News from the CJEU on GDPR compensation

Germany

Updated version of the article published on 25 January 2024

The CJEU clarifies the requirements under Art. 82 GDPR. In addition, further CJEU rulings of practical relevance are pending.

At the beginning of this year and at the end of 2023, the European Court of Justice (CJEU) published several rulings on the provision governing damages under data protection law, Art. 82 of the European General Data Protection Regulation (GDPR), in which it concretised the requirements of Art. 82 GDPR on important and previously controversial points. The CJEU built on its Judgment dated 4 May 2023 (C-300/21) and continued the interpretation of Art. 82 GDPR that had begun in that Judgment.

According to the CJEU, the key aspects for a claim under Art. 82 GDPR can be summarised as follows:

  • Not every infringement of the provisions of the GDPR automatically triggers a claim for compensation under Art. 82 GDPR. The data subject must have suffered material or non-material damage, which they must prove.
  • The concept of damage must be interpreted broadly. The right to compensation for non-material damage does not require a noticeable disadvantage.
  • Art. 82 GDPR does not have a threshold of seriousness or minimum threshold that would have to be exceeded by the damage.
  • The fear that personal data will be misused as a result of a cyberattack can be compensable non-material damage. If the damage results from this fear that data will be misused by third parties, the data subject must prove that the fear is well founded under the given special circumstances and with regard to his/her own person.
  • Exemption from liability in accordance with Art. 82 (3) GDPR is only possible within certain limits.
  • The GDPR does not contain provisions on how the amount of damages to be paid should be assessed; the national courts must therefore apply the national provisions of the individual Member States in compliance with the EU-law principles of equivalence and effectiveness. When assessing the amount of compensation, Art. 82 GDPR does not require that the degree of fault or the number of GDPR infringements by the controller towards the data subject be taken into account.
  • Art. 82 GDPR has a compensatory function and not a deterrent or punitive function.

Due to their high practical relevance, we want to take a closer look at each of these judgments from the CJEU.

Judgment dated 11 April 2024 (C-741/21): non-material damage due to advertising without consent?

One of the proceedings concerned the sending of three advertising letters to a data subject without the data subject's consent. The data subject had also entered a code found in the advertising letters in the defendant's online shop, whereupon an order screen appeared with the data subject's personal data pre-filled. The data subject demanded compensation for material damage in the form of bailiff and notary costs incurred as well as for non-material damage. On the questions referred by the Saarbrücken Regional Court (Decision dated 22 November 2021 – 5 O 151/19), the CJEU in its Judgment dated 11 April 2024 (C-741/21) essentially confirmed its previous case law: not every GDPR infringement automatically constitutes non-material damage, and Art. 83 GDPR, which applies to fines, cannot be used to assess a claim for compensation under Art. 82 GDPR.

CJEU: exemption from liability only possible within very narrow limits

The CJEU's statements on Art. 82 (3) GDPR and the controller's exemption from liability are of particular interest. The CJEU ruled that it is not sufficient for an exemption that the controller claims the damage was caused by the misconduct of a person acting under its authority pursuant to Art. 29 GDPR, e.g. an employee. Where a right to give instructions exists, the controller must ensure that its employees follow those instructions correctly; the controller therefore cannot exempt itself from liability under Art. 82 (3) GDPR by invoking negligence or misconduct on the part of a person under its authority. Any other interpretation, the court said, would undermine the practical effectiveness of the claim for compensation under Art. 82 (1) GDPR.

Number of GDPR infringements not a relevant criterion when assessing damages

A further question referred by the Saarbrücken court to the CJEU concerned the amount of compensation to be paid. As GDPR compensation has no punitive or deterrent function but, according to Recital 146 GDPR, is intended to ensure full and effective compensation for the damage suffered, the number of GDPR infringements by the controller towards the data subject is not a relevant criterion when determining the amount of compensation. Only the damage actually suffered by the data subject is to be compensated; it is, however, for the national courts to develop the criteria for this. Whether and to what extent the Saarbrücken Regional Court will now award the claimant compensation also depends on the claimant's submissions regarding the non-material damage suffered.

Judgment dated 25 January 2024 (C-687/21): no compensation in the event of a purely hypothetical risk of data being misused and demonstrable lack of knowledge by unauthorised third parties

With its Judgment dated 25 January 2024 (C-687/21), following a referral from the Hagen Local Court in autumn 2021, the CJEU clarified questions of interpretation of Art. 82 GDPR and increased legal certainty for companies. In the underlying case, personal data of a purchaser (name, address, place of residence, employer, income and bank details) had inadvertently been disclosed on a printout by an employee of the company to a third party who had slipped in unnoticed and thus mistakenly received the printed documents together with the appliance sold to the data subject. Within half an hour, the employee realised the mistake, and both the documents and the electrical appliance were returned to the actual buyer.

