In a very significant ruling on 4 May 2023, the Court of Justice of the European Union (CJEU) has determined that Article 82 of the General Data Protection Regulation does not provide for compensation to be payable for the mere infringement of an individual’s data protection rights.
For essentially the same reasons, in 2021 in Lloyd -v- Google the UK Supreme Court said that mere loss of control over one’s data is not enough to attract compensation under the data protection regime which preceded GDPR (the Data Protection Act 1998). See our article here. However, in that case the UK Supreme Court declined to say whether it would reach the same conclusion under GDPR, apparently keeping the issue alive.
Although decisions of the CJEU are no longer binding on the UK courts post-Brexit, it now seems highly likely that the UK courts will come to the same conclusion as has been arrived at by the CJEU, that the mere infringement of an individual’s data protection rights does not entitle the individual to compensation. This will further discourage litigation in the UK courts in this area. However, as we point out below, there are still some important questions to be resolved about compensation claims when data privacy rights are infringed, so defendants should not be complacent about the prospects of facing litigation.
We previously wrote about the Advocate General’s Opinion in this CJEU case. Our article is here. To briefly re-cap, using an algorithm, Österreichische Post (OP) collected information on the Austrian populations’ potential political affinities based upon various social and demographic criteria. OP sold the data to various third parties to enable targeted advertising. The data indicated that the claimant, UI, had strong ties to a particular Austrian political party. UI said this was offensive and caused him “great upset, a loss of confidence and a feeling of exposure”. UI sought compensation of €1,000 from OP under Article 82 of GDPR.
The main questions and answers
After the case made its way through the Austrian courts up to the Austrian Supreme Court, two main questions were posed to the CJEU by that Court. These were:
- Whether Article 82(1) of the GDPR must be interpreted as meaning that the mere infringement of the provisions of GDPR is sufficient to confer a right to compensation, and
- Whether Article 82(1) of the GDPR should be interpreted as precluding a national rule or practice which makes compensation for non-material damage subject to a condition that the damage suffered by the data subject has reached a certain degree of seriousness.
On the first question, the CJEU said that the mere infringement of a right under GDPR does not give rise to a right to compensation. To be awarded compensation, three things have to be shown: an infringement; damage (whether material or non-material); and a causal link between the infringement and that damage.
On the second question, the CJEU disagreed with the Opinion given earlier by the Advocate General. The CJEU said it was not necessary for a non-material damage claim to reach a certain threshold of seriousness in order to attract compensation. The CJEU went on to explain that suffering “negative consequences” is not enough. Instead, those “negative consequences” have to constitute non-material damage. The CJEU said it is for the courts of the EU Member States cases to determine under their own domestic rules whether financial compensation is payable on this basis, but they cannot be constrained by a concept such as “threshold of seriousness.”
Even after this ruling, as we have said there are still some important questions to be resolved about compensation claims when data privacy rights are infringed.
First, the need for a claimant to demonstrate a “threshold of seriousness” before being awarded compensation was accepted by the UK Supreme Court in Lloyd -v- Google. So, there might be some divergence now between the UK and EU approaches. However, we are only likely to know this once we see how the EU member states courts are applying the CJEU’s ruling in practice and how further CJEU rulings influence this.
In terms of further CJEU rulings on what constitutes non-material damage, we will be keeping a close watch on the pending case of VB -v- Natsionalna agentsia za prihodite (Case C – 340/21). On 27 April 2023, the Advocate General delivered their Opinion in this case. The case involves personal data disclosed following a cyber-attack. The claimant alleges non-material damage on the basis that they fear a future misuse of their data by the hackers or others. The Advocate General concluded that if the Claimant can demonstrate a “real and certain emotional damage” then this can constitute a basis for compensation for non-material damage. The CJEU of course does not always follow the Advocate General’s Opinion, but it is often highly persuasive. Though this might be thought to indicate a move towards mass compensation claims where GDPR data security obligations have not been observed which have then led to a cyber-breach, it still seems necessary for each Claimant to demonstrate that they have suffered “real and certain emotional damage”. This means that a uniform basis for compensation may not be possible and therefore a claim by a “class” may still face difficulty because each individual will not have the same interest.
Secondly, we await the outcome of the English High Court test case involving a representative action brought by Andrew Prismall on behalf of 1.6 million patients against Google DeepMind Technologies. The case concerns patients’ records transferred by a hospital to Google DeepMind Technologies in relation to the development and testing of an App used for the detection, diagnosis and prevention of kidney disease. This case is not proceeding as a claim based on breach of the patients’ data protection rights (the type of claim which failed in Lloyd -v- Google), but instead as a claim for Misuse of Private Information (MPI). In this case, the Claimant asserts on behalf of the class that the mere “loss of control” over their private information attracts compensation on a uniform basis without proving anything more, and so satisfies the “same interest” test necessary to bring a representative (opt-out) claim. The case was argued before the High Court in March 2023, so we expect a ruling shortly, although it may well be appealed by whichever party is unsuccessful.
The CJEU decision will clearly be welcomed by defendants who might otherwise have feared litigation following breaches of data protection laws and regulations. However, the rejection by the CJEU of a “threshold of seriousness” test may still encourage some claimants to bring claims. We should also not forget the possibility (at least in the UK) that representative (class) claims may still be brought on the basis of MPI.
The Österreichische Post AG decision of the CJEU is here.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, May 2023