Recent CJEU judgements concerning the right to compensation under Art. 82 GDPR – a state of affairs in ten focus points

Blog post written with assistance from Helena Vlegels.

On June 20^th 2024, the Court of Justice of the European Union (CJEU) addressed the right to compensation under Article 82 of the of the General Data Protection Regulation (GDPR) in two new cases. That article provides for a right to compensation for the data subject of material and non-material damage resulting from an infringement of the GDPR. The first case (C-182/22 and C-189/22) concerns the theft of the applicants' personal data, which was stored on a commercial application of the defendant. The second case (C-590/22) deals with the situation where the applicants ‘personal data has been disclosed to third parties without the applicants’ consent due to an error by the defendant.

The new case-law complements previous Court cases on the matter (in particular C-741/21 and C-300/21). In case C-300/21, the Court clarified that for a right to compensation under Article 82(1) GDPR, three conditions must be cumulatively fulfilled. First, there must be a breach of the GDPR’s provisions. Secondly, it is required that the breach actually caused damage (material or immaterial) to the data subject. Finally, it is necessary to prove a causal link between damage and infringement, meaning that it must be proven that without the infringement, the damage would not have occurred (C-300/21: para. 32). Thus, a breach of the GDPR in itself is not sufficient to give rise to a right to compensation. However, according to the Court, the damage (in that case non-material damage) suffered must not reach a certain level of seriousness/severity (C-300/21: para. 51).  Applying a threshold for damage would prejudice the fact that ‘damage’ under the GDPR is to be interpreted broadly (C-300/21: para. 46). Case C-741/21, in turn, clarifies that controllers cannot escape liability by claiming that the damage in question was caused by the failure of a person acting under their authority, within the meaning of Article 29 of the GDPR (C-741/21: para. 54).

In the two new cases, the Court confirms these principles and introduces some further clarifications. In case C-590/22, concerning the unauthorized transfer of data, the Court states that ‘a person’s fear that his or her personal data have, as a result of an infringement of the GDPR, been disclosed to third parties, without it being possible to establish that that was in fact the case, is sufficient to give rise to a right to compensation, provided that that fear, with its negative consequences, is duly proven’ (C-590/22: para. 36). The Court thereby further confirms the principle that any non-material damage (i.e. without any threshold for seriousness) can be taken into account under Article 82 GDPR as long as it is duly proven. This is further emphasized by the statement that non-material damage is not ‘by its nature’, i.e. as a matter of principle, less significant than physical injury (C-182/22 and C-189/22: para. 39). The Court also reiterates that an infringement of the GDPR in itself is not sufficient to give rise to damage (i.e. there is also no presumption of damage). The main topic for damage remains, in accordance with the principles already known, to be able to demonstrate specific harm caused by the infringement.

In both cases, the Court also addressed the question of what function compensation should fulfil under Article 82 GDPR. The question was whether compensation had a compensatory function or a ‘personal satisfaction’  function. A compensatory function implies compensation for all existing and foreseeable consequences of the damage, while a satisfactory function aims to erase the feeling of injustice arising because of the occurrence of the damage and may have, depending on the legal system, a more punitive/penalizing nature, as well as a deterring effect (C-182/22 and C-189/22: para.10 and 14). The Court confirms that Article 82(1) GDPR has exclusively a compensatory function and thus does not have a deterrent or punitive character (C-182/22 and C-189/22: para.23; C-590/22: para.44).

It follows from this compensatory function that the severity and possible intentional nature of the GDPR infringement should not be taken into account for the calculation of the compensation (C-182/22 and C-189/22: para. 29 and 30). Case C-741/21 already indicated that the criteria for administrative fines under Article 83 GDPR cannot be applied for calculating damages under Article 82 GDPR (C-741/21: para. 65). This is reaffirmed in both new cases under review here. The logic behind this is that Article 83 GDPR does in fact have a punitive character, and hence the seriousness of the breach is a relevant element to decide on the amount of the fine and/or what sanctions to impose. Compensation performs a different function, and thus an infringement of the GDPR that is quickly rectified and may not give rise to fines or other sanctions may still have caused a lot of damage, which will have to be fully compensated. Conversely, a flagrant and even deliberate infringement may potentially result in high fines, but the damage to those involved may be limited or non-existent.

