CJEU: A mere breach of the GDPR does not justify a claim for damages

A claim for damages, however, is not dependent on the non-material damage incurred reaching a certain materiality

The Court of the European Union (CJEU) has handed down the first decision on GDPR-damages (C-300/21). In this precedent-setting case, in which WOLF THEISS represented the respondent, the CJEU ruled on three central questions of interpretation regarding non-material damages for data protection violations under Art 82 GDPR.

The Austrian Supreme Court asked whether a violation of the GDPR in itself constitutes damage and whether the application of a “materiality threshold”, according to which mere feelings of displeasure would not qualify as compensable damage, complies with the GDPR. The CJEU now clarified that

• The mere breach of the GDPR does not give rise to a claim for damages.
• A claim for damages does not depend on the non-material damage incurred reaching a certain materiality.
• The determination of the criteria for defining the extent of the damages owed under Art 82 GDPR is a matter for the law of the individual Member State, whereby the principles of equivalence and effectiveness must be observed.

The most controversial aspect is certainly that of the materiality threshold: The CJEU states that the term “damage” and, in the present case, specifically the term “non-material damage” within the meaning of Art 82 GDPR must be given an autonomous and uniform definition under EU law, in view of the absence of any reference to the national law of the Member States. A materiality threshold of any kind was not mentioned therein. Moreover, legislators had a broad understanding of the term “damage” in mind, which would be undermined if this term were limited to damage with a certain materiality. Thereby, the CJEU clearly considers that the coherence of damages in the Union should not be undermined by different approaches to materiality by national courts. However, the CJEU also went on to say that this interpretation does not mean that a person affected by a breach of the GDPR, who has suffered negative consequences as a result, would be exempt from proving that those consequences constitute non-material damage within the meaning of Art 82 GDPR. The CJEU therefore distinguishes between (i) the infringement as such, (ii) the resulting adverse consequences for data subjects and (iii) (compensable) non-material damage, i.e. still not all adverse consequences of a GDPR violation are automatically non-material damage. And: the CJEU makes no statement that, as is often argued, the “loss of control” over data per se would already constitute damage.

This in our view means that data subjects must prove that they have suffered real and indisputable emotional harm as individuals. This must be examined by the national court in each particular case.

When determining the amount of damages, the national provisions of the individual Member States must be applied in compliance with the EU law principles of equivalence and effectiveness. As already stated in the Advocate General’s Opinion, in view of the compensatory function of the right to damages, financial compensation based on that provision is to be regarded as ‘full and effective’ if it makes it possible to compensate the injured party in full for the actual damage suffered as a result of the infringement of that regulation. Said full compensation does not require the imposition of punitive damages, according to the CJEU, which thereby also rejects punitive damages or a “deterrent effect” of damages as partly argued.

This first ruling on GDPR damages will have a significant impact and a harmonising effect on the sometimes widely divergent case law in the member states. Further preliminary rulings are in the CJEU pipeline and we will report on them accordingly (e.g. C-340/21 on non-material damages in the context of a data breach).