28 Aug Compensation for non-monetary damages in case of unlawful processing of personal data
The General Data Protection Regulation (GDPR) awards humans (data subjects) protection from violation of their privacy by misuse of their personal data. In this sense, the GDPR is a way to protect a basic human right (namely, the right to respect for family and private life as described in article 8 of the European Convention on Human Rights). Therefore, a violation of the GDPR generally equals a tort against the data subject, leading to an obligation to pay compensation for damages.
Often, however, a violation of privacy is problematic for the data subject because of the feelings of anxiety, stress and perhaps humiliation it causes. Violations of privacy rarely cause significant monetary damage to the data subject. What happens when a violation of the GDPR hurts everywhere, except in a person’s bank account? According to recent case law by the Court of Justice of the European Union, compensation for non-monetary damage is possible, but the existence and extent of such damage must be proven.
This spring, the Court of Justice of the European Union answered the question of whether people can receive compensation for non-financial damage resulting from misuse of their personal data. In Austria, a man declared to have felt ‘annoyance’, ‘anger’ and ‘offence’ when he was wrongly linked to a certain political party by an algorithm. He claimed damages from the company that used the algorithm, in the form of money. This raised the question whether the GDPR allows for a financial compensation if the data subject did not actually suffer financial losses.
Clarity at last
In past years, several courts in the Netherlands already assumed that the GDPR allows for the possibility of awarding financial compensation for emotional damages, but the Court of Justice of the European Union (CJEU) had not yet ruled on the matter. In a judgment dated 4 May 2023, the CJEU placed beyond doubt that non-financial damage caused by a violation of the GDPR can lead to financial compensation. But the decision comes with a caveat: certain conditions must be met.
The case that gave rise to the ruling concerned Österreichische Post. First and foremost, of course, Österreichische Post is Austria’s national postal service. However, it also earns part of its money by trading in addresses. To increase the value of these addresses for marketing purposes, Österreichische Post divides them into target groups, using an algorithm. Based on parameters used by the algorithm, a man (the plaintiff in the case) was sorted into the target group of likely supporters of a certain political party. The man – who apparently did have strong feelings about this political party, but negative ones – felt offended and embarrassed when he found out he was placed on a list of supposed supporters. He claimed a compensation of € 1,000 for the unpleasant emotions the algorithm had caused him.
The local Austrian court found that the processing of the man’s personal data by the algorithm was indeed a violation of the GDPR and that Österreichische Post should stop doing it, but it rejected the claim for financial compensation. The court decided that under Austrian law, a minimum threshold of severity must be exceeded before emotional distress can be eligible for compensation. The man appealed against this rejection.
Confronted with the fundamental legal question whether violation of the GDPR should always lead to a compensation, even if no financial losses have occurred and the alleged emotional damage does not appear to be very severe, the Austrian court of appeal decided to refer the question to the CJEU for a preliminary ruling.
The starting point: immaterial damage is compensable damage
In answering the Austrian court of appeal’s preliminary questions, the CJEU first considered that unlawful processing of personal data can have all kinds of adverse consequences: discrimination, identity theft or fraud, smearing of a person’s reputation, et cetera. This can sometimes lead to financial damage (e.g. in case of fraud), but also to non-financial damage. Under the GDPR, anyone who suffers damage due to a breach of the regulation has the right to receive compensation from the data controller. This is the rule, according to the CJEU, even if there is only non-financial damage. However, here is the caveat: actual damage must have been suffered and there must be a clear relationship (‘causality’) between the breach of the GDPR and the damage. In short: a breach of the GDPR alone does not automatically entitle the data subject to a sum of money.
No ‘threshold of severity’
So far, so good for the plaintiff: according to the CJEU, the GDPR does allow for compensation of non-financial damages. In its decision, the CJEU also made clear that member states may not set a threshold on the severity of the damage suffered. All damage resulting from a breach of the GDPR must be compensated, even if the damage is only minor.
