Judges M Safjan, N Piçarra, N Jääskinen (Rapporteur), M Gavalec
Advocate General M Campos Sánchez-Bordona
The defendant data processor, an Austrian company that carried on business as an address trader, collected information on the political affinities of the Austrian population and defined “target group addresses” which it sold to various organisations, to enable them to send targeted election advertising. In the course of its activity, the company processed data from which it emerged that the claimant data subject had a high degree of affinity with a certain Austrian political party. Although that information was not communicated to third parties, the data subject, who had not consented to the processing of his personal data, felt offended and publicly exposed. The data subject, however, suffered no harm other than those temporary emotional effects. The data subject brought an action seeking an injunction to stop the data processor from processing the personal data in question and an order requiring that company to pay him €1000 by way of compensation for the non-material damage. The injunction was granted but the claim for compensation was rejected. A higher court dismissed the appeal, holding that, under Austrian law, a breach of the rules on the protection of personal data was not automatically associated with non-material damage and gave rise to a right to compensation only where such damage reached a certain “threshold of seriousness”. Hearing the appeal brought by both parties, the Supreme Court, Austria, dismissed the data processor’s appeal against the injunction, but was unsure, in relation to the data subject’s appeal, as to the correct interpretation, and application, of the right to compensation for “material or non-material damage” for an infringement of the provisions of Parliament and Council Regulation (EU) 2016/679 (the General Data Protection Regulation or “GDPR”) under article 82 of that Regulation. In those circumstances, the Supreme Court stayed the proceedings and referred a number of questions on the interpretation of article 82 of the GDPR to the Court of Justice of the European Union for a preliminary ruling.
On the reference—
Held, (1) there were three cumulative conditions for the right to compensation under article 82 of the GDPR, namely the existence of: (i) “damage” which had been “suffered”, (ii) an infringement of the GDPR and (iii) of a causal link between that damage and that infringement. Accordingly, according to the correct, literal, interpretation of article 82, the mere infringement of the provisions of the GDPR was not sufficient, on its own, to confer a right to compensation on a data subject (see judgment, paras 32, 33, 42, operative part, para 1).
(2) The GDPR did not define the concept of “damages” for the application of article 82, and there was no reference to any threshold of seriousness. The context of article 82 further indicated that the right to compensation was not subject to the condition that the damage in question had reached a certain degree of seriousness. Making compensation for non-material damage subject to a certain threshold of seriousness would be contrary to the broad concept of damage under the EU principles and risk undermining the coherence of the rules established by the GDPR, since the graduation of such a threshold, on which the possibility or otherwise of obtaining that compensation would depend, would be liable to fluctuate according to the assessment of the courts seised. Therefore, a person harmed by an infringement of the GDPR could not be relieved of the need to demonstrate that those consequences constituted non-material damage within the meaning of article 82 of the Regulation. Accordingly, article 82(1) of the GDPR precluded a national rule or practice which made compensation for non-material damage, within the meaning of that provision, subject to the condition that the damage suffered by the data subject had reached a certain degree of seriousness (see judgment, paras 45–51, operative part, para 2).
(3) Since the GDPR did not contain any definition of the rules on the assessment of the damages to which a data subject could be entitled under article 82, it was for the legal system of each member state to prescribe the detailed rules governing the criteria for such assessment, subject to compliance with the principles of equivalence and effectiveness. The domestic rules had to ensure that financial compensation based on article 82 was “full and effective”. In order to do so there was no need to require the payment of punitive damages, where the damage actually suffered as a result of the infringement of the Regulation was compensated in its entirety (see judgment, paras 54, 58, 59, operative part, para 3).
The data subject in person.
R Marko for the data processor.
A Posch, J Schmoll and G Kunnert, agents, for the Austrian Government.
O Serdula, M Smolek and J Vláčil, agents, for the Czech Government.
D Fennelly, instructed by M Browne, A Joyce, M Lane and M Tierney, agents, for Ireland.
A Bouchagiar, M Heller and H Kranenborg, agents, for the European Commission.