In December 2023 and January 2024, the Court of Justice of the European Union handed down several judgments1 that provide important clarifications regarding the right to compensation for non-material damage suffered as a result of a breach of the GDPR, enshrined in Article 82 of the General Data Protection Regulation (Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (OJEU, 4 May 2016, No. L 119, hereinafter the GDPR).
ARTICLE 82 OF THE GDPR AND THE RIGHT TO COMPENSATION
Under Article 82 of the GDPR, any person who has suffered material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the controller or processor for the damage suffered.
As the Court points out, this right to compensation requires three cumulative conditions to be met, namely:
- The existence of material or non-material damage;
- The existence of an infringement of the GDPR; and
- A causal link between the damage and the infringement.
NO "DE MINIMIS THRESHOLD" CONDITION
According to the Court of Justice, no other conditions may be imposed in order to benefit from this right to compensation, such as conditions relating to the tangible nature of the damage or the objective nature of the infringement. It follows that Article 82 does not require that the 'non-material damage' alleged by the data subject must reach a 'de minimis threshold' in order for that damage to be compensated.
Compensation for non-material damage within the meaning of Article 82 of the GDPR cannot therefore be subject to the condition that this damage must have reached a certain degree of gravity for it to be compensated; the most minimal damage is sufficient.
FEAR OF FUTURE MISUSE OF PERSONAL DATA PUBLISHED FOLLOWING A CYBER-ATTACK MAY CONSTITUTE NON-MATERIAL DAMAGE
The Court went even further, ruling that the fear experienced by a data subject with regard to a possible misuse of his or her personal data by third parties as a result of an infringement of that regulation is capable, in itself, of constituting 'non-material damage' within the meaning of article 82 GDPR. The national court will have to determine in concreto whether that fear can be deemed to exist.
However, in its judgment of 25 January 2024, the Court of Justice held that if a document containing personal data was provided to an unauthorised third party and it was established that that person did not become aware of those personal data, 'non-material damage' does not exist due to the mere fact that the data subject fears that, following that communication having made possible the making of a copy of that document before its recovery, a dissemination, even abuse, of those data may occur in the future. Thus, a purely hypothetical risk of misuse by an unauthorised third party does not, according to the Court, constitute non-material damage within the meaning of Article 82 of the GDPR. This is the case where no third party has become aware of the personal data in question.
BURDEN OF PROOF FOR NON-MATERIAL DAMAGE
Although a "de minimis threshold" cannot be imposed as a condition for the right to compensation, according to the Court, the mere infringement of the provisions of the GDPR is not sufficient to confer a right to compensation. The data subject must demonstrate that he or she has actually suffered damage, however minimal. According to the Court, the data subject is required to show that the consequences of the infringement which he or she claims to have suffered constitute damage which differs from the mere infringement of the provisions of the GDPR.
BURDEN OF PROOF OF FAULT
The person who has suffered the damage must therefore demonstrate the breach of the GDPR and the damage suffered as a result of this breach, but does not have to prove the existence of a fault from the data-controller, as this fault is presumed.
The Court ruled that Article 82 of the GDPR establishes a system of liability by fault, but with a reversal of the burden of proof: the burden of proving a fault does not lie with the person who suffered the damage, but with the data controller. To avoid liability, the data controller must therefore prove that he is not in any way responsible for the event giving rise to the damage.
In particular, the controller cannot be exempt from its obligation to pay compensation for the damage suffered by a data subject solely because that damage is a result of unauthorised disclosure of, or access to, personal data by a 'third party' (e.g. cyber-criminals), in which case that controller must then prove that it is in no way responsible for the event that gave rise to the damage concerned. To be held liable, the data controller must have made it possible for a third party to commit a breach, by failing to comply with an obligation under the GDPR, such as the obligation to protect data. In addition, in the event of a personal data breach by a third party, the controller may be exempt from liability by proving that there is no causal link between its possible breach of its data protection obligation and the damage suffered by the natural person.
In addition, the burden of proving that the security measures implemented by him are appropriate pursuant to Article 32 of the GDPR lies with the data controller.
COMPENSATORY NATURE OF THE RIGHT TO COMPENSATION
Finally, according to the Court, Article 82 of the GDPR does not have a deterrent, or even punitive function, but only a compensatory function that must allow the damage actually suffered, however minimal, to be compensated in full. This implies:
- That it is not permitted to impose the payment of punitive damages on the basis of Article 82 of the GDPR;
- That Article 82 of the GDPR does not require the degree of gravity of the infringement to be taken into consideration for the purposes of compensation;
- That the amount cannot be set at a level that exceeds full compensation for the prejudice.
Footnote
1 CJEU14 December 2023, C-456/22; CJEU, 14 December 2023, C-340/21; CJEU, 21 December 2023, C-667/21; CJEU, 25 January 2024, C-687/21.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.