CJEU increases the requirements for claiming non-material damage within the meaning of the GDPR

14.03.2024

Whether or not (nearly) any and all violation of the General Data Protection Regulation (GDPR) entitles data subjects to non-material damages has been the subject of substantial debate. On 14 December 2023 the Court of Justice of the European Union (CJEU) issued a first decision on this topic holding, that such damages may in principle be claimed for all violations, as the GDPR not only does not require a ‘de minimis threshold’, but even pre-cludes national legislation or a national practice which sets such threshold. This caused the data protection community to predict a wave of incoming data-protection related litigation. 1 month and 11 days later, this has changed yet again.

In its decision C 687/21 from 25 January 2024 the CJEU, among other things, held that the mere concern that a person’s personal data after a data breach could be misused is not sufficient for nonmaterial damage. Another important finding is that the controller can exonerate himself or herself if he or she can prove that appropriate technical and organisational measures within the meaning of the GDPR were otherwise taken despite the breach.

 

Facts

In the main proceeding, an employee of an electrical retailer inadvertently handed over both the device ordered by the applicant and the associated purchase and credit agreement with the applicant’s personal data to the wrong customer. The mistake was recognized immediately and the employee of the electrical retailer obtained the return of the device and the documents. About half an hour after the erroneous handover to the wrong customer, the aforementioned items were returned to the applicant.

The applicant then brought an action before the Hagen Local Court seeking compensation for the nonmaterial damage suffered. According to the applicant this damage resulted from the error made by the employee of the electrical retailer and the resulting risk of losing control of his personal data. The applicant relied, among other things, on the provisions of the GDPR.

 

Decision of the CJEU

The Hagen Local Court then referred several questions to the CJEU for a preliminary ruling.

In its decision, the Court held that unauthorized disclosure of, or access to, personal data by 'third parties' is not in itself sufficient for it to be held that the technical and organizational measures implemented by the controller were not ‘appropriate’ within the meaning of Articles 24 and 32 GDPR. Rather, the competent court must also take into account all evidence provided by the controller to demonstrate the adequacy of the technical and organisational measures adopted by him or her to comply with his or her obligations under Articles 24 and 32 GDPR.

It can therefore be concluded from the CJEU’s decision that data controllers can prove and exonerate themselves within the framework of the reversal of the burden of proof that, despite the breach, appropriate technical and organisational measures are in place and therefore no data protection breach has occurred.

Furthermore, the CJEU stated that, in principle, the data subject may suffer non-material damage within the meaning of Art 82 GDPR even in the event of a temporary loss of control over personal data.

However, the CJEU further held ‘[…] that it is for the applicant in an action for compensation under Article 82 of the GDPR to demonstrate the existence of such damage. In particular, a purely hypothetical risk of misuse by an unauthorised third party cannot give rise to compensation. This is so where no third party became aware of the personal data at issue.’

A purely hypothetical possibility of data misuse is therefore not sufficient to prove that the breach of the GDPR had negative consequences for the applicant.

 

Conclusion

With this decision, the CJEU therefore increases the requirements for the assertion of claims for damages and, de facto, thankfully sets a ‘de minimis threshold’ for such claims. A purely hypothetical risk of data misuse is thus not sufficient to assume non-material damage within the meaning of Art 82 GDPR. This can be of particular importance in practice, as it is often difficult to prove actual data misuse after a data leak whereas non-material damage is regularly claimed already based on the ‘fear’, that a misuse may happen. This, at least, will not be possible henceforward.

Link to the CJEU Decision:
https://curia.europa.eu/juris/document/document.jsf?text=&docid=282062&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1

 

Article provided by INPLP member: Árpád Geréd (MGLP Rechtsanwälte, Austria)

Co-Author: Tamara Thirring 

 

Discover more about the INPLP and the INPLP-Members

Dr. Tobias Höllwarth (Managing Director INPLP)

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.