Claims for damages by those affected often argue a loss of control or discomfort. In several judgments, the CJEU has now provided concrete guidelines on when (immaterial) damage exists and which criteria may be used to determine the amount of damage.
Compensation for damages under the GDPR
In the event of data protection violations, the General Data Protection Regulation (GDPR) gives data subjects the opportunity to claim compensation from the controller for damages incurred as a result of the non-compliant processing of their personal data. In contrast to fines imposed by EU Member State supervisory authorities, only the data subject affected by the processing is entitled to claim damages (Art. 82 (1) GDPR).
Until now, the case law on claims for damages by data subjects in the event of data protection breaches has been inconsistent, particularly with regard to non-material damages.
With the latest rulings of the European Court of Justice (CJEU), the requirements for the facts of the case and questions regarding the burden of proof have become increasingly concrete (see in particular the summary judgment of 20 June 2024, ref.: C-590/22). In practice, these judgments will be applied in the future. However, there are still difficulties in drawing the line when assuming damage.
National case law to date
In recent years, parts of the case law have based their interpretation of the concept of damage and its purpose closely on recital 146 GDPR. According to this recital, the concept of damage should be interpreted broadly in a way that fully complies with the objectives of the GDPR. This was understood to mean that, unlike in German civil law, for example, claims for damages should not only compensate for disadvantages incurred, but also deter and make further infringements unattractive.
One of the consequences of this was that the line between a breach of GDPR provisions and damage became blurred, meaning that it was regularly sufficient to describe a feeling of discomfort or state abstract worries and fears in order to claim damages after a breach had been proven. Violations of GDPR provisions often led to the assumption of non-material damage in particular, without the data subject being able to describe any concrete damage that had occurred beyond the use of empty phrases.
For example, the Düsseldorf Labour Court ruled on 5 March 2020 (Ref.: 9CA 6557/18) that immaterial damage already occurs if the data subject is prevented from controlling the personal data concerning them. Ergo, the loss of control itself is sufficient for a claim for damages.
Furthermore, courts can orientate their assessment on the criteria for the assessment of fines in the GDPR in accordance with Art. 83 (2) GDPR. The assessment criteria could include the type, severity, duration of the infringement, degree of fault, measures to mitigate the damage caused to the data subjects, previous relevant infringements and the categories of personal data concerned.
If there was a loss of control over the personal data, it was assumed, as by the Higher Regional Court of Düsseldorf in its judgment of 28 October 2021 (Ref.: 16 U 275/20), that the immaterial damage was to be determined by the associated emotionally distressing uncertainty about the fate of the data subject's data. Even where the distinction between the violation of GDPR provisions and the assumption of damage was clearly explained, as in the judgment of Munich Regional Court I of 9 December 2021 (case no.: 31 O 16606/20), the criteria for determining the fine under Art. 83 (2) GDPR were again used to assess the damage. However, these criteria essentially relate to the existing violation of the GDPR, so that the conditions of the violation and the existence of damage were not separated from each other.
CJEU judgments on damages
However, in a whole series of decisions since December 2023, the CJEU has clarified that a breach of the GDPR’s provisions for the protection of data subjects is not in itself sufficient to constitute damage within the meaning of Art. 82 (1) GDPR. Discomfort, at least due to a temporary loss of control, does not constitute damage in isolation without additional circumstances.
The CJEU stated this in its ruling of 25 January 2024 (Case C-687/21):
“In particular, a purely hypothetical risk of misuse by an unauthorised third party cannot lead to compensation. This is the case if no third party has taken note of the personal data in question.”
In the same ruling, however, the CJEU found that non-material damage under Art. 82 (1) GDPR may exist if the data subject has well-founded fears that some of their personal data will be further processed by third parties because a document has been forwarded to an unauthorised third party. According to the referring court, the unauthorised third party did not have knowledge of the data subject’s personal data. In this context, the CJEU therefore speaks of hypothetical damage, as this never occurred.
The circumstances that must be added to the fears and mental discomfort in order to turn a hypothetical harm into a risk (which intensifies these fears or mental discomfort to such an extent that they are justified and thus harm can be assumed) are not further specified. Instead, explicit reference is made to the fact that the review in individual cases is a matter for the national courts.
On the one hand, the CJEU makes a clear distinction between a breach of the provisions of the GDPR and the determination of damages. As a result, the severity of the breach of the GDPR is not a yardstick for determining the amount of damages. In its judgment of 11 April 2024 (Case C-741/21), the CJEU states that:
“[…] a breach of provisions of this Regulation conferring rights on the data subject is not in itself sufficient to constitute ‘non-material damage’ within the meaning of that provision, irrespective of the seriousness of the damage suffered by that person.”
