The CJEU clarifies the requirements under Art. 82 GDPR. In addition, further CJEU rulings of practical relevance are pending.
At the end of 2023, the European Court of Justice (CJEU) issued several rulings that provide more clarity for the relevant compensation standard under data protection laws in Art. 82 GDPR. It is relying on its Judgment from 4 May 2023 (C-300/21) and continuing with the interpretation of Art. 82 GDPR that had begun in that Judgment.
This article provides an overview of these latest developments as well as information on upcoming CJEU decisions on GDPR compensation.
CJEU referral from Bulgaria: can a fear of data being misused after a cyberattack constitute non-material damage?
In the case C-340/21 with questions referred from Bulgaria, the CJEU had to rule, among other things, on the question of whether, in the event of a cyberattack on the data controller, the data subject's fear that their personal data could be misused as a result of this unauthorised access is sufficient to assume non-material damage within the meaning of Art. 82 GDPR if such misuse has not been established.
The referral proceedings were based on media reports from 2019 relating to a cyberattack on a Bulgarian authority that processed the personal data of around six million people. These reports said that data had been published on the internet as a result of unauthorised access, whereupon some of those affected had demanded non-material damages. These included the claimant in the legal dispute that the Bulgarian court used to refer the case to the CJEU. The data subject had asserted a claim for compensation in court pursuant to Art. 82 GDPR in the amount of approx. EUR 510 against the controller.
With regard to non-material damage, the data subject argued that the personal data published without her consent could be misused in the future or that she herself could be blackmailed, attacked or kidnapped. The authority responsible for data processing argued, among other things, that there was no causal link and that all necessary measures had been taken to protect the IT systems and the data contained in them before and after the cyberattack, which was carried out by persons not employed by the authority.
The Opinion of the Advocate General has been available since April 2023. The Advocate General found that the person concerned was obliged to prove that she had suffered real and certain emotional damage. It said this is a circumstance that national courts have to examine in each individual case.
CJEU: fear of misuse of personal data as a result of a cyberattack can be compensable non-material damage
In the referral proceedings, the CJEU ruled on 14 December 2023 (C-340/21) that the fear of possible misuse of personal data following a cyberattack in itself could constitute non-material damage to a data subject within the meaning of Art. 82 GDPR (incidentally, the Karlsruhe Higher Regional Court had ruled differently shortly beforehand in its Judgment dated 7 November 2023 (19 U 23/23) regarding a cyberattack: Potential or hypothetical damage or mere concern about the theft of one's own personal data is not sufficient to constitute the existence of non-material damage within the meaning of Art. 82 (1) GDPR.)
The CJEU emphasised that it is not relevant under Art. 82 (1) GDPR whether non-material damage is associated with the misuse of personal data by third parties that has already occurred or whether there is a fear that such use could occur in the future:
It should also be noted in the present case that Art. 82 (1) GDPR makes no distinction as to whether the "non-material damage" alleged by the data subject as a result of a proven breach of the provisions of the GDPR is linked to the misuse of their personal data by third parties that has already occurred at the time of their claim for compensation or whether it is linked to their fear that such use could occur in the future.
The CJEU underpinned this with a reference to the broad interpretation of the concept of damage intended by the legislation, which can be seen from the 85th and 146th recitals of the GDPR.
The burden of proof of the loss lies with the person concerned
The CJEU agrees with the Advocate General that it is up to the person concerned to prove that the negative consequences and their nature are compensable non-material damage. If this is based on the fear of misuse of personal data as a result of a cyberattack, then the national court must examine whether this fear can be categorised as justified in the specific circumstances and with regard to the person concerned. Allegations of anxiety, therefore, do not automatically mean that damage has been proven: an examination of the individual circumstances is still required.
Exemption from liability only possible within limits
In this context, the CJEU also emphasised that the controller responsible for the processing must compensate for any damage which was made possible through an infringement of the GDPR caused in connection with processing, in particular against Art. 5 (1) f), Art. 24 and Art. 32 GDPR. The actions of cybercriminals can, therefore, only be attributed to the controller if the latter has enabled the criminal behaviour by disregarding the rules of the GDPR. Exemption from liability of the controller pursuant to Art. 82 (3) GDPR can only be taken into consideration if the controller can prove that there is no causal link between the breach of its data protection obligations and the damage suffered by the data subject, i.e. that it is not responsible in any way for the circumstance that caused the damage. On the same date, the CJEU issued another Judgment regarding Art. 82 GDPR and strengthened its comprehensive scope of application.
CJEU: claim for compensation for non-material damage does not require a noticeable disadvantage
On 14 December 2023, the CJEU also ruled in the case C-456/22 in response to a question referred from Germany regarding Art. 82 GDPR and referring to the aforesaid Judgment in May 2023, and once again clearly rejected the assumption of a so-called materiality threshold or de minimis threshold. The court also emphasised again that a breach of the GDPR does not automatically trigger a claim for compensation under Art. 82 GDPR.
In this second Judgment dated 14 December 2023, the CJEU provided further clarity to the concept of non-material damage within the meaning of Art. 82 GDPR. The referral concerned, among other things, the question of whether non-material damage requires a noticeable disadvantage as well as an objectively comprehensible impairment of personality-related interests or whether a merely short-term (lasting a few days) loss of the data subject's data through its publication on the internet, which remained without noticeable or detrimental consequences, is sufficient. According to the CJEU, the right to compensation for non-material damage does not require any noticeable disadvantage. However – as the court emphasised in line with the other aforesaid Judgment dated 14 December 2023 – the data subject must prove the existence of adverse consequences of the GDPR infringement that led to non-material damage.
