Thursday, 24 November 2022

Can we seek compensation for a GDPR breach if it caused great upset or inner discomfort? The AG Opinion in C-300/21, Österreichische Post

According to Article 82(1) of the GDPR any person who has suffered material or non-material damage as a result of an infringement of the Regulation has the right to receive compensation from the controller or processor for the damage. It turns out that the exercise of this right in practice raises some questions, especially if the damage caused by the infringement would consist of a "great upset" or a "loss of confidence". Recently, the Advocate General Campos Sánchez-Bordona commented on this issue (see: case C-300/21 Österreichische Post). 

Facts of the case
The case concerns the processing of personal data by an Austrian postal company (Österreichische Post AG). The company had been collecting personal data on the Austrian public's affinities for political parties since 2017. Information on political preferences was inferred based on various socio-demographic characteristics. Such processing did not please "UI" (that's how the data subject is called by the AG in the opinion). More specifically, he did not like the way the company classified him as a person sympathizing with one of Austria's political parties. UI therefore entered into a dispute with the company, pointing out, for instance, that he had not consented to the processing of his personal data. As we read in the opinion, UI „was upset by the storage of his party affinity data and angered and offended by the affinity specifically attributed to him by Österreichische Post” (para. 10). What is more, he claimed that such a „political affinity attributed to him is insulting and shameful, as well as extremely damaging to his reputation” (para. 11). Therefore he demended compensation of EUR 1 000 in respect of non-material damage (inner discomfort).

Both the court of first instance and the appellate court rejected his claim. However, following an appeal to the Oberster Gerichtshof (Supreme Court, Austria), the court raised several doubts, referring the following questions to the Court of Justice for a preliminary ruling:

"1. Does the award of compensation under Article 82 of the GDPR also require, in addition to infringement of provisions of the GDPR, that an applicant must have suffered harm, or is the infringement of provisions of the GDPR in itself sufficient for the award of compensation?

2. Does the assessment of the compensation depend on further EU-law requirements in addition to the principles of effectiveness and equivalence?

3. Is it compatible with EU law to take the view that the award of compensation for non-material damage presupposes the existence of a consequence of the infringement of at least some weight that goes beyond the upset caused by that infringement?"


Opinion of the AG

The AG presented an interesting analysis of Article 82 of the GDPR, taking into account different types of interpretation (literal, historical, contextual and purposive). There are several important statements that deserve attention: 


1. Assuming that under Article 82 of the GDPR a data subject could be awarded compensation for a breach of the Regulation, despite the absence of any damage, would be inconsistent with the fundamental purpose of civil liability. This purpose is to compensate for the damage suffered by the data subject. If the damage could not be identified, the compensation then awarded would not fulfil the aforementioned function, but would be more like a punishment and a sanction for the infringer (paras 29-30). It is true that punitive damages may exist in both EU and national law, but the GDPR does not contain this type of reference (paras 39, 44, 49-50).


2. The AG's position is that a mere breach of the GDPR does not give rise to a presumption of automatic harm to the data subject (paras 56-59). As can be inferred from the Opinion, this is the presumption made by the parties to the proceedings, indicating that a breach leads to a loss of control over the data and thus causes harm to the data subject. However, the AG considers that not every loss of control over data necessarily leads to harm (para. 62) and, furthermore, that giving data subjects as much control over data as possible may not necessarily be derived from the GDPR provisions (para. 74). He states: „where a data subject does not consent to processing and processing is carried out without another legitimate legal basis, that is not a ground for the data subject to receive financial compensation on account of the loss of control over his or her data, as though that loss of control itself amounted to damage that is eligible for compensation” (para. 77).


3. The compensation for non-material damage regulated by Article 82 of the GDPR does not cover the mere upset that a person may feel due to a breach of Regulation 2016/679. It is up to the national courts to determine when, due to its characteristics, a subjective feeling of displeasure can be considered as a non-material damage in a given case (conclusion - para. 117).

Given the facts of the case, the AG's answers to the preliminary questions do not seem surprising. Nonetheless, some views are arguable, such as that „it is not straightforward to conclude from the GDPR that its objective is to grant data subjects control over their personal data as a right in itself” (para. 74). 

In my view, one of the primary objectives of the GDPR is precisely to give individuals control over their data, or even to 'restore' that control. This conclusion can also be drawn based on the provisions of other data flow regulations in the EU, such as the Data Governance Act* or the Data Act proposal**. It is clear that the opinion was given based on the GDPR provisions, but I guess they should not be interpreted without regard to the broader regulatory context. That said, we eagerly await the Court's final verdict.


* For instance, in recital 5 of the DGA it is stated that it "is necessary to increase trust in data sharing by establishing appropriate mechanisms for control by data subjects". A similar idea is expressed in recital 30 in the context of data intermediation services: "data intermediation services providers seek to enhance the agency of data subjects, and in particular individuals’ control over data relating to them". Maybe it is not directly indicated that the purpose of the DGA is to "grant control over data", but still this can be deduced from both the content and the particular objectives of the legal instruments adopted in the DGA. 
** See, for example, recital 78 of the proposal: "To foster further trust in the data, it is important that safeguards in relation to Union citizens, the public sector and businesses are implemented to the extent possible to ensure control over their data". Again, it is not stated expressly, but without ensuring control over data, the other objectives of the regulation will not be achieved. From this perspective, granting control over data may appear as one of the purposes.