UK GDPR – prout de jure

Last week the opinion of Advocate General Campos Sánchez-Bordona was published in UI v Österreichische Post AG (Case C-300/21), which is a request for a preliminary ruling from the Oberster Gerichtshof (the Supreme Court of Justice, Austria) in connection with the provisions in the GDPR on damages.

The GDPR (and, in the UK, the UK GDPR) provides for any person who has suffered material or non-material damage as a result of an infringement to be compensated from the controller or processor for the damage suffered.

In the case that has been the impetus for the reference from the Austrian courts, Österreichische Post AG (the company responsible for postal services in Austria) had, from 2017 onwards, collected information on political party affinities of the Austrian population. With the assistance of an algorithm, it defined ‘target group addresses’ according to certain socio-demographic features. UI has claimed €1,000 in damages in respect of inner discomfort. He claims that the political affinity that Österreichische Post AG attributed to him is both insulting and shameful. He also claims that it is extremely damaging to his reputation. Furthermore, he says that the conduct complained of has caused him great upset and a loss of confidence as well as a feeling a public exposure.

At first instance, UI’s claim for compensation was refused. The appellate court upheld the decision to refuse him compensation holding that breaches of the GDPR do not automatically result in compensation. The appellate court also held that the principle in Austrian law that in life, everyone must bear mere discomfort and feelings of unpleasantness without any consequence in terms of compensation.

This decision was again appealed, and the referring court has referred three questions for a preliminary ruling:

Does the award of compensation under Article 82 also require, in addition to infringement of provisions of the GDPR, that an applicant must have suffered harm, or is the infringement of provisions of the GDPR in itself sufficient for the award of compensation?
Does the assessment of the compensation depend on further EU-law requirements in addition to the principles of effectiveness and equivalence?
Is it compatible with EU law to take the view that the award of compensation for non-material damage presupposes the existence of a consequence of the infringement of at least some weight that goes beyond the upset caused by that infringement?’

In relation to the first question, the Advocate General comes down very firmly against an interpretation which allows automatic compensation for every infringement. At para 28 of his Opinion, he states that “there is an unequivocal requirement that the natural person concerned must have suffered damage as a result of an infringement”. He states, at para 29, that “an interpretation which automatically associates the notion of ‘infringement’ with that of ‘compensation’, without the existence of any damage, is not compatible with the wording of Article 82 of the GDPR.”

On the second question, the Advocate General takes the view, at para 89, that it “cannot be ruled out that reparation sought for non-material damage may include components other than merely financial components, such as recognition that the infringement occurred, thereby providing the applicant with a certain moral satisfaction.” However, it is important to consider how the provisions on an effective judicial remedy and the right to compensation interact with one another; a difficulty in proving damage where a data subject is alleging financial damage must not result in nominal damages (para 92).

On the third question, which is concerned with whether the GDPR permits member states to refuse damages where the damage does not exceed a particular level of seriousness, the Advocate General concludes that this question could be answered in the affirmative. At paragraph 105 of his opinion, the Advocate General states that he does “not believe, however, that it is possible to infer from this a rule pursuant to which all non-material damage, regardless of how serious it is, is eligible for compensation.” He continues, at para 112, by stating that ” the right to compensation under Article 82(1) of the GDPR does not appear to me to be a suitable instrument for countering infringements in connection with the processing of personal data where all those infringements create for the data subject is annoyance or upset.” However, he goes on to propose an answer to the third question which essentially leaves it to national courts to determine whether, on the facts before them in each case, whether it goes beyond “mere upset”. So, while the Advocate General is clearly of the view that there is some form of de minimis threshold, he does not assist that much with where the line is.

The AG’s opinion is, of course, not a judgment of the court; we await to see whether the court adopts the opinion of the Advocate General and, if so, to what extent. Of course, decisions of the European Court are no longer binding in the UK. That is not to say that they are no longer of any relevance when it comes to UK law that derives from EU law (such as the UK GDPR); the effect of section 6(2) of the European Union (Withdrawal) Act 2018 provides that a court or tribunal may have regard to case law for the European Court which has come about after the UK left the European Union.

In the UK, the most recent authoritative case to grapple with the question of damages for data protection breaches was the Supreme Court’s judgment in Lloyd v Google. That was concerned with damages under the Data Protection Act 1998 and Lord Leggatt, giving the sole judgment of the court, confined his decision to the 1998 Act. However, it would be prudent to note that the reasoning in Lloyd is essentially the same as the reasoning in the Advocate General’s opinion in UI.

When the European Court’s judgment comes in this case, it will likely be a decision of some importance to data protection litigation in the UK, if only to confirm that the reasoning in Lloyd is equally applicable to Article 82 of the UK GDPR.

Section 166 of the Data Protection Act 2018 has produced a reasonable amount of litigation arising out of what appear to be repeated fundamental misunderstandings by data subjects as to what section 166 provides them with. The Upper Tribunal has authoritatively, on more than one occasion, sated that the right afforded by section 166 of the 2018 Act is limited and does not provide a route for an unhappy data subject to appeal the outcome of their complaint to the Information Commissioner.

A recent FTT decision on section 166 took a slightly different approach, striking out the appeal on the grounds that the applicant had not even made a complaint to the Commissioner and so the Commissioner’s obligation to provide information as to the progress of the complaint was not even engaged.

On 25 May 2021, the applicant copied the Information Commissioner’s Office into an E-mail that had been sent to various other organisations. In that E-mail, the applicant raised a number of issues, none of which seem to have engaged the data protection legislation. There was, attached to the E-mail, an annotated copy of an E-mail that she had received days earlier from the Home Office.

On 8 June 2021, a case officer at the ICO wrote to the applicant to inform her that none of the issues she had raised fell within the jurisdiction of the Commissioner and advised her to complete one of the ICO’s complaint forms if she wished to raise a complaint under the data protection legislation.

The Commissioner argued that as no valid complaint had been made to his office there was no complaint to progress and therefore the application under section 166 of the Data Protection Act 2018 had no reasonable prospect of success.

Judge O’Connor agreed with the Commissioner and concluded that there was no reasonable prospect that the applicant could establish the contrary. Therefore, the application was dismissed. Judge O’Connor did go on to state that even if he was wrong on this, the Commissioner’s letter dated 8 June 2021 was a response and so the Tribunal would have had no jurisdiction under section 166 of the Act in any event.

This case is rather different to the usual section 166 cases that have been seen until now. It suggests that the Information Commissioner is taking a robust approach to what is and what is not a complaint. It has been the case for many years that the ICO would not typically respond to E-mails where they have simply been copied in. The Tribunal appears to be willing, at least in this case, to conclude that no complaint in terms of Article 77 of the UK GDPR or section 165 of the Data Protection Act 2018 has been made to the Commissioner where that is appropriate, and strike out section 166 applications which follow on the back of correspondence not amounting to a proper complaint.