While the General Data Protection Regulation has generated libraries worth of commentary since it first entered into force, there has yet to be a decision of the Court of Justice of the European Union on the thorny issue of damages for the breach of the rights of data subjects. That is all about to change however, particularly in relation to the concept and interpretation of ‘non-material’ damages within the meaning of Art 82 GDPR. Germany’s Bundesverfassungsgericht, Austria’s Oberster Gerichtshof and Bulgaria’s Varhoven Administrativen Sad have all made preliminary references on this issue.
In essence, the central question boils down to one issue - the referring courts query whether or not to succeed in obtaining ‘non-material’ damages, an applicant must have suffered harm or damage, or if the infringement of provisions of the GDPR in itself sufficient. Somewhat surprisingly, there has been little judicial comment in relation to this in an Irish context, albeit that Whelan J, as obiter in Shawl Property v A and B [2021] IECA 53 at [114], noted that “Nothing stated in s. 117 [Data Protection Act 2018] or indeed the Act itself suggests that a data protection action is a tort of strict liability”,[1] and the position remains unclear since Collins v FBD Insurance PLC [2013] IEHC 137, whereby Feeney J held that under the Data Protection Acts 1988-2003 compensation requires proof of the existence of a duty of care, a breach of that duty and that damage flowed from that breach.
Ireland is not the only country grappling with how ‘non-material’ damage should be interpreted, with a number of Member States putting their own idiosyncratic spin on it. First, the German courts have approached the interpretation of non-material damages from the perspective of German national law whereby there must be a de minimis quantum of harm in order to succeed in the claim for damages. In one of the first cases, the Amtsgericht Diez held on 7 November 2018,[2] that a mere violation of the GDPR without resulting in damage does not result in liability leading directly to an award of damages as while on the one hand, a serious violation of personal rights is no longer necessary, on the other, no compensation for pain and suffering arises for a minor violation or for every mere individually-perceived inconvenience without serious impairment; rather, the person concerned must have suffered a noticeable disadvantage and an objective weighty impairment of an issue related to their personality.
This interpretation is largely dependent on the application of German domestic legal principles in relation to limits on tortious non-material damage - known as Bagatellverstoß. In particular, §253 Abs 1 BGB, the German Civil Code, states that the compensation of non-material damage only arises if expressly provided for by law and §253 Abs 2 BGB confines this to injuries to the person, health, freedom, or sexual self-determination. A similar interpretation arose in the Amtsgericht Goslar, ultimately leading to the live German reference.
A similar approach has been taken by the Dutch courts when in April 2020, the Raad van State held that breach of GDPR does not automatically imply an impairment of the integrity of a person which would lead to compensation of damages. The facts that an infringement of GDPR can result in non-material damage and that a data subject must receive full and effective compensation of the damages under GDPR, do not mean that violation of the law always results in damages and the damage caused must be real and certain.[3] Similarly, the Oberlandesgericht Innsbruck reversed a lower court decision awarding non-material damages for unlawful processing of political opinion data, on the basis that a minimum level of personal impairment will have to be required for the existence of non-material damage.[4]
How the CJEU will decide this remains to seen, although it certainly seems that an interpretation founded on what appears to be a common continental thread is not altogether unlikely. While Ireland has opted to conceptualise data protection actions under the Data Protection Act 2018 as a tort, it may be that any interpretation that the CJEU arrives at will inexorably lead to a tort quite unlike those with a common law genesis.
The views expressed in this blog are personal to the author alone and do not constitute the views of the EUBA and/or its Executive Committee. The information in the blog is not and is not intended to constitute legal advice. Readers should always seek independent legal advice with regard to any particular legal matter arising from or connected with this blog. The EUBA and its Executive Committee have agreed to the publication of this blog for general informational purposes only but make no representations as to its content. The blog and its contents cannot be republished in any format without the express written consent of the author.
[1] See also McGrath and Finan, ‘Data Protection Breach: A tort of strict liability?’ (Bar of Ireland: Viewpoints, 7 July 2021) accessible at https://www.lawlibrary.ie/viewpoints/data-protection-breach-a-tort-of-strict-liability/ [2] Rechtsprechung AG Diez, 07.11.2018 - 8 C 130/18. [3] Raad van State, 1 April 2020, 201902699/1/A2. [4] Oberlandesgericht Innsbruck, 13 February 2020, 1 R 182/19b.