CKT

Compensation for a ‘mere breach’ of Data Protection Rights rejected.

The recent opinion of the Advocate General (AG) Campos Sánchez-Bordona in the case of UI v Österreichische Post AG provides a long-desired indication of the possible approach the Court of Justice of the European Union (CJEU) may adopt to the interpretation of a data subject’s right to recover compensation for ‘non-material damage’ under   Article 82(1) of Regulation (EU) 2016/679 (GDPR).

This article written by Yvonne Joyce, Partner, CKT and Tiana O’Brien, Intern, CKT gives an overview of the case and its findings.

Background

From 2017 onwards, Österreichische Post AG (The Austrian Postal Service) used an algorithm to define “target group addresses” for election advertising for various political parties according to socio-demographic features.  This data was not transferred to third parties.

This processing, which was without consent classified UI as having a high affinity with one of the political parties and he then sought to claim €1,000 in compensation for non-material damage (‘inner discomfort’) alleging that the political party attributed to him was insulting, as well as extremely damaging to his reputation and had caused him great upset.  His claim was denied in the Court of First Instance and Appellate Court in Austria.

The case then came before the Supreme Court of Austria who referred 3 questions to the CJEU for a preliminary ruling which included, whether “a mere breach” of GDPR allows a data subject to seek an award of damages and whether to be eligible for non-material damages there is a requirement that the legal infringement goes beyond the annoyance caused by the infringement.

The AG Opinion

AG Sánchez-Bordona delivered a non-binding Opinion on 03 October 2022.

The AG rejected the suggestion that an infringement of a data subject’s rights automatically gives rise to a right to compensation, regardless of whether harm occurred.  He opined that the wording of Article 82 unequivocally requires that the person concerned ‘suffered’ damage ‘as a result’ of the infringement.

Compensation is intended to redress the adverse consequences caused by the data breach.  GDPR does not allow for punitive damages, with the AG commenting that if this was not the case “in practice, the opportunity to obtain a “punitive” profit…. could lead data subjects to prefer that remedy” rather than avail of other statutory remedies such as making a complaint to the relevant authority (for example, in Ireland, the Data Protection Commission).

The AG also opined that Article 82 does not provide an irrebuttable presumption of ‘damage’ once an infringement is found as the mere loss of control over data does not necessarily result in the data subject suffering damage. Non-material damage must reach a certain threshold of seriousness to give rise to compensation.   Any breach of a GDPR provision leads to some negative reaction on the part of the data subject.

The AG did acknowledge however, that there is a “fine line between mere upset (which is not eligible for compensation) and genuine non-material damage (which is… “… and this difficult task falls to the courts of the Member States to rule on.”).

Conclusion

The AG stressed that the aim of the GDPR is not to limit the processing of personal data, but rather to legitimise it under strict conditions. This non-binding Opinion provides possible insight into how the CJEU will interpret “non-material” damage.  If this Opinion is followed, while it will provide welcome clarity on the concept of “non-material damage”, it appears that it will still leave room for debate as to when this threshold will be met.

If you have a query in relation to this article, please contact our GDPR team.