The Court of Justice of the European Union (CJEU) has issued a landmark ruling refuting that emotional damages under the General Data Protection Regulation (GDPR) must reach a certain level of seriousness to get compensation for a data privacy breach.
The decision was the first judgment made by the EU court regarding emotional damages under the GDPR and it goes counter to a growing trend in national courts to strike down claims based on the argument that some emotional damages do not reach a certain “threshold of seriousness”.
The judgment related to a scandal in Austria in which the country’s postal service collected information on Austrian people and used it to estimate political leanings.
Using an algorithm that takes into account various social and demographic criteria, the Austrian Post defined target group addresses and sold them to organisations enabling them to send targeted advertising.
The claimant in the case was categorised as a person with a likely inclination to a far-right political party, albeit that information was never disclosed to third parties.
The claimant sued Austrian Post arguing that he had not consented to the processing of his personal data and he “felt offended” by being labelled as a supporter of a far-right party.
He said the Austrian Post’s actions “caused him great upset, a loss of confidence and a feeling of exposure”. No harm other than these temporary emotional effects was claimed.
Prior to the ruling, there has been a growing practice in national courts to implement a "threshold of seriousness" for GDPR claims. This has been particularly prevalent in Germany where such a threshold had existed in national law before the GDPR was adopted.
It was further supported by the opinion of the EU’s advocate general (AG) last year, which stated that compensation for non-material damage does not cover “mere upset”.
But the CJEU has now ruled that the GDPR makes no reference to any threshold of seriousness, neither in the case of material damage nor in a non-material one.
“I see great relief and satisfaction in the ECJ's clarification that the GDPR does not require a specific threshold for damages,” Christina Maria Schwaiger, attorney‑at‑law at CMS Law, told VIXIO.
Following the AG opinion, the data protection community had serious concerns that the GDPR would be less stringent in the future as it would have put the burden of proof on the claimant to show that he suffered emotional damage of a certain magnitude, she added.
Now the CJEU has confirmed that the GDPR stands for a broad claim for damages, which Schwaiger said was absolutely needed “otherwise it would be very difficult for the data subject to be (potentially) successful with such claims at all”.
She said that many colleagues in the privacy community appreciate that the court refrained from introducing a de minimis limit and data subjects can now be more confident when they assert emotional damage claims in national courts.
Austrian privacy advocate Max Schrems has also welcomed the decision.
“A whole industry tried to reinterpret the GDPR, in order to avoid having to pay damages to users whose rights they violated,” Schrems said while pointing out that it would have been very hard to define a threshold.
“How many minutes did you have to be angry or cry?”, he posed the question.
“The law does not foresee such a threshold, just like there is no threshold for any other claim. You can also bring a lawsuit over 5 cents, the reality is just that no one does that."