On 6 October 2022, Advocate General (AG) Campos Sánchez-Bordona delivered his Opinion in case C‑300/21. At stake is the interpretation of Article 82 of the General Data Protection Regulation (GDPR), which provides compensation for non-material damages. The Opinion opts for a strict interpretation of this provision, but the present blogpost advocates that a broader reading is possible, and even desirable, in light of the GDPR’s objectives and the many barriers impeding effective enforcement of data protection rights.
The dispute giving rise to the preliminary ruling involves UI, an Austrian national who brought an action against the Österreichische Post AG (located in Austria as well) for the unlawful processing of his personal data since 2017. The Austrian undertaking collected information on UI’s political affinities without his consent and established that he was likely to vote for a far-right party with the assistance of an algorithm. UI claimed compensation amounting to EUR 1.000 for non-material damages, arguing that the profiling is insulting and damaging to his reputation. The action is based on Article 82(1) GDPR, according to which “[a]ny person who has suffered material or non-material damage as a result of an infringement of [the GDPR] shall have the right to receive compensation from the controller or processor for the damage suffered”.
The first and second instance courts dismissed UI’s claim for compensation, considering that mere discomfort and feelings of unpleasantness do not give rise to a right to compensation. The case reached the Austrian Supreme Court (Oberster Gerichtshof), which referred the three following questions to the Court of Justice of the European Union (CJEU).
Question 1.1: Is compensation available in the absence of any damage?
Remarkably, the question whether compensation is available in absence of damage is examined, even though UI claims to have suffered damage.
Article 82 GDPR plainly states that compensation is available to data subjects who “suffered material or non-material damage as a result of an infringement of [the GDPR]” (emphasis added by the author). An interpretation according to which compensation should be allocated in absence of any damage contradicts the provision’s wording and would confer a punitive function to Article 82 GDPR, says the AG. This leads him to examine the extent to which punitive damages could be awarded under Article 82 GDPR. The question pops up in an odd way, first because it is not part of the questions referred to the CJEU, and second because the allocation of punitive damages is contemplated in absence of compensatory ones. I have to admit that the latter scheme looks like a strange, unusual practice to me.
Be that as it may, the AG concludes that punitive damages cannot be awarded: neither the wording of Article 82 GDPR (literal interpretation), nor the legislative documents of the EU (historical interpretation) seem to allow this. Yet, considering that EU law usually states whether it intends to either promote or prohibit punitive damages (see the examples mentioned at paras. 37-38 of the Opinion), inferring prohibition from legislative silence is a rather quick conclusion.
Then, the Opinion’s contextual interpretation reveals that Article 82 GDPR has no punitive, deterrent function. The latter is achieved through public enforcement (Articles 77, 83(1), 83(9) and 84 GDPR). This “hermetic” allocation of functions is further justified by the necessity to avoid overlap. In the AG’s words, “entrust[ing] the punitive function to civil liability creates the risk of making the compensatory mechanisms redundant with the punitive mechanisms” (para. 49). Finally, the AG considers that a broad interpretation of Article 82 GDPR is not necessary to comply with the GDPR’s objective to protect data subjects’ rights (purposive interpretation). In fact, such an interpretation would negatively impact the other objective of the Regulation, that is, the free circulation of personal data. Practice shows a very different picture, however: the effectiveness of private/public enforcement mechanisms leaves much to be desired, to such extent that the free circulation of data does not seem to be under threat (see the European Parliament resolution of 25 March 2021 on the Commission evaluation report on the implementation of the General Data Protection Regulation two years after its application (2020/2717(RSP), paras. 12-18, as well as the enlightening comments of GDPR enforcement experts presented on the occasion of a public hearing organised by the Committee on Civil Liberties, Justice and Home Affairs (LIBE)).
To sum up, should the CJEU follow the AG’s Opinion, the mere infringement of the GDPR’s provisions would not confer an automatic right to compensation. Data subjects would have to show that they suffered damage as result of the infringement. What constitutes non-material damage and which threshold of seriousness is required is examined under question 3.
Question 1.2: Is an alternative reading possible?
Some read Article 82 GDPR differently. It is suggested that the mere infringement of the GDPR’s provisions automatically generates a compensable damage, corresponding to the data subjects’ loss of control over their data (irrebuttable presumption).
