Introduction
On
Prior to this, in
In this Insight, we set out how the CJEU has diverged from this opinion, examine some of the reasons for doing so and what it might mean for future awards in
Background to the Austrian Post Case
In the Austrian Post Case, proceedings were initiated by an Austrian citizen for "great upset, loss of confidence, and a feeling of exposure" after he had been affiliated with a particular political party following a data collection exercise undertaken by
The CJEU's Judgment
In its reference to the CJEU, the
1. What are the required conditions of the right to compensation where there has been a breach of the GDPR?
Perhaps the most significant outcome of the judgment was the CJEU's decision that a mere infringement of the GDPR is not sufficient to establish a right to compensation under Article 82. Instead, three cumulative conditions must be satisfied to confer a right to compensation on a data subject:
- An infringement of the GDPR;
- Damage must have resulted from that infringement; and,
- There must be a causal link between the infringement and the damage suffered.
The above provides long overdue clarification that a claimant must still prove their case and that a breach of the GDPR does not automatically entitle the data subject to a claim for compensation.
2. Is a threshold of seriousness to be reached?
The CJEU held the wording of the GDPR does not stipulate that a right to compensation is limited to claims for non-material damage that exceed a certain threshold of seriousness.
This is a departure from the Advocate General's opinion who was of the view that there must be some threshold of harm above a de minimis level and that it is up to each Member State to determine the threshold of harm to be reached.
It was the CJEU's view that to enforce such a requirement would be contrary to the conception of 'damage', adopted by the EU legislature. The CJEU also referred to Recital 10 of the GDPR which ensures the consistent and homogeneous application of the rules for the protection of fundamental rights and freedoms of natural persons with regard to the processing of personal data across the EU.
3. What are the rules governing the assessment of damages?
Finally, the CJEU noted that the GDPR does not contain any rules governing the assessment of damages and it is for the Member State to prescribe the rules and criteria for determining the extent of compensation payable subject to compliance with the principles of equivalence and effectiveness (that those rules and criteria be applied without distinction as to whether the infringement is EU or national law). The CJEU further noted the contents of Recital 146 of the GDPR which provides that the right to compensation requires that data subjects to receive "full and effective compensation for the damage they have suffered".
What can we take from all of this?
While defendants to these types of claims will have hoped for the CJEU to follow the Advocate General's Opinion and provide that a threshold of sufficient seriousness is required, such a test is nowhere to be found within the wording of the GDPR. The de minimis test, which has been advanced in particular by the
Article 82 of the GDPR, which contains the right to compensation for damage under the GDPR was implemented into Irish law by Section 117 of the Data Protection Act 2018. It provides that data protection actions are to be founded in Tort. There are five broad types of damage available under Tort law in
To establish a claim for non-economic loss, plaintiffs must provide evidence that demonstrates the extent and severity of their injury together with any associated psychological or emotional harm. This evidence can take the form of witness testimony or personal statements. The
What the Supreme Court meant by "transient update or hurt" is that the injury suffered is more than a minor or temporary inconvenience that is quickly resolved and that in order to claim compensation a plaintiff must show that the harm suffered is significant and long-lasting.
The subsequent 2005 Supreme Court decision in Whelan v. South Western Area Health Board3, found a "transient upset or hurt" to be an injury that has little or no effect on the plaintiff's life beyond the moment of its occurrence. The Court noted that the severity and duration of the harm suffered are important factors to be considered when assessment whether an injury is more than a "transient upset or hurt" and it identified other factors like the impact of the injury on the plaintiff's ability to work, socialize, or carry out daily activities, as well as the nature and extent of any associated physical or psychological harm.
The
While the law in this area continues to develop, in general, the basic principle remains, in
It will be interesting to see if the current law in relation to non-economic loss in
A final word
As we approach the fifth anniversary of the implementation of the GDPR, this decision is only the first step on a long road to obtaining clarity on this issue. For example, only days before the CJEU judgment was delivered, the Advocate General Pitruzella published his opinion in a Bulgarian case referred to the CJEU5. The claimant in that case argued that he had suffered non-material damage in the form of distress, worry and fear about the possible misuse of his personal data arising from a cyber-attack and was entitled to claim compensation under Article 82 of the GDPR. The Advocate General opined that where a claim of this nature arises, the data subject must demonstrate "actual and certain emotional damage and not simply trouble or inconvenience" and that a "fear of possible future misuse of personal data may constitute recoverable non-material damage under the GDPR". That opinion looks already to conflict with the CJEU's judgment in the Austrian Post Case.
The CJEU's judgment provides welcomed, albeit limited, clarification on the meaning of non-material damage as it removes the limitations of a threshold having to be reached by the data subject. It also dispels any notion of a strict liability regime under the GDPR. While further guidance is awaited following the many preliminary references to the CJEU by other member states, for the first time since its introduction, national courts can now consider claims for non-material damage for GDPR breaches with a greater deal of understanding.
The authors would like to thank Sadhbh Walsh, for her research and assistance with this article.
Footnotes
1. [2021] EWHC 2809 (QB).
2. [1984] I.R. 493
3. [2005] 2 I.R. 425
4. https://www.irishtimes.com/business/2022/10/26/court-throws-out-data-protection-breach-claims-by-members-against-siptu/
5. Case C-340/21 Natsionalna agentsia za prihodite
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
Mr
Cork
Tel: 214802700
Fax: 214802790
E-mail: linda.kelleher@rdj.ie
URL: www.rdj.ie/
© Mondaq Ltd, 2023 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com, source