Change of approach by Germany to claims for non-material damage under the GDPR
Reading time: 5 mins
The right to compensation under the GDPR is provided for under Article 82 and is one of the more controversial aspects of the GDPR. The provision not only allows for individuals to seek compensation for material damage (i.e., an actual quantifiable loss such as the theft of money) but also non-material damage (typically construed as upset, inconvenience, stress, anguish, etc) arising from an infringement under the GDPR.
There is currently no clear guidance from the EU as to how claims for non-material damage are to be assessed. How an infringement of the GDPR translates into stress, upset and inconvenience and is then quantified, remains as such with the national courts of the EU and the UK.
Despite the GDPR having been enacted in May 2018, a written judgment is yet to be handed down on this issue by an Irish court. The leading Irish judgments delivered on damages claims under data protection laws were delivered prior to the introduction of the GDPR and the 2018 Irish Data Protection Act and do not address claims for non-material damage.
There is established jurisprudence in the UK requiring evidence of a harm having been caused as a result of an infringement of the GDPR in order to bring a claim for non-material damage. For a more detailed appraisal of the UK courts and its assessment of claims for non-material damage please see our recent Insight on this topic which can be accessed here.
In mainland Europe, a rich jurisprudence is also developing for non-material damages claims. The purpose of this Insight is to give consideration of an interesting case which was decided recently in Germany, which appears to have created a divergence from its typically strict approach to claims for non-material damage.
Summary of the case
In October 2020, a financial services company (the defendant) notified a customer (the plaintiff) that that it had been the subject of a cyber-attack and that cyber criminals had gained access to the customer’s personal data, which included the customer’s full name, contact details and a copy of an ID card.
Interestingly, the compromised data of the customer in question was still being processed by the financial services company, notwithstanding that the customer had ended its relationship with the company back in 2015.
The plaintiff in this case issued proceedings on foot of Article 82(1), alleging that the stolen data could be used, rather than had been used, by a nefarious third party to commit identity theft or fraud.
The District Court of Munich, in a judgment delivered on 9 December 2021 (Case No. 31 O 16606/20), awarded the plaintiff €2,500 in damages, notwithstanding the absence of any evidence that the plaintiff’s data had been used to commit fraudulent activity. Rather, the court was satisfied that the possibility of fraudulent activity being committed at some stage into the future was sufficient grounds to award damages.
In addition, in what can be seen as a new line of EU jurisprudence, the court also ordered that the defendant company compensate the plaintiff for any future material damages incurred by the plaintiff which may arise as a result of the compromised personal data.
While the judgement was delivered by one of the lower courts in Germany, and may be appealed, the implications of the judgment are worth assessing:
- German courts have typically adopted a strict view when it comes to claims for non-material damage, requiring often that a minimum threshold of damage be proven, akin to that in the UK, in order for a plaintiff to succeed. This judgment departs from that view.
- An award of €2,500 is a significant sum for a claim for non-material damages. Typically, in Germany, and in other mainland EU member states, awards have tended to fall under €1,000 mark.
- The judgment breaks new ground in GDPR jurisprudence by ruling that an award for non-material damages does not preclude an affected person from seeking material damages from the same party at a future date. While we can only speculate at this stage, it is likely that an Irish court would be reluctant to issue a similar declaration as the German court did in this case in the absence of sufficient evidence establishing the probability of a future loss actually being incurred.
- Much attention has rightly been focused on the recent UK decisions of Rolfe and others v Veale Wasbrough Vizards and Lloyd v Google LLC  UKSC 50 as persuasive authorities for the Irish courts. However, it is probable that guidance from the Court of Justice of the EU (the CJEU) on non-material damage claims will come about as a result of a challenge brought by a civil law, EU member state. Both Germany and Austria have requested separate preliminary rulings from the CJEU on a number of issues in relation to compensation and claims for non-material damage. Those rulings are still awaited. As such, judgments handed down by other EU members states, such this recent case in Germany, are worth monitoring, notwithstanding Ireland’s own differentiating common law jurisdiction.
- The plaintiff in this case was backed by a litigation funder and it has been suggested that the case was brought as a test case to establish if further similar claims are to be brought in Germany. It is only a matter of when, not if, cases such as this will take the form of US-style, class actions across the EU. In this regard, Ireland is currently out of touch, as it lacks the legal procedural framework for such types of class actions. Instead, cases involving multiple plaintiffs, are typically heard by bringing a test or ‘pathfinder’ case. However, this is under review.
- Finally, the case acts a timely reminder for data controllers to review their data retention policies. Old or historic data can be particularly susceptible to cyber-attacks as it can be treated as an inconsequential or forgotten entity. However, in the eyes of cyber-criminals, they can be just as lucrative and bring with it the same implications and risks for data controllers including the potential for proceedings to be brought under the GDPR by affected persons.