Legal Analysis: No non-material damages for GDPR violations?
Legal Analysis: No non-material damages for GDPR violations (C-300/21)?
By Max Schrems | Download the PDF Version of this Legal Analysis
On 6 October 2022, Advocate General (AG) Sánchez-Bordona issued his Opinion on CJEU case C-300/21 (UI v. Österreichische Post AG), the first of several preliminary ruling requests on the topic of damages for GDPR violations pending with the CJEU.
- Reference by the Austrian Supreme Court (in German)
- Final judgment by the Austrian Supreme Court on the other claims (in German)
- Submission by the plaintiff before the CJEU (in German)*
- Opinion by the AG in C-300/21
- noyb Update "Alarming: Court of Justice may severely limit enforcement of European’s privacy rights"
- "Grump GDPR" Podcast with Max Schrems on this Opinion (on transistor.fm)
(A) Facts: plaintiff illegally labeled as likely right-wing-populist supporter
The Austrian Postal Service (Österreichische Post AG) had collected the personal data of millions of Austrians (name, addresses and date of birth) and used an algorithm to calculate (based on statistical data) the affinity to different political parties in order to sell this result to for election advertising.
The plaintiff (an Austrian attorney) learned via an access request that he supposedly had a high affinity for the right-wing Austrian Freedom Party (FPÖ). As the plaintiff had entered his details in a mailing black list (“Robinsonliste”) the Postal Service stated that the plaintiff’s personal data was not sold to anyone.
The plaintiff was not the only one who found this kind of political attribution outrageous. In a variety of similar cases, the Austrian Data Protection Authority and the Supreme Court found the processing of political affiliations to require a legal basis under Article 9 GDPR. As the Postal Service insisted on being allowed to process the data based on legitimate interest under Article 6(1)(f), the authority and the courts had and granted injunctive reliefs. In the plaintiff’s case, the Austrian Supreme Court (OGH) confirmed the injunctive relief. However, the plaintiff, who had never consented to the data processing, had also sought compensation from the Postal Service: He claimed that he was upset, angered and offended by this wrongful political attribution, stated that it was insulting and shameful, as well as extremely damaging to his reputation and requested compensation of € 1.000 in respect of these non-material damage.
The first-instance and second-instance court dismissed the damages claim, arguing that the plaintiff’s discomfort and feelings of unpleasantness were below a certain threshold required to entitle him to compensation. The Austrian Supreme Court (OGH) referred the matter to the CJEU, while finding in favor of the plaintiff on all other claims.
(B) Questions referred: need for a damage, efficiency and adequacy and an additional threshold
The Austrian OGH referred three questions to the CJEU:
- Does the award of compensation under Article 82 GDPR also require, in addition to infringement of provisions of the GDPR, that an applicant must have suffered harm, or is the infringement of provisions of the GDPR in itself sufficient for the award of compensation?
- Does the assessment of the compensation depend on further EU-law requirements in addition to the principles of effectiveness and equivalence?
- Is it compatible with EU law to take the view that the award of compensation for non-material damage presupposes the existence of a consequence of the infringement of at least some weight that goes beyond the upset caused by that infringement?
(C) Advocate General Opinion
1. EU law or National Law?
Before analyzing Article 82 GDPR it seems necessary to first establish if this provision harmonizes the matter of damages or if it leaves this matter, or the details of the matter, to Member State law.
1.1 Reliefs under Article 79 GDPR
While the AG Opinion rightly points out that Article 79 GDPR may allow for other forms of reliefs (such as declaratory relief, nominal damages or claims over unlawful profits) under applicable national law (marginal no. 92), these claims are structurally separate from damages and clearly not regulated by Article 82 GDPR.
Nevertheless, the AG Opinion repeatedly points at any other enforcement option but one the CJEU was asked about – Article 82 GDPR. Especially as a reader from a statutory law country that does not foresee many of these approaches, the ideas in the AG Opinion largely point at non-existent or impossible alternatives. For example, nominal damages are not known in Austria and the possibilities to obtain declaratory relief are usually procedurally limited, to ensure that courts do not get bothered with litigation that has no material purpose.
So instead of pointing at hypothetical options, let us stay with what the referring court was concerned with and the plaintiff in our case has claimed: non-material damages under Article 82 GDPR.
