This ruling was particularly anticipated as it is the first time that the CJEU issued a ruling addressing the question of non-material damages under Article 82 of the General Data Protection Regulation (the “GDPR”), potentially impacting other proceedings that are ongoing before the CJEU and within Member States.
Since 2017, the Österreichische Post (the “Austrian Post”) collected information on the political affinities of the Austrian population and through the use of an algorithm that takes into account various social and demographic criteria, it defined “target group addresses”. The data generated were sold by the Austrian Post to various organizations to enable them to send targeted advertising.
An aggrieved data subject instituted court proceedings in Austria, seeking €1,000 in compensation for non-material damages as he claimed that he felt great upset, a loss of confidence and a feeling of exposure due to the fact that a particular affinity had been established between him and the party in question due to the claimed unconsented and unlawful processing.
Once the case reached the Austrian Supreme Court, it expressed doubts about the correct legal interpretation of the right to compensation established under the GDPR and made a preliminary reference to the CJEU for clarifying the respective interpretation, referring three questions:
On this first point, the CJEU ruled that the right to compensation under GDPR is subject to three cumulative conditions: (i) infringement of the GDPR, (ii) material or non-material damages resulting from the GDPR’s infringement, (iii) a causal link between the damage and the respective infringement.
Thus, not every GDPR infringement gives rise to, by itself, a right to compensation.
Furthermore, an infringement of the GDPR does not necessarily result in damage, and there must be a causal link between the infringement and the damage suffered in order to establish a right to compensation.
The CJEU ruled that the right to compensation is not limited to non-material damage that necessarily reaches a certain degree of seriousness under the GDPR.
The GDPR does not have such requirement and such requirement would be contrary to the broad concept of “damage” adopted by the EU legislature in the GDPR.
On this last question, the CJEU ruled that the GDPR is absent of rules that set out the assessment of damages and it is thus a matter for the legal system of each Member State to prescribe detailed rules for actions intended to safeguard GDPR rights and the criteria for determining the extent of compensation payable in that context, provided the principles of equivalence and effectiveness are complied with. In this regard, the CJEU noted the compensatory function established under the GDPR and noted that the GDPR seeks to ensure full and effective compensation for damages suffered.
For more information and assistance on Data Protection & Privacy Law, kindly contact Dr Ian Gauci and Dr Terence Cassar.