Last week the opinion of Advocate General Campos Sánchez-Bordona was published in UI v Österreichische Post AG (Case C-300/21), which is a request for a preliminary ruling from the Oberster Gerichtshof (the Supreme Court of Justice, Austria) in connection with the provisions in the GDPR on damages.
The GDPR (and, in the UK, the UK GDPR) provides for any person who has suffered material or non-material damage as a result of an infringement to be compensated from the controller or processor for the damage suffered.
In the case that has been the impetus for the reference from the Austrian courts, Österreichische Post AG (the company responsible for postal services in Austria) had, from 2017 onwards, collected information on political party affinities of the Austrian population. With the assistance of an algorithm, it defined ‘target group addresses’ according to certain socio-demographic features. UI has claimed €1,000 in damages in respect of inner discomfort. He claims that the political affinity that Österreichische Post AG attributed to him is both insulting and shameful. He also claims that it is extremely damaging to his reputation. Furthermore, he says that the conduct complained of has caused him great upset and a loss of confidence as well as a feeling a public exposure.
At first instance, UI’s claim for compensation was refused. The appellate court upheld the decision to refuse him compensation holding that breaches of the GDPR do not automatically result in compensation. The appellate court also held that the principle in Austrian law that in life, everyone must bear mere discomfort and feelings of unpleasantness without any consequence in terms of compensation.
This decision was again appealed, and the referring court has referred three questions for a preliminary ruling:
- Does the award of compensation under Article 82 also require, in addition to infringement of provisions of the GDPR, that an applicant must have suffered harm, or is the infringement of provisions of the GDPR in itself sufficient for the award of compensation?
- Does the assessment of the compensation depend on further EU-law requirements in addition to the principles of effectiveness and equivalence?
- Is it compatible with EU law to take the view that the award of compensation for non-material damage presupposes the existence of a consequence of the infringement of at least some weight that goes beyond the upset caused by that infringement?’
In relation to the first question, the Advocate General comes down very firmly against an interpretation which allows automatic compensation for every infringement. At para 28 of his Opinion, he states that “there is an unequivocal requirement that the natural person concerned must have suffered damage as a result of an infringement”. He states, at para 29, that “an interpretation which automatically associates the notion of ‘infringement’ with that of ‘compensation’, without the existence of any damage, is not compatible with the wording of Article 82 of the GDPR.”
On the second question, the Advocate General takes the view, at para 89, that it “cannot be ruled out that reparation sought for non-material damage may include components other than merely financial components, such as recognition that the infringement occurred, thereby providing the applicant with a certain moral satisfaction.” However, it is important to consider how the provisions on an effective judicial remedy and the right to compensation interact with one another; a difficulty in proving damage where a data subject is alleging financial damage must not result in nominal damages (para 92).
On the third question, which is concerned with whether the GDPR permits member states to refuse damages where the damage does not exceed a particular level of seriousness, the Advocate General concludes that this question could be answered in the affirmative. At paragraph 105 of his opinion, the Advocate General states that he does “not believe, however, that it is possible to infer from this a rule pursuant to which all non-material damage, regardless of how serious it is, is eligible for compensation.” He continues, at para 112, by stating that ” the right to compensation under Article 82(1) of the GDPR does not appear to me to be a suitable instrument for countering infringements in connection with the processing of personal data where all those infringements create for the data subject is annoyance or upset.” However, he goes on to propose an answer to the third question which essentially leaves it to national courts to determine whether, on the facts before them in each case, whether it goes beyond “mere upset”. So, while the Advocate General is clearly of the view that there is some form of de minimis threshold, he does not assist that much with where the line is.
The AG’s opinion is, of course, not a judgment of the court; we await to see whether the court adopts the opinion of the Advocate General and, if so, to what extent. Of course, decisions of the European Court are no longer binding in the UK. That is not to say that they are no longer of any relevance when it comes to UK law that derives from EU law (such as the UK GDPR); the effect of section 6(2) of the European Union (Withdrawal) Act 2018 provides that a court or tribunal may have regard to case law for the European Court which has come about after the UK left the European Union.
In the UK, the most recent authoritative case to grapple with the question of damages for data protection breaches was the Supreme Court’s judgment in Lloyd v Google. That was concerned with damages under the Data Protection Act 1998 and Lord Leggatt, giving the sole judgment of the court, confined his decision to the 1998 Act. However, it would be prudent to note that the reasoning in Lloyd is essentially the same as the reasoning in the Advocate General’s opinion in UI.
When the European Court’s judgment comes in this case, it will likely be a decision of some importance to data protection litigation in the UK, if only to confirm that the reasoning in Lloyd is equally applicable to Article 82 of the UK GDPR.