The European Court of Justice issued a ruling clarifying that a ‘mere infringement’ of the European data protection rules is not enough to claim compensation, but came short of defining the threshold of what compensation should be given, and when.

The ruling of Thursday (4 May) looked into the conditions under which damage caused by an infringement of the General Data Protection Regulation (GDPR) could be deemed serious enough that a claimant would expect compensation.

The case was raised by a claimant whose data had been processed by the Österreichische Post – the Austrian Postal Service – to determine political affinity for the purposes of targeted political advertising by mail. The processing was done without his consent and suggested that he had “a high degree of affinity” with Austria’s extreme right FPÖ party.

This caused the claimant “great upset”, who sought reparations for ‘non-material damage’ under the GDPR’s liability regime. The Austrian Supreme Court raised doubts about the extent of compensation rights for material and non-material damages and asked the European Court of Justice (ECJ) to rule on the matter.

Whether a natural person subject to GDPR infringement that caused non-material damage can claim compensation has been subject to heated debate – in comparable cases across member states, national courts have ruled differently on the matter.

Three necessary conditions

In a much-awaited decision, the ECJ ruled that “not every infringement of the GDPR gives rise, in itself, to a right of compensation”.

Instead, the Court pointed to three necessary conditions a claimant ought to meet to be conferred rights to compensation: that there was an infringement of GDPR, that the infringement resulted in material or non-material damages, and that a causal link can be established between the infringement and the subsequent damage.

“The CJEU [ECJ] is now saying: Without damage, no damage compensation,” Simon Assion, a lawyer and partner at the firm Bird & Bird, said on Twitter.

As such, the onus turns to defining what the non-material damage amounts to.

‘Threshold of seriousness’ done away with

In trying to determine non-material damage, the ECJ chose not to follow the Advocate General’s opinion, published in October last year, which called for a ‘threshold of seriousness’ above which non-material damages could be conferred compensation.

The opinion had raised concerns at the time that a non-material damage threshold, such as stress or mental health deterioration, could be particularly complex to determine in practice and so may infringe claimants’ rights under GDPR.

Some non-material harm would have been deemed “genuine”, while others would have been dismissed on some arbitrary grounds, Ursula Pachl, Deputy Director General at the European Consumer Organisation, told EURACTIV.

Instead, the Court ruled that the right to compensation is not limited to non-material damage that reaches a certain threshold of seriousness.

It further warned that any threshold would, in practice, have been liable to “fluctuate according to the assessment of the courts seized”.

“This means that consumers seeking compensation for GDPR breaches can do so without proving that a specific threshold for the ‘seriousness’ of the harm is met,” Pachl added.

Back to national courts

When it comes to determining the rules governing the assessment of the damages, the Court established that it would be down to each national court “to prescribe the detailed rules” that determine the extent of the compensation, assuming the three necessary conditions are met.

This makes for an “extremely prudent” decision, Gianclaudio Malgieri, a scholar at Leiden University and co-director of the Brussels Privacy Hub, told EURACTIV.

More cases are likely to reach the ECJ then, he said, due to the sheer complexity of defining what non-material damage amounts to.

“How should we quantify an emotional distress resulting from the breach of a fundamental right?” Malgieri questioned, suggesting referring to ‘population surveys’ to get a better sense of citizens’ comprehension of emotional distress.

In other words, this decision frustrates lawyers who are sent back to their starting point.

For Assion, the “elephant in the room” of this ruling is the potential of scaling up compensation for damages to a mass level through class actions.

“Take, for example, a social network or large telecom service provider with a multi-million customer base. If each customer has a damage of 10 euros, then the compensation can reach large quantities.”

According to Robert Bateman, a data protection expert, the ruling might lead to so-called ‘forum-shopping’, where companies choose the jurisdiction they get established in on grounds of how stringent national courts are in assessing non-material damages.