Damages arising from a data breach: when is it really non-material?

1. Introduction

In this insight we consider recent developments in Ireland and the EU that will educate how organisations measure non-material damage suffered by individuals arising from a breach of their data protection rights.

The right of individuals to seek compensation for damage suffered as a result of a breach of their data protection rights under the General Data Protection Regulation (the “GDPR”) (Article 82) is common knowledge. However, the types of damage that individuals can seek compensation for continues to present significant challenges for organisations, the courts, and legal practitioners throughout the EU.

Article 82 of the GDPR specifically includes the right to seek compensation for both material and non-material damage. While the concept of material damage, which includes financial loss, is easier to measure, the courts have limited experience assessing the appropriate compensation for certain types of non-material damage and whether they can regard all levels of worry, upset and anxiety as such.

Before the Irish Courts, other than an acknowledgement of the right to non-material damage, there has been no consideration of Article 82 in any written decision. The 2013 Irish decision of Collins v FBD Insurance plc [2013] IEHC 137 is often cited but importantly predates the implementation of the GDPR – when no right to non-material damage existed.

This issue is not distinct to Ireland and the national courts of other EU member states, and the UK are observed taking diverging approaches. In the UK case of Rolfe v Veale Wasbrough Vizards LLP [2021] EWHC 2809 (QB) (previously considered by RDJ here), for example, the UK courts set out the requirement for claimants to demonstrate that they have suffered a certain minimum amount of damage. In particular the UK court found that the “claimants could not have suffered damage or distress above a de minimis level” and that it “must look at the reality of the personal information in question and the circumstances in which it was inadvertently sent to one third party”.

On the other hand, a decision by the German Constitutional Court (previously considered by RDJ here) departed from its typically strict approach to non-material damage claims, having decided that a claim could not be dismissed due to the damage suffered by the claimant not achieving a materiality threshold.

Thankfully, however, the upper echelons of the Court of Justice of the European Union (the “CJEU”) are beginning to stir, with multiple preliminary references beginning to make their way from Member States seeking guidance on the enforceability of the GDPR and Article 82.

For the remainder of this note we will give some consideration of these “stirrings”, in particular, the Advocate General Campos Sanchez-Bordona’s opinion in UI v Österreichische Post (Case C-300/21) which was delivered on 6 October 2022 and provides some welcome insights into how the CJEU may decide on the enforceability of data breach claims brought under the GDPR. We also examine a recent Irish Circuit Court judgment which has granted an Order to stay proceedings pending the determination by the CJEU of certain preliminary references, including the Österreichische Post case.[1]

2. Österreichische Post – The facts and background to the Referral

The case of UI v Österreichische Post (Case C-300/21) was referred to the CJEU by the Austrian Supreme Court and is the first of many requests for preliminary ruling pending before the CJEU on the interpretation of Article 82.

On 15 April 2021, the Austrian Supreme Court referred several key questions regarding non-material damage under Article 82 of the GDPR to the CJEU for a preliminary ruling. In this case, the defendant sold personal data as a profile publisher for third party marketing purposes. The defendant collected information via an algorithm including details regarding the political affinity of the claimant. The algorithm defined the target group’s profile according to socio-demographic characteristics. No consent was given by the claimant to the processing and storing of data. The claimant argued that the political affinity attributed to him was insulting and shameful and made a claim for non-material damage under Article 82.

Although his claim was dismissed in the Austrian lower courts, the Austrian Supreme Court referred three questions to the CJEU for a preliminary ruling, to which the Advocate General delivered his opinion and are discussed next.

3. Questions and answers from the Advocate general’s opinion

Question 1 - Is the mere breach of provisions of the GDPR, in and of itself, sufficient for the award of damages?

The Advocate General view is that there should be no right to compensation for a mere infringement of the GDPR. This approach closely follows the wording of Article 82 of the GDPR under which a right to compensation requires a person to have suffered material or non-material damage.

The Advocate General rejected the argument that there is an irrebuttable presumption of damage once a GDPR violation has occurred, particularly that an infringement results in a “loss of control” over data. In his view, the wording of the GDPR does not support this presumption. Recital 85 of the GDPR identified loss of control over data as simply one possible damage that can occur. He concluded that it is not the GDPR’s objective to grant data subjects absolute control over their personal data, rather , data subjects have a right to “supervise” the processing of the personal data and to intervene by exercising their rights. Accordingly, processing in violation of the GDPR that leads to loss of control over data is on its own not a ground for compensation in damages.

As part of this analysis, he also took into account the rights of third parties and the broader objectives of the GDPR such as the promotion of the free movement of data in the Single Market. He stated that the GDPR seeks “to reconcile each person’s right to protection of personal data with the interests of third parties and society”. The Advocate General considered that allowing compensation for a mere infringement of the GDPR would effectively create a system of punitive damages. Punitive damages are not mentioned in the text of the GDPR nor during the legislative process and there is a clear separation of the compensatory functions, evident in Article 82 and the punitive functions through fines under Article 83 of the GDPR.

Question 2 - In addition to the principles of effectiveness and equivalence, does EU law impose further requirements that national courts must observe when assessing damages under Article 82?

The next question considered by the Advocate General related to whether there are any further requirements, beyond the principles of effectiveness and equivalence, that Member States are required to consider in the assessment of damages.