1.2 Is Article 82 GDPR (fully) harmonizing the law or not?
To me one of the core questions in this reference is the issue of harmonization. Is Article 82 GDPR an opening-clause that merely foresees minimum requirements for national law on damages but leaves the details to the national legislator or did it fully harmonize the law on an EU level?
It seems the AG Opinion is taking openly conflicting positions on this core question.
When discussing efficiency and adequacy (see below) the AG Opinion rejects the narrative of the question, highlighting that Article 82 GDPR would harmonize the matter, so the question of efficiency and adequacy of national law would not arise (paragraphs 84 and 85).
At the same time, (marginal nos.111 or 116 clearly say that Member States could have a minimum threshold for claims, which means that there is room for national limitations.
Whatever the correct view may be, the AG Opinion seems to switch between these two options – sometimes even paragraph by paragraph. Overall, it seems that the AG Opinion rather follows the concept of minimal harmonization.
While it seems clear that certain matters (such as procedural elements or the national statute of limitation) are regulated by the Member State, there seems to be no suggestion in Article 82 GDPR and no opening clause in the GDPR that would hint at options for national divergence. In fact, Article 82(2) to (6) GDPR also establish rather detailed tort system, including rules on that were criticized to even conflict with existing national tort law.
In addition to the rather detailed wording, different criteria for the awarding of damages for GDPR violation in different Member States would undermined the intentions of the GDPR as a Regulation and set the ground for forum shopping (as Article 79 GDPR and the Brussels-II-Regulation allow a multitude of possible civil courts with jurisdiction).
While the CJEU will have to make a final determination on the level of harmonization, I would assume for the sake of this article that Article 82 GDPR fully harmonized the rules on damages and that only fringe issues (e.g. the statue of limitations) are left to the Member States.
1.3 Principle of equivalence and effectiveness, if Article 82 GDPR is not fully harmonized (Question 2)
If however you take the view that Article 82 GDPR is in fact not fully harmonizing damages, then there is no way to avoid dealing with the EU law principles of equivalence and effectiveness. This is especially true, if the CJEU provides no detailed guidance on the assessment of non-material damage (as the AG Opinion suggests in marginal no. 116 by stating that this “difficult task falls to the courts of the Member States”).
If Member States make it relatively easy in comparison to enforce one kind of non-material damage (based on national law), but virtually impossible to enforce another (based on EU law), they violate the principles of equivalence and effectiveness.
For example in Austria where this reference originated) the following issues on equivalence and effectiveness would quickly arise if the Austrian OGH can introduce thresholds for non-material damages:
- Other non-material damages (such a broken bones or a slap in the face) do not require a plaintiff to cry in the witness-stand, but the courts developed tables that are based on the suffering of an average person (“objektive Maßfigur”). In addition to making litigation simpler and more predictable, this makes sure that an especially dramatic plaintiff gets the same damages as a tough victim. Similar approaches were reported from other Member States. Not following such an objective approach (as suggested by the AG Opinion) would reduce legal certainty and make the enforcement of GDPR claims harder than claims under national law, hence potentially violating the principle of equivalence.
- At the same time, § 1328a ABGB (Austrian Civil Code) requires a threshold of “considerable” violations of the right to privacy to get non-material damages. This threshold is only known for privacy violations. If this threshold is applied to GDPR claims it would make them less effective than other claims of non-material damages.
While these are just two tiny examples for one Member State, if all 30 EU/EEA Member States are left with determining thresholds and details for how to assess the entitlement to compensation and how to calculate damages under Article 82 GDPR, it seems that traditional EU law principles like equivalence and effectiveness would play an important role to have somewhat consistent case law. Otherwise national statutory and case law could discriminate GDPR claims by e.g. requiring individual (highly) subjective witness testimony, while using an objective calculation in other non-material damages.
It is therefore surprising that the AG Opinion states that “it does not appear that the principle of equivalence plays an important role here” (marginal no. 84) and does not even propose an answer on the second question of the Austrian OGH.
2. Damages without damage? (Question 1)
2.1 The non-question: damages without damage?
Even when the Austrian OGH referred this case to the CJEU, it was unclear how a question about awarding damages without any damage ended up in the reference. The plaintiff even submitted that this question is inadmissible, as he clearly articulated the non-material damages he wanted to be compensated for when the Postal Service wrongfully attributed him to the right-wing FPÖ.
It seems that this question itself is part of a certain “reframing” of the issue on the side of the Austrian OGH – indicating that there is actually no damages in this case. By moving the case away from actual damages (like anger, distress, physical pressure or the feeling of exposure) towards no damages at all, the referring court makes the claims seem extremely unreasonable.
