The recent judgment in case C-300/21 UI v Österreichische Post AG (commonly referred to as “the Austrian Post case”) marks the Court of Justice of the European Union’s (CJEU) first notable interpretation of the concept of non-material damage under the General Data Protection Regulations (GDPR).
This case concerned an Austrian man who was left feeling upset, distressed and exposed when his personal data was processed, without his consent, by an algorithm designed to link individuals with certain political views.
Relying on the right to compensation for GDPR infringements provided by Article 82 of the Regulations, he made a claim for damages before the Austrian courts. In dealing with this, the Austrian Supreme Court found it necessary to submit three questions to the CJEU in relation to the interpretation of the GDPR. In brief, these questions related to: 1) whether or not there exists a requirement to prove damage as well as infringement, 2) how damage compensation assessment interacts with EU law and 3) if a threshold of seriousness must be satisfied in relation to non-material damage caused by an infringement.
In response to the first question referred, the CJEU found that mere infringement of the GDPR does not directly result in a data subject acquiring a right to compensation. Once an infringement has occurred, it must also be proven that actual damage (be it material or non-material) was suffered by the claimant.
Turning to the second question, it was found that the GDPR does not contain any rules relating to the assessment of damages once the right to compensation is triggered. As such, it is up to each Member State to set out their own criteria for determining compensation in these instances. It was stressed, however, that any such criteria must ensure full and effective compensation while also satisfying the EU law principles of equivalence and effectiveness.
Finally, in dealing with the third question referred by the Austrian court, the CJEU decided that there is no threshold of seriousness for non-material damage caused by an infringement of the GDPR. In other words, no bar was set as to how much/what type of non-material harm needs to be demonstrated in order to claim compensation for an infringement. It was stated that to introduce such a threshold would be contrary to the broad conception of damage set out in the GDPR (specifically by Recital 146). It is notable that this aspect of the judgment is in direct conflict with the Opinion of Advocate General Campos Sánchez-Bordona, with Mr Sánchez-Bordona writing in October 2022 that there should be a seriousness threshold for non-material damage.
This judgment is both good and bad news for future claimants under Article 82 of the GDPR. While it is now clear that there is an inescapable onus on litigants to demonstrate that the relevant infringement of the GDPR directly caused them harm, they do not need to worry about satisfying any threshold of seriousness even if such harm is classified as non-material. As such, it is expected that courts will shift the emphasis in GDPR compensation claims from questions of de minimis to questions of causality.
All of that being said, the CJEU jurisprudence on GDPR compensation is a long way away from being settled, with a number of judgments in relation to similar cases pending. It is hoped that these judgments might shed further light on what exactly constitutes non-material damage for the purposes of the GDPR. Attention will also be paid to the progression of Irish cases such as Cunniam v Fastway Couriers Ireland (2023) IECC 1, which were stayed pending the determination of this and other related CJEU preliminary references. We will endeavor to keep our clients updated on all such developments.
Data Access Requests – Clarity on Obligation of Data Controllers to Provide a “Copy” of Personal Data
On the same day that the Austrian Post judgment was released, the CJEU also delivered judgment in case C-487/21 F.F. v Österreichische Datenschutzbehörde and CRIF GmbH. The latter was somewhat overshadowed by the former but is also an impactful judgment in the context of the GDPR.
The key takeaway from this judgment is that a data subject’s right of access to a copy of their personal data means that they must be provided with a “faithful and intelligible” reproduction of all of their data. As such, it is now clear that data subjects are entitled to obtain copies of extracts from documents and databases, if not full documents/databases. It is also evident that a summarised list of data will not be sufficient.
Sion Williams (Partner, Litigation Department)
Judith Curtin (Partner, Commercial Law Department)