Fresh GDPR ruling says even 'minor anxiety' could mean payouts for EU folks

A major decision on GDPR compensation rights handed down today includes what looks like a nasty surprise for many businesses: there is no threshold that non-material damage needs to pass before data subjects can make a claim.

As we explained yesterday, "non-material" loss or damage means it didn't directly cost you any money, for example cause a loss of income. Examples include pain, suffering, shame, affronts to dignity, trauma and anxiety. The European Court of Justice (CJEU) was asked if it could give a threshold for how bad this needed to be before you had a right to claim compensation, and it appears from today's judgment that there is no minimum.

Privacy activist and lawyer Max Schrems commented: "We welcome the clarifications by the CJEU. A whole industry tried to reinterpret the GDPR, in order to avoid having to pay damages to users whose rights they violated. This seems to be rejected. We are very happy about the result."

The decision [translated from French – English is not yet available] explains that:

We understand that this is unexpected as it goes against the earlier Advocate General's opinion in October that there should be a threshold that non-material damage needs to pass before data subjects can make a claim, and that what he termed "mere upset" shouldn't clear this.

Schrems noted that his organization, noyb, had "already seen many GDPR cases being rejected for no good reason. If there would have been a threshold, it would have been very hard to define it. How many minutes did you have to be angry or cry? The law does not foresee such a threshold, just like there is no threshold for any other claim. You can also bring a lawsuit over 5 cents, the reality is just that no one does that."

EU residents can't claim compensation just because GDPR was breached, though

There is some relief for businesses operating in the political bloc in that the court was also asked whether the mere fact of infringement of the GDPR would cross that bar into giving right to compensation and said no.

The CJEU said in a statement this morning: "Not every infringement of the GDPR gives rise, by itself, to a right to compensation. Any other interpretation would run counter to the clear wording of the GDPR."

• Major decision on GDPR compensation rights expected soon
• That 3CX supply chain attack keeps getting worse: Other vendors hit
• NHS England considered using Palantir tech to manage strike disruption
• Italy bans ChatGPT for 'unlawful collection of personal data'

The court also offered some clarity around assessment of damages more generally, saying it was for the legal system of each member state to decide, that each country could "prescribe the detailed rules for actions intended to safeguard of the rights which individuals derive from the GDPR and, in particular, the criteria for determining the extent of compensation payable in that context, provided that the principles of equivalence are complied with."

As for the case that brought this all to head, from an Austrian attorney aggrieved over a GDPR breach that wrongly labeled him a right-wing party member, the CJEU doesn't decide that, and it will be kicked back to the national court "to dispose of the case in accordance with the Court's decision."

The Austrian Supreme Court had proposed the CJEU would introduce a "threshold" for such claims, said noyb, in the hopes it would "frame the case as a violation without real damages." But this does not seem to have held out.

Not all legal types were optimistic about this, with some pointing out that this added risk for business folk.

Peter Church, counsel in the Technology practice at Linklaters LLP, said: "The judgment is likely to be of concern for many businesses. The CJEU helpfully confirmed that breach of the GDPR does not automatically give rise to a right in compensation. It is also necessary to show the breach caused material or non-material distress.

"However, it goes on to say that non-material damage does not need to reach a certain threshold in seriousness. In other words, it is possible that even minor anxiety or upset might justify a compensation claim. This in turn could open the way for not only frivolous or vexatious claims, but also large class actions in the event of, for example, a data breach.

He added: "As Elizabeth Renieris notes, 'The definition of hell is European legislation with American enforcement'."

Finally, Church noted the EU and UK would "part ways" on this issue given the Supreme Court's indication in Lloyd v Google, a British action over the Safari Workaround ad-tracking cookie, which Google disabled when it was discovered in 2012. In that case, a 2021 judgement found that "claims under UK law must reach a threshold of seriousness to be eligible for compensation."

Data privacy lawyer Kingsley Hayes, head of data and privacy litigation at Keller Postman UK, said the "ruling is good news for people seeking compensation in data breach cases, as it provides a clearer path to seeking damages for GDPR violations." ®