CJEU: re:balancing function of Art. 82 GDPR for specific damage suffered as a result of GDPR infringements
With regard to case (C-667/21), which related to the processing of health data and compensation in the amount of EUR 20,000, the CJEU answered further questions referred from Germany in its Judgment dated 21 December 2023 regarding Art. 82 GDPR. The referral concerned, among other things, the questions of whether the degree of fault of the controller (or processor) is relevant to the amount of non-material damage and whether, in particular, the lack of fault or minor fault of the controller (or processor) may be taken into account in its favour. In May 2023, the Advocate General presented its Opinion and argued that the degree of fault was not relevant for liability or the assessment of the amount of non-material damage to be compensated.
The CJEU referred to the purpose of Art. 82 GDPR and its compensatory function: the standard is intended to enable monetary compensation to be paid to compensate for specific damage suffered as a result of a GDPR breach. It has no deterrent or punitive function. In accordance with the aforesaid Judgment, the CJEU interpreted Art. 82 GDPR to the effect that the fault of the controller is presumed unless the controller proves that the act causing the damage is not attributable to it. When assessing the amount of compensation to be paid for non-material damage, the CJEU stated that Art. 82 GDPR does not require the degree of fault to be taken into account.
The subject of compensation under the GDPR will also be exciting in 2024: additional questions regarding Art. 82 GDPR referred to the CJEU
The CJEU has thus further specified the requirements and legal consequences for claims for compensation under data protection law, in particular with regard to non-material damage. It remains to be seen how the national courts will deal with the requirements of the Court of Justice. In addition, further referral proceedings are underway before the CJEU regarding Art. 82 GDPR. It was only in September 2023, for example, that the German Federal Court of Justice (BGH) suspended proceedings and referred questions on compensation under the GDPR to the CJEU, including whether Art. 82 (1) GDPR should be interpreted as meaning that mere negative feelings (e.g. anger, resentment, dissatisfaction, worry, fear) are sufficient for the assumption of non-material damage, although these are part of the general risk of life and daily experience, or whether a disadvantage beyond these feelings is required.
CJEU: Opinion of the Advocate General in the Scalable Capital referral proceedings
In the joined cases C-182/22 and C-189/22 with questions referred from Germany (C-182/22, C-189/22), the Opinions of the Advocate General, which is limited to the fifth Opinion of the Advocate General, regarding the Scalable Capital submission process have been available since October 2023. The referring courts seek answers from the CJEU, amongst other things, with regard to matters of whether, to assert non-material damage under Art. 82 GDPR, identity theft, within the meaning of Recital 75 of the GDPR, only exists if the identity of the data subject has been assumed, or whether the fact that criminals have data that makes the data subject identifiable is sufficient to affirm identity theft.
In these proceedings, the Advocate General came to the conclusion that the theft of sensitive personal data of a data subject by unknown criminals could lead to a claim for non-material damage if proof of a breach of the GDPR, concrete damage suffered and the causal link between the damage and the GDPR breach is provided. The Advocate General does not consider it necessary for offenders to have assumed the identity of the person concerned. According to the Advocate General, the possession of data that is sufficient to identify the data subject does not in itself constitute identity theft. As the Opinion of the Advocate General is already available in these proceedings, a decision by the CJEU is expected imminently. In light of the aforesaid CJEU ruling dated 14 December 2023 relating to the referral from Bulgaria, the excitement as to how the CJEU will rule in these cases is likely to be limited.
Overview of other referral proceedings before the CJEU relating to Art. 82 GDPR
Further referral proceedings have been or are pending before the CJEU, in which decisions are expected and some of which have parallels to the questions presented above; these are, for example:
- Case C-687/21 with questions referred from Germany including whether Art. 82 GDPR is invalid due to a lack of certainty and whether the disclosure of personal data to an unauthorised third party without their knowledge and the subsequent discomfort of the data subject without further explanation is sufficient for the assumption of non-material damage: The CJEU decided on 25 January 2024.
- Case C-507/23 with questions referred from Latvia, referred amongst other things, to whether Art. 82 (1) GDPR provides for an obligation to apologise as the only compensation for non-material damage if there is no possibility of restoring the original situation, and whether the motivation of the controller (e.g. fulfilment of a task in the public interest, lack of intent to cause harm or problems of understanding the applicable law) can be taken into account to reduce the claim.
- Case C-590/22 with questions referred from Germany referred to whether the mere fear, without positive proof, that personal data has been obtained by a third party without authorisation is sufficient for a claim under Art. 82 GDPR and whether a deterrent effect is required to assess the damages.
- Case C-741/21 with questions referred from Germany, amongst other things, referred to the possibility of discharge pursuant to Art. 82 (3) GDPR if the GDPR infringement is based on human error in an individual case and whether, in the case of several similar infringements, an general view is required for the assessment of damages or whether each individual infringement must be considered on its own.
This non-exhaustive list shows that there is a lot of interest in Art. 82 GDPR and compensation under data protection law and it will also remain exciting in the future.