In May, the European Court of Justice stated in case no. C-300/21 that not every breach of the GDPR triggers the right to compensation under Article 82 of the regulation. The case involved an Austrian citizen who sued the national postal service because it had predicted citizens' political views based on sociodemographic criteria without their knowledge or consent.
The European Court of Justice wrote that three conditions must be met to claim compensation under the regulation: 1) The processing of personal data must constitute a breach of the provisions of the GDPR, 2) The individual claiming compensation must have suffered damage, 3) There must be a causal link between the unlawful processing of information and the damage that has occurred.
Although it is required that the individual has suffered damage, the Court stated that it is not required that the damage meets a certain level of seriousness. This must be seen in light of the fact that it is important to have a broad concept of damage to ensure that the GDPR gives the individual the best protection possible. However, a far-reaching concept of damage may pose a major risk to businesses that risk being sued due to trivial damage suffered by the individual, for example if a breach of the GDPR has only resulted in the individual feeling upset and angry. In turn, this will also impose a heavy burden on the judicial system.
The GDPR contains no provisions providing guidelines for assessing the scope of the compensation that the injured individual is entitled to. In the absence of such provisions, the member states themselves must formulate rules on this. However, the European Court of Justice points out that the member states' provisions must take into account the GDPR's principles of equal treatment and efficiency.
However, such a solution could lead to different interpretations of the concept of compensation in the various EU countries, which in turn could result in the compensation amount being different depending on which EU country you live in. This can of course be unfortunate from an overall perspective. We will probably see many more such cases in the future. Techcrunch has a good article on the matter here: https://techcrunch.com/2023/05/04/cjeu-gdpr-damages-access-rights/