Under the General Data Protection Regulation (GDPR), Article 82 is the only instrument to claim compensation resulting from data protection infringements. So far, it has not been interpreted by the Court of Justice of the European Union (CJEU or Court). To date, nine preliminary references on the interpretation of Article 82 have been made by national courts. On 6 October 2022, Advocate General (AG) Sánchez-Bordona delivered his Opinion in one of them – Case C-300/21 Ul v Österreichische Post. Since it will be the first CJEU judgment on this subject, it will have a profound impact on the further development of EU data protection law, in particular, its private enforcement.
The case concerns a natural person’s claim for compensation for non-material damage from an undertaking that collected information on the political party affinities with the use of algorithmically calculated statistics. Expressing doubts about the right interpretation of Article 82 GDPR, the Austrian Supreme Court made a preliminary reference to the CJEU. In his Opinion, the AG stated that: (1) a mere infringement of the GDPR provision is not in itself sufficient to claim compensation if that infringement is not accompanied by material or non-material damage; (2) the compensation for non-material damage does not cover mere upset which the person concerned may feel, and it is for the national courts to determine when a subjective feeling of displeasure may be deemed to be non-material damage.
In our view, the AG does not tackle a fundamental problem of constitutional nature: Article 82 GDPR must be an effective judicial remedy for the data subject. Further, it is not clear how a data-subject-friendly interpretation could distort the free movement of personal data on the Single Market. The Court should also counter the risk of non-uniform application by providing further clarifying guidance to the national courts.
Summary of the AG’s argumentation
The AG considers two scenarios when a mere infringement of the GDPR could automatically constitute grounds for compensation: either as punitive damages, or as an irrebuttable presumption of damage (paras 23-26). Both of them, according to the AG, do not find a place in the text of the GDPR (paras 39, 60) or in the preparatory documents (paras 43, 63).
Punitive and compensatory functions in the GDPR are separated, the AG claims (para 47). The first is reflected in the fines imposed by supervisory authorities and the second in claims for damages, with different calculation criteria (para 48). The punitive character of the compensation could lead to a ‘punitive’ profit by compensating the data subjects. It could not only make the compensatory mechanism ‘redundant’ (para 49) but deprive the supervisory authorities of the instruments ‘more suitable for protection of public interest’ as the data subjects would prefer the judicial remedy over the administrative one (para 50). In any case, the data subject has the right to lodge a complaint (para 54) or to request the erasure of unlawfully processed data not dependent on any damage (para 67).
The AG attempts to strike a balance between the two objectives of the GDPR: ‘(a) first, “the protection of natural persons with regard to the processing of personal data”; (b) second, ensuring that that protection is structured in such a way that “the free movement of personal data” within the European Union is neither restricted nor prohibited’ (para 51). The punitive character of civil liability could ‘adversely affect’ the second objective to the point that it could discourage data processing (paras 53-55). Similar can be said about the ‘greatest control possible’ over one’s data. Recital 7 of the Preamble does not explicitly determine whether it is about power over data as a standalone right or about supervision over the data processing (paras 68-77). The objective is not to have the greatest control possible but ‘to reconcile each person’s right to protection of personal data with the interests of third parties and society’. The AG concludes that the aim of the GDPR is to legitimise the processing of personal data under strict conditions (paras 80-82).
The difference between mere upset and non-material damage cannot be, according to the AG, directly determined under the GDPR (para 98). It follows from the Court’s jurisprudence concerning other areas of law that not all non-material damage is eligible for compensation (para 105). Such a distinction between mere upset and non-material damage, in the AG’s view, can be transferred to the GDPR (para 111). It is for the national courts to assess what does exceed the ‚de minimis level‘ (para 116). The AG reiterates that it is not only the protection of individuals‘ data that is at stake (para 109) but there are other remedies available under the GDPR (para 115).
The AG merely touches upon the principles of equivalence and effectiveness. He offers some guidance for the national courts, stating that the assessment under Article 82 would have to be in line with Recital 146 of the Preamble (paras 84-85) and that the award of purely symbolic compensation does not arise from the said provision (para 92).
Protection of individuals. Clarifying the concept of non-material damage to ensure effective judicial protection?
Is it only about a ‘fine line’?
The AG admits that there is a ‚fine line‘ in the distinction between mere upset and non-material damage. Unfortunately, he does not provide an illustrative (exemplary) catalogue of situations where something more (i.e., non-material damage) than a mere upset could occur. General guidance based on areas of law other than data protection does not seem sufficient to provide uniform application of Article 82. This seems puzzling, as the AG refers to Recital 146 which, in its third sentence, provides that the concept of damage should be interpreted in the light of CJEU case law. However, it does not follow from the Recital, according to literal interpretation, that only existing and not future case law comes into play. Given the ongoing proceedings in the Member States and the questions referred for a preliminary ruling, one would expect a further clarifying distinction between mere upset and non-material damage from the CJEU. Leaving this distinction unclear might turn out to be even more problematic, bearing in mind the contradictory nature of civil proceedings.
The AG argues that it is for the national courts to draw the ‘fine line’ in question. Before them, on the other hand, it is the data subject as a claimant, who has to prove non-material damage during the proceedings. In the Opinion, the substantive law distinction between mere upset and non-material damage is, therefore, not sufficiently linked to issues of procedural law, including the problem of an irrebuttable presumption of damage. Assuming such a presumption exists, the data subject would not be obliged to make the said distinction and prove it. This would constitute a procedural relief in favour of the data subject. However, it would not mean that she would not be required, after all, to demonstrate a specified quantification of damage to obtain adequate compensation. Consequently, the very problem of an irrebuttable presumption of damage shows that substantive law problems should be considered in relation to the corresponding procedural problems.
