The question

What are the conditions under which compensation is payable for breaches of the EU General Data Protection Regulation (GDPR)?

The key takeaway

A controller or processor’s breach of the GDPR does not necessarily entitle data subjects to receive compensation pursuant to Article 82 of the GDPR. Compensation is intended to remedy the consequences caused by non-compliance with the GDPR, and therefore a data subject must demonstrate that they have suffered more than “mere upset”.

The background

On 6 October 2022, the Advocate General of the European Court of Justice (AG) released his opinion in UI v Österreichische Post AG (Case C‑300/21). The case concerned an organisation that targets members of the general public for election advertising. The claimant, who had not consented to the processing of his personal data for this purpose, was particularly offended by the party affinity attributed to him. He therefore brought a claim for non-material damages, in respect of his “inner discomfort”, to the value of €1,000.

The opinion was in response to a referral made by the Austrian Supreme Court in relation to Article 82(1) of the GDPR which gives data subjects the right to receive compensation for breaches of the GDPR.

The development

The key takeaways from the AG’s opinion were as follows:

  • loss of control over data does not automatically constitute non-material damage: the GDPR does not provide for a presumption of damage following a breach
  • the claimant must have suffered damage in order to receive compensation: a technical breach of the GDPR, without resulting in material or non-material damage, does not in itself merit compensation under the GDPR. Article 82 does not perform a deterrent or punitive function, but is intended to compensate for actual harm suffered
  • compensation does not apply to all types of non-material damage: despite the broad definition of damage in the GDPR, “mere upset” or “subjective feelings of displeasure” are insufficient to constitute non-material damage.

Why is this important?

Although not legally binding, the European Court of Justice often follows the AG’s opinions. If it does, this will be a welcome decision for controllers who might otherwise face the burdensome task of having to respond to swathes of compensation claims for what might be technical breaches with little harm caused. It would also align with the English courts’ approach to trivial and/or low value data protection claims (see the UK data breach Snapshot in this Winter 2022 edition).

Any practical tips?

There is no clear dividing line between what constitutes “mere upset” and “non-material damage”. So a different fact pattern, and perhaps a different type of victim, may sway a court to decide differently. Elements within a controller’s control of course, and which can be very effective in dissuading data compensation claims in the first place, are well-maintained unsubscribe systems as well as a responsive complaints procedure. While compensation was not payable in this particular case, it might well have been in another and in any event litigation defence claims do not come cheap.