In reality, the first question is a non-question, as the case clearly has a defined set of negative consequences that the plaintiff finds to constitute a non-material damage.
2.2 Opinion escalates question towards “punitive damages”
The AG Opinion takes the question of the Austrian OGH even a massive step further and reframed the question towards a claim for “punitive damages”.
While such ideas do exist in common law jurisdictions, they are seen as unacceptable in continental jurisdictions, such as Austria. Consequently, the plaintiff never asked to order the Postal Service to pay him damages as a punitive measure. I am also not aware of any relevant stakeholder that would call for punitive damages. No legal scholars have seriously read Article 82 GDPR in this way – let alone any judgment that ever awarded punitive damages in the EU.
This does not stop the AG Opinion to fight a non-issue from paragraphs 30 to 55, when in fact two paragraphs would have been sufficient to say that there is no basis for punitive damages in Article 82 GDPR and that Articles 83 and 84 GDPR exclusively regulate sanctions.
3. Presumption of damages and “loss of control”?
In paragraphs 56 to 82 the AG Opinion develops an argument about possible presumption of damages and connects this topic with the concept of “loss of control” in marginal nos. 75 and 85.
While marginal no. 56 of the AG Opinion highlights that the AG is himself not sure if he fully understood what the parties have argued, the following section of the AG Opinion seems hard to follow and mixes two concepts – the burden of proof and the “loss of control” – without any apparent reason.
3.1 Burden of proof
While there is a lively debate about the burden of proof between controllers and data subjects, as for example Article 5(2) or Article 82(3) GDPR provide certain responsibilities of the controller, it seems to me that there is no doubt about the facts in the referred case. It is clear that the Postal Service has generated political information in violation of Article 9 GDPR and the data subject has suffered various negative feelings as result of it.
3.2 Redefined “loss of control” in the mix?
The AG Opinion takes another surprising spin when marginal nos. 56 to 82 try to deal with the concept of “loss of control” (“Kontrollverlust”), as argued in the submission of the plaintiff.
The concept is based on Recital 85 of the GDPR, dealing with data breaches:
“A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data…”
So far, the legal community understood the “loss of control” as the feeling that ones’ personal data is gone and the data subject has the feeling that data is generally “out of control”. This may include situations, like a data breach, where a third party has illegally gained access or cases where the controller has illegally used or distributed personal data. As it is apparent from Recital 85 GDPR, which deals with data breaches under Article 33 and 34 GDPR, such loss of control can happen no matter which legal basis under Article 6(1)(a) to (f) GDPR is used. In other words: data can be lost no matter if the processing was originally based on consent, a legal obligation or a legitimate interest. There is no connection between consent under Article 6(1)(a) GDPR and the loss of control under Article 33 and 34 GDPR.
Nevertheless, the AG Opinion connects the concept (to my knowledge for the first time) with the data subjects’ rights under the GDPR in an attempt to rebut the wording in the GDPR’s Recitals. The AG Opinion basically argues that because a controller may process personal data without the consent of the data subject (marginal no. 64), the plaintiff by definition has no control over his personal data and can therefore not lose it.
The AG Opinion is engaging in further straw man fights, when e.g. highlighting in marginal no. 68 that there is no “automatic equivalence between the processing of personal data for which the data subject’s consent has not been obtained and damages”. Other paragraphs are equally fighting alleged extreme positions, such as that data subjects should have the “greatest control possible” (marginal no. 74). It almost seems like the AG thinks that the referring court or the plaintiff would negate the fact that Articles 6 and 9 GDPR have various legal bases (marginal no. 73) and would argue for automatic damages for non-consensual processing.
After having reviewed the reference and the plaintiff’s submission, there seems to be no basis for such an argument in the underlying case or submissions. Instead it seems that the AG has either substantially misunderstood the reference and the submissions, or is indeed fighting an (incorrect) layman presumption that consent is the only legal basis in the GDPR.
3.3 Connection with the free flow of personal data in the Union?
Marginal nos. 78 to 82 stress that the free flow of personal data are another aim of the GDPR and the GDPR is meant to foster economic growth. While these observations are correct, I fail to see how this has anything to do with the definition of damages in Article 82 GDPR:
The free flow of personal data simply means that there are no digital borders within the EU/EEA, and any national limitations of the free flow of personal data are prohibited under Article 1(3) GDPR. However, this has nothing to do with the case before the CJEU, where a local controller has violated Article 9 GDPR in relation to a local data subject and the question arises how the word “damages” in Article 82 GDPR is to be interpreted.
