Recently, the chairperson of the Dutch data protection authority (who is also the vice chairperson of the EDPB) wrote a blog post (in Dutch) about the right to claim non-material damages after a breach of obligations under the EU General Data Protection Regulation (GDPR). The chairperson proposes that new legislation is made in which it is clarified that even trivial breaches of the GDPR should result in compensation for non-material damages. In other words, awarding non-material damages should be the default and not the exception to the rule. According to the chairperson, such a new system of statutory compensation would help solve certain practical problems.
Proving a scratch on your soul
Under the current legal framework (ie without statutory damages) there are indeed some legal hurdles for claimants to overcome. In our earlier blog post, we noted that the European Court of Justice (ECJ) has ruled that for compensation of non-material damages, they must be 'actual and certain'. Furthermore, merely stating that non-material damages were suffered is not enough. The non-material damages must be sufficiently substantiated. However, this is often difficult to do. As the chairperson of the Dutch regulator puts it: 'how do you prove a scratch on your soul?'
By arguing that even trivial breaches should be subject to financial compensation, the chairperson of the Dutch regulator disagrees with the finding of the German Court (in German) relating to a trivial breach (see our blog post). The chairperson does not differentiate between what he calls trivial breaches (eg a clear but not so concise privacy notice?) and 'a scratch on your soul'. While claimants (and do not forget the litigation funders) may see every data breach as an opportunity to argue hundreds or thousands of affected data subjects now have a scratch on their soul, sufficiently proving this will be inherently challenging.
Furthermore, there are judgments illustrating that, in situations where proving the alleged non-material damages is not possible, it may be enough for a claimant to show that the conduct of which they complain is of such gravity that the conduct likely caused non-material damages (see, for example, Kendrion v. EU, paragraph 121, which is generally in line with Dutch case law on the matter). However, when the 'such gravity' threshold is passed in the context of data-processing activities is as yet unclear. In the Netherlands, this threshold can be assumed to be relatively high. Also, the highest administrative court in the Netherlands follows the strict case law of the Supreme Court, stressing that a single violation of a fundamental right does not automatically lead to impairment of the data subject and therefore to compensation of non-material damages.
Lastly, it can be questioned whether financial compensation is always the correct (and only) method for compensating trivial breaches. The ECJ has ruled that there may be instances where financial compensation is not the correct method to compensate for the suffered non-material damages (see, for example, the decision Hectors v. Parliament, paragraph 61). Also, here, when this is the case is unclear. With minimal guidance from the ECJ on these issues, it is initially up to the national courts to decide.
An era of statutory damages?
Based on the above points, it is understandable that the chairperson of the Dutch regulator would argue for a system of statutory damages. For now, claimants will still have to prove the scratch on their soul – sure to result in interesting case law.