The buyer then demanded compensation for non-material damage pursuant to Art. 82 GDPR, which he based on the risk of losing control over his personal data. He refused an offer of free delivery of the purchased electrical appliance to his address as compensation. The company denied that any GDPR infringement had occurred and saw no compensable damage, both for lack of seriousness and because the third party had not misused the data received. The CJEU has already ruled several times that damage does not require a threshold of seriousness (for the first time in its Judgment dated 4 May 2023 (C-300/21)). We would like to highlight the following aspects of the other questions submitted by the Hagen Local Court.

Disclosure of data to unauthorised third parties does not automatically mean that the TOMs in place are unsuitable

The Hagen Local Court wanted to know whether a GDPR infringement had occurred where employees of the controller mistakenly passed on a document containing personal data to an unauthorised third party, and in particular whether this could be regarded as an infringement due to unsuitable technical and organisational measures (TOMs) pursuant to Art. 24 and Art. 32 GDPR. The CJEU held that the unauthorised disclosure alone does not establish an infringement of Art. 5, Art. 24 and Art. 32 GDPR. Referring to its recent ruling dated 14 December 2023 (C-340/21, more on this below), the CJEU pointed out that these provisions do not require absolute security against infringements, but appropriate measures to ensure security. Only where an organisational failure has occurred, and the erroneous disclosure of the documents is the consequence of that failure, can an infringement of Art. 24 and Art. 32 GDPR be affirmed.

In short: as is so often the case, it depends on the circumstances of the individual case. According to the CJEU, the burden of proving that suitable TOMs were in place remains with the defendant in compensation proceedings. When establishing a GDPR infringement, the national court deciding the case must not focus solely on the fact that data was disclosed to an unauthorised third party, but must take into account all the evidence the controller provides to demonstrate the suitability of its TOMs.

No non-material damage if it is proven that unauthorised third parties have not gained knowledge of the data

The CJEU's statements on the existence of damage are also particularly relevant in practice. In this Judgment, the CJEU again states that even a short-term loss of control can constitute non-material damage which, however minor, must be compensated if the claimant proves the damage and its causal link to the infringement. The CJEU did not repeat the wording of margin no. 85 of its Judgment dated 14 December 2023 (C-340/21, more on this below), namely that where the damage lies in a fear that the data will be misused by third parties, the claimant must prove that this fear is well founded in the "specific circumstances at issue and with regard to the data subject" (at this point, at the latest, a large number of compensation claims in the so-called "scraping cases" would fail; in particular, many courts do not accept recurring boilerplate text as proof that the individual claimant was actually affected). In effect, however, the CJEU applied the same benchmarks in the Hagen referral, because the referring court had found, first, that the third party had held the data in his hands for less than half an hour, in printed rather than digital form, and, second, that it had been proven that unauthorised third parties had not gained knowledge of the content of the data. The CJEU therefore categorised the concern about data misuse as a purely hypothetical risk, which is not sufficient to affirm damage.

Due to the particularities of the Hagen case, no general conclusions can be drawn for data leaks that differ from it, e.g. leaks in digital and therefore less controllable and reversible form, or for a longer period of time. What can clearly be concluded from the Judgment is that a generic description of the damage can be refuted and is not sufficient as proof of the damage. The decision shows that everything still depends on the circumstances of the individual case, which is also emphasised by the following CJEU ruling on a referral from Bulgaria.

Judgment dated 14 December 2023 (C-340/21) on referral from Bulgaria: does a fear of data being misused after a cyberattack constitute non-material damage?

In the case C-340/21 with questions referred from Bulgaria, the CJEU had to rule, among other things, on the question of whether, in the event of a cyberattack on the controller, the data subject’s fear that their personal data could be misused as a result of this unauthorised access is sufficient to assume non-material damage within the meaning of Art. 82 GDPR if such misuse has not been established. 

The referral proceedings arose from media reports in 2019 on a cyberattack on a Bulgarian authority that processed the personal data of around six million people. According to these reports, data had been published on the internet as a result of the unauthorised access, whereupon some of those affected demanded compensation for non-material damage. Among them was the claimant in the proceedings that led the Bulgarian court to refer questions to the CJEU. The data subject had brought a claim for compensation pursuant to Art. 82 GDPR in the amount of approx. EUR 510 against the controller.

