Article 82 GDPR: compensatory function and fault-based liability
23 January 2024

The Court of Justice of the EU ("CJEU") recently elaborated on the interpretation of Article 82 of the General Data Protection Regulation ("GDPR") in the Krankenversicherung Nordrhein case. Its key findings are: 

  • Article 82 GDPR does not have a deterrent or punitive function, but only a compensatory function;
  • Fault is a necessary condition for liability;
  • The existence of fault is presumed, unless controllers prove otherwise;
  • Article 82 GDPR does not require the degree of fault to be considered when calculating non-material damages.

This judgment can be considered a follow-up to the ruling in Österreichische Post (CJEU 4 May 2023, Case C-300/21, ECLI:EU:C:2023:370). In that case, the CJEU ruled that compensation for non-material damage can only be awarded under Article 82(1) GDPR if a data subject suffered (i) damage (with no minimum threshold) that was (ii) caused by (iii) a GDPR breach. The compensation should fully cover the actual damage and be calculated under domestic law in compliance with the EU law principles of equivalence and effectiveness. In Krankenversicherung Nordrhein, the CJEU further clarified Article 82 GDPR. The CJEU also interpreted Articles 6 and 9(2)(h) and 9(3) GDPR, which we will not discuss in this News Update.

First, the CJEU held that Article 82(1) GDPR does not have a deterrent or punitive function, but only a compensatory function, unlike Articles 83 and 84 GDPR. These latter provisions, which allow supervisory authorities to impose fines or other sanctions, have a punitive purpose. Since Article 82 GDPR only has a compensatory function, the seriousness of the breach (which can be considered when determining administrative fines) cannot affect the amount of compensation, even if the damage is non-material. The important conclusion is that Article 82 GDPR provides for damages that fully compensate the actual damage caused by the breach, but not more than that.

Secondly, the CJEU decided that fault is a necessary condition for establishing liability under Article 82 GDPR. Before this ruling, it was not clear whether the GDPR intended fault-based liability or whether liability could already be assumed if the three criteria mentioned above (breach, damage and a causal link between breach and damage) were met (see the contrary opinion of Advocate General Campos Sánchez-Bordona in this case). The lack of clarity was due to the wording of Article 82(2) GDPR, according to which any controller involved in data processing is liable for the damage caused by processing which breaches the GDPR. The CJEU deduced from an analysis of different language versions of this provision that the controller is deemed to have participated in the processing that breached the GDPR. Given this interpretation and Article 82(3) GDPR, which releases the controller from liability if it proves that it is not responsible for the event that caused the damage, the CJEU concluded that Article 82 GDPR provides for fault-based liability with a reversal of the burden of proof. The CJEU noted that this interpretation also fits within the context of Article 82 and the GDPR's objectives. Further to its findings on Article 82 GDPR's compensatory function, the CJEU held that this provision does not require the degree of fault to be considered when calculating non-material damages.

From an evidentiary perspective, it is important that the controller's fault is presumed, unless the controller proves that the event causing the damage cannot be attributed to it. A controller might be exempt from liability if third parties such as cybercriminals commit a data breach. The CJEU ruled in a previous judgment that a data breach by a third party cannot be attributed to the controller unless the controller has made that breach possible by failing to comply with its GDPR obligations. In that case, the controller may be exempt from liability if it proves under Article 82(3) GDPR "that there is no causal link between its possible breach of the data protection obligation and the damage suffered" (CJEU 14 December 2023, Case C-340/21, ECLI:EU:C:2023:986 (Natsionalna agentsia za prihodite)). In that judgment, the CJEU also held that a data subject's fear of possible misuse of their personal data by third parties due to a GDPR breach can constitute non-material damage. The CJEU added that the burden of proof falls on the data subject and that the court must "verify that that fear can be regarded as well founded, in the specific circumstances at issue and with regard to the data subject".

Update 25 January 2024

The findings discussed above have been confirmed in CJEU 25 January 2024, Case C-687/21, ECLI:EU:C:2024:72 (MediaMarktSaturn Hagen-Iserlohn GmbH). In addition, the CJEU found that where a document containing personal data has been disclosed to an unauthorised third party who has demonstrably not taken note of that data, there is no 'non-material damage' within the meaning of Article 82 GDPR merely because the data subject fears that, following the disclosure, which made it possible to make a copy of the document before returning it, there will be further dissemination or even misuse of his or her data in the future.

CJEU 21 December 2023, Case C-667/21, ECLI:EU:C:2023:1022 (Medizinischer Dienst der Krankenversicherung Nordrhein)
CJEU 14 December 2023, Case C-340/21, ECLI:EU:C:2023:986 (Natsionalna agentsia za prihodite)
See also our News Update on Österreichische Post (CJEU 4 May 2023, Case C-300/21, ECLI:EU:C:2023:370).

Written by: Thomas de Weerd, Advocaat | Partner, Amsterdam