The General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 [the GDPR]) provides both for public enforcement by data protection authorities and for private enforcement by any person who has suffered damage as a result of an infringement of the Regulation (on this inter-connection, see Johanna Chamberlain & Jane Reichel “The Relationship Between Damages and Administrative Fines in the EU General Data Protection Regulation” 89 Mississippi Law Journal (forthcoming 2020; SSRN)). As to private enforcement by means of damages claims, Article 82(1) GDPR provides that “[a]ny person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered”. CMS legal are tracking fines levied by data protection authorities in the EU – they record that, so far, 186 fines have been levied, for a total of almost €460m (the EDPB gives different numbers (pdf, pp33-34), discussed here). However, there is as yet no equivalent tracker for compensation claims, in part because there have been very few. So far as I can find, there have been eight judgments considering substantive claims for damages pursuant to Article 82 (though there have been other cases in which such compensation was claimed but the substantive issue was not reached). Of those, four were successful; but it is reported today that one of those cases has been reversed on appeal. In chronological order, the eight cases are:
-
7 November 2018 (Amtsgericht Diez, 07-11-2018, 8 C 130/18) (machine translation here via nyob‘s GDPRhub) the plaintiff sought damages for the receipt of a spam email, but the Local Court of Diez in Germany held that there would be no claim pursuant to Article 82 where there is merely an infringement of the GDPR without causing any damage;
11 March 2019 (Amtsgericht Bochum, 11-03-2019, 65 C 485/18) the Local Court of Bochum in Germany held that a misdirected email, of itself, is unlikely to count as damage for the purposes of Article 82;
28 May 2019 (Rechtbank Overijssel; 28-05-2019; AK_18_2047) the Administrative District Court of Overijssel in the Netherlands awarded damages of €500 to a plaintiff whose FOI request was shared with other public authorities as a best practice, without anonymizing the documents. The Court used Article 82 GDPR in conjunction with Article 6:106 of the Dutch Civil Code, and held that the misuse of the data was sufficient to justify non-material damages;
11 June 2019 (Oberlandesgericht Dresden, 4. Zivilsenat, Beschluss vom 11-06-2019, Az.: 4 U 760/19) the Higher Regional Court of Dresden held that minor loss did not give rise to any claim for non-material damages pursuant to Article 82;
2 August 2019 (Landgericht Karlsruhe; 02-08-2019; 8 O 26/19) the Regional Court of Karlsruhe in Germany held that a mere violation of the provisions of the GDPR would not allow for compensation pursuant to Article 82 (and that a claim for damages for a violation of the right of personality in Article 2 Grundgesetz required an identifiable loss which could be assumed n the case of “humiliation” resulting from an unlawful disclosure of data);
2 September 2019 (Rechtbank Amsterdam; 02-09-2019; 7560515 CV EXPL 19-4611) the Administrative District Court of Amsterdam in the Netherlands awarded damages of €250 to plaintiff for non-material damages pursuant to Article 82 GDPR and Article 6:106 of the Dutch Civil Code;
15 January 2020 (Rechtbank Noord-Nederland; 15-01-2020; C / 18 / 189406 / HA ZA 19-6) the Administrative District Court of the Northern Netherlands awarded €250.00 for unlawful processing of personal data, and emphasised that “Article 82 of the GDPR provides that the person who has suffered material or non-material damage as a result of an infringement of the Regulation has the right to receive compensation from the controller or processor for the damage suffered. All damage must be compensated and the concept of damage must – in accordance with the objectives of the GDPR – be broadly interpreted (paragraph 146 of the preamble to the GDPR), which means that the mere fact that the damage cannot be specified precisely and may be relatively small in scope cannot constitute grounds for rejecting any claim thereto” ([4.106]).
13 February 2020 (Oberlandesgericht Innsbruck; 13-02-2020; pdf here via here; noted here and here; discussed here) the Higher Regional Court of Innsbruck in Austria reversed an award of €800 in non-material damages for unlawful processing of sensitive personal data relating to political opinion. On 14 August 2019, (Landesgericht Feldkirch; summary here; pdf via here; extensive discussion by Christopher Schmidt here) (machine translation here via nyob‘s GDPRhub) the Regional Court of Feldkirch had held that it was sufficient for the proposes of Article 82 that there was an unlawful processing of the plaintiff’s party preferences by the Austrian Postal Service, but the Higher Regional Court of Innsbruck reversed, holding that the plaintiff must actually feel impaired or distressed in order to be able to claim compensation for non-material damages: “A data protection violation must in any case intervene in the emotional sphere of the victim, … a minimum level of personal impairment will have to be required for the existence of non-material damage”.
Whilst it is clear that Article 82 provides for claims for compensation for both material and non-material damage, the courts seem to be slow to award damages under the latter head. The Austrian decision reported today (the Innsbruck decision, on appeal from Feldkirch) is a good example. The Oberster Gerichtshof (the Supreme Court of Austria) has confirmed that claims for damages pursuant to Article 82 may be maintained in class actions in the Austrian courts (see Schrems v Facebook Ireland 6Ob91/19d (23 May 2019)), but the decision of the Innsbruck court puts paid to any class action arising out of this breach, as well as to a claim in which a plaintiff seeks €1,000 compensation for each of 12 cookies placed on her computer by the defendant’s website without her consent. The decision of the Innsbruck court is also very similar in this respect to the approach being taken by the German courts (the Diez, Bochum, Dresden and Karlsruhe decisions). Indeed, on 7 November 2019, in a claim for an injunction to restrict unlawful processing, the Regional Court of Munich held that the mere processing of data contrary to data protection legislation is not of itself a sufficient violation to justify a remedy (see Landsgericht Munich, 07.11.2019, 34 O 13123/19) (machine translation here via nyob‘s GDPRhub). Like the Austrian courts, the German courts also permit class actions in which compensation pursuant to Article 82 may be sought (see Oberlandesgericht Stuttgart; 27-02-2020; 2 U 257/19; also here). It may be that, as such actions become more common, the German and Austrian courts may find it difficult to maintain such a narrow approach to non-material damage.
On the other hand, the Dutch cases (the Overijssel, Amsterdam and – especially – Noord-Nederland decisions) seem more open in principle to claims for compensation for non-material damage; but they then award very modest sums by way of compensation (and they insist that such claims must be brought in the appropriate courts (see here and here)). Moreover, in the UK, (in direct contradistinction from the Innsbruck decision) the decision of the Court of Appeal in Lloyd v Google LLC [2019] EWCA Civ 1599 (02 October 2019) (which I discuss briefly here) held that plaintiffs can recover damages for loss of control of their data without proving pecuniary loss or distress. This was a decision on the provision of UK law implementing Article 23(1) of the Data Protection Directive (Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995); similar results are likely to be reached the GDPR (see, eg, Brendan Van Alsenoy “Liability under EU Data Protection Law: From Directive 95/46 to the General Data Protection Regulation” (2016) 7(3) Journal of Intellectual Property, Information Technology and E-Commerce Law 271); and it is consistent with the Dutch decisions on the GDPR. A fault line is obviously opening up in the national caselaw, and it may very well take a decision of the Court of Justice of the European Union (the CJEU) to resolve the issue.
This is not the only aspect of Article 82 that could reach the CJEU. I discuss some here, as does Emmanuela Truli “The General Data Protection Regulation and Civil Liability” in Mor Bakhoum, Beatriz Conde Gallego, Mark-Oliver Mackenrodt & Gintare Surblyte-Namaviciene (eds) Personal Data in Competition, Consumer Protection and Intellectual Property Law. Towards a Holistic Approach? (Springer, 2018) 303 (SSRN), and see also Sanna Toropainen “The Expanding Right to Damages in the Case Law of CJEU” (SSRN). On those aspects which reach the Court, there will be uniformity in the Member States. However, on those aspects which do not, a broad variety in the application of Article 82 is – unfortunately – inevitable. For example, one question is whether Article 82 requires national incorporation, whether directly by means of national legislation or indirectly via existing national private law claims to compensation. I argue here that the safest route would be for member states to provide for such claims in the legislation incorporating the GDPR. In Ireland, Article 82 is given further effect by section 117 of the Data Protection Act 2018 (also here) (on which see Clíona Kimber & Lorna Madden “A New Frontier in Law—Damages for Data Protection Breaches” (2019) 16(1) Irish Employment Law Journal 10). Similarly, § 29 of the Gesamte Rechtsvorschrift für Datenschutzgesetz, the Austrian legislation incorporating the GDPR, specifically incorporates Article 82 and provides for compensation for material or non-material damage; and this is the provision at issue in the Innsbruck case. On the other hand, there is no equivalent provision in the Bundesdatenschutzgesetz, the German legislation incorporating the GDPR; and the Diez, Dresden and Karlsruhe Courts relied directly on Article 82 rather than on the domestic provisions relating to damages, whereas the Munich Court looked at the domestic provisions relating to injunctions for private law infringements. Similarly, there is no equivalent provision in the Uitvoeringswet Algemene verordening gegevensbescherming, the Dutch legislation incorporating the GDPR; and the Overijssel and Amsterdam Courts gave effect to Article 82 via Article 6:106 of the Dutch Civil Code (whereas the German courts considered domestic constitutional and private law actions as alternatives to Article 82 rather than as means to give effect to it).
Successful Article 82 claims are likely to result in modest awards, not least because non-material damage is likely to modest. For example, according to The Economist (with added links):
IBM Security, a consultancy, puts the average cost of a data breach worldwide at $150 per victim. … [In The Fifth Domain (Penguin Random House, 2019)] Knake and Clarke think it should be more like $1,000 to spur the investment needed to prevent losses.
In the settlement arising out of the Equifax breach, actual losses (in Article 82 GDPR terms, material damages) were capped at $20,000, and other damages (in Article 82 GDPR terms, non-material damages) were initially set at $125, though, given a much-higher-than-anticipated volume of claims, individual awards (settlements) turned out to be much less. Note that in the US state of California, § 1798.150 of the California Consumer Privacy Act of 2018 (Title 1.8.5 of the California Civil Code) provides for a private cause of action to a consumer who has suffered a data breach, permitting recovery of damages of between $100 and $750, or “actual damages, whichever is greater” (see §1798.150.(a)(1)(A)). All of this is consistent with the €250 and €500 awarded in the Dutch cases, and the figure of £750 mentioned in at first instance in Lloyd (see [2018] EWHC 2599 (QB) (08 October 2018) [3] (Warby J)). But such small amounts, aggregated in class actions, will certainly equal and could easily exceed the large fines we are beginning to see. For example, the structure of the Lloyd litigation indicates a total potential liability for Google of up to £3 billion (an application for permission to appeal to the Supreme Court is still pending). A few such successful claims, and CMS may soon be tracking compensation awards in the courts of the member states in parallel to their fines tracker. But if the decision of the Oberlandesgericht Innsbruck, reported today, is any guide, there many not be too many Austrian cases on such a tracker.
Note: this post was published on 6 March 2020. It was updated on 7 March 2020 in the light of comments from Tim Walree below, and Christopher Schmidt and Brendan Quinn on LinkedIn. It was updated on 8 March 2020 in the light of comments from Thomas Schweiger here (via here), and also here. And it was updated on 9 March 2020 in the light of a comment by Olga Seewald on Twitter. Thanks, all.
Thanks for your post Eion,
I am also publishing on this topic, unfortunately only in Dutch up to now.
For more caselaw on article 82 GDPR see also:
Rb. Noord-Nederland 15 januari 2020, ECLI:NL:RBNNE:2020:247 (X/NDC Mediagroep)
Oberster Gerichtshof 23 mei 2019, 6 Ob 91/19d, ECLI:AT:OGH0002:2019:0060OB00091.19D.0523.000 (Schrems/Facebook Ireland), r.o. 3.1.
Landgericht Karlsruhe 2 augustus 2019, 8 O 26/19, ECLI:DE:LGKARLS:2019:0802.8O26.19.0A
Thanks Eoin – good information here!
Excellent research, Eoin. The German courts’ attitude is telling.
Hi Eoin – thanks for posting this. Really insightful. Rob