On the other hand, the CJEU makes a clear distinction between the function of a fine under Art. 83 GDPR and compensation for damages under Art. 82 (1) GDPR. Compensation only has a compensatory function. It does not have a punitive function like a fine. While a fine imposed by the supervisory authority serves to discipline those involved, the claim under Art. 82 (1) GDPR satisfies the interest of the data subject in compensation for the damage suffered.
In its ruling of 25 January 2024 (case reference: C-687/21), the CJEU clarifies that:
“Art. 82 para. 1 GDPR must be interpreted as meaning that the claim for damages provided for in this provision […] has a compensatory function, since compensation in money based on it is intended to make it possible to fully compensate for the specific damage suffered as a result of the infringement of the GDPR and does not fulfil a punitive function.”
The amount of damages is therefore determined on the basis of the specific disadvantages and impairments suffered by the data subject. It is still the case that the damage is not subject to a materiality threshold and that there is no de minimis limit for damages under Art. 82 (1) GDPR. The CJEU has already conclusively ruled on this in the past. This means that even the smallest damage leads to a claim for damages, provided that damage can be proven to have occurred.
The CJEU’s separation between the compensatory function and the punitive function is consistently applied to the determination of the amount of the damage, so that the criteria of Art. 83 (2) GDPR, which are often used by national courts to determine the amount of the fine, are not applicable to Art. 82 (1) GDPR (judgment of 11 April 2024 (Ref.: C-741/21)).
Not only does the purpose of Art. 82 (1) GDPR play a role here, but also the fact that the criteria of Art. 83 (2) GDPR largely relate to the modalities of the infringement of provisions of the GDPR. The CJEU thus stays consistent with its line on the distinction between infringement and damage. This is probably intended to prevent the two requirements from being conflated.
The decision is convincing in terms of legal doctrine. In practice, the amount of damages will not be determined by the type, severity and duration of infringements as in Art. 83 (2) lit. a GDPR, but will depend on the type, severity and duration of the damage in its concrete form. Consequently, it should also not be taken into account that the same person is affected by several infringements resulting from the same processing.
Only the damage incurred is decisive.
Data protection assessment
The latest judgments of the CJEU sharpen the assessment criteria for the acceptance and amount of damages under data protection law. The determination of damages is clearly distinguished from the existence of an infringement. Furthermore, damages are distinguished from fines. The former only fulfils a compensatory function, not a punitive function.
Contrary to some opinions, the fear of losing control of one’s own personal data in isolation and with only clichéd justification is not immaterial damage. Any discomfort must be justified in the specific individual case. The burden of presentation and proof for the damage remains with the persons concerned. Convincing evidence is often not provided, even after comments in national judgments. Substantiated submissions are required for a claim to be upheld.
This was recognised with impressive clarity by the Regional Court of Dortmund in its ruling of 22 May 2023 (24 O 20/23):
“As is known in court from the large number of almost identical proceedings, the same phrase is repeated in all statements of claim about the loss of control suffered by ‘the plaintiff’ over the data and the state of unease and concern about possible misuse of her data, in which she has remained since then. It can therefore not be assumed that this formulation is based at all on personal information from the plaintiff here, and therefore does not describe his specific individual situation.”
However, the concrete distinction between an unfounded and a justified fear of a loss of control remains open. The categorisation is left to the national courts. The specific case of a lack of knowledge cannot be transferred to other cases such as phishing or data leaks. In these cases, knowledge by unknown and unauthorised third parties is to be expected on a regular basis. Data subjects can request information about specific facts relating to incidents of this kind from the controller in advance in accordance with Art. 15 GDPR.
However, it can be observed that national courts in recent decisions have set higher requirements for proof of justified fears and discomfort and regularly reject claims for damages (for example Ulm Regional Court, judgment of 27 May 2024, case no.: 2 O 8/24; Ellwangen Regional Court, judgment of 10 June 2024, case no.: 6 O 17/24; Tübingen Regional Court, judgment of 12 June 2024, case no.: 4 O 359/23; Ravensburg Regional Court, judgment of 20 May 2024, case no.: 4 O 91/24).
Recommendations for data controllers
In the event of an incoming claim for damages, you should first determine whether there has actually been a breach of the provisions of the GDPR. If there is sufficient documentation, proof of exoneration can be provided in accordance with Art. 82 (3) GDPR, which exempts you from liability.
Furthermore, the safest way to avoid claims by data subjects is to have a sophisticated data protection management system (DPMS) and competent and experienced legal expertise.