With regard to non-material damage, the data subject argued that the personal data published without her consent could be misused in the future or that she herself could be blackmailed, attacked or kidnapped. The authority responsible for data processing argued, among other things, that there was no causal link and that all necessary measures had been taken to protect the IT systems and the data contained in them before and after the cyberattack, which was carried out by persons not employed by the authority. 

The Opinion of the Advocate General has been available since April 2023. The Advocate General found that the data subject had to prove that she had suffered real and certain emotional damage, a circumstance that national courts have to examine in each individual case.

CJEU: fear that personal data will be misused as a result of a cyberattack can be compensable non-material damage

In the referral proceedings, the CJEU ruled on 14 December 2023 (C-340/21) that the fear of possible misuse of personal data following a cyberattack can in itself constitute non-material damage to a data subject within the meaning of Art. 82 GDPR. Incidentally, the Karlsruhe Higher Regional Court had ruled differently shortly beforehand in its Judgment dated 7 November 2023 (19 U 23/23) on a cyberattack:

Potential or hypothetical damage or mere concern about the theft of one's own personal data is not sufficient to constitute the existence of non-material damage within the meaning of Art. 82 (1) GDPR.

The CJEU emphasised that it is not relevant under Art. 82 (1) GDPR whether non-material damage is associated with the misuse of personal data by third parties that has already occurred or whether there is a fear that such use could occur in the future: 

It should also be noted in the present case that Art. 82 (1) GDPR makes no distinction as to whether the "non-material damage" alleged by the data subject as a result of a proven infringement of the provisions of the GDPR is linked to the misuse of their personal data by third parties that has already occurred at the time of their claim for compensation or whether it is linked to their fear that such use could occur in the future.

The CJEU underpinned this with a reference to the broad interpretation of the concept of damage intended by the legislature, which can be seen from Recitals 85 and 146 of the GDPR.

The burden of proof of the damage lies with the data subject 

The CJEU agrees with the Advocate General that it is up to the data subject to prove that the negative consequences and their nature are compensable non-material damage. If this is based on a fear that personal data will be misused as a result of a cyberattack, then the national court must examine whether this fear can be categorised as well founded in the specific circumstances and with regard to the data subject. Allegations of anxiety, therefore, do not automatically mean that damage has been proven: an examination of the individual circumstances is still required. 

Exemption from liability only possible within limits

In this context, the CJEU also emphasised that the controller must compensate any damage made possible by an infringement of the GDPR committed in connection with processing, in particular of Art. 5 (1) f), Art. 24 and Art. 32 GDPR. The actions of cybercriminals can therefore only be attributed to the controller if the controller enabled the criminal behaviour by disregarding the rules of the GDPR. An exemption from liability pursuant to Art. 82 (3) GDPR is only possible if the controller proves that there is no causal link between the infringement of its data protection obligations and the damage suffered by the data subject, i.e. that it is not in any way responsible for the event giving rise to the damage. On the same date, the CJEU issued another Judgment regarding Art. 82 GDPR and confirmed its broad scope of application.

Judgment dated 14 December 2023 (C-456/22): claim for compensation for non-material damage does not require a noticeable disadvantage

On 14 December 2023, the CJEU also ruled in case C-456/22 on a question referred from Germany regarding Art. 82 GDPR and, referring to its Judgment of May 2023, once again clearly rejected the assumption of a so-called threshold of seriousness or minimum threshold. The court also emphasised again that an infringement of the GDPR does not automatically trigger a claim for compensation under Art. 82 GDPR.

In this second Judgment dated 14 December 2023, the CJEU provided further clarity on the concept of non-material damage within the meaning of Art. 82 GDPR. The referral concerned, among other things, whether non-material damage requires a noticeable disadvantage and an objectively comprehensible impairment of personality-related interests, or whether a merely short-term (a few days) loss of control over the data subject's data through its publication on the internet, which remained without noticeable or adverse consequences, is sufficient. According to the CJEU, the right to compensation for non-material damage does not require a noticeable disadvantage. However, as the court emphasised in line with its other Judgment of 14 December 2023, the data subject must prove that the GDPR infringement had adverse consequences for him or her which constitute non-material damage.