The Advocate General does not address this question outright. Rather he suggests that the GDPR deliberately avoids the use of punitive damages. He outlined that the power of national courts to award symbolic or nominal amounts to vindicate the infringement is permitted under the GDPR but should only be available under Article 79 of the GDPR. He further emphasised the point that “difficulty in proving the damage must not result in nominal damages.”

Question 3 - Does non-material damage require an impairment (or other consequence of the infringement of at least some weight) that goes beyond the annoyance caused by the infringement?

The Advocate General expressed the view that compensation should not be available for “mere annoyance or upset”, since, any data protection violation will likely lead to some form of negative feeling for the affected data subject.

Interestingly, the Advocate General rejected the argument that a broad right to damage arises under Recital 146, which states that “any damage” should be compensated.

He also rejected the argument that the concept of damage “should be broadly interpreted” in light of the CJEU’s case law. Instead, the Advocate General suggested that a line of distinction be drawn “between non-material damage for which compensation may be awarded and other inconveniences arising as a result of abuse of the law which, owing to their insignificance, do not necessarily create the right to compensation.” Ultimately, he pointed out that compensation for a mere feeling of displeasure would be to readily confused with compensation without damage.

4. Garry Cunniam v. Parcel Connect Limited t/a Fastway Couriers Ireland and Others

In the Circuit Court, the effect of the number of preliminary refences awaiting determination by the CJEU can be seen in Mr Justice O’Connor’s judgment delivered in the Fastway Couriers case on 23 January 2023.[2]

In this case, the plaintiff contends that in February 2021, the defendants (or at least one of them) suffered a data breach after its operations were hacked in which the personal data of over 450,000 individuals was compromised.

The plaintiff pleads that the defendants were negligent and in breach of their duty by allowing his data to be unlawfully accessed, retained and being capable of being utilised by an unauthorised criminal or third party. The plaintiff alleges that the defendants failed to maintain adequate security measures to prevent this.

It was noted that the plaintiff’s solicitor acts for a number affected individuals arising from this incident, and it was submitted that there are other solicitors who may also have clients who have issued or intend to issue similar proceedings. The Fastway Couriers brought an application to the Circuit Court seeking a stay on the proceedings pending the determination by the CJEU of six relevant preliminary references made by various member states to the CJEU.

The Court was clear in its mind that a stay was required in accordance with the duty of sincere cooperation provided for in Article 4(3) of the Treaty of the European Union, pending the determination by the CJEU of the preliminary references. It noted that the principle of sincere cooperation and the need to avoid the risk of irreconcilable judgments has been held by the CJEU to give rise to an obligation on the part of national courts to stay the proceedings in any case where there was a risk that the decision might conflict with an existing or future CJEU decision.

The Court had to decide whether the stay should be granted now or at the notice of trial stage. The Court noted that the plaintiff had not proffered any prejudice apart from the delay itself; whilst the defendant had proffered substantial prejudice as follows:

• The possibility that the plaintiff would not be entitled to any damages if the CJEU decides to accept the recommendation of the Advocate General in the Österreichische Post case;
• The fact that, if proceedings are allowed to run until they are ready for hearing, the costs incurred by the defendants would be far in excess of any award of damages the plaintiff may recover; and
• That it is not possible for the defendants to make a lodgment, as it would be impossible to sensibly quantify the sum which ought to be lodged, given the pending receipt of clarification in respect of the correct interpretation of Article 82 of the GDPR from the CJEU.

The Court held that a refusal of stay at this stage will have little impact on the procedural efficiency to the plaintiff’s claim. However, the Court held that a delay in granting the stay could substantially increase legal costs.

In assessing the plaintiff’s claims at their highest level, the Court was of the view that damages were likely to be small and the continuation of the proceedings were highly unlikely to increase those damages. It was accepted that the case does need to be concluded, but that “justice is best served” by awaiting determination by the CJEU of the preliminary references.

5. What can we take away from all of this?

The Advocate General’s opinion in Österreichische Post proposes that a de minimis approach should be adopted in relation to Article 82 of the GDPR, i.e. that the mere infringement of provisions of the GDPR, without accompanying damage (material or non-material), is not sufficient for the purposes of awarding compensation. Additionally, the Advocate General is of the view that upset is not covered under the heading of non-material damages.

The opinion is not binding, and we will have to wait for the CJEU’s final judgment before anything definitive can be taken from it. It does however provide clarification on a number of important and divisive issues.

Lastly, the Circuit Court judgment in Fastway Couriers highlights the increasing need for guidance on the interpretation of Article 82 and compensation from the CJEU.

Until that time, and it is difficult to say when the CJEU will have responded to the six preliminary references, we may see similar stays being put on proceedings which will undermine and slow down the Irish court’s ability to determine cases in a timely manner.

The authors would like to thank Arabella Carr, trainee, for her research and assistance with this article.

[1] The relevant preliminary references referred to the CJEU are: Case C-300/21 – UI v. Österrreich Post AG; Case C-340/21 – VB v. Natsionalna agentsia za prihodite; Case C-667/21 – ZQ v. Medizinischer Dienst der Krankenversicherung Nordrhein; Case C-687/21 – BL v. Saturn Electro-Handelsgesellschaft mbH Hagen; Case C-741/21 – GP v. Juris GmbH; and Case C-182/22 – JU v. Scalable Capital GmbH.

[2] Dublin Circuit Court Record No. 2021/03424.