When the GDPR entered into force, it was unclear how far compensation for non-economic (non-material) loss would reach. We know considerably more now, because a body of case law has built up on the question.
In a fairly recent case, a court in Cologne held that it is not enough to refer to discomfort, anxiety and fear in order to claim compensation under GDPR Article 82. The case concerned data that went astray after a breach at Facebook in 2019. Even though the claimant had in fact lost control of the data once it was published on the dark web, this was not in itself a relevant damage. Referring to a "negative consequence" and an abstract loss of control was not sufficient; the claimant should have pointed to a concrete damage.
At the same time, the court made clear that this does not mean there is a minimum threshold for compensation, only that the damage must at least be capable of being established objectively. On the same reasoning, the court found that the claimant had failed to show what harm he suffered from the spam e-mails and SMS messages he received after the breach, or what time and effort he actually spent dealing with the loss of control over his data.
Here it is useful to look at CJEU case C-300/21 concerning the Austrian postal service (Österreichische Post), decided on 4 May 2023, which the Cologne judgment refers to. Österreichische Post was one of the first cases on this question. The postal service had, using socio-demographic criteria, drawn conclusions about the political affinities of the population. One person complained: he had not consented to this and felt violated, and he argued that the storage of data about his supposed political opinions had caused him great upset, loss of confidence and a sense of exposure.
The case went through several Austrian courts, all of which rejected the compensation claim. In the course of the proceedings an Austrian court referred several questions to the ECJ, which established the following:
For the right to compensation to arise, three cumulative conditions must be met: there must have been a breach of the GDPR, there must be material or non-material damage resulting from that breach, and there must be a causal link between the breach and the damage. A mere breach of a GDPR provision does not in itself give rise to a right to compensation; the claimant must show that he or she has actually suffered damage and that the breach in question caused it.
The ECJ nevertheless held that member states cannot make the right to compensation for non-material damage conditional on the damage reaching a certain threshold of "seriousness". The term "damage" is to be interpreted broadly, and the Court pointed out that a different result would mean that identical claims could have different outcomes in different member states, which would be contrary to the GDPR.
Finally, the ECJ pointed out that the GDPR contains no rules for determining the amount of compensation. National courts in the EU therefore apply national rules when setting the amount, which means that the level of compensation will vary between countries. You can find the judgment discussed here.
What was established in Österreichische Post has in many ways become the standard framework for assessing such claims. Because the claimant must prove actual damage and a causal link to the breach, it remains relatively rare for businesses to face successful compensation claims of this kind.
I will also mention the ECJ's more recent decision of 14 December 2023 (C-340/21), which contains several further clarifications of principle.
After a cyber-attack on the Bulgarian National Revenue Agency, in which personal data was leaked, an affected individual complained and claimed compensation. The person claimed non-material damage in the form of fear that the personal data could be misused in the future, or that she could be blackmailed, assaulted or even kidnapped.
The ECJ held that the mere fact that a breach had occurred did not in itself show that the data controller had failed to implement appropriate technical and organisational measures. The Court noted that the EU legislator intended to "reduce" the risk of personal data breaches, not to require that the risk be eliminated entirely. This is good news for many controllers. The appropriateness of the measures actually implemented must be assessed concretely by the national court, not inferred from the fact that a breach happened.
The ECJ went on to say that a GDPR breach caused by third parties (hackers) does not in itself exempt the data controller from liability. The question is whether the technical and organisational measures in place were appropriate. Note, however, that the burden of proof lies with the data controller, which must be able to document that adequate measures were taken.
Next, the ECJ referred to the above-mentioned C-300/21 (Österreichische Post) and stated that the fear an individual experiences of possible misuse of his or her personal data by third parties can in itself constitute relevant non-material damage. It is for the national court to verify whether that fear can be regarded as well founded in the specific circumstances. If you are to pursue such a case, you should perhaps involve psychological expertise that can speak to whether the fear is real. You can find the judgment discussed here.