The AG considers that this interpretation is “incorrect” (para. 59). To start, Article 82 GDPR does not manifestly confer an automatic right to compensation in case of an infringement, as it exists in other legal fields (see references to air passengers’ rights at footnote 38). The wording of recital 75 does not call into question this conclusion, as loss of control is perceived as a risk generated by processing but not as a damage. Doubts arise when one reads recital 85 GDPR, which provides that “[a] personal data breach may […] result in physical, material or non-material damage […] such as loss of control”, thereby bringing the notions of “loss of control” and “damage” closer together. This is however not enough to change the AG’s opinion.
The contextual interpretation, which takes consent as a reference point, further supports the AG’s line of argument. If I understand correctly, the reasoning is the following one: since data processing may lawfully take place without consent (i.e. because the controller shows a legitimate interest, for example), it cannot be said that data subjects exercise control over their data. In this case, however, processing without consent cannot equate with loss of control and give rise to compensation (otherwise, the only lawful basis for processing would be consent). Although it is not entirely clear to me why consent should serve as a definitional basis for loss of control, I will say this: everyone certainly agrees on the fact that absence of consent cannot automatically create a compensable damage, inasmuch as processing can be lawfully carried out without it under certain circumstances. However, is it not possible to understand that loss of control occurs when processing goes beyond the legal basis that justifies processing (be it consent, a legal obligation or a legitimate purpose)?
Finally, the teleological interpretation shows that control over one’s data is not part of a right, the violation of which gives rise to compensation. Again, the reasoning is based on the silence of the law, and the opposite interpretation does not seem indefensible. Considering the GDPR’s aim to enhance data subjects’ control over their data (recital 7 GDPR), I fail to understand why loss of control should not be part of the right to data protection. In that regard, the Opinion recalls that “[t]he aim of the GDPR is not[…] to limit systematically the processing of personal data but rather to legitimise it under strict conditions. That aim is served especially by promoting confidence on the part of data subjects that processing will be carried out in a safe environment[…]. This encourages the willingness of data subjects to permit access to and use of their data in, among other spheres, the sphere of online commercial transactions” (para. 82). If compensation is strictly limited, however, access to justice becomes more difficult, and some behaviours might go unpunished (given the important challenges that impede the effective enforcement of GDPR rights at present). This, in turn, does not contribute to the creation of a safe environment.
Question 2: Does EU law impose other requirements in addition to the principles of equivalence and effectiveness?
By its second question, the referring court wonders whether EU law imposes additional requirements for the assessment of compensation, along with the principles of equivalence and effectiveness.
Article 82 GDPR imposes no other requirements than the ones discussed above, but recital 146 GDPR specifies that compensation must be full and effective. In that regard, the AG notes that reparation can take different forms, depending on the national legal order. Compensation schemes may include payment of symbolic compensation or transfer of the unfairly obtained profit, for example. Whether said schemes shall fall under Article 82 GDPR’s scope or not and whether they constitute effective compensation remains unclear. Even though the Opinion mentions them, it concludes that Article 82 GDPR does not seem to provide for either option (para. 91 and 93). Hopefully, the CJEU will shed more light on this point in its upcoming judgment.
In case Article 82 GDPR does not fully harmonise the law of Member States, the principle of effectiveness could very well ensure that the concept of “effective compensation” is interpreted in a consistent manner within the EU, as Max Schrems highlights in his analysis of the Opinion.
Question 3: Does Article 82 GDPR impose any minimum threshold?
Lastly, the referring court asks whether compensation should be allocated only when the infringement generates consequences that go beyond a certain “threshold of seriousness” (para. 97). The AG answers in the affirmative. National systems operate a distinction between damage and mere inconvenience, which is transposable to the GDPR. Accordingly, the latter category shall not entitle data subjects to compensation. This does not mean that the data subjects are left unprotected, the AG adds: other remedies remain available.
If the CJEU validates the existence of such a threshold, access to justice for data subjects would be more complicated than it currently is. Needless to say, distinguishing damage from inconvenience would be an equally hard job (and the AG acknowledges it). As to the availability of other remedies, this post already highlighted that alternative avenues to redress GDPR infringements do not work as efficiently as they should. Therefore, the balance between the GDPR’s two main goal is not correctly stroke yet and a broader interpretation of Article 82 GDPR might help to set up a better equilibrium.
The EU has often been called a “barking jurisdiction” in the data protection field (I borrowed this terminology from Dan Jerker B. Svantesson), i.e. a jurisdiction with a protective regulation but inefficient enforcement mechanisms. If adopted by the CJEU, the restrictive interpretation of Article 82 GDPR provided by the Opinion will strengthen the accuracy of this concept.