Given that damages, including immaterial damages, have are not subject to any threshold of seriousness, the question arises how such damages should be calculated and whether very low amounts may at times be sufficient when the damages are not serious. This is especially important for immaterial damages, including moral damages. After all, material damages are much easier to quantify, e.g. financial damages resulting from identity theft caused by a GDPR breach. As a basic principle, when determining the amount of damages, national courts apply their Member State's domestic rules relating to the extent of financial compensation, provided that the principles of equivalence and effectiveness of EU law are complied with (C-300/21: para. 59). However, the court clarifies that in the event that the damage established is not serious, the person concerned may be awarded minimal compensation, including small amounts of compensation, that are so small that they could be perceived as symbolic. Nonetheless, this does not mean that symbolic compensation is encouraged. The principle remains that the compensation must be able to compensate for the damage in full (C-182/22 and C-189/22: paras 40 and 46). The Court merely acknowledges that these amounts may in practice, under the domestic rules, be very small so that they may seem symbolic.

Finally, the Court also clarifies that the fact that the situation leading to an infringement of the GDPR also constitutes a simultaneous infringement of national legislation, which relates to data protection, but does not seek to clarify the provisions of the GDPR, should also not be taken into account as a relevant factor in determining the amount of the compensation to be awarded (C-590/22: para. 50). With this statement, the Court seeks to clarify that its case-law only clarifies the scope of the right to compensation under Article 82 GDPR, thus logically including national data protection laws further specifying the rules of the GDPR, but excluding other potential national rules, even if they also contain data protection elements or considerations. This must be understood as referring to national (sectoral) legislation in specific countries and sectors that may provide for additional compensation for the data subject for the same facts. Thus, Article 82 GDPR cannot be used to limit compensation under such laws, if any. Likewise, such a breach of national legislation cannot be used as an argument to increase the compensation under Article 82 GDPR. Both cases, where applicable, must be considered separately.

Based on the Court's current case law, we arrive at the following state of affairs regarding the right to compensation under Article 82 GDPR:

1. There are three conditions for a right to compensation:
   a. A processing of personal data in violation of the GDPR;
   b.Concrete damage (material or immaterial) suffered by the data subject;
   c.A causal link between the unlawful processing and the damage;

   Thus, the mere fact that the GDPR was infringed is not sufficient for a right to compensation; the data subject must prove that there is damage and that the damage was caused by the infringement. This principle applies to both material damage and immaterial damage, including moral damages;

2. Article 82 GDPR has an exclusively compensatory function, not a punitive or deterrent function. The only objective is to fully compensate the damage suffered by the data subject;

3. Due to the compensatory function, the seriousness of the breach of the GDPR (and national rules further specifying the rules of the GDPR) or its possible intentional character do not affect the calculation of the compensation and the reasoning of Article 83 GDPR regarding fines and sanctions should not be applied mutatis mutandis to Article 82 GDPR;

4. There is no threshold for seriousness of the damages; in other words, there is no requirement that damages reach a certain degree of severity;

5. There is no hierarchy between different types of damage relating to their compensation. Physical or material damage is not in principle more significant than immaterial, including moral, damage;

6. The fear of harm or negative consequences caused by a breach of the GDPR may in itself be sufficient to give rise to an entitlement to compensation, provided such fear and its negative consequences are duly proven;

7. The principle of full compensation for damages does not mean that compensation must always be substantial, especially as there is no lower limit to the severity of the damage. In particular, immaterial damages can thus be compensated with low compensation in certain cases (including cases where the compensation is so low it may be perceived as symbolic, provided it still compensates the damage in full);

8. Controllers are not exempt from liability if the damage is caused by someone acting under their authority;

9. Compensation for damages under Article 82 GDPR is without prejudice to any additional compensation under national (sectoral) rules, other than the national rules further specifying the provisions of the GDPR, even if those rules relate to data protection as well;

10. To calculate the concrete amount of the compensation, judges must apply their own domestic rules on calculating/quantifying the amount of monetary damages. This is in particular relevant for immaterial, including moral damages. The only requirement is that the application of these rules does not undermine the Union law principles of equivalence and effectiveness (i.e. does not undermine the objective of full compensation for damages).
     

Do you have a question about this blog post or about other elements of the GDPR? Please contact a Timelex lawyer or ask your question via our contact form.