3.4 Paragraphs 56 to 82: politics may consume legal analysis
Overall, marginal nos. 56 to 82 unfortunately seem to be largely detached from the questions, law and facts. Neither is there any question as to the burden of proof in the reference, as the facts were properly established by the first instance, nor has a “loss of control” anything to do with consent as a legal basis. The free flow of personal data is uncontested and wholly irrelevant in a purely national case.
It is these sections of the AG Opinion, the reader is left with the impression that the AG seems to be more concerned with the GDPR going too far in general, than with the correct interpretation of Article 82 GDPR. Such sections also paint a picture that may explain why other parts of the Opinion are often detached from the questions and facts of the case and seem to be mainly concerned with limiting the GDPR beyond what the text or common forms of legal interpretation would suggest.
4. Defining non-material damage (Question 3)
In daily practice, Question 3 of the reference on the “threshold” for non-material damages seems to be the most relevant.
4.1. No positive definitions in AG Opinion
As far as I can see, the AG Opinion fails to define what a violation of the right to data protection alone could be. The AG Opinion consistently highlights what is not covered by Article 82 GDPR (e.g. punitive damages, merely being upset by the infringement or the loss of control), but there seems to be no mention of what could be a non-material damage.
This is a very common issue in discussions around Article 82 GDPR. Lawyers know damages that can be calculated. There are some traditional non-material damages, like a violation of the right to bodily integrity, but non-material damages for a violation of fundamental right? That is new.
4.2. Violation of other rights necessary?
A common instinct of lawyers is to assume that there must be some traditional non-material damage to trigger Article 82 GDPR – like a psychological damage or distress that amounts to a mental health issue.
However, this would not require a new provision in Article 82 GDPR that regulates damages under Article 8 CFR, nor the deliberate addition of “non-material” damages by the European Parliament during the GDPR negotiations: Under Article 3 CFR and various national provisions, everyone has the right to respect for his or her physical and mental integrity. If only GDPR violations that amount to severe emotional distress or mental ailments and therefore harm a person’s mental integrity entitle to immaterial damages for GDPR violations, there would be no need for Article 82 GDPR. Such a narrow view would make Article 82 GDPR a redundant provision, as these rights are already protected.
There is no basis that would support the view that Article 82 GDPR indeed only restates existing protections. The idea that a data subject would have to show some form of traditionally protected harm, in addition to the violation of the right to data protection, is simply belittling any violation of a fundamental right, with the result that typical violations of such a right will not receive the compensation foreseen by the European legislator.
4.3. Violation of the right to data protection (Article 8 CFR)
The right to protection of personal data is a fundamental right under Article 8 CFR. It protects an (often vague) feeling of not being under surveillance and freedom. Just like a broken bone, it is hard to measure freedom in Euros, but Article 82 GDPR provides for exactly that: a compensation for the harm caused by unlawful processing of personal data.
This is highly novel, as other fundamental rights like the right to assembly, freedom of speech or the right to vote do not typically come with non-material damages, if people’s rights to demonstrate or vote are unlawfully violated. It is understandable that the concept of Article 82 GDPR is therefore a big step for many lawyers that are not regularly dealing with the GDPR. However, it must be highlighted that we already protect very similar feelings, harms and distress in media law, traditional protections of the right to privacy and alike. The concepts from these areas of the law can equally be applied here. Some examples:
- While it is obviously hard to explain what the harm to your right to privacy or data protection exactly is, most people will agree that they would rather have their 500 Euro smartphone stolen than have all their private text messages posted online (assuming that everyone has some confidential messages might harm friendships or careers).
- Equally, many people will agree that being called a “Nazi” in a public space or being put in a marketing list of potential voters of an extremist party they fundamentally disagree with is at least equally disturbing. While calling someone a “Nazi” will usually get you into conflict with libel laws and trigger non-material damages, the AG Opinion however seems to have limited understanding for damages if a person is unlawfully put on a list of voters of a right‑wing populist party with similar historic roots. Given that a list of the Austrian Postal Service even had the appearance of a factual assessment (attributing a high affinity to a ring-wing populist party), I wonder if many people might not even see this as this more harmful.
