5 July 2024 Daniel Pauly Data Privacy - EU Law - Telecoms, Media & Business Services

Allegation of fear does not justify compensation – ECJ confirms case law on Art. 82 GDPR

On June 20, 2024, the Court of Justice of the European Union (“ECJ”) issued two judgments (C-182/22 and C-189/22; C-590/22) on the interpretation of Art. 82 GDPR, essentially confirming its case law on the right to compensation. The two judgments are based on two requests for preliminary rulings from German district courts in 2022. They concisely summarize and advance the previous case law of the ECJ. In particular, the ECJ continues to place high demands on the demonstration of specific and causal damage.

Prerequisites for the right to compensation

The right to compensation under Art. 82 GDPR has three requirements:

  • infringement of the GDPR;
  • actual (material or non-material) damage to the data subject; and
  • a causal link between infringement and damage.

In principle, the data subject bears the burden of proof for all three requirements. They must therefore not only prove the violation of a provision of the GDPR, but also that they have suffered specific (material or non-material) damage as a result (see landmark ruling of the ECJ in the Austrian Post case of May 4, 2023 - C-300/21).

 

Judgment in the Scalable Capital case (C-182/22 and C-189/22)

Background

The related requests for a preliminary ruling concern the interpretation of Art. 82 GDPR.

Two plaintiffs sued Scalable Capital GmbH ("Scalable Capital") before the Munich District Court for compensation for the non-material damage they allegedly suffered as a result of the theft of their personal data. Scalable Capital operates a trading app on which the plaintiffs have stored certain personal data in their respective accounts, in particular their name, date of birth, postal address, email address and a digitally stored copy of their identity card. In 2020, personal data and data relating to the plaintiffs' securities deposits were accessed by unknown third parties but, according to Scalable Capital, have not been used fraudulently to date.

Art. 82 GDPR fulfils an exclusively compensatory function

On March 3, 2022, the Munich District Court referred several questions to the ECJ for a preliminary ruling. The ECJ has already ruled on some of the questions referred in the meantime. 

In the Scalable Capital case the ECJ reinforces that Art. 82 GDPR does not fulfil a punitive or dissuasive function, but only a compensatory function. The claim for damages is - as the name suggests - only intended to compensate for specific damage suffered and not to sanction infringements of data protection law.

Consequently, the severity of an infringement and any intent on the part of the data controller may not be taken into account when assessing damages. The ECJ thus confirms its earlier judgments in the cases Krankenversicherung Nordrhein (C-667/21),  Media Markt Saturn (C-687/21) and juris GmbH (C-741/21).

Comparison with physical injury

However, the ECJ's comments on the relationship between Art. 82 GDPR and the assessment of damages in cases of physical injury are new.

The Munich District Court wanted to know whether damage caused by a breach of personal data protection is by its nature "less significant" than physical injury.

The ECJ denies this and thus rejects an abstract weighting according to categories of damage. In particular, no hierarchy between material and non-material damage can be inferred from the GDPR. Furthermore, the fundamental assumption that physical injury is inherently more significant than non-material damage could call into question the principle of full and effective compensation.

As correct as this statement is, the opposite would also be true: personal injury as well as violations of data protection law cannot be measured in a general abstract manner. The actual damage suffered must always be assessed and compensated – however high the amount of damages may be in the individual case.

National courts can also award minimal compensation

Furthermore, the ECJ has clarified that a Member State court can also award "minimal compensation". If the data subject can merely prove minor damage, this damage must still be compensated. This means that Member State courts can also award very small amounts of compensation (e.g. Mannheim Regional Court - 1 O 99/23: EUR 50; Freiburg Regional Court - 8 O 212/23: EUR 100), which - according to the Munich District Court - would sometimes be perceived as "symbolic".

As there is no "de minimis threshold", the only prerequisite for the amount of compensation is that it fully and effectively covers the damage suffered. In this respect, the law of the member state is decisive, in Germany therefore Sections 249 et seqq. of the German Civil Code (BGB).

