrian postal service, were in a legal dispute. The postal service had collected data about people's political beliefs and assumed that the citizen in question was affiliated with a specific political party. This made the citizen upset because they hadn't given permission for their personal data to be used this way. They felt emotionally harmed and uncomfortable because of this assumption.

An Austrian person went to court to demand that Österreichische Post pay them €1,000 and stop their actions that caused them emotional distress. The Austrian Supreme Court wasn't sure how much compensation people could get for non-physical harm under Article 82 of GDPR.

The highest court in Austria asked the CJEU for help with three things. First, is breaking GDPR enough to get compensation? Second, does the damage caused have to be really serious? Third, how much compensation should be given?

The CJEU said that there are three things needed for the right to compensation: breach of GDPR, harm, and a link between breach and harm. Just a breach of GDPR is not enough for the right to compensation. Damage may only be possible and a breach of GDPR doesn't always cause damage.

The CJEU decided that people can get compensation for emotional damage caused by GDPR violations. There doesn't need to be a certain level of severity. This follows what the GDPR says in Article 82.

These two answers work together. To claim compensation, three things must be met according to the CJEU. However, damage can be claimed regardless of how serious it is.

The CJEU answered the third question. They said the GDPR does not have rules for assessing damages. Instead, each country must use their own rules to decide how much compensation to give. The CJEU said that people should receive full and fair compensation for damages they suffer under the GDPR.

You can bring a case in a domestic court if the controller or processor has a business there or if you live there. This might affect which court you go to based on the rules of each country.

The CJEU said that national courts will decide how damages are quantified. If there's just a breach, damages may not be awarded. This could slow down class-action lawsuits since evidence of loss would be needed. It might be hard to represent large groups of data subjects with different characteristics. This is similar to the UK Supreme Court's decision in Lloyd v Google, where evidence of loss is needed for compensation.

The court said it's possible to have non-material loss. This, along with the EU Directive on Representative Actions, could bring more class actions for GDPR infringement. The directive protects consumer interests and is available in all EU countries.

Read more
Similar news
This week's most popular news