- Emotional distress can often be even higher if there is no clear consequence yet, but the constant feeling that there could be a consequence. The CJEU has already highlighted this in C-293/12 and C-594/12, marginal nos. 25 and 37 when holding that retention of communication meta data can lead to self-censorship and hence limit of the freedom of speech. The fact that sensitive data is simply “gone” can also lead to anxiety: before your personal text messages from the previous example are posted online, they may well just be shared or lost – without any clarity if and where they will appear. This is what Recital 85 GDPR means with “loss of control”.
- In a similar fashion, people that are incorrectly marked as having bad credit usually find it humiliating when they are denied even the most basic cell phone contract. In a free market society, being on a (usually central) blacklist alienates people from our society. Most people would probably pay a decent amount of money to overcome this embarrassing situation, which even lead to a rise of “credit management” services, for example in the United States.
These examples may be able to show, that while there is a new and novel type of non-material damage under Article 82 GDPR, the typical harms a data subject might suffer from are similar to harms that we accepted as compensable for a long time – or are types of embarrassment or harms we can all relate to.
Every reasonable lawyer will accept that such compensations should be proportionate and will usually not go beyond a couple of hundred Euros. However, assigning (often false) political views to millions of people and selling this data for years, as in the referred case, can hardly be shrugged off as harmless – especially after the experience with Cambridge Analytica.
Damages to the right of data protection also does not mean that there are “automatic” damages (see marginal no. 29), as a data subject may actually not be bothered by some unlawful processing, or may even welcome it. Many technical GDPR violations may also not even concern the data subject. For example, the lack of the appointment of a DPO or incomplete internal paperwork will usually not directly infringe the rights of a data subject. However, if a data subject is understandably outraged about illegal processing of personal data or a data breach that could have been avoided there is usually some form of harm on the side of the data subject.
The CJEU has a complex role in developing the parameters for non-material damages in cases of GDPR violations, always keeping in mind that they are comparable to other material and non-material harms. This will take multiple judgments by the CJEU. At the same time I would argue that the principle decision that the fundamental right to data protection under Article 8 CFR and the GDPR come with the possibility of compensation of non-material damages was taken by the legislator when adding the “material and non-material” element in Article 82(1) GDPR.
4.4. Adding a “threshold” element to Article 82 GDPR?
In essence, the referring court asks for the CJEU to add an additional (unwritten) element to Article 82 GDPR in the case of non-material damages: a “de minimis threshold”.
4.4.1. Wording of Article 82 GDPR
While the AG Opinion engages in a literal interpretation when responding to Questions 1 of the reference, this standard form of legal interpretations is missing in relation to the third question.
In fact, Article 82 has no word that could form the basis such an additional threshold. It is clear that the legislator has chosen not to add such an element. This is also the clear view of two of the key negotiators of the GDPR (see Jan Philipp Albrecht, Das neue Datenschutzrecht der EU, page 121, Paul Nemitz in Ehmann/Selmayr, DSGVO (3. Auflage), Art. 82, Rn 13), who both highlight that the German concept of a “de minimis threshold” has been overruled, which was also pointed out in the submissions of the plaintiff (see 4.1.3 of the submissions).
In addition to the lack of any wording that could be interpreted as a threshold in Article 82 GDPR, the relevant Recital 146 clearly states that “the concept of damage should be broadly interpreted” and that “data subjects should receive full and effective compensation”. The legislator therefore clearly pointed towards a broad interpretation and not the narrowing of the wording. The AG Opinion mentions these recitals, but does not follow their guidance.
In some academic writing Recitals 75 and 85 are cited to argue for a threshold. As the AG Opinion correctly points out in marginal nos. 98 and 99, these Recitals concern other elements of the GDPR and do not provide a basis to limit Article 82 GDPR.
4.4.2. Thresholds in other EU laws
While Article 82 GDPR and the relevant Recital 146 do not have any indication that there should be threshold, similar laws provide for such wording. For example, Recital 34 of the Package Travel Directive (EU) 2015/230 foresee non-material damages only for “substantial” problems. The courts have so far accepted even non-functioning air-conditioning or the lack of sand on a beach as a “substantial” non-material damages. It is hard so see how most major GDPR violations would be less “substantial” than non-functioning air-condition.
Instead of drawing the conclusion that there are clear thresholds in other EU laws and the lack of such wording in the GDPR would indicate that such a threshold is not foreseen, the AG Opinion points at Regulation (EC) No 261/2004, which provides for lump-sum damages for delayed flights and draws the conclusion that the legislator did not want “automatic compensations” as such provisions are missing in the GDPR (see marginal no. 60).
