One (Case C-300/21) deals with compensation for breaches of the bloc’s General Data Protection Regulation (GDPR); and the second (Case C-487/21) clarifies the nature of information that individuals exercising GDPR rights to obtain a copy of data held on them should expect to receive. Read on for a summary of the judgements and some potential implications.
No automatic right to damages — but no threshold for harm either
The CJEU’s GDPR compensation ruling relates to a referral from an Austrian court where an individual sought to sue the national postal service for damages after it used an algorithm to predict the political views of citizens according to socio-demographic criteria without their knowledge or consent — leaving the individual feeling exposed, upset and with a knock to their confidence, per the Court’s press release. As regards regional damages for privacy violations, there have been a number of attempts to bring class action style suits seeking compensation for data protection breaches in recent years. This CJEU ruling may make it easier to do so within the EU, although the court has puts one limit on such claims since the judges have ruled that just the fact of an infringement of the GDPR does not automatically give rise to a right of compensation — meaning there is an onus on litigants to demonstrate personal harm. At the same time, the CJEU has ruled there is no requirement for the non-material damage suffered to reach a certain threshold of seriousness in order to confer a right to compensation. So, in other words, the court has avoided setting a bar on how much/what type of harm needs to be demonstrated to file a compensation claim. Which looks like a big deal. “[T]he Court holds that the right to compensation is not limited to non-material damage that reaches a certain threshold of seriousness,” it writes in a press release accompanying the judgement. “The GDPR does not contain any such requirement and such a restriction would be contrary to the broad conception of ‘damage’, adopted by the EU legislature. Indeed, the graduation of such a threshold, on which the possibility or otherwise of obtaining that compensation woulda depend, would be liable to fluctuate according to the assessment of the courts seised.” Since the GDPR does not contain any rules for assessing damages, the judges say it is up to courts in EU Member States to define criteria for determining the extent of any compensation payable — while noting that such rules must comply with GDPR principles of equivalence and effectiveness, so as to ensure individuals can obtain full and effective compensation for damages suffered. This sets up for a patchwork of outcomes on damages for privacy breaches, depending on where in the EU a user is able to sue, based on how national courts interpret the mandate. Commenting on the outcome in a statement, Peter Church, a counsel in the technology practice at law firm Linklaters, suggested: “[I]t is possible that even minor anxiety or upset might justify a compensation claim. This in turn could open the way for not only frivolous or vexatious claims but also large class actions in the event of, for example, a data breach (which is currently the subject of separate pending decision in Case C-340/21).” He also predicted a divergence between the EU and the UK (which is no longer in the bloc) on this issue, given how — back in 2021 — the UK’s Supreme Court ended up denying a long running litigation against Google which had sought to skip the tricky step of demonstrating individual harms in favor of pressing for collective damages over privacy breaches related to ad tracking users of Apple’s Safari browser. In that case the UK judges concluded proof of harm was necessary; and, per Church, that it “must reach a threshold of seriousness to be eligible for compensation”. Hence his prediction that the EU and the UK will “part ways on this issue” since the CJEU has decided there is no seriousness bar on the harm experienced. So if you live in the EU and having your privacy violated by a data-mining giant like Meta has made you feel a bit annoyed, slightly upset, somewhat uneasy or a little alarmed any of those sensations would, presumably, be enough to sue for damages. (And this summer Member States are due to implement the Collective Redress Directive in national laws — a piece of pan-EU legislation which aims to make it easier for consumers to achieve collective redress through class action style litigation.) Privacy rights group noyb, which has been behind scores of data breach complaints against giants like Meta and Google, reads the CJEU ruling as confirmation that claims for “emotional damages” are affirmed. In a statement, its founder and honorary chairman Max Schrems, wrote: “We welcome the clarifications by the CJEU. A whole industry tried to reinterpret the GDPR, in order to avoid having to pay damages to users whose rights they violated. This seems to be rejected. We are very happy about the result.”
Faithful copy of data
In a separate ruling today, the CJEU has issued clarification around the scope and content of an individual’s right of access under the GDPR to obtain an copy of their data — deciding the regulation’s wording intends they obtain “a faithful and intelligible reproduction” of their data, in order they can conduct their own checks to ensure, for example, that their info is correct and being processed in a lawful manner. The referral here relates to a legal challenge brought by an individual after a business consulting agency which provides data on the creditworthiness of third parties for its clients had processed his personal data. The person had asked for a copy of the documents about him “in a standard technical format” but had instead been provided with a list summarising the data, not a complete copy. Europe’s top court clarifies GDPR compensation and data access rights by Natasha Lomas originally published on TechCrunch