Increasingly, data subjects who have been victims of data breaches are demanding compensation payments from the responsible parties, even if the data breaches are rather minor (so-called "trivial breaches"). This is made possible by a somewhat expansive interpretation by some courts of Article 82 of the GDPR, which states that "any person who has suffered non-material damage as a result of an infringement shall be entitled to compensation for such damage". Several courts, including the Federal Labour Court, hold the view that the mere breach of data protection itself triggers an obligation to pay monetary compensation. On this view, an impairment of some weight, which is commonly required for compensation payments in personality and press law, is not necessary.
In its ruling of 4 May 2023 [CURIA - Documents (europa.eu)], the European Court of Justice did not follow such an extensive interpretation. However, it stated that a certain materiality threshold did not have to be exceeded for the assumption of non-material damage.
The key statements of the court
- Not every data protection breach automatically gives grounds for an obligation to pay monetary damages.
- Article 82 of the GDPR is not punitive in nature and therefore does not give rise to a claim for punitive compensation.
- The affected person must prove that the data protection breach has actually led to non-material damage.
- However, it is not necessary that a proven non-material damage exceeds a certain materiality threshold. The "criteria for determining the extent of damages" are to be determined by the Member State courts themselves, as long as these criteria do not prevent the exercise of the rights guaranteed by the GDPR.
Unfortunately, the decision does not bring companies the added value of legal certainty that many had hoped for. It is welcome that not every petty violation and every "mere annoyance" per se leads to an obligation to pay compensation. However, the concrete criteria according to which courts will judge the existence of non-material damage in the future remain unpredictable. It is true that courts will no longer explicitly orient themselves on the high materiality threshold from the general right of personality, as some previously did. From a company's point of view, however, it is positive that the affected party must at least have actually suffered damage and be able to prove it. "Copycats" who want to make additional profit from data protection incidents, e.g. through cyberattacks, without being able to prove actual damage, can be effectively countered with the help of this current ECJ case law.
Conclusion
Although the European Court of Justice now defines certain minimum hurdles for compensation claims, companies must still be prepared to be confronted with compensation claims not only in the case of serious data protection violations. It will be interesting to observe for which types of data protection violations the German courts will recognise compensation amounts in the future and on which criteria they will focus. Until a decision is made by the highest instance courts (BGH, BAG), a vacuum of legal uncertainty is likely to remain. The fact remains that, in the worst case, companies may be faced with a combination of fines by the supervisory authorities and direct claims for damages by the affected parties. It is all the more advisable to handle data protection incidents of any kind professionally and with a correspondingly high degree of care.