Judgment dated 21 December 2023 (C-667/21): re: compensatory function of Art. 82 GDPR for specific loss suffered as a result of GDPR infringements

In case C-667/21, which concerned the processing of health data and a claim for compensation in the amount of EUR 20,000, the CJEU dealt with further questions referred from Germany regarding Art. 82 GDPR in its Judgment dated 21 December 2023. The referral concerned, among other things, whether the degree of fault of the controller (or processor) is relevant to the amount of compensation for non-material damage and whether, in particular, the absence of fault or minor fault on the part of the controller (or processor) may be taken into account in its favour. In May 2023, the Advocate General delivered an Opinion arguing that the degree of fault is relevant neither to liability nor to the assessment of the amount of non-material damage to be compensated.

The CJEU referred to the purpose of Art. 82 GDPR and its compensatory function: the provision is intended to enable monetary compensation for the specific loss suffered as a result of a GDPR infringement. It has no deterrent or punitive function. In line with the Judgments discussed above, the CJEU interpreted Art. 82 GDPR to the effect that the fault of the controller is presumed unless the controller proves that the event giving rise to the loss is not attributable to it. When assessing the amount of compensation for non-material damage, the CJEU stated, Art. 82 GDPR does not require the degree of fault to be taken into account.

As the CJEU has not yet commented further on the specific amount of damages to be awarded, the following decision also deserves attention, even though it does not relate to the GDPR itself.

Judgment dated 5 March 2024 (C-755/21 P): compensation for damage under the Europol Regulation – facilitation of evidence for the data subject 

Even though the case decided by the CJEU in its Judgment dated 5 March 2024 (C-755/21 P) did not directly concern Art. 82 GDPR, it did involve, among other things, a claim for compensation in connection with the disclosure of personal data. In the underlying case, Slovakian authorities and the EU Agency for Law Enforcement Cooperation (Europol) had investigated the murder of a journalist and his fiancée. In the course of this investigation, Europol extracted data from two mobile phones belonging to the claimant in the CJEU proceedings and transmitted the data to the investigating authorities. A year later, transcripts of intimate communications between the claimant and his partner from an encrypted messenger service, obtained from this data, were published in the Slovakian press, together with information from Europol that the claimant had been arrested on suspicion of a financial crime and that he was connected to the so-called "mafia lists" and the "Panama Papers". Before the General Court of the EU (EGC), the claimant demanded EUR 50,000 in compensation for non-material damage for the disclosure of the data and a further EUR 50,000 for the inclusion of his name in the so-called "mafia lists", i.e. a total of EUR 100,000. The EGC dismissed the action in 2021 (Judgment dated 29 September 2021 – T-528/20 (Kočner v Europol)), and the claimant appealed to the CJEU.

The CJEU disagreed with the assessment of the lower court. The EGC had rejected the claim because the claimant had not proven that Europol had kept the said "mafia lists" or that there was a causal link between Europol's conduct and the damage he had suffered. The CJEU, however, emphasised that in order to assert joint and several liability, as in this case, a data subject need only prove at the first stage that unlawful data processing occurred during the cooperation between Europol and the authorities of the Member State concerned and that this processing caused the damage claimed. According to the CJEU, the data subject does not have to prove which of the two bodies is responsible for the unlawful processing.

CJEU: compensation for damages in the amount of EUR 2,000 under the Europol Regulation

The CJEU set aside the EGC's Judgment and immediately gave final judgment in the matter itself. It considered the appeal admissible and well founded only as regards the submissions relating to the disclosure of the intimate communication data and ruled that the claimant was entitled to compensation for non-material damage in the amount of EUR 2,000 from Europol and the Slovak Republic as joint and several debtors. The court found that data concerning the claimant had been disclosed without authorisation and made public (the ruling refers to press articles and websites, including those of an international network of investigative journalists), which infringed the claimant's right to respect for his private and family life and his communications (Article 7 of the Charter of Fundamental Rights) and impaired his honour and reputation.

These proceedings did not, however, concern compensation under the GDPR, but under the so-called Europol Regulation (Regulation (EU) 2016/794), whose Art. 49 (3) and Art. 50 (1) provide rules on compensation in the event of unlawful data processing. Recital 57 of the Europol Regulation already acknowledges the evidential difficulties a data subject faces in the event of unlawful data processing by Europol and the EU Member States: "It may be unclear for the individual concerned whether damage suffered as a result of unlawful data processing is a consequence of action by Europol or by a Member State. Europol and the Member State in which the event that gave rise to the damage occurred should therefore be jointly and severally liable." The CJEU also emphasised, however, that the defendant may prove that the alleged damage is not related to unlawful data processing in the context of the cooperation between Europol and a Member State.