Data theft does not equal identity theft

Finally, the ECJ has clarified the concept of "identity theft".

For interpretation, the ECJ refers to recitals 75 and 85 GDPR and concludes that the theft of personal data cannot be equated with identity theft or identity fraud. Rather, the latter presuppose that a third party has actually misused the identity of a person affected by data theft. The mere assertion or abstractly expressed fear of a data subject that identity theft could occur in the future is not sufficient.

The person concerned must therefore specifically demonstrate and prove that identity theft or fraud has actually occurred – or how the data theft itself causally lead to specific negative consequences. A non-individualized submission consisting only of sample text modules typically does not meet these requirements.

 

Judgment in the PS case (C-590/22)

Background

In its second ruling of June 20, 2024 (Case C-590/22), the ECJ also confirmed previous case law on the interpretation of Art. 82 GDPR.

In this case, two plaintiffs asserted claims for non-material damages against a tax consultancy firm that had inadvertently sent the plaintiffs' tax return to an old address. It was not possible to clarify which documents were originally in the envelope and whether and to what extent the new residents had become aware of the contents of this envelope.

In its decision of August 5, 2022, the Wesel District Court referred various questions on the interpretation of Art. 82 GDPR to the ECJ for a preliminary ruling.

The ECJ continues its line of jurisprudence

The ECJ once again clarifies that the mere infringement of a provision of the GDPR is not sufficient to justify a claim for damages. Rather, the data subject must also prove that they have suffered causal damage as a result of the breach. The fear that data could be misused can indeed lead to non-material damage. However, the mere assertion of such a fear without proven negative consequences is not sufficient.

The ECJ thus confirms once again that the data subject must specifically demonstrate and prove the alleged negative consequences. Since the claim for damages has no dissuasive function, the criteria for the assessment of a fine (Art. 83 GDPR) cannot be used (by analogy) to assess the amount of compensation (likewise ECJ, juris GmbH -C-741/21, para. 62). Nothing new from Luxembourg insofar.

Violation of national provisions irrelevant for the amount of damages

However, the ECJ's answer to the sixth question is new: If a data controller simultaneously infringes purely national provisions related to the protection of personal data, this does not lead to an increase in damages under Art. 82 GDPR. Contrary to the plaintiffs' opinion, a possible breach of the German Tax Consultancy Act or the professional code of conduct of the Federal Chamber of Tax Consultants is "not a relevant factor" for the assessment of damages under EU law. Such national provisions are not covered by the scope of application of Art. 82 (1) GDPR, as they do not specify the GDPR (see recital 146 sentence 5).

The ECJ thus appears to be focusing on the criteria "infringement" or "processing" within Art. 82 GDPR. A violation of national tax law does not satisfy these prerequisites. A recourse to the compensatory function of Art. 82 GDPR leads to the same result: the assessment of the amount of damage does not depend on whether the controller commits one or more infringements of the GDPR and whether he acts negligently or intentionally (as already stated by the ECJ, juris GmbH - C-741/21, para. 64). The same must then also apply to infringements of national provisions.

 

Practical note

The ECJ's decisions of 20 June 2024 continue to provide affected companies with good arguments for a solid defence against claims for damages. In our experience, claims for "up to EUR 3,000" or more often fail because the plaintiffs are unable to demonstrate, let alone prove, causal damage on a specific and individual basis. Instead, the plaintiffs' representatives' presentation of the alleged damage is often exhausted in "a shot in the dark" and generalized allegations, which increasingly fail to convince the German regional and higher regional courts, especially after an informational hearing of the plaintiffs. On October 8, 2024 (VI ZR 7/24 and VI ZR 22/24), the German Federal Court of Justice (BGH) will hear claims for compensation in connection with a data protection incident at the social network Facebook (so-called scraping). This decision is likely to have a signal effect. It remains exciting!