Major decision on GDPR compensation rights expected soon
Breached businesses might have to cough for your discomfort too
Could EU residents receive compensation for "non-material" harm caused by illegal data use under the General Data Protection Regulation (GDPR)? We'll find out tomorrow, when the European Court of Justice (ECJ) is set to make a ruling in a case being nervously watched by many a data-hungry company doing business across the political bloc.
Quite crucially, one of the questions the ECJ is being asked to answer is what happens when someone suffers "non-material damage" under the GDPR and how bad it has to be for the award of compensation.
To give you an example of how nebulous non-material damage can be, a recent opinion given by Advocate General Manuel Campos Sánchez-Bordona described one such instance as "inner discomfort," while data protection law whiz Max Schrems has pointed out that the category also includes the pain of broken bones or a "slap in the face." You can contrast this with material damage, for example loss of income. The law gives EU residents a right to claim compensation from an organization if they have suffered damage because the org has broken data protection law.
The specific case that's being decided may have far-reaching consequences for tech giants processing the personal data of millions across the bloc, particularly against the backdrop of recent growth in AI and the necessary ingestion of data behind it. One can easily see how much "non-material" damage might arise from that.
Global law firm Linklaters LLP has said that if the ECJ were to "unexpectedly allow individuals to claim compensation for mere breach or upset, that would open the way to class actions on behalf of those individuals that will run into billions of euros."
Before we get into the details of the case, we should mention the plaintiff isn't the only individual who's suing for non-material damages under the data protection law – there are several other cases about. But an ECJ ruling on this one will be instructive.
You said I'm a member of what?
The case is C-300/21, also known as UI vs Österreichische Post AG. The plaintiff involved, an Austrian attorney, has asked for €1,000 in damages from a postal service provider after an algorithm processed his personal data – in a manner which the courts found to be illegal – and extrapolated that he likely supported mega libertarian right-wing populist types in the country's far-right Freedom Party (FPÖ).
UI, the plaintiff who never gave their real name, was "angered and offended" after he found out about the "affinity specifically attributed to him by Österreichische Post" when he performed a subject access request. In the original filing, he said that he had not consented to the processing of his personal data, and additionally had found the assignation "insulting and shameful, as well as extremely damaging to his reputation. In addition, Österreichische Post's conduct caused him great upset and a loss of confidence, and also a feeling of public exposure."
Austrian lawyer and privacy activist Schrems, famous for launching the cases against Facebook that killed US-EU data flow agreements Safe Harbor and Privacy Shield, opined of the case:
If Member States make it relatively easy in comparison to enforce one kind of non-material damage (based on national law), but virtually impossible to enforce another (based on EU law), they violate the principles of equivalence and effectiveness.
He added that, for example, in Austria:
Other non-material damages (such a broken bones or a slap in the face) do not require a plaintiff to cry in the witness stand, but the [Austrian] courts developed tables that are based on the suffering of an average person ("objektive Maßfigur"). In addition to making litigation simpler, this makes sure that an especially dramatic plaintiff gets the same damages as a tough victim.
As for UI v Österreichische Post AG, both the Austrian Supreme Court and an appellate court confirmed there was an infringement, that the processing was unlawful and the postal service had to stop what it was doing (sorting the data subjects into targets for political advertising), but neither the first-instance nor second-instance court found for UI on the damages part. The Austrian Supreme Court then referred the matter of the damages to the ECJ.
- German political parties accused of microtargeting voters on Facebook
- Ireland fines Meta $414m for using personal data without asking
- EU lawmakers argue against signing US data-transfer pact
- EU takes another step towards US data-sharing agreement
In October last year, Sánchez-Bordona wrote an opinion that might guide the ECJ, but isn't otherwise binding, saying: "Compensation for non-material damage provided for in the regulation does not cover mere upset which the person concerned may feel as a result of the infringement of provisions of Regulation 2016/679. It is for the national courts to determine when, owing to its characteristics, a subjective feeling of displeasure may be deemed, in each case, to be non-material damage."
Peter Church, counsel in the Technology practice at Linklaters LLP, commented: "This is a major decision that could affect businesses right across the EU. If the CJEU suggests individuals have a right to compensation simply for breach of the GDPR or for mere upset, that will unleash a torrent of claims, including class actions with liabilities running into the billions."
He added: "The decision is also being closely watched in the UK. While it will not be binding post-Brexit, it could still be influential and breathe life back into the moribund UK privacy class action market." ®