At this point a question arises – is it certain that the data subject and the data controller or processor are equal parties to civil proceedings within the data protection framework?
Harsh reality of claiming compensation for non-material damage
An individual facing non-material harm from having her data processed in an unlawful way must bring a claim against an economic actor (frequently big business, sometimes transnational). Equipped with resources and represented by specialised law firms, the latter will often start from a better position. These litigatory circumstances make the task of tipping the scales before a national court for non-material damages, as opposed to mere upset, challenging for a claimant. In particular, bearing in mind the context of harm suffered because of the GDPR infringement. Losing control over processing of personal data does not have time limits, and therefore it results in uncertainty about its potential consequences for years. Thus, transferring the concept of distinguishing non-material damage (sufficient for compensation) from mere upset known in other fields of law to the GDPR should not be as straightforward as suggested by the AG. In practical terms, it might be difficult to think of a way in which an individual should prove that discomfort felt, for example, after identity theft, is non-material damage and not mere upset. While the consequences of such a data breach might not be known yet during the proceedings, granting minimum compensation (also known from the current practice of some national courts), corresponds with the first objective of the GDPR (protection of natural persons in relation to the processing of their personal data).
In our view, the approach suggested by the AG raises doubts regarding Article 82 as an effective remedy (as provided in Article 47 of the Charter of Fundamental Rights). According to the AG, the ‘difficult task’ of delimiting the ‘fine line’ between mere upset and genuine non-material damage falls to the national courts. Yet, this task would be difficult if not impossible in practice for data subjects, in the context of GDPR disputes against economic actors.
Free movement of personal data. How could private enforcement refurbish the GDPR compliance framework?
The AG argues that a data subject-friendly interpretation of Article 82 GDPR could lead to a Single Market distortion. However, as he points out, the already existing public law instruments prevent and punish data infringements. This does not necessarily mean that such a punitive regime distorts the market. Furthermore, the redress, no matter its origin, that individuals seek in civil proceedings always modifies the ex ante existing market situation to some extent. The problem is about something else: to what degree a given interpretation of Article 82 could lead to one party being favoured at the expense of another. As a matter of fact, claiming minimal compensation of EUR 1,000 for the unlawful processing of sensitive personal data, e.g., political preferences (Article 9 GDPR), as in the case at hand, does not financially seem such an exorbitant claim. The fear that the system will be swamped by the number of lawsuits is not convincing. There are mechanisms such as litigation costs, in contrast to complaints to supervisory authorities, that discourage the filing of unfounded claims.
The AG notes that private enforcement should complement public enforcement of the GDPR. However, his observations are made outside of the context of the GDPR enforcement deficit. Whilst it is true that primarily public enforcement with national supervisory authorities serves punitive functions and private enforcement with national courts intends to fulfil compensatory functions, both channels’ ultimate goal is ensuring compliance with the GDPR. Hindering the use of Article 82 by data subjects, the CJEU would lose an opportunity to seal the data protection system by having more GDPR infringements identified and addressed.
The AG finds a threat in the overlap of the two channels of enforcement by arguing that the national supervisory authorities would be deprived of the instruments ‘more suitable for protection of public interest’. This claim is unfounded in its entirety, which can be drawn on an example of how public and private enforcement may beneficially complement each other. Under Article 94 of the Polish Personal Data Protection Act, a national court informs the Polish Data Protection Commissioner (PDPC) about each new case and each final judgment in the case concerning the GDPR infringement. In turn, the PDPC notifies the national court about each case before it that concerns the same infringement. Consequently, if the infringement is already being examined by the PDPC, the national court shall suspend the proceedings, which ensures the lack of conflicting findings. Further, contrary to the AG’s argument, the supervisory authority not only maintains the opportunity to investigate and sanction infringements but is actively notified of violations that could otherwise remain under its radar.
The civil liability regime under Article 82 GDPR is not and cannot be a competitor to supervisory authorities. It is complementary to them and, together with the data-subject-friendly interpretation, would introduce a qualitative game changer. It would not disrupt but refurbish the Single Market in a way that would also take into account adequate protection of data subjects.
National courts. The risk of forum shopping as a result of non-uniform application?
Article 82 GDPR itself constitutes a broad and unclear provision. By following the AG’s Opinion and not providing any clarifying criteria in delimiting mere upset and non-material damage, the CJEU would complicate the interpretation and application of said provision by national courts even further. In our view, the CJEU has the means to further clarify the concept of damage (confirmed in Recital 146 of the Preamble) to ensure uniform application of the GDPR by not leaving too much room for manoeuvre to national courts. Unfortunately, the AG makes only a brief reference to the principles of equivalence and effectiveness, despite being directly asked by the referring court, which could point toward other possible solutions.
The uniform application of Article 82 GDPR is particularly crucial, as the law applicable to damages arising from data protection infringements is not regulated in the Rome II Regulation on the law that is applicable to non-contractual obligations. This likely creates a risk, given the alternate jurisdiction in Article 79 (2) GDPR, of forum shopping on the part of the data subjects.
Balancing the protection of individuals and the free movement of personal data
In our view, following the Opinion of the AG Sánchez-Bordona, the CJEU would put at risk the balance between the objectives of the GDPR – the protection of individuals and the free movement of personal data – favouring the latter. First, procedural burdens in disputes against economic actors would make Article 82 GDPR practically ineffective for natural persons; secondly, the opportunity to seal the data protection system with its enforcement deficit would be lost; and finally, national courts might be left with too much decisional leeway, resulting in the risk of forum shopping. That said, a data-subject-friendly interpretation and further clarifying criteria on the concept of non-material damage in the awaited judgment of the Court would be desirable.