Currently, data protection claims are all the rage in collective redress proceedings around Europe.^[1] The judgment of the European Court of Justice (“ECJ”) of 4 May 2023 in case C-300/21 – Österreichische Post^[2] will therefore be welcomed by many, as the ECJ has used this opportunity to specify the right to compensation under Art. 82 of the General Data Protection Regulation (“GDPR”),^[3] which forms the bedrock of most current claims for damages related to data protection infringements. In short, the ECJ held that awarding damages under Art. 82 GDPR requires the existence of a damage, but a requirement that this damage be of a certain seriousness is incompatible with EU law. The amount of damages is to be determined under domestic law, taking into account the principles of equivalence and effectiveness of EU law.

The case was referred to the ECJ for a preliminary ruling by the Oberster Gerichtshof (Supreme Court) of Austria. The main proceedings concerned the business practices of Österreichische Post, an Austrian provider of postal and logistical services which also engages in address brokerage. Among other things, Österreichische Post collected information on the political affinities of the Austrian population and generated “target group addresses,” which it then sold to third parties for targeted (election) advertising.^[4] The applicant in the main proceedings, an Austrian citizen who had not consented to this processing of his personal data, felt offended by the political affinity the algorithm employed by Österreichische Post had attributed to him. Even though this information was not shared with third parties and he suffered “no harm other than [some] adverse emotional effects of a temporary nature,” the applicant sued for injunctive relief and compensation in the amount of 1,000 Euro for the non-material damage he claims to have suffered. While the injunction was granted, his claim for compensation was rejected at first instance and on appeal.

The Austrian Supreme Court referred three questions to the ECJ:

1. Is a GDPR infringement in itself sufficient for an award of compensation under Art. 82 GDPR?
2. Does the assessment of the compensation depend on further EU-law requirements in addition to the principles of effectiveness and equivalence?
3. Is it compatible with EU law to impose as a requirement for awarding compensation for non-material damages that the infringement is of at least some weight that goes beyond the upset caused by that infringement?

Regarding the first question, the ECJ, by establishing an autonomous and uniform interpretation of Art. 82 GDPR, answered that “the mere infringement of the provisions of [the GDPR] is not sufficient to confer a right to compensation.” The ECJ pointed to the three cumulative conditions of Art. 82 GDPR, namely the existence of “damage” which has been “suffered,” the existence of an infringement of the GDPR, and of a causal link between damage and infringement.

The ECJ then answered the third question and again underlined the need for an autonomous and uniform interpretation of “non-material damage” within the meaning of Art. 82 GDPR. The ECJ pointed out that the wording of Art. 82 does not make reference to any threshold of “seriousness” of (non-material) damages and that the objectives of the Regulation favour a “broad conception of ‘damage.’” It follows “that Article 82(1) of the GDPR must be interpreted as precluding a national rule or practice which makes compensation for non-material damage, within the meaning of that provision, subject to the condition that the damage suffered by the data subject has reached a certain degree of seriousness.”

Lastly, as to the second question of the assessment of damages, the ECJ noted that the GDPR does not contain any provisions in that regard. Hence, the amount of damages payable under the right to compensation pursuant to Art. 82 is subject to the domestic rules of each Member State, “provided that the principles of equivalence and effectiveness of EU law are complied with.” Regarding the latter, the ECJ alluded to the GDPR’s intention to ensure “full and effective compensation” (see recital 146 GDPR) for the damage suffered, “without there being any need […] to require the payment of punitive damages.”

While lowering the threshold for GDPR-related claims for non-material damages (at least for jurisdictions that knew a seriousness threshold), it is yet too early to denote this judgment as harbinger of a new torrent of data protection claims. Instead, the future of Art. 82 GDPR will most likely depend on the rigour national courts show regarding the assessment of damages in data protection matters. Also after the ECJ’s decision, how to assess non-material damages is still a question very much in want of a definitive answer.

Anton Burri^[5] and Johannes Nickl^[6]

[1] See for example the TikTok and Oracle/Salesforce litigation in the Netherlands.

[2] Judgment of 4 May 2023, UI v Österreichische Post AG, C-300/21, ECLI:EU:C:2023:370.

[3] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

[4] True to the nature of this blog, it should be noted that this business practice triggered a scandal and a call to action by Austrian claims bundling platform Cobin Claims, which managed to obtain a settlement with Österreichische Post on behalf of 2000 persons affected in January 2023.

[5] Doctoral Candidate at Faculty of Law, University of Lucerne, Switzerland

[6] Doctoral Candidate at Faculty of Law, Heidelberg University, Germany.

Foto Credit: Österreichische Post AG