More clarity – but lots of questions – on non-material GDPR harms

16 May 2023Opinion

Edward Machin considers the impact of a recent CJEU decision on low-value data protection claims

In the months before the EU’s General Data Protection Regulation (GDPR) took effect, in May 2018, you could count on one hand the number of conversations with clients that didn’t involve a discussion on its new penalty regime. When would regulators issue their fines? Which aspects of non-compliance would be targeted first? And what would it take to receive a seven, eight or even nine figure penalty?

This focus on fines was understandable. Under the UK’s then-current regime, the Data Protection Act (DPA) 1998, regulatory fines were capped at £500,000. Indeed, the Information Commissioner’s Office (ICO) had never issued a penalty under the DPA 1998 of more than £400,000.

In the five years since having those conversations, there have been a number of significant fines levied under the GDPR, including one of nearly €750m, four of more than €200m and a dozen of more than €20m. (The latter group includes an ICO fine and its second-largest penalty – £18.4m – falls just under that threshold.) Clearly, the deterrent of headline-grabbing regulatory actions should not be dismissed and the size of penalties is an important, albeit crude, metric against which to measure a law’s success.

Do no harm?

But we need to look elsewhere for the aspect of the GDPR’s penalty framework that could prove to be most impactful of all: the small damages claims brought by individuals, whether alone or as part of collective actions, for ostensibly low-level breaches of the regulation. This development is driven by two distinct but interrelating concepts that were formalised by the GDPR: the Art. 82(1) right of individuals to receive compensation for ‘non-material damage’ (ie, non-economic loss) resulting from a breach of the regulation and the Art. 80 ability for individuals to instruct organisations to bring claims on their behalf – and for those organisations to bring claims without the individuals’ instruction (ie, via opt-out class actions).

On 4 May 2023, the Court of Justice of the European Union (CJEU) issued its long-awaited judgment in UI v Österreichische Post AG, a case that considered the first of these factors. The CJEU had two main questions to answer. Firstly, whether an organisation’s mere infringement of the GDPR allows an individual to claim damages and, secondly, whether something more than the individual’s annoyance or upset with the infringement is required to award non-material damages. In October 2022, the Advocate General of the CJEU answered no and yes, respectively – in essence, creating a de minimis threshold for claiming GDPR damages.

But as students of EU law will remember, AG opinions, while influential on and often followed by the CJEU, are not binding. And in Österreichische Post the CJEU departed from the AG in finding that there is no requirement for non-material damage to meet a certain threshold. In other words, an individual may be entitled to compensation by proving they have suffered damage, including, potentially, low(ish) level distress, anger or upset. It is now for national courts to determine the threshold for and the amount of damages to be paid (if any) to individuals.

Drawing the line

That will be no easy task. Is Mr Smith more upset than Mrs Jones? Can he prove it? And what happens where Mr Smith alleges significant distress in a situation that probably doesn’t warrant it (a single analytics cookie being placed on his device), but Mrs Jones claims mere upset in an objectively more distressing situation (her medical history being leaked)?

Time will tell, but I’m less convinced than some commentators that Österreichische Post will result in a resurgence of successful class actions. The claims we have seen to date – involving low-level harm that is difficult to quantify – aren’t usually attractive to claimant firms and their funders, and the CJEU’s decision won’t necessarily make their analysis more compelling. That said, the emergence of claimant-friendly national courts will likely be seized on by litigants as venues in which to test where and how the line on GDPR non-material harm can be drawn.

For its part, the UK judiciary has shown a willingness to reject DPA 2018 claims involving trivial harm and it would be surprising to see it change course. But the picture will be more uneven in the EU and the CJEU can expect to add to the three pending cases that it already has on the books before the issues and questions set out in Österreichische Post are settled.

Edward Machin is an associate at Ropes & Gray
ropesgray.com