More clarity – but lots of questions – on non-material GDPR harms

In the months before the EU’s General Data Protection Regulation (GDPR) took effect, in May 2018, you could count on one hand the number of conversations with clients that didn’t involve a discussion on its new penalty regime. When would regulators issue their fines? Which aspects of non-compliance would be targeted first? And what would it take to receive a seven, eight or even nine figure penalty?

This focus on fines was understandable. Under the UK’s then-current regime, the Data Protection Act (DPA) 1998, regulatory fines were capped at £500,000. Indeed, the Information Commissioner’s Office (ICO) had never issued a penalty under the DPA 1998 of more than £400,000.

In the five years since having those conversations, there have been a number of significant fines levied under the GDPR, including one of nearly €750m, four of more than €200m and a dozen of more than €20m. (The latter group includes an ICO fine and its second-largest penalty – £18.4m – falls just under that threshold.) Clearly, the deterrent of headline-grabbing regulatory actions should not be dismissed and the size of penalties is an important, albeit crude, metric against which to measure a law’s success.

Do no harm?

But we need to look elsewhere for the aspect of the GDPR’s penalty framework that could prove to be most impactful of all: the small damages claims brought by individuals, whether alone or as part of collective actions, for ostensibly low-level breaches of the regulation. This development is driven by two distinct but interrelating concepts that were formalised by the GDPR: the Art. 82(1) right of individuals to receive compensation for ‘non-material damage’ (ie, non-economic loss) resulting from a breach of the regulation and the Art. 80 ability for individuals to instruct organisations to bring claims on their behalf – and for those organisations to bring claims without the individuals’ instruction (ie, via opt-out class actions).

On 4 May 2023, the Court of Justice of the European Union (CJEU) issued its long-awaited judgment in UI v Österreichische Post AG, a case that considered the first of these factors. The CJEU had two main questions to answer. Firstly, whether an organisation’s mere infringement of the GDPR allows an individual to claim damages and, secondly, whether something more than the individual’s annoyance or upset with the infringement is required to award non-material damages. In October 2022, the Advocate General of the CJEU answered no and yes, respectively – in essence, creating a de minimis threshold for claiming GDPR damages.

But as students of EU law will remember, AG opinions, while influential on and often followed by the CJEU, are not binding. And in Österreichische Post the CJEU departed from the AG in finding that there is no requirement for non-material damage to meet a certain threshold. In other words, an individual may be entitled to compensation by proving they have suffered damage, including, potentially, low(ish) level distress, anger or upset. It is now for national courts to determine the threshold for and the amount of damages to be paid (if any) to individuals.