The CJEU hardly addressed the amount of damages awarded or the considerable gap between the amount awarded (EUR 2,000) and the amount claimed (EUR 50,000). Compared with German cases in which compensation of the same amount has been awarded, the sum in the CJEU proceedings appears low given the seriousness of the crime, the intimacy of the data disclosed and its publication in the press: for example, the Hamm Higher Labour Court awarded EUR 2,000 for the transfer of an employee's personal data within a hospital network (Decision dated 14 December 2021 – 17 Sa 1185/20), the Berlin-Brandenburg Higher Labour Court awarded the same amount solely for a breach of the duty to provide information under Art. 15 GDPR (Decision dated 18 November 2021 – 10 Sa 443/21), and the Düsseldorf Higher Regional Court did likewise for a statutory health insurer's sending of a claimant's health file to an incorrect email address (Decision dated 28 October 2021 – 16 U 275/20). In the present case, the CJEU merely pointed out that it could not be established that photographs had also been disclosed to unauthorised third parties, as the claimant alleged, and that the unauthorised disclosure was limited to the transcribed conversations between the claimant and his partner. On that basis, the CJEU considered EUR 2,000 to be appropriate compensation. It remains to be seen whether the national courts will take this CJEU ruling, which awards a comparatively small sum in a serious case, as an occasion to reduce the amounts of damages awarded in the ordinary courts.

The issue of GDPR compensation will also be exciting in 2024: additional questions relating to Art. 82 GDPR which have been referred to the CJEU

Overall, with the judgments discussed above, the CJEU has further concretised the requirements for and legal consequences of compensation claims under data protection law, in particular with regard to non-material damage. It remains to be seen how the national courts will apply the CJEU's requirements. In addition, further referral proceedings relating to Art. 82 GDPR are pending before the CJEU. In September 2023, for example, the German Federal Court of Justice (BGH) stayed proceedings and referred questions on compensation under the GDPR to the CJEU, including whether Art. 82 (1) GDPR is to be interpreted as meaning that mere negative feelings (e.g. anger, resentment, dissatisfaction, worry, fear) are sufficient to assume non-material damage, even though such feelings are part of the general risk of everyday life, or whether a disadvantage going beyond these feelings is required.

CJEU: opinion of the Advocate General in the Scalable Capital referral proceedings

In the joined cases C-182/22 and C-189/22 (Scalable Capital) with questions referred from Germany, the Opinion of the Advocate General, which is limited to the fifth question referred, has been available since October 2023. The questions referred ask the CJEU, amongst other things, whether, for the purposes of asserting non-material damage under Art. 82 GDPR, identity theft within the meaning of Recital 75 GDPR requires that the identity of the data subject has actually been assumed, or whether it is sufficient that criminals hold data which makes the data subject identifiable.

In these proceedings, the Advocate General concluded that the theft of sensitive personal data of a data subject by unknown criminals can give rise to a claim for non-material damage if an infringement of the GDPR, concrete damage suffered and the causal link between the damage and the infringement are proven. The Advocate General does not consider it necessary for the offenders to have actually assumed the identity of the data subject; however, the mere possession of data sufficient to identify the data subject does not in itself constitute identity theft. As the Opinion of the Advocate General is already available, a decision by the CJEU is expected shortly. In light of the CJEU ruling dated 14 December 2023 on the referral from Bulgaria discussed above, there is likely to be little suspense as to how the CJEU will rule in these cases.

Overview of further CJEU referral proceedings relating to Art. 82 GDPR

Further referral proceedings are pending before the CJEU, some of which have parallels to the questions on Art. 82 GDPR described above; these are, for example:

  • The case C-507/23 with questions referred from Latvia, deals amongst other things, with whether Art. 82 (1) GDPR provides for an obligation to apologise as the only compensation for non-material damage if there is no possibility of restoring the original situation, and whether the motivation of the controller (e.g. fulfilment of a task in the public interest, lack of intent to cause harm or problems of understanding the applicable law) can be taken into account to reduce the claim.
  • Case C-590/22 with questions referred from Germany concerns whether the mere fear, without positive proof, that personal data has been obtained by an unauthorised third party is sufficient for a claim under Art. 82 GDPR, and whether a deterrent effect must be taken into account when assessing the damages.

This non-exhaustive list shows that there is a lot of interest in Art. 82 GDPR and compensation under data protection law and that things will remain exciting for the rest of the year.

Art. 82 GDPR takes on further contours through the latest CJEU case law

The CJEU's rulings in recent months have answered open questions regarding Art. 82 GDPR and given the provision more precise contours.