Mere upset isn’t enough: data breaches don't always lead to compensation

Since the introduction of the General Data Protection Regulation (“GDPR”) in May 2018, it has been unclear what constitutes enough harm to give rise to compensation for those that have suffered damage due to breach. The Austrian case UI v Österreichische Post AG has provided welcome clarification.

Facts of the case

The Austrian Postal Service (Österreichische Post AG) processed the personal data (names, addresses and dates of birth) of Austrians then used an algorithm to predict individuals’ likely political persuasion and allocate them to possible target groups for the purpose of electoral advertising.

The applicant (UI) was angered to learn this process had affiliated him to an Austrian far-right political party. He hadn’t consented to this processing and felt the political attribution was insulting, shameful and damaging to his reputation. UI sought compensation from the Postal Service of €1,000. The claim was based on non-material damage.

GDPR and compensation

Article 82 (1) of the GDPR allows any person who has suffered material or non-material damage from an infringement of the regulations to receive compensation from the data controller or processor. Under Recital 146 the concept of damage should be broadly interpreted, and data subjects should receive full and effective compensation for damage suffered.

Not many cases have been brought on harm suffered through the processing of personal data since the introduction of the GDPR. So it was unclear whether damages could be awarded for feelings of discomfort or unpleasantness arising from a data processing breach.

In the Österreichische case the Court of Justice of the European Union (CJEU) was asked to consider:

  • Whether an award of compensation under Article 82 requires that an applicant must have suffered harm in addition to infringement of GDPR provisions
  • If an award of compensation for non-material damage presupposes a consequence of the infringement of at least some weight that goes beyond the upset caused

Five take-aways from the AG’s opinion

These are five key take aways from Advocate General (AG) Campos Sánchez-Bordona’s opinion in this case.

A mere breach of the GDPR isn’t sufficient to merit an award of compensation: A technical infringement of the GDPR isn’t enough to justify an award of damages. Any technical breach must be accompanied by evidence that material and/or non-material damage has been suffered because of that breach to give rise to an award of compensation.

There’s no automatic right of compensation: There are no provisions under the GDPR that would automatically trigger compensation if infringed. This means that harm can’t be inferred from any infringement without (a) the claimant evidencing damage/harm and (b) the defendant trying to demonstrate otherwise.

There’s no basis for punitive damages: Article 82 creates no basis for punitive damages. Articles 83 and 84 already allow, by way of criminal penalties and administrative fines, punitive action by the relevant supervisory authority.

Article 82 shouldn’t be used as an instrument to compensate mere annoyance or upset: there is difficulty in accepting that damages can be awarded for mere inconvenience as there is an imbalance between a claim of this nature’s monetary value and the cost of bringing the claim.

Quantifying non-material damage should be left to the courts of each Member State: the AG recognised “there is a fine line between mere upset (which is not eligible for compensation) and genuine non-material damage (which is eligible for compensation)”. The difficult task of distinguishing between the two should be left to the courts of the Member States. They need to consider the facts of each case and the “perception prevailing in society at a given time regarding the permissible degree of tolerance” to the effects of an infringement under the GDPR.

How this might impact you

Although the CJEU isn’t bound by AG opinions, it does tend to follow them. So this case will impact subsequent rulings on damages under the GDPR and UK courts may have regard to such cases.

The AG was reluctant to provide tangible guidance on the threshold for non-material damage and how to calculate the amount of compensation. However, there is an indisputable requirement that data subjects must suffer damage because of an infringement of the GDPR and that damage must be more than mere upset.

While this may be the case, you should continue to be wary of the risk of a damages claim if you haven’t got consent for the data processing you are undertaking, not least because of the legal costs involved in defending a claim. Of course, costs and damages aren’t the only concern, you should also be mindful of reputational damage suffered via infringement of the GDPR.

UI v Österreichische Post AG

Our content explained

Every piece of content we create is correct on the date it’s published but please don’t rely on it as legal advice. If you’d like to speak to us about your own legal requirements, please contact one of our expert lawyers.

Mills & Reeve Sites navigation
A tabbed collection of Mills & Reeve sites.
Sites
My Mills & Reeve navigation
Subscribe to, or manage your My Mills & Reeve account.
My M&R

Visitors

Register for My M&R to stay up-to-date with legal news and events, create brochures and bookmark pages.

Existing clients

Log in to your client extranet for free matter information, know-how and documents.

Staff

Mills & Reeve system for employees.