I doubt that moving to (questionable) lump-sum statutory damages should be the only way that the European legislator can ensure that minor or average non-material damages are actually enforced, but it seems that the AG Opinion would require such provisions in the future.
4.4.3. Source of the “threshold”: Austria and Germany?
When arguing that such a threshold should be implemented, paragraph 111 of the AG Opinion refers to Italian, German and Austrian case law in footnote 82 - not the GDPR, EU case law or other EU principles.
While I was not able to research the cited Italian case, the irony of at least the German and Austrian judgments is, that these cases rely on pre-GDPR national law views. In Germany there was a “threshold” based on the right to privacy in the German constitution (“Allgemeines Persönlichkeitsrecht” or “APR”). In Austria there is an explicit threshold in § 1328a ABGB for a violation of the right to privacy under nation law. The national courts followed this tradition, ignoring the supremacy of Article 82 GDPR.
The interplay between the national courts and the AG Opinion therefore creates a full circle, when Courts in Austria and Germany ask if EU law is to be interpreted in the same manner they so far interpreted nation law and the AG response that there should be a threshold under EU law, because these courts previously had such a threshold in their national law.
This approach seems to be at odds with an independent interpretation of EU law.
In reality the situation is even more complex, as even the German and Austrian courts do hot have a uniform position (see e.g. Labour Court of Düsseldorf, 9 Ca 6557/18 or Austrian Supreme Court 6 Ob 56/21k). It is surprising that the AG Opinion does not reflect this conflict in national case law, but rather pretends that there is a uniform tradition in the Member States.
4.4.4. Member States’ courts are defining the “threshold”?
Even if such a “de minimis threshold” actually had a basis in law, there would be the need to define this threshold. While marginal no. 116 of the AG Opinion accepts that there is a fine line between “mere upset” and a genuine non-material damage, this determination is left entirely to the Member States’ courts - without any guidance that would allow for even the slightest harmonization.
The AG Opinion does not even take a clear position on the facts of the referred case and if this case meets the alleged “de minimis threshold”. At least the facts seems to go beyond a “mere upset”, but the AG Opinion highlights in footnote 86, that “by setting out these considerations [the AG] is not prejudging whether in this case [the plaintiff’s] situation came under one category or the other”. The AG Opinion seems to see the referred case as being too close to the “fine line” to make a determination – showing how the “de minimis threshold” element would not lead to clear decisions, but would instead fuel more legal uncertainty, as another element would be debated in courts throughout the Union.
This approach would allow judges throughout the EU/EEA to take their own views as to such a threshold and where it should be set, leaving data subjects and controllers in the dark about the correct interpretation of claims under Article 82 GDPR. In reality, many judges will find it very easy to simply dismiss such cases.
4.4.5. Small claims are usually not enforced
Proper determination of factors for damage calculation under Question 2, would also mean that smaller or average violations would see rather low amounts of compensation, which should overcome any worries that too many cases are brought.
For example, a short delay in answering an access request may be seen as a tiny damage, leading to a couple of Euros in damages. However, structurally not providing answers for years, where the relevant personal data is often deleted or overwritten by now may lead to a couple of hundred Euros, as there seems to be no option for factual relief.
The AG seems to recognize in marginal no. 114 that minor violations are hardly enforced, when he says that such litigation is “not efficient”, but instead of concluding that small claims are not a realistic issue, it seems that the AG is turning this fact against granting such rights at all.
In this respect, the AG Opinion also seems inconsistent insofar as the lack of efficient enforcement is used as an argument against smaller non-material damages, but at the same time points at even more trivial claims (such as declarations, nominal damages and alike) as an alternative.
There is also no “de minimis” rule for material damages. Plaintiffs can also bring a claim over a single stolen Euro. There is no indication in Article 82 GDPR that would differentiate between smaller non-material and smaller material damages.
The AG Opinion’s approach also seems to be at odds with EU law efforts to improve access to justice for small claims, when it passed laws to overcome such barriers, like the Regulation for a European Small Claims Procedure (Regulation (EC) 861/2007) or the recent passing of the Representative Actions Directive (Directive (EU) 2020/1828).