Proof of existence and extent of damage
However, the CJEU’s ban on a threshold of severity does not alter the fact that a person seeking compensation will have to substantiate that at least some damage actually occurred. The data subject will also have to provide the court with sufficient evidence to be able to place a price on the damage incurred. According to the CJEU’s ruling, each EU member state may determine in its own legislation how the court should assess the financial value of non-financial damage.
Results of the Österreichische Post-case
What does the CJEU ruling mean for the man who started the case against Österreichische Post? The Austrian court of appeal will now have to decide the case on its merits, taking into account the CJEU’s interpretation of the GDPR. So: if the plaintiff can convince the Austrian court of appeal that he has suffered at least some actual damage due to Österreichische Post’s algorithm, the man might still get a financial compensation. Even if it may be very small.
How does this work in the Netherlands?
Even before the CJEU ruling in the case of Österreichische Post, Dutch courts already assumed that financial compensation for non-financial damage was possible in case of GDPR violations. Dutch courts also already required the data subject to substantiate that actual damage was incurred, and to provide insight into its extent.
It can be quite difficult to substantiate the existence of non-financial damage. Most people don’t keep a daily record of their mental health and emotional well-being. With this in mind, and inspired by the Dutch Supreme Court’s EBI judgment, Dutch courts generally reason that the existence of non-financial damage may be more easily assumed, the more severe a privacy violation is (e.g. if very sensitive data were involved, or if data was leaked to a hostile recipient). For lighter breaches – where it is not obvious that grave anxiety must have been caused – financial compensation is not impossible in the Netherlands, but the courts will require stronger substantiation of the existence of actual damage by the data subject.
Thus, in the Netherlands, there is no formal ‘threshold of severity’ to unlock the right to compensation. But: the severity of the GDPR violation does play a role in the effort a data subject has to make to prove the existence of damage. This approach, where the threshold of proof for the data subject is higher for a less severe breach, could amount to a de facto ‘threshold of severity’ after all.
A threshold of severity for data controllers?
The EBI judgment – the Dutch Supreme Court decision that the Dutch courts often refer to in cases about non-financial damages – did not pertain to a GDPR violation, but to a prisoner who was unlawfully detained in an overly strict prison regime. In the EBI judgment, the Dutch Supreme Court considered, among other things, that a violation of a person’s rights may in some cases be so bad, that it follows already from the nature and severity of the violation itself that emotional damage may be presumed to be present. In such cases, the threshold of proof for the existence of damage is so low, that no additional substantiation of damage needs to be provided. In such very severe cases, the violation itself ‘proves’ the damage.
To date, only one case is known in which a Dutch court has applied this train of thought to a GDPR violation. It concerned a case in which a secretarial employee of a hospital had frequently snooped in a particular patient’s medical file and had used the information from the medical file in a revenge novel (Zeeland-West Brabant District Court, 21-09-2022). This hospital employee was able to snoop in the patient’s file more than once, because the hospital – although it logged who took access to medical files – only did spot checks on the logs. The snooping hadn’t shown up in the spot checks. Also, once the data breach was discovered, the hospital had not done much to help the patient prevent the publication of the revenge novel. The result: the hospital was deemed liable for the data breach.
In this case, the court assumed the existence of emotional damage to the patient on the basis of the nature and severity of the violation alone, without the need for additional substantiation. Formally, the court still considered that a GDPR violation does not automatically entitle the patient to compensation, but that it must first be established that harm has been suffered; yet in practice, the existence of the damage was inferred directly from the existence of the violation.
In a sense, one might say that in Dutch law, there is a threshold of severity for data controllers who are liable for a GDPR violation: if the violation is severe enough, the step to ‘automatic’ financial compensation can suddenly be made. One may wonder whether this approach is compatible with paragraphs 28 to 42 and paragraph 50 of the Österreichische Post-ruling. Perhaps that question will come up in future cases.
Do you want to know more, or perhaps exchange views on financial compensation for GDPR violations? Call or email Inge Lakwijk: 088-440 2200 or email@example.com