Sign Up for our Free Newsletter
menu
Solicitors Journal Homepage
AssociateRopes & Gray LLP
Quotation Marks

The UK judiciary has shown a willingness to reject DPA 2018 claims involving trivial harm

More clarity – but lots of questions – on non-material GDPR harms

Tue May 16 2023Opinion
More clarity – but lots of questions – on non-material GDPR harms

Edward Machin considers the impact of a recent CJEU decision on low-value data protection claims

In the months before the EU’s General Data Protection Regulation (GDPR) took effect, in May 2018, you could count on one hand the number of conversations with clients that didn’t involve a discussion on its new penalty regime. When would regulators issue their fines? Which aspects of non-compliance would be targeted first? And what would it take to receive a seven, eight or even nine figure penalty?

This focus on fines was understandable. Under the UK’s then-current regime, the Data Protection Act (DPA) 1998, regulatory fines were capped at £500,000. Indeed, the Information Commissioner’s Office (ICO) had never issued a penalty under the DPA 1998 of more than £400,000.

In the five years since having those conversations, there have been a number of significant fines levied under the GDPR, including one of nearly €750m, four of more than €200m and a dozen of more than €20m. (The latter group includes an ICO fine and its second-largest penalty – £18.4m – falls just under that threshold.) Clearly, the deterrent of headline-grabbing regulatory actions should not be dismissed and the size of penalties is an important, albeit crude, metric against which to measure a law’s success.

Do no harm?

But we need to look elsewhere for the aspect of the GDPR’s penalty framework that could prove to be most impactful of all: the small damages claims brought by individuals, whether alone or as part of collective actions, for ostensibly low-level breaches of the regulation. This development is driven by two distinct but interrelating concepts that were formalised by the GDPR: the Art. 82(1) right of individuals to receive compensation for ‘non-material damage’ (ie, non-economic loss) resulting from a breach of the regulation and the Art. 80 ability for individuals to instruct organisations to bring claims on their behalf – and for those organisations to bring claims without the individuals’ instruction (ie, via opt-out class actions).

On 4 May 2023, the Court of Justice of the European Union (CJEU) issued its long-awaited judgment in UI v Österreichische Post AG, a case that considered the first of these factors. The CJEU had two main questions to answer. Firstly, whether an organisation’s mere infringement of the GDPR allows an individual to claim damages and, secondly, whether something more than the individual’s annoyance or upset with the infringement is required to award non-material damages. In October 2022, the Advocate General of the CJEU answered no and yes, respectively – in essence, creating a de minimis threshold for claiming GDPR damages.

But as students of EU law will remember, AG opinions, while influential on and often followed by the CJEU, are not binding. And in Österreichische Post the CJEU departed from the AG in finding that there is no requirement for non-material damage to meet a certain threshold. In other words, an individual may be entitled to compensation by proving they have suffered damage, including, potentially, low(ish) level distress, anger or upset. It is now for national courts to determine the threshold for and the amount of damages to be paid (if any) to individuals.

Drawing the line

That will be no easy task. Is Mr Smith more upset than Mrs Jones? Can he prove it? And what happens where Mr Smith alleges significant distress in a situation that probably doesn’t warrant it (a single analytics cookie being placed on his device), but Mrs Jones claims mere upset in an objectively more distressing situation (her medical history being leaked)?

Time will tell, but I’m less convinced than some commentators that Österreichische Post will result in a resurgence of successful class actions. The claims we have seen to date – involving low-level harm that is difficult to quantify – aren’t usually attractive to claimant firms and their funders, and the CJEU’s decision won’t necessarily make their analysis more compelling. That said, the emergence of claimant-friendly national courts will likely be seized on by litigants as venues in which to test where and how the line on GDPR non-material harm can be drawn.

For its part, the UK judiciary has shown a willingness to reject DPA 2018 claims involving trivial harm and it would be surprising to see it change course. But the picture will be more uneven in the EU and the CJEU can expect to add to the three pending cases that it already has on the books before the issues and questions set out in Österreichische Post are settled.

Edward Machin is an associate at Ropes & Gray
ropesgray.com

AdvertisementAdvertisementAdvertisementAdvertisementAdvertisementAdvertisement
Latest News

Legal job numbers increase but applications decline

Fri Sep 29 2023

BARBRI candidates outperform SRA average by 13%

Fri Sep 29 2023

Justice delayed as thousands of cases wait more than two years to be heard

Thu Sep 28 2023

Solicitors warned over immigration services

Thu Sep 28 2023

New report highlights the transformative effects of domestic abuse training on family lawyers

Wed Sep 27 2023

Asylum seekers stranded on Diego Garcia win challenge against return to Sri Lanka

Wed Sep 27 2023

UN and coalition of NGOs write to Unilever to voice deep concern regarding victims of violence at Unilever tea plantation

Tue Sep 26 2023

Live Facial Recognition: How to Stay Within the Law

Tue Sep 26 2023

Ethics Institute launches taskforce to examine legal services to oligarchs and kleptocrats

Mon Sep 25 2023
FeaturedThe Law Society intervention ensures liberal approach to dealing with concurrent problems on legal aid
The Law Society intervention ensures liberal approach to dealing with concurrent problems on legal aid
NewsFri Sep 29 2023
The Law Society intervention ensures liberal approach to dealing with concurrent problems on legal aid
The High Court has today (29 September) handed down its judgment in R v Lawstop*, a judicial review case where the Law Society intervened.
Jeanne Kelly elected President of the British Irish Chamber of Commerce
Jeanne Kelly elected President of the British Irish Chamber of Commerce
NewsFri Sep 29 2023
Jeanne Kelly elected President of the British Irish Chamber of Commerce
Jeanne Kelly, one of the founding partners of Browne Jacobson’s Dublin offering was yesterday (Tuesday 26 September) announced as the new elected President of the British Irish Chamber of Commerce (BICC).
Families continue to be victims of a broken justice system
Families continue to be victims of a broken justice system
NewsFri Sep 29 2023
Families continue to be victims of a broken justice system
The continued delays in the family courts mean families are the victims of a broken justice system, the Law Society of England and Wales warned today (29 September).
Call for compensation scheme extension to help more abuse survivors
Call for compensation scheme extension to help more abuse survivors
NewsFri Sep 29 2023
Call for compensation scheme extension to help more abuse survivors
APIL is calling for victims of child sex crimes, such as online grooming and online child sexual abuse, to be eligible for damages from the Criminal Injuries Compensation Scheme (CICS).
SJ Interview: Hannah Ambrose
SJ Interview: Hannah Ambrose
SJ InterviewMon Sep 25 2023
SJ Interview: Hannah Ambrose
Hannah Ambrose is an international arbitration partner at Herbert Smith Freehills. She talks to Solicitors Journal about her practice and the Law Commission's recent proposals to update the Arbitration Act 1996.
Whose human rights are more important, yours or mine?
Whose human rights are more important, yours or mine?
ForewordFri Sep 08 2023
Whose human rights are more important, yours or mine?

Under the law, should your right to express your opinion – be it on politics, the environment, abortion, or anything else – trump my right to go about my business unhindered, whether or not I happen to agree with your opinion?