As with any other claims, plaintiffs hardly litigate non-payment of minor amounts or minimal violations, as costs and efforts of bringing claims are simply not worth it (more on that in point 4.5.). This is however not a reason to invent additional material law barriers for bringing a case, the existing procedural barriers are usually already hard to overcome.
4.4.6. Summary on the “threshold”
The AG Opinion clarifies that the wording of the provision and the relevant Recital do not foresee a threshold, but marginal nos. 108 to 115 still get to the opposite conclusion even if they fail to identify any sound legal basis for Member States’ courts to add a “ de minimis threshold” element to Article 82(1) GDPR.
In addition to other legal uncertainties, any future plaintiff would have to worry if his or her GDPR claim would be seen as “substantial” enough by a judge to grant any compensation, as the AG Opinion does not even take a position on the referred case.
Overall, it seems that the German and Austrian courts may be successful in introducing old German limitations of data protection rights back into the CJEU case law, even if they were meant to be overridden by the European legislator.
4.5. Hints at alternatives to damages
The AG Opinion heavily relies on the idea that there are many other paths for a data subject, which should be chosen instead of claiming compensation for non-material damages.
As a general observation, it must be highlighted that a data subject generally has the right to choose the legal claim(s) that he or she finds most rewarding or promising. There is no “hierarchy” between a complaint in Article 77 and a civil litigation under Article 79 GDPR. Equally, Article 79 GDPR allows for any form of civil law claim. Depending on the case, there may be a good reason to for example ask for injunctions against future unlawful processing and for compensation for past violations. It is for a plaintiff to choose, which claims he or she thinks will remedy the situation the best.
While the AG Opinion points at many alternatives, they may often not be able to substitute non‑material damages. For example:
- Many data protection authorities (DPAs) have already declared that data subjects do not have a subjective right to have their fundamental right to data protection enforced via DPAs (such as the French CNIL or the Swedish IMY). Other DPAs simply “close” most cases without any enforcement steps (such as the Irish DPC) or fail to issue decisions on GDPR complaints within a reasonable time (such as the Austrian DSB, taking years instead of the statutory limit of six months). In many cases, DPAs have even suggested that data subjects should go to the civil courts, if they want their rights under the GDPR enforced. It is therefore detached from reality, when the AG Opinion claims that civil enforcement may “deprive” DPAs from more complaints and the relevant information (marginal no. 50). Compared to the reality on the ground such statements read simply cynical.
- When the AG Opinion suggests that civil courts should only “recognize” violations to provide “moral satisfaction” (marginal no. 89), the reader is left wondering if any “recognition” at this price tag would lead to any satisfaction, or rather just (financially) victimize a data subject a second time. One has to bear in mind that civil litigation comes with a significant cost risk. Even if such a recognition would be legally possible (e.g. in Austria declaratory relief is procedurally limited), it would likely leave many judges ask themselves why they should engage in a highly complex GDPR case just to issue a judgment that “recognizes” a violation.
- Equally, injunctions often have limited use, especially when it comes to past violations. In the present case, the Postal Service cannot “un-process” the political affiliation of the plaintiff for the past years. Often personal data can also not be recalled once it was published or sold, nor can the consequences of a data breach simply be undone. Equally, if a controller does not comply with the right to access within the set deadline, it seems impossible to retroactively get a copy of personal data that may not even exist anymore once a civil court has heard and decided a case.
- While the mention of unlawful profits is interesting, the reality is that these profits are often very hard to calculate and are also hardly worth any litigation – much less than even the most minimal non-material damages.
- I was also surprised to see that the AG emphasizes that the possibility of representation by NGOs under Article 80 GDPR makes the protection of general interests more easily available to individuals and uses this as an argument against non-material damages (marginal no. 41). In fact, noyb is the only NGO in Europe specialized in GDPR litigation under Article 80 GDPR and our annual budget would at best allow to bring five to ten civil cases per year – for the entire European Economic Area.
In summary, these hints and ideas in the AG Opinion are partly interesting, but largely do not present a relevant alternative. The GDPR also explicitly allows for parallel enforcement via the DPAs or the civil court system. It is a shame that DPAs and civil courts regularly point at each other when data subjects seek redress. In practice, it is obvious that GDPR claims are too often greeted with a “not on my desk”-response. We clearly do not have the problem of too many effective instruments to enforce the GDPR, but we actually have no efficient path right now.
Even if the enforcement alternatives mentioned by the AG would actually work smoothly in practice (which they do not) they could clearly not replace the need for compensation under Article 82 GDPR.
