Over the past two years, the Court of Justice of the European Union (CJEU) has significantly clarified the notion of compensation for data subjects under the General Data Protection Regulation (GDPR). In just two years, six decisions were issued in response to preliminary references from various Member States on the interpretation of Article 82 of Regulation 2016/679. One of the most notable decisions was issued in April 2024, where the Court of Justice seems to have re-affirmed previous judgements on the notion of damages for GDPR infringements.
The Case
The case decided in April 2024 dealt with the sending of advertising letters to a practicing self-employed lawyer without his consent. Notwithstanding that the lawyer withdrew consent to receive marketing information from a company operating a legal database, the lawyer continued to receive advertising leaflets.
The major issue: the leaflet contained a ‘trial personal code’ which gave access to an order form for the company’s products, which included information relating to the lawyer. For this reason, the lawyer claimed both material damages, and non-material damage, specifically due to loss of control over his personal data as a direct result of the company’s processing of his personal data.
Among the questions posed in the preliminary reference, the referring court in Germany asked the CJEU whether the concept of ‘non-material damage’ covers an infringement of the GDPR which is aimed at protecting data subjects, irrespective of the other effects and materiality of that infringement. The relevant article of the GDPR, Article 82, specifically provides for a data subject’s right to compensation and liability for material and non-material damages arising from an infringement of the GDPR.
On this specific question, the court held that:
“...an infringement of provisions of that regulation which confer rights on the data subject is not sufficient, in itself, to constitute ‘non-material damage’ within the meaning of that provision, irrespective of the degree of seriousness of the damage suffered by that person.”
Therefore, for an infringement of the GDPR to lead to compensation for data subjects for non-material damage, a more stringent level of evidence is required rather than simply the existence of an ‘infringement’.
Similar Judgements
This case complements and supports previous decisions issued by the CJEU on this subject. In the Austrian Post case , the court established 3 main criteria for an infringement of the GDPR to give rise to compensation. These are: there must have been an actual infringement of the GDPR, actual damage must have been suffered (either material or non-material) and a causal link must be shown between the damage and the infringement.
In cases C-340/21 and C-687/21, the court went a step further and extended the notion of ‘non-material damage’ to a well-founded fear that personal data will be misused at some point in the future. However, it excluded purely hypothetical scenarios. More recently in June of this year, the court was faced with another opportunity to clarify the interpretation of non-material damages. Specifically in the case of identity theft, the court held that it is implied that the identity of a person must actually be misused for a right for compensation to arise, however compensation for non-material damage cannot be limited to instances where identity theft or fraud actually occurred.
The CJEU seems to have interpreted the provisions of the GDPR on compensation in a consistent manner, striking a balance between protection to data subjects and a level of causality between the damaged alleged and that suffered. The concept of non-material damage itself is a tricky concept, however such decisions are essential for clarity under technology-neutral legislation such as the GDPR.
Contact us should you wish to know more about your rights under the GDPR