In our global data breach risk report, we covered litigation risk and damages claims across a range of jurisdictions.
In a new series of blog posts, we dive deeper into the current case law on non-material damages in Europe, addressing questions such as:
- What is the threshold for awarding non-material damages?
- What is the average award for non-material damages for breaches of data protection provisions?
This blog post looks at the situation in Germany.
Like German case law, does the GDPR foresee a threshold for awarding non-material damages?
German case law on immaterial damages is pretty straightforward: if claimants request immaterial damages, they must prove that the act or omission caused a ‘major violation’ of their personal rights. Under the EU General Data Protection Regulation (GDPR), it is not clear if such a materiality threshold is also required.
If article 82 of the GDPR provides that anyone who suffers non-material damage as a result of a GDPR infringement shall have the right to receive compensation for the damage suffered, the GDPR’s (non-binding) recitals are less clear and open the door to various interpretations. Indeed, recital 146 states that the ‘concept of damage should be broadly interpreted’ and that data subjects should receive ‘full and effective compensation for the damage they have suffered’. However, recital 85 requires a ‘significant economic or social disadvantage to the natural personal concerned’.
Considering this unclarity, the German Federal Constitutional Court’s request (in German) to the Court of Justice of the European Union (CJEU) for a preliminary ruling is particularly welcomed. Thanks to this request, the CJEU could help clarify whether or not the GDPR foresees such a material threshold applying to damages claims under Article 82 of the GDPR, although it could still be some time before we get the CJEU’s ruling.
German court decisions regarding non-material damages for GDPR breaches
German courts have already awarded non-material damages for GDPR breaches. However, the approach to compensation differs between the civil and labour courts, and between the civil courts themselves.
In line with their general approach to awarding non-material damages, civil courts tend to adopt a stricter approach than the labour courts. For example, the civil courts have understood Article 82 of the GDPR to mean that not every infringement, particularly trivial ones without (proven) serious consequences for the respective claimant, should necessarily give rise to damages. For example, in a decision from June 2019, the Higher Regional Court of Dresden ruled that Article 82 of the GDPR should not be interpreted as meaning that a claim for damages can be made for every individual inconvenience or trivial offence that results in limited damage.
In contrast, labour courts tend to rule that the severity of the non-material damage is decisive when assessing the amount of the claim (but not when assessing liability). For example, in a March 2020 decision, the Labour Court of Düsseldorf (in German) awarded damages of €5,000, ruling that non-material damages shall not only arise in ‘obvious cases’ where the unlawful processing leads to discrimination, loss of confidentiality, damage to reputation or other social detriment, but also where the data subject is deprived of their rights and freedoms or prevented from controlling their personal data.
Among the civil courts themselves, some have shown a broader understanding and been more generous with their awards. For example, in a May 2020 decision, the Regional Court of Darmstadt (in German) awarded €1,000 in damages, saying that the unlawfully disclosed information could have damaged the claimant’s reputation, standing or their further professional advancement. (The judgment has been appealed.)
Another particularly interesting point is the question of the burden of proof. In March 2021, the Higher Regional Court of Stuttgart (in German) ruled that, even though the GDPR has no explicit provisions on this, the standard rules shall be applied. This means the claimant has to prove the requirements for a claim, particularly the breach, the damage and the causational link between them.
On the awarding of damages, particularly immaterial damages, German case law remains very complex and to a certain extent unclear. However, the threshold for awarding immaterial damages seems to be quite high.
This could of course all change when the CJEU rules on the German Federal Constitutional Court’s question of whether there is materiality threshold under Article 82 of the GDPR.