Austrian Post - EU Court: no minimum threshold re non-material damage following data breach
On 4 May 2023, The Court (Third Chamber) published its decision in UI v Österreichische Post AG, Cast C-300/21 following a request from the Supreme Court, Austria. It concerns the interpretation of Article 82 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR), read in conjunction with the principles of equivalence and effectiveness. The decision provides encouragement for claimants seeking compensation who are upset about the collection of their personal data in breach of GDPR.
Article 82 of the GDPR provides that anyone who has suffered material or non-material damage as a result of a breach of the Regulation is entitled to compensation. This case concerns the meaning of what amounts to non-material damage and whether mere upset can amount to harm that leads to a damages award. The claimant in this case was upset and distressed about the collection of personal data concerning his political affinities in breach of GDPR. The General Court did not decide whether the facts of the case did equate to non-material damage but the Court laid down useful guidance.
The judgment usefully confirmed that non-material damage is a freestanding EU law concept under GDPR, and it should not be circumscribed by domestic laws of Member States. Whilst there is no threshold of seriousness for what constitutes non-material damage, mere breach of the GDPR does not itself establish that damage (material or non-material) has occurred. It is still necessary for an individual claiming compensation to demonstrate that they suffered negative consequences as a result of the breach which constitutes non-material damage. The damage cannot be assumed.
It remains to be seen whether the level of upset felt by the claimant amounted to non-material damage, but the judgment certainly makes this argument available. The assessment of the amount of compensation payable is a matter for domestic national rules and the GDPR does not define how damages should be assessed. The domestic rules must not make it impossible in practice or excessively difficult to exercise the rights to full and effective compensation under GDPR.
It will be interesting to see if the UK courts will adopt a similarly expansive approach to comparable claims for damages for distress arising from breach for UK data protection legislation.