4.6. Is the EU following the US rejection model?
For anyone in the privacy community the approach by the AG Opinion reminds of the approach now dominant in US courts. Because US courts usually see no “harm” in any privacy violation, most cases are rejected at the outset, even if the law has been violated.
Courts have a strong incentive to follow such case law and expand it further and further, as it allows judges to reject complicated and often rather political cases with little effort.This dynamic lead to privacy laws being almost not enforceable in civil courts, as even most aggressive violations do not lead to any “harm” in the eyes of US judges.
4.7. Criteria for assessing non-material damages
The AG Opinion also failed to answer the question on further EU-law requirements for the assessment of the compensation. If the AG Opinion had truly dealt with the second question, it would have suggested possible objective criteria under the GDPR for the assessment of the compensation, which could be used by the national courts to determine if the data subject suffered an actual non-material damage and also to determine the amount of eligible damages. In my opinion, such criteria could contain:
- The kind of unlawful processing or other conduct that lead to a violation (e.g. tracking, profiling, disclosure to third parties, transfer to third countries, data breaches, ignored requests under Chapter III GDPR)
- The purpose of processing (Was the purpose also in the data subject’s interest? Was the processing mainly for commercial gain? Was there bad faith?)
- The category of processed data (A GDPR violation with regard to data under Article 9 or 10 GDPR usually weighs heavier than a violation concerning “non-sensitive” data. In the case at hand, the attributed political affinity was considered data under Article 9 GDPR, something the AG failed to note)
- The scope and time of the violation (A a reply to an data subjected request two days after the end of the deadline under Article 12(1) GDPR might not entitle the data subject to damages, a delay of two weeks or months might)
Such criteria would help the national courts to establish reasonable and harmonious case law. In reality, this will (as with other law) take some years and more case law to get towards a consistent system for damages, just like compensation in other areas.
Crucially, comparatively insignificant non-material damages would only entitle to low compensation. This is important to stress, as there seems to be a fear that awarding damages for non-material damages would lead to data subjects filing lawsuits on miniscule GDPR violations. Experience on the ground shows that this fear is entirely unfounded. The high costs of civil litigation usually prevents victims from bringing anything but severe cases to courts. In reality, people do not bring 50 Euro claims, no matter the area of the law.
4.8. Summary on the non-material damages
In summary, the AG Opinion does not provide answers on the interpretation of Article 82 GDPR. The Opinion explicitly does not even take a final view if the plaintiff in the case before the CJEU is entitled to non-material damages.
The AG Opinion does not only miss the opportunity to provide some guidance on Article 82 GDPR under the second question of the referring court, but instead even rejects the idea that the EU principles of efficiency and equivalence would play a role if Member States can further define non-material damages under the GDPR.
It is especially problematic that the German concept of a “de minimis threshold” is potentially introduced under Article 82 GDPR, even when the law does not provide for such a threshold.
(D) Personal comment
While CJEU judgments on the GDPR have so far followed a stringent line of principles, arguments and lines of interpretation, the AG Opinion in C-300/21 seems to largely depart from an academic or purely legal interpretation of the GDPR.
Since the GDPR came into force in 2018, we see many court decisions that try to “tame” the GDPR. This trend seems to be hardly based on actual strict enforcement, errors by the legislator or overreaching provisions – but by widespread public outcries by the industry and commercial practices (such as deliberately confusing and frustration “cookie banners”) that generated a problematic perception of the GDPR in the public. When reading certain sections of the AG Opinion, it is hard to ignore that the constant industry message of the GDPR “going too far” was unfortunately working for the outcome in this Opinion.
This PR effort must be contrasted with the fact that the European Parliament has passed the GDPR with 621 votes in favor, 22 abstentions and 10 votes against this pillar of EU privacy rights. Equally only one Member State has voted against the GDPR – as Austria found the level of protection lower than the previous national law. One of the main promises at the time was enhanced enforcement.
We can now only hope that the judges at the CJEU focus their final judgement in C-300/21 to what the referring court has asked, what the underlying case is actually about and what the legislator has written in Article 82 GDPR. If only the established legal forms of interpretations are consistently applied, we can hope for a judgment that clarifies the application of Article 82 GDPR, instead of trying to rewrite it.
* The submissions were provided by the plaintiff, as noyb has supported the plaintiff during the CJEU submissions on a pro-bono basis. The submissions of other parties may not be shared according to the rules of procedure of the CJEU.