The Chartered Governance Institute UK & Ireland - Irish Region

European Court gives guidance to national courts on the assessment of non-material damage where the GDPR has been infringed

Under Article 82(1) of the General Data Protection Regulation (“GDPR”), a person who suffers material or non-material damage because of an infringement of their data protection rights can seek compensation from the data controller or processor. While material damage is a familiar concept and more easily identifiable, there has been a lack of clarity regarding what constitutes “non-material damage”. In 2023 the Court of Justice of the European Union (“CJEU”) ruled, in the Austrian Post case, that a data breach by itself is not sufficient to ground a claim for compensation and set out the three conditions which must be satisfied in order to recover compensation under the GDPR:

  • There has been a breach of the GDPR;
  • Material or non-material damage has been suffered by the data subject; and
  • There is a causal link between the infringement and the damage suffered.

The CJEU held that non-material damage arising from a breach of the GDPR does not need to reach a threshold of seriousness for the impacted party to have an entitlement to compensation and it is for the national courts to determine damages based on the seriousness of the harm alleged.

The Irish Circuit Court’s decision in Kaminski v Ballymaguire Foods Limited (“Kaminski”) in July 2023 provided helpful guidance on the level of compensation that may be awarded for non-material damage in data protection actions. In its judgment, the Circuit Court awarded compensation of €2,000 for non-material damage and held that “even where non-material damage can be proved and is also not trivial, damages in many cases will probably be modest”, noting that in some cases damages could be less than €500. The Circuit Court also noted in Kaminski that compensation for non-material damage does not cover “mere upset”. The non-material damage must be genuine and not speculative, and damages must be proved, with supporting evidence “strongly desirable”.

Non-material damage – further decisions of the CJEU

A number of further decisions have now been delivered by the CJEU in the wake of the Austrian Post case that provide further clarity on the concept of non-material damage under Article 82 of the GDPR and the factors to be taken into account by a national court in awarding compensation. 

Assessment of damage

In terms of the assessment of damage, the CJEU held in VB v Natsionalna agentsia za prihodite that fear experienced by a data subject with regard to a possible misuse of personal data can be sufficient to give rise to a claim for non-material damage. In that case, a repository of public debt in Bulgaria was hacked and its contents published online, impacting 6 million data subjects. The CJEU held the claimants did not need to show there had been any misuse of their data to their detriment and the claimants’ fear that their data may be misused in the future could constitute non-material damage. A claimant must, however, show that they have suffered actual damage. The national court must verify that the fear can be regarded as well founded, in the specific circumstances at issue and with regard to the data subject.

In Gemeinde Ummendorf, a case where names and details of data subjects were disclosed without their consent on a website, it was held that the publication on the internet of personal data and the consequent loss of control over personal data for a short period of time could cause data subjects ‘non-material damage’, within the meaning of Article 82(1) of the GDPR, giving rise to a right to compensation, but those persons must demonstrate that they have actually suffered damage, however minimal. 

Purely hypothetical risk 

In MediaMarktSaturn, the data subject claimed non-material damage arising from a fear of the risk that the personal data in question would be communicated to other individuals by the third party who had mistakenly received his data, and misused in the future. The data subject had purchased a household appliance in an electrical store. The sales contract and a credit agreement drawn up in relation to his purchase were provided to another customer in error. As the error was quickly discovered, a store employee retrieved the documents and gave them to the correct customer within half an hour. 

The CJEU held that where it is obvious that the risk the data subject claims to be in fear of is unfounded, no damages should follow - such as where the third party to whom the data was inadvertently disclosed never became aware of the personal data during the breach and the document containing the data was returned within half an hour. The Court found that fear linked to this hypothetical risk was an insufficient basis for non-material damage.

Comment

The EU jurisprudence has given rise to some principles to be applied by national courts in relation to awarding compensation for non-material damage under the GDPR, though questions still remain regarding the exact criteria to be applied.

Based on the decisions discussed above, some takeaways are as follows:

  • The right to compensation for damage for breach of the GDPR requires a claimant to establish an infringement of the GDPR, that he or she has suffered damage, and that there is a causal link between the infringement and the damage suffered;
  • Non-material damage may include the fear associated with the potential misuse of data but there is an obligation on a claimant to prove some damage (though there is no de minimis threshold); and
  • While the CJEU has given guidance on the concept of non-material damage and the principles to be applied, it is for national courts to determine liability in each case.
