Data protection breaches: no damage, no compensation
Insight
Is compensation payable for the mere infringement of an individual’s data protection rights? This crucial question has just been considered by the Advocate-General in a leading test case making its way through the Court of Justice of the European Union. The resounding answer is “no”. If the A-G’s opinion is followed by the CJEU it is a further nail in the coffin of speculative data protection breach claims, reflecting the trend that has also developed in the UK courts.
The case emanates from Austria. It involved Österreichische Post AG. It gathered information on individuals and processed it via an algorithm in order to work out the individuals’ likely political affiliations. The claimant complained about this and claimed damages of €1,000 for the upset, anger and offence that this had caused him.
The Austrian Supreme Court referred questions to the CJEU about whether Article 82 of GDPR allowed an individual to claim damages on this basis. Does the mere infringement of data protection rights entitle an individual to compensation even where there is no actual loss? And is merely being upset, angry and offended enough to attract some award of compensation?
A-G Campos Sánchez-Bordona issued an Opinion to the CJEU on these questions on 6 October 2022. A-G Opinions are not binding on the CJEU but are usually followed.
In his Opinion, the A-G said that the mere infringement of data protection rights, or “loss of control” over one’s data, does not entitle an individual to compensation. The individual must have suffered some damage as a result of the infringement. The A-G pointed out that Article 82 is compensatory in nature. It is not intended to punish those who infringe data protection rights. In the context of GDPR as a whole, this punitive element is to be found in other provisions which allow individuals to complain to regulators who can themselves fine infringers or issue other sanctions against them.
The A-G went further than this and said that control over one’s data is not something that necessarily underpins GDPR in any event. He said that the basis to process data is sometimes based on the consent of the individual, but often on other grounds which do not involve consent (eg necessity or the legitimate interests of the data controller). The notion of “loss of control” is therefore not easy to justify as a basis for compensation. This does not seem to be a view which it is necessary for the CJEU to follow in order to reach the same outcome as the A-G. However, if it is followed by the CJEU, it opens up wider arguments about GDPR being more balanced in its treatment of competing rights to process personal data than perhaps previously thought.
In terms of whether merely being upset is enough to establish damage, the A-G again said no. He said it should be left to national courts to determine when non-material damage is sufficiently serious to attract compensation.
Regarding the position in the UK, the Supreme Court ruled in 2021 on similar issues in Lloyd -v- Google. See our article on this here. In particular, the UK Supreme Court said mere loss of control over one’s data is not enough to attract compensation. However, this decision was arrived at by reference to the former data protection regime under the 1998 UK Data Protection Act as the alleged infringements took place prior to GDPR taking effect. The UK Supreme Court declined to say whether it would reach the same conclusion under GDPR.
Subsequently, in 2022, the English Court permitted this question of the recovery of loss of control damages under GDPR to go through to a full argument in a case involving TikTok. See our article here. However, that case was subsequently withdrawn by the claimant, so the point was not fully tested.
If the CJEU follows the A-G’s Opinion, post Brexit, it will not be automatically binding on the UK courts. However, it seems unlikely that the UK courts will strike out on their own and adopt a more liberal approach than that adopted within the EU.
The trend in litigation over data protection breach claims continues to flow against claimants.
The A-G’s full Opinion is here.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, October 2022