The court determined that mere infringement of the GDPR is insufficient for a damages claim, but that there is no minimum threshold for non-material damages.

By Tim Wybitul, Myria Saarinen, Isabelle Brams, Floriane Cruchet, Camille Dorval, Charlotte Guerin, Lara Nonninger, and Hayley Pizzey

In a recent judgment (Case C-300/21), the Court of Justice of the European Union (CJEU) held that mere infringement of the General Data Protection Regulation (GDPR) is insufficient to claim compensation under Article 82, absent any material or non-material damage suffered by the individual. In relation to non-material damage, the CJEU rejected the concept of a minimum threshold level of damage or harm to the individual.

Article 82 of the GDPR states that any person who has suffered material or non-material damage as a result of a GDPR infringement has the right to receive compensation.

The CJEU’s judgment has the potential to encourage non-material damages claims — whether individual or collective — as it is clear that there is no de minimis threshold for such damages. However, the judgment also holds that mere GDPR infringement is an insufficient basis for non-material damages and therefore the claimant must prove that they suffered damage — albeit not to a standard, European Union-wide minimal threshold. Therefore, the specific impact of this judgment will vary across Member States, depending on applicable domestic law underpinning non-material damages claims more broadly.

Background

Actions for non-material damages are frequently based on the risk of disclosure of the claimant’s personal data to third parties, as a result of a personal data breach or other unlawful processing.

In most EU Member States, such claims are mainly brought by individuals. However, data protection and privacy-related class actions are gaining traction across the EU — especially following data breaches, attacks by malicious actors, or broader cybersecurity incidents. While collective redress mechanisms already exist in certain Member States, such as France, the EU’s Directive on Representative actions for the Protection of the Collective Interests of Consumers (2020/1828) will make it easier for consumer protection organisations to bring class actions against companies, including for non-material damages and cross-border claims under the GDPR.

The Judgment

The judgment confirms the cumulative three-pronged test for the availability of non-material damages: (i) the individual must have suffered damage, (ii) there must have been an infringement of the GDPR, and (iii) there must be a causal link between the damage and that infringement. If these requirements are met, the defendant can avoid liability only if it can show that it is not responsible for the infringement.

No Damages for Mere Infringement

The CJEU clarified that a mere GDPR infringement does not constitute non-material damage compensable under Article 82 GDPR since not every infringement gives rise, by itself, to a right to compensation. Claimants have previously argued before national courts that specific non-material damage need not be shown to receive compensation, and that mere GDPR infringement is sufficient. The CJEU has now rejected this view, finding that such damages, while “likely to discourage the reoccurrence of unlawful conduct”, fulfil a compensatory and not a punitive function.

The CJEU also clarified that claimants must show that a GDPR infringement has resulted in non-material damage to them.

No Minimum Threshold of Seriousness for GDPR Damages

In the past, certain Member States’ courts, such as Germany’s, have dismissed claims for non-material damages on the grounds that the damage claimed was minor or insignificant. Similarly, the Advocate General’s opinion in the case at hand suggested a de minimis threshold for claiming non-material damages (see Latham’s blog post on the Advocate General’s opinion).

The CJEU’s rejection of this minimum threshold indicates an emergent trend of eliminating such seriousness thresholds. This shift in approach is especially relevant for organisations located in or processing personal data of individuals located in Member States with damages thresholds (such as Germany), where the judgment is likely significantly to alter the dynamics of claims for non-material damages under the GDPR.

The CJEU found that limiting the term “damage” to something above a certain seriousness threshold would be contrary to the broad interpretation of that term under the GDPR. Further, making compensation for non-material damage dependent on a materiality threshold could lead to inconsistent application of the GDPR within the EU. This is because the threshold could vary depending on how national courts assess it and apply domestic rules determining the level of financial compensation for non-material damages. According to the CJEU, in awarding non-material damages, national courts must observe EU law principles and ensure that the specific damage suffered as a result of a GDPR breach is compensated in full — and not merely if it transcends a certain threshold.

Impact of the Judgment

This judgment may open the door to claims for non-material damages, in particular mass claims, but is unlikely to open the floodgates for such actions relating to GDPR infringements. The implications may, however, be more significant in Germany and other Member States with jurisdiction and domestic legislation which provides for de minimis thresholds for non-material damages. Here, the CJEU’s removal of the previous de minimis “gate keeper” could result in a more noticeable uptick in claims. Further, the judgment may benefit the business models of claimant-focused law firms which bring high volumes of non-material damages claims in the aftermath of large-scale infringements — as such claims can now be more easily pursued. The future use of AI and other legal technology may also help such firms to identify and particularise such claims en masse.

The fact that a mere GDPR infringement is insufficient to claim compensation under Article 82 may encourage compensation claims based on legislation other than the GDPR, such as privacy rights enshrined in constitutional and human rights laws. For example, the Supreme Court of France has held that the mere breach of an individual’s constitutional right to privacy opens the door to compensation, without the need to prove concrete harm.

Following the CJEU’s judgment, each Member State’s procedural rules remain relevant to claims for damages under Article 82 GDPR, and tried-and-tested approaches to defending such actions continue to apply. These approaches include refuting the alleged GDPR infringement, challenging the damage purportedly suffered (particularly if multiple claimants are pleading it in the same or similar terms), or arguing that claimants have failed to establish a causal link between infringement and damage. Notwithstanding a lack of a minimum threshold for non-material damages, a claimant must still prove all three cumulative requirements for a damages claim: damage (of some degree); GDPR infringement; and a causal link between damage and infringement.

Relevance to the UK

CJEU judgments no longer bind UK courts but may still influence judicial reasoning in the UK. However, in this instance, the judgment departs from a recent spate of English decisions suggesting that non-material data protection damages claims are subject to de minimis thresholds, although such thresholds are not explicitly defined. For example, one High Court decision held that “the damage and/or distress caused, if any, was so low as not to satisfy the de minimis threshold implicit in the case law”.[1] The CJEU judgment may hint at divergence in the enforcement of data protection regimes in the EU and the UK — even while obligations under the UK GDPR remain closely aligned to the GDPR.

Endnotes


[1] Rolfe & Others v Veale Wasbrough Vizards LLP [2021] EWHC